Closed by zmully 6 years ago
I'm afraid not -- this permission is for the Lambda function that accepts an arbitrary bucket name from the custom resource in a template. The function must generate the inventory configuration for whatever bucket it's been asked to configure.
Another way to say that: the Lambda function exists once, and it processes every bucket that a caller asks it to process. To do that, it needs to be able to take these actions on `*`.
https://github.com/mapbox/magic-cfn-resources/blob/d2779f320d75f93273f36f37e4af40fdbc651dcf/lib/build.js#L388-L395
Since the bucket name is passed in as part of the magic-cfn-resource configuration, is there a reason why this policy cannot be scoped to the passed bucket @rclark?