AccessPointPolicy
The AccessPointPolicy resource lets you manage access point policies for AWS S3ObjectLambda. This allows you to define permissions for actions on your S3ObjectLambda access points.
Minimal Example
Create a basic access point policy with required properties:
import AWS from "alchemy/aws/control";

const basicAccessPointPolicy = await AWS.S3ObjectLambda.AccessPointPolicy("basicPolicy", {
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: "*",
        Action: "s3:GetObject",
        Resource: "arn:aws:s3:us-east-1:123456789012:accesspoint/my-access-point",
        Condition: {
          "StringEquals": {
            "s3:DataAccessPoint": "my-access-point"
          }
        }
      }
    ]
  },
  ObjectLambdaAccessPoint: "my-access-point"
});
Advanced Configuration
Configure an advanced access point policy with multiple statements and conditions:
const advancedAccessPointPolicy = await AWS.S3ObjectLambda.AccessPointPolicy("advancedPolicy", {
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: { AWS: "arn:aws:iam::123456789012:user/Alice" },
        Action: "s3:GetObject",
        Resource: "arn:aws:s3:us-east-1:123456789012:accesspoint/my-access-point",
        Condition: {
          "StringEquals": {
            "s3:DataAccessPoint": "my-access-point"
          }
        }
      },
      {
        Effect: "Allow",
        Principal: "*",
        Action: "s3:ListBucket",
        Resource: "arn:aws:s3:us-east-1:123456789012:accesspoint/my-access-point",
        Condition: {
          "IpAddress": {
            "aws:SourceIp": "203.0.113.0/24"
          }
        }
      }
    ]
  },
  ObjectLambdaAccessPoint: "my-access-point"
});
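The second statement above allows every principal (Principal: "*") and is narrowed only by its Condition block. The following TypeScript is an added example, not part of Alchemy or this page's own code; the helper names (toArray, isWildcardPrincipal, findWildcardAllows) are hypothetical. It lists the Allow statements in a PolicyDocument that are open to every principal, together with the condition keys that narrow them, so they can be reviewed before the document is passed to AccessPointPolicy:

```typescript
// Added review helper (hypothetical names); works on the PolicyDocument as plain data.
type OneOrMany<T> = T | T[];
type ConditionBlock = { [operator: string]: { [key: string]: OneOrMany<string> } };
interface Statement {
  Effect: string; Action: OneOrMany<string>; Resource: OneOrMany<string>;
  Principal?: string | { [kind: string]: OneOrMany<string> };
  Condition?: ConditionBlock;
}
interface PolicyDocument { Version: string; Statement: OneOrMany<Statement>; }
interface Finding { index: number; actions: string[]; conditionKeys: string[]; }

// Policy JSON accepts a single value wherever a list is accepted; normalize to a list.
const toArray = <T>(v: OneOrMany<T>): T[] => ([] as T[]).concat(v);

// True for Principal: "*" and for any principal map entry that contains "*".
function isWildcardPrincipal(p: Statement["Principal"]): boolean {
  if (p === undefined) return false;
  if (typeof p === "string") return p === "*";
  for (const kind of Object.keys(p)) {
    if (toArray(p[kind]).indexOf("*") !== -1) return true;
  }
  return false;
}

// One finding per Allow statement open to every principal. conditionKeys lists
// what narrows the grant for a reviewer to check; an empty list means nothing does.
function findWildcardAllows(doc: PolicyDocument): Finding[] {
  const findings: Finding[] = [];
  toArray(doc.Statement).forEach((stmt, index) => {
    if (stmt.Effect !== "Allow" || !isWildcardPrincipal(stmt.Principal)) return;
    const cond: ConditionBlock = stmt.Condition || {};
    const conditionKeys: string[] = [];
    for (const op of Object.keys(cond)) {
      for (const key of Object.keys(cond[op])) conditionKeys.push(op + " " + key);
    }
    findings.push({ index, actions: toArray(stmt.Action), conditionKeys });
  });
  return findings;
}

// The "Advanced Configuration" PolicyDocument from this page, copied as plain data.
const AP = "arn:aws:s3:us-east-1:123456789012:accesspoint/my-access-point";
const advancedDoc: PolicyDocument = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Principal: { AWS: "arn:aws:iam::123456789012:user/Alice" }, Action: "s3:GetObject",
    Resource: AP, Condition: { StringEquals: { "s3:DataAccessPoint": "my-access-point" } } },
  { Effect: "Allow", Principal: "*", Action: "s3:ListBucket",
    Resource: AP, Condition: { IpAddress: { "aws:SourceIp": "203.0.113.0/24" } } },
] };
console.log(findWildcardAllows(advancedDoc));
```

A finding with an empty conditionKeys list is a grant to every principal with nothing narrowing it; a non-empty list still needs a reviewer to confirm the condition restricts access as intended.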
Custom IAM Policy Example
Create a custom IAM policy for an access point that applies to a specific user:
const customIamPolicy = await AWS.S3ObjectLambda.AccessPointPolicy("customPolicy", {
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: { AWS: "arn:aws:iam::123456789012:user/Bob" },
        Action: [
          "s3:GetObject",
          "s3:PutObject"
        ],
        Resource: "arn:aws:s3:us-east-1:123456789012:accesspoint/my-access-point",
        Condition: {
          "StringLike": {
            "s3:prefix": ["uploads/", "uploads/*"]
          }
        }
      }
    ]
  },
  ObjectLambdaAccessPoint: "my-access-point"
});