The next bit in our journey is to grant Lambda functions access to our S3 bucket as well as to some boilerplate Lambda functionality.

Creating the S3 Bucket Policy

The first thing we will do is create an IAM policy that grants the s3:GetObject permission on the objects in our S3 bucket.

The policy should look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mtedone-pulse-serverless/*"
        }
    ]
}

Creating the Lambda Role to access the S3 policy

Next we will create an IAM role that allows Lambda functions to access our S3 bucket via the policy we’ve just created.

Ultimately the role should look like the above. I called it Pulse-LambdaData and it contains two policies:

  • AWSLambdaBasicExecutionRole, the AWS managed policy that lets Lambda write its logs to CloudWatch Logs
  • Pulse-S3-Access, which is the policy we have defined above.
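
An added example, not code from the original post: a Python check that the Pulse-S3-Access policy grants nothing wider than s3:GetObject on objects in the one bucket, and that only the Lambda service can assume the role. The trust policy is an assumption (the post does not show the role's trust relationship), and the function names are hypothetical.

```python
# The policy from this page.
PULSE_S3_ACCESS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::mtedone-pulse-serverless/*"}]}

# Assumption: the role's trust policy, which the page does not show. Lambda can
# only use a role whose trust policy lets the Lambda service assume it.
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

def as_list(value):
    """IAM accepts a single value or a list; normalise to a list."""
    return list(value) if isinstance(value, list) else [value]

def audit_read_policy(policy, bucket):
    """Findings for Allow statements wider than s3:GetObject on one bucket's objects."""
    findings, prefix = [], f"arn:aws:s3:::{bucket}/"
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants everything not listed")
        for action in as_list(stmt.get("Action", [])):
            if action.lower() != "s3:getobject":  # action names are case-insensitive
                findings.append(f"{sid}: action {action} is wider than s3:GetObject")
        for res in as_list(stmt.get("Resource", [])):
            if not res.startswith(prefix):  # bucket ARN, other bucket, or wildcard
                findings.append(f"{sid}: resource {res} is not under {prefix}")
    return findings

def trusted_principals(trust):
    """Every principal allowed to assume the role, as (type, value) pairs."""
    out = set()
    for stmt in as_list(trust["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anyone may assume the role
            out.add(("*", "*"))
            continue
        for kind, values in principal.items():
            out.update((kind, value) for value in as_list(values))
    return out

if __name__ == "__main__":
    print(audit_read_policy(PULSE_S3_ACCESS, "mtedone-pulse-serverless"))
    print(trusted_principals(LAMBDA_TRUST))
```

A resource of arn:aws:s3:::mtedone-pulse-serverless without the trailing /* is reported because s3:GetObject applies to object ARNs, not to the bucket ARN itself.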

That’s it folks!