I have a Lambda function outside a VPC which is accessing S3. I can access S3 from the Lambda when public access is on. But when I switch off public access and create a bucket policy which allows only my Lambda function to access S3, then I can't access S3 anymore and I get a time-out error. I think there is something wrong in my policy, but I am not sure what. Here is my policy:
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "LambdaAllow",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxx:role/service-role/Lambda_accessingS3-role"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::uploads-from-lambda567",
        "arn:aws:s3:::uploads-from-lambda567/*"
      ]
    }
  ]
}
Can somebody please explain to me what I am doing wrong?
2 Answers
Since you switched off public access for your S3 bucket, the Lambda can't access the bucket's public IP address to connect to it.
You can move the Lambda function into a VPC and create a VPC Gateway endpoint for S3 to enable the Lambda function to access the bucket privately without going through the internet.
A time-out error is an indication that you are not reaching the Amazon S3 API endpoints. It is not related to the Bucket Policy.
If you changed the AWS Lambda function to connect to a VPC, then it no longer has access to the Internet.
If at all possible, it is always better to NOT configure Lambda functions to use a VPC. When a VPC is not configured then the function has direct access to the Internet. However, if the Lambda function also requires access to resources in a VPC then you would either need to:
If your particular goal is simply to remove public access from the bucket but permit access to the Lambda function, and the Lambda function does not need to access any resources in the VPC, then simply remove the VPC configuration from the Lambda function and the Bucket Policy shown in your question should work correctly. Worst-case you will receive an Access Denied error, but never a time-out error.
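The point made in this answer is that the two failure modes are separable: a time-out means the request never reached the S3 endpoint (network path, VPC configuration), while Access Denied means the request arrived and the policy rejected it. The following is an added example, not code from the question or either answer, that evaluates the question's bucket policy offline with a small model of IAM's resource-policy logic (explicit Deny wins, any matching Allow grants, otherwise implicit deny). It does not model Condition, NotPrincipal, NotAction or NotResource and makes no network call, so it can only tell you what the policy decides once a request gets that far. The role ARN (with the account id redacted as xxxxxx, as in the question) and the bucket name are taken from the question; the tightened policy in least_privilege_policy is the editor's suggestion, since "s3:*" also grants actions such as s3:DeleteBucket and s3:PutBucketPolicy that an upload function never needs.

```python
"""Offline evaluation of the bucket policy from the question (added example)."""
import fnmatch
import json

# Sample input: the bucket policy posted in the question, embedded verbatim.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "LambdaAllow",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxx:role/service-role/Lambda_accessingS3-role"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::uploads-from-lambda567",
        "arn:aws:s3:::uploads-from-lambda567/*"
      ]
    }
  ]
}
""")

# Identifiers from the question; the account id is redacted there as xxxxxx.
ROLE_ARN = "arn:aws:iam::xxxxxx:role/service-role/Lambda_accessingS3-role"
BUCKET = "uploads-from-lambda567"


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """IAM wildcards: '*' is any run of characters, '?' is one character.
    fnmatch also interprets '[...]', which IAM does not, so escape it."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _principal_matches(principal, principal_arn):
    """Match a statement's Principal element against the caller's role ARN."""
    if principal == "*":                       # anonymous / everyone
        return True
    if isinstance(principal, dict):
        allowed = _as_list(principal.get("AWS", []))
        return "*" in allowed or principal_arn in allowed
    return False


def evaluate(policy, principal_arn, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for a single request.
    Simplified model: no Condition / Not* elements, resource policy only."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _principal_matches(stmt.get("Principal"), principal_arn):
            continue
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(_wildcard_match(a.lower(), action.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource)
                   for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                      # an explicit deny always wins
        decision = "Allow"
    return decision


def least_privilege_policy(role_arn, bucket):
    """Editor's tightened alternative to the question's policy: object read and
    write only, so bucket-level actions such as s3:DeleteBucket are not granted."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "LambdaUploadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    print("question policy, PutObject by the role:",
          evaluate(BUCKET_POLICY, ROLE_ARN, "s3:PutObject", obj))
    print("question policy, DeleteBucket by the role:",
          evaluate(BUCKET_POLICY, ROLE_ARN, "s3:DeleteBucket", f"arn:aws:s3:::{BUCKET}"))
    tight = least_privilege_policy(ROLE_ARN, BUCKET)
    print("tightened policy, DeleteBucket by the role:",
          evaluate(tight, ROLE_ARN, "s3:DeleteBucket", f"arn:aws:s3:::{BUCKET}"))
```

Run against the question's policy, the role gets Allow for every S3 action on the bucket and its objects, which confirms the policy is not the cause of a time-out; a different role, or the same role against a different bucket, gets an implicit deny, which is the Access Denied case this answer describes. Note that block public access and the policy above only affect authorization; if the function's execution role is in the same account, this resource policy alone is enough to grant it, so the remaining variable is whether the function can reach the S3 endpoint at all.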