Security implications
Create a dedicated AWS IAM role to run this Lambda function. Limit the role's permissions so that it can operate only on the S3 bucket dedicated to this project.
Do not attach a full-control policy such as AmazonS3FullAccess, which has full permissions to all resources under your AWS account, to the role that runs the Lambda function. Allowing full-access permissions to all resources may put your resources at risk.
The following table lists the permissions the IAM role requires to run this project, grouped by AWS service:
| AWS service | Permission |
|---|---|
| S3 | ListBucket, HeadBucket, GetObject, PutObject, PutObjectAcl |
| DynamoDB | DescribeStream, ListStreams, Scan, GetShardIterator, GetRecords, UpdateItem |
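
The following check is an added example, not code from this project: it audits an IAM policy document and reports any Allow grant that goes beyond the table above. The `s3:` and `dynamodb:` prefixes are the IAM service prefixes for the listed actions; the bucket name, table name, region, account id and the way the actions are split across statements are constructed placeholders.

```python
ALLOWED = {  # actions from the table, lower-cased; the service prefixes are IAM's
    "s3": {"listbucket", "headbucket", "getobject", "putobject", "putobjectacl"},
    "dynamodb": {"describestream", "liststreams", "scan",
                 "getsharditerator", "getrecords", "updateitem"},
}

def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy):
    """Return one finding per grant that is broader than the table requires."""
    findings = []
    stmts = policy.get("Statement", [])
    for i, stmt in enumerate([stmts] if isinstance(stmts, dict) else stmts):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything not named")
        for action in as_list(stmt.get("Action")):
            service, _, name = action.lower().partition(":")
            if "*" in action or "?" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif name not in ALLOWED.get(service, set()):
                findings.append(f"statement {i}: action {action} is not in the required list")
        for resource in as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f'statement {i}: Resource "*" covers every resource')
    return findings

# Constructed samples (placeholder bucket, table, region, account id);
# BROAD_POLICY mimics a full-access grant for comparison.
BUCKET = "arn:aws:s3:::example-project-bucket"
TABLE = "arn:aws:dynamodb:us-east-1:111122223333:table/example-project-table"
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": BUCKET, "Action": ["s3:ListBucket", "s3:HeadBucket"]},
    {"Effect": "Allow", "Resource": BUCKET + "/*",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"]},
    {"Effect": "Allow", "Resource": TABLE, "Action": ["dynamodb:Scan", "dynamodb:UpdateItem"]},
    {"Effect": "Allow", "Resource": TABLE + "/stream/*",
     "Action": ["dynamodb:DescribeStream", "dynamodb:ListStreams",
                "dynamodb:GetShardIterator", "dynamodb:GetRecords"]},
]}
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    for label, policy in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        print(label, audit_policy(policy) or "no findings")
```

Run it against the policy JSON you plan to attach to the Lambda role (loaded with `json.load`) before deploying; an empty result means every Allow statement stays within the table.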