lambda cannot access to s3 bucket restricted by cloudfront

Question

I have a s3 bucket as origin of a cloudfront. The bucket have all public access blocked. I create a lambda function that download, process and upload s3 object. I create a role for the lambda and add a non public policy, according the meaning of public for amazon resources.. Here is the policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3LambdaAccessObject",
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": "arn:aws:s3:::XXXXXXXXXXXXX-dev-videos-origin/*",
            "Condition": {
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:YYYYYYYYYYYY_conversor"
                }
            }
        },
        {
            "Sid": "S3LambdaListBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::XXXXXXXXXXXXX-dev-videos-origin",
            "Condition": {
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:YYYYYYYYYYY_conversor"
                }
            }
        }

However, i get access denied code when trying to download and upload a file to the s3 via sdk. I even has added the lamnda to the s3 policies but still no result:

{
    "Version": "2012-10-17",
    "Id": "aws_iam_policy_document_origin",
    "Statement": [
        {
            "Sid": "S3GetObjectForCloudFront",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/*"
        },
        {
            "Sid": "S3ListBucketForCloudFront",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::XXXXXXXXXXX-origin"
        },
        {
            "Sid": "S3PutObjectForCloudFront",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
            },
            "Action": [
                "s3:PutObjectVersionAcl",
                "s3:PutObjectAcl",
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/private/*"
        },
        {
            "Sid": "S3LambdaAccessObject",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*Object",
            "Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/*",
            "Condition": {
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:lambda:us-east-1:YYYYYYYYYYY:function:XXXXXXXXXXX"
                }
            }
        },
        {
            "Sid": "S3LambdaListBucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::XXXXXXXXXXX-origin",
            "Condition": {
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:lambda:us-east-1:YYYYYYYYYYY:function:XXXXXXXXXXX"
                }
            }
        }
    ]
}
    ]
}

The lambda work just fine if the public access blocking is removed. What I am doing wrong?

Answer 1

The whitelist for the Lambda function Arn will not work as the Lambda function connects using its Lambda role to perform any of these interactions.

Instead you will need to whitelist the IAM role that your Lambda has attached to it. This is done by using the Principal of the IAM role Arn.

You will still need to ensure that the IAM role contains the permissions it needs to access S3 additionally.