
# AccessPointPolicy

The AccessPointPolicy resource attaches a resource policy to an AWS S3 Object Lambda access point. The policy document states which principals may call which `s3-object-lambda` actions through that access point, and under which conditions.

## Minimal Example

Create a basic access point policy with only the required properties, a single `Allow` statement scoped by a condition:

```ts
import AWS from "alchemy/aws/control";

const basicAccessPointPolicy = await AWS.S3ObjectLambda.AccessPointPolicy("basicPolicy", {
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        // "*" matches every principal, so the Condition below is what keeps
        // this statement from granting access to other AWS accounts.
        Principal: "*",
        // Object Lambda access points use the s3-object-lambda action and ARN namespace,
        // not the plain s3 one used for buckets and regular access points.
        Action: "s3-object-lambda:GetObject",
        Resource: "arn:aws:s3-object-lambda:us-east-1:123456789012:accesspoint/my-access-point",
        Condition: {
          "StringEquals": {
            "aws:PrincipalAccount": "123456789012"
          }
        }
      }
    ]
  },
  ObjectLambdaAccessPoint: "my-access-point"
});
```

## Advanced Configuration

Configure a policy with multiple statements, one for a named IAM user and one for a wildcard principal restricted by source IP:

```ts
const advancedAccessPointPolicy = await AWS.S3ObjectLambda.AccessPointPolicy("advancedPolicy", {
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        // Named principal: only this IAM user may read objects through the access point.
        Effect: "Allow",
        Principal: {
          AWS: "arn:aws:iam::123456789012:user/Alice"
        },
        Action: "s3-object-lambda:GetObject",
        Resource: "arn:aws:s3-object-lambda:us-east-1:123456789012:accesspoint/my-access-point"
      },
      {
        // Wildcard principal, limited to callers whose source address is in one CIDR range.
        Effect: "Allow",
        Principal: "*",
        Action: "s3-object-lambda:ListBucket",
        Resource: "arn:aws:s3-object-lambda:us-east-1:123456789012:accesspoint/my-access-point",
        Condition: {
          "IpAddress": {
            "aws:SourceIp": "203.0.113.0/24"
          }
        }
      }
    ]
  },
  ObjectLambdaAccessPoint: "my-access-point"
});
```

## Custom IAM Policy Example

Grant a specific IAM user both read and write access through the access point:

```ts
const customIamPolicy = await AWS.S3ObjectLambda.AccessPointPolicy("customPolicy", {
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: {
          AWS: "arn:aws:iam::123456789012:user/Bob"
        },
        // Read and write through the access point. Each action is listed
        // explicitly; avoid "s3-object-lambda:*" unless every action is intended.
        Action: [
          "s3-object-lambda:GetObject",
          "s3-object-lambda:PutObject"
        ],
        Resource: "arn:aws:s3-object-lambda:us-east-1:123456789012:accesspoint/my-access-point"
        // No s3:prefix condition here: that key is only present on ListBucket
        // requests, so on GetObject/PutObject it would never match and the
        // statement would grant nothing.
      }
    ]
  },
  ObjectLambdaAccessPoint: "my-access-point"
});
```
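Because every policy above is plain data, it can be checked before it is handed to `AWS.S3ObjectLambda.AccessPointPolicy`. The following is an added example, not code from the Alchemy project: a small lint that flags the mistakes most likely to make one of these policies either over-permissive (a wildcard principal or wildcard action with no Condition) or silently ineffective (actions or resource ARNs written in the `s3` namespace instead of `s3-object-lambda`). The `PolicyDocument` and `Statement` types, the `lintAccessPointPolicy` function, the ARN pattern and the two sample policies are all assumptions constructed for this illustration; it generalises the three examples on the page to any statement list.

```typescript
// Added example (not part of the Alchemy docs): lint an S3 Object Lambda
// access point policy document before applying it. Types, rules and the
// sample policies below are constructed for illustration.

type Statement = {
  Effect: "Allow" | "Deny";
  Principal?: "*" | { AWS: string | string[] };
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, unknown>>;
};

type PolicyDocument = { Version: string; Statement: Statement[] };

type Finding = { statement: number; rule: string; detail: string };

// Object Lambda access point ARN: arn:aws:s3-object-lambda:<region>:<account>:accesspoint/<name>
const OLAP_ARN = /^arn:aws:s3-object-lambda:[a-z0-9-]+:\d{12}:accesspoint\/[a-z0-9-]+$/;

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

function isWildcardPrincipal(p: Statement["Principal"]): boolean {
  if (p === "*") return true;
  if (p && typeof p === "object") return asList(p.AWS).includes("*");
  return false;
}

// Returns one Finding per problem; an empty array means the policy passed.
function lintAccessPointPolicy(doc: PolicyDocument): Finding[] {
  const findings: Finding[] = [];
  if (doc.Version !== "2012-10-17") {
    findings.push({ statement: -1, rule: "version", detail: `unexpected Version ${doc.Version}` });
  }
  doc.Statement.forEach((s, i) => {
    if (s.Effect !== "Allow") return; // Deny statements only narrow access
    for (const a of asList(s.Action)) {
      if (!a.startsWith("s3-object-lambda:")) {
        findings.push({ statement: i, rule: "action-prefix", detail: `${a} is not an s3-object-lambda action` });
      }
      if (a.endsWith("*")) {
        findings.push({ statement: i, rule: "wildcard-action", detail: a });
      }
    }
    for (const r of asList(s.Resource)) {
      if (!OLAP_ARN.test(r)) {
        findings.push({ statement: i, rule: "resource-arn", detail: `${r} is not an Object Lambda access point ARN` });
      }
    }
    if (isWildcardPrincipal(s.Principal) && !s.Condition) {
      findings.push({ statement: i, rule: "open-principal", detail: 'Principal "*" with no Condition' });
    }
  });
  return findings;
}

// Constructed sample: wildcard principal, plain s3 namespace, no condition.
const openPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Principal: "*",
      Action: "s3:GetObject",
      Resource: "arn:aws:s3:us-east-1:123456789012:accesspoint/my-access-point",
    },
  ],
};

// Constructed sample: named principal, correct namespace, source-IP condition.
const scopedPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Principal: { AWS: "arn:aws:iam::123456789012:user/Alice" },
      Action: "s3-object-lambda:GetObject",
      Resource: "arn:aws:s3-object-lambda:us-east-1:123456789012:accesspoint/my-access-point",
      Condition: { IpAddress: { "aws:SourceIp": "203.0.113.0/24" } },
    },
  ],
};

for (const f of lintAccessPointPolicy(openPolicy)) {
  console.log(`statement ${f.statement}: ${f.rule}: ${f.detail}`);
}
console.log(`scoped policy findings: ${lintAccessPointPolicy(scopedPolicy).length}`);
```

Run against `openPolicy` the lint reports three findings (action prefix, resource ARN, open principal); `scopedPolicy` produces none. In a deployment script the natural place for this is a guard that throws when the array is non-empty, so a misnamed action or an unconditioned `"*"` never reaches `AccessPointPolicy`.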