From 5f7ec02bf66086d4f671dfd24e620d1648f9eac9 Mon Sep 17 00:00:00 2001
From: Andrew Johnston
Date: Tue, 4 Jun 2024 09:53:57 -0800
Subject: [PATCH] use inline policy and drop bucket attributes that are already the default

---
 cloudformation.yml | 40 +++++++++++++--------------------------
 1 file changed, 13 insertions(+), 27 deletions(-)

diff --git a/cloudformation.yml b/cloudformation.yml
index 137bb66..bb4f451 100644
--- a/cloudformation.yml
+++ b/cloudformation.yml
@@ -12,21 +12,11 @@ Resources:
   Bucket:
     Type: AWS::S3::Bucket
     Properties:
-      PublicAccessBlockConfiguration:
-        BlockPublicAcls: True
-        IgnorePublicAcls: True
-        BlockPublicPolicy: True
-        RestrictPublicBuckets: True
       LifecycleConfiguration:
         Rules:
-          - Status: Enabled
-            ExpirationInDays: 7
           - Status: Enabled
             AbortIncompleteMultipartUpload:
               DaysAfterInitiation: 1
-      OwnershipControls:
-        Rules:
-          - ObjectOwnership: BucketOwnerEnforced
       Tags:
         - Key: DAR
           Value: "NO"
@@ -62,20 +52,16 @@ Resources:
             Principal:
               Service: lambda.amazonaws.com
             Effect: Allow
-      ManagedPolicyArns:
-        - !Ref LambdaPolicy
-
-  LambdaPolicy:
-    Type: AWS::IAM::ManagedPolicy
-    Properties:
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          - Effect: Allow
-            Action:
-              - logs:CreateLogStream
-              - logs:PutLogEvents
-            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*"
-          - Effect: Allow
-            Action: s3:PutObject
-            Resource: !GetAtt Bucket.Arn
+      Policies:
+        - PolicyName: policy
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action:
+                  - logs:CreateLogStream
+                  - logs:PutLogEvents
+                Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*"
+              - Effect: Allow
+                Action: s3:PutObject
+                Resource: !Sub "arn:aws:s3:::${Bucket}/*"
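Review bot: The removed `- Status: Enabled` / `ExpirationInDays: 7` lifecycle rule is not an S3 default, so this hunk also changes object retention from seven days to indefinite, which the commit message ("already the default") does not cover; if that is intended it deserves its own mention, otherwise restore the rule. Block-public-access and `BucketOwnerEnforced` have been the defaults for newly created buckets since April 2023, but with them gone the template no longer asserts that posture: a console or API change is no longer drift CloudFormation can detect or reset, and policy-as-code scanners will flag the bucket. On an already-deployed bucket, removing `PublicAccessBlockConfiguration` from the template can make the stack update delete the configuration rather than leave the default in place, so this is worth checking against a change set before deploying. I would keep the four `PublicAccessBlockConfiguration` lines and the `OwnershipControls` block explicitly, with `# Matches the S3 default since 2023-04; kept explicit so drift is detected and enforced` above them.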
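Review bot: The new inline policy grants `logs:CreateLogStream` and `logs:PutLogEvents` but not `logs:CreateLogGroup`, so unless an `AWS::Logs::LogGroup` for this function is declared elsewhere in the template (not visible here), the function cannot create `/aws/lambda/<name>` on first invocation and its logs are silently dropped; either add `- logs:CreateLogGroup` to the Action list or declare the log group and have the function depend on it. The log resource `log-group:/aws/lambda/*` also covers every Lambda log group in the account; if the function name is fixed (a literal or parameter — a `!Ref` to the function would be circular, since the function depends on this role), narrow it to `!Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/<name>:*"`. `Version: 2012-10-17` is unquoted, which YAML 1.1 loaders used by much tooling read as a timestamp; CloudFormation itself accepts it, but `Version: "2012-10-17"` avoids surprises in linters and pre-processors. `PolicyName: policy` would also benefit from a descriptive name such as `lambda-logs-and-s3-put`. The enclosing role resource starts before this hunk.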