
I have a Lambda outside a VPC which is accessing S3. I can access S3 from Lambda when public access is on. But when I switch off the public access and create a bucket policy which allows only my Lambda function to access S3, then I can't access the S3 anymore and I get a time-out error. I think there is something wrong in my policy. But I am not sure what. Here is my policy:

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "LambdaAllow",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxx:role/service-role/Lambda_accessingS3-role"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::uploads-from-lambda567",
                "arn:aws:s3:::uploads-from-lambda567/*"
            ]
        }
    ]
}

Can somebody please explain to me what I am doing wrong?

2 Answers


  1. Since you switched off public access for your S3 bucket, Lambda can't access the bucket's public IP address to connect to it.

    You can move the lambda function into VPC and create a VPC Gateway endpoint for your s3 bucket to enable the lambda function to access the bucket privately without going through the internet.

  2. A time-out error is an indication that you are not reaching the Amazon S3 API endpoints. It is not related to the Bucket Policy.

    If you changed the AWS Lambda function to connect to a VPC, then it no longer has access to the Internet.

    If at all possible, it is always better to NOT configure Lambda functions to use a VPC. When a VPC is not configured then the function has direct access to the Internet. However, if the Lambda function also requires access to resources in a VPC then you would either need to:

    • Add a VPC Endpoint for S3 in the VPC, or
    • Configure the AWS Lambda function to use private subnets and launch a NAT Gateway in a public subnet

    If your particular goal is simply to remove public access from the bucket but permit access to the Lambda function, and the Lambda function does not need to access any resources in the VPC, then simply remove the VPC configuration from the Lambda function and the Bucket Policy shown in your question should work correctly. Worst-case you will receive an Access Denied error, but never a time-out error.

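The following is an added example, not part of either answer above, showing the "VPC Endpoint for S3" option both answers mention, wired end to end: a Gateway endpoint on the private route table, the Lambda placed in private subnets whose security group only needs HTTPS egress to the S3 prefix list, and a bucket policy that keeps the questioner's Allow for the role and adds a Deny for requests that do not arrive through that endpoint. Block Public Access itself does not change how the bucket is reached; it only blocks policies and ACLs that would grant public access. Everything in `var.*` (VPC, subnets, route table, role ARN, admin role ARN) and the `function.zip` artifact are placeholders assumed for the example; the bucket name is the one from the question.

```hcl
# Added example: Lambda-in-VPC reaching one S3 bucket privately through a
# Gateway endpoint, with the bucket locked to that endpoint.
# All var.* values and function.zip are assumed placeholders, not from the page.

variable "vpc_id" {}
variable "private_subnet_ids" { type = list(string) }
variable "private_route_table_id" {}
variable "lambda_role_arn" {}   # e.g. the Lambda_accessingS3-role ARN from the question
variable "admin_role_arn" {}    # a break-glass role that may still reach the bucket from outside the VPC

locals {
  bucket_arn = "arn:aws:s3:::uploads-from-lambda567"
}

data "aws_region" "current" {}

# Gateway endpoint: adds an S3 route to the private route table, so the Lambda
# ENIs can reach S3 without a NAT gateway or internet gateway.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.private_route_table_id]

  # Endpoint policy: the endpoint itself only carries traffic for this bucket.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "OnlyThisBucket"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource  = [local.bucket_arn, "${local.bucket_arn}/*"]
    }]
  })
}

# The Lambda ENIs need outbound 443 to the S3 prefix list and nothing else.
resource "aws_security_group" "lambda" {
  name   = "lambda-s3-only"
  vpc_id = var.vpc_id
}

resource "aws_security_group_rule" "lambda_to_s3" {
  type              = "egress"
  security_group_id = aws_security_group.lambda.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [aws_vpc_endpoint.s3.prefix_list_id]
}

resource "aws_lambda_function" "uploader" {
  function_name = "uploads-from-lambda"
  role          = var.lambda_role_arn
  handler       = "handler.main"
  runtime       = "python3.12"
  filename      = "function.zip"   # assumed build artifact

  vpc_config {
    subnet_ids         = var.private_subnet_ids
    security_group_ids = [aws_security_group.lambda.id]
  }
}

# Bucket policy: the original Allow for the role, plus a Deny for any request
# that did not come through the endpoint (except the break-glass admin role).
# aws:SourceVpce is absent on non-endpoint requests, and StringNotEquals on an
# absent key evaluates true, so those requests are denied.
resource "aws_s3_bucket_policy" "uploads" {
  bucket = "uploads-from-lambda567"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "LambdaAllow"
        Effect    = "Allow"
        Principal = { AWS = var.lambda_role_arn }
        Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
        Resource  = [local.bucket_arn, "${local.bucket_arn}/*"]
      },
      {
        Sid       = "DenyOutsideEndpoint"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource  = [local.bucket_arn, "${local.bucket_arn}/*"]
        Condition = {
          StringNotEquals = { "aws:SourceVpce" = aws_vpc_endpoint.s3.id }
          ArnNotEquals    = { "aws:PrincipalArn" = var.admin_role_arn }
        }
      }
    ]
  })
}
```

Two checks worth running after `terraform apply`: the private route table should now show a route to the S3 prefix list via the endpoint, and invoking the function should succeed while the same call from a non-VPC principal other than `var.admin_role_arn` returns Access Denied. A time-out at this point means the Lambda's subnets are not associated with `var.private_route_table_id`, which is a routing problem, not a policy one. The Deny statement is the part to be careful with: without the admin-role exemption it also locks out the console and your own CLI, and the role's IAM policy still has to grant the same S3 actions, since the bucket policy alone does not.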