IAM Roles & Policies

Create and attach secure IAM roles with the least privilege needed for Lambda to access S3, DynamoDB, and other services.

IAM (Identity and Access Management) plays a critical role in this project. It ensures that each AWS service, especially Lambda, has just the right set of permissions to interact with S3, DynamoDB, and KMS securely.

Why IAM?

Your Lambda functions need to:

  • Read/write to DynamoDB (dedupTable)

  • Upload/delete files in S3 (owncloud-dedup-files)

  • Optionally access KMS (if using encrypted buckets)

IAM ensures these functions can only do what they are supposed to do, and nothing more.


PART 1: IAM Roles for Uploading Files

Step 1: Create IAM Role for Lambda

  1. Go to IAM → Roles → Create Role

  2. Trusted entity type: AWS service

  3. Use case: Lambda

  4. Click Next: Permissions


Step 2: Attach Basic Policies

Attach the following managed policies:

  • AWSLambdaBasicExecutionRole – for logging to CloudWatch

  • Search for and add all of the policies shown in the image below. Click the blue plus icon to add each one.

IAM Roles

Click Next → Name the role: owncloud-dedup-role → Create role


Step 3: Add Inline Policy for Least Privilege

Now attach an inline policy for S3 and DynamoDB access:

  1. Go to the created role → Permissions tab → Add inline policy

  2. Click on the JSON tab and paste:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowKMSEncryptDecryptAccess",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:us-east-1:220938493400:key/4e47c2d4-7d1b-46be-9298-3c79e991a532"
        }
    ]
}

Name the policy owncloud_policy.

Creating an inline policy for S3 & DynamoDB

PART 2: IAM Roles for Deleting Files

Step 1: Create IAM Role for Lambda

Follow the same steps as above and name the role deleteFileLambda-role-wpp128e3.


Step 2: Add policies

Search for and add all of the policies shown in the image below. Click the blue plus icon to add each one.


Step 3: Add Inline Policy

Now attach an inline policy for S3 and DynamoDB access:

  1. Go to the created role → Permissions tab → Add inline policy

  2. Click on the JSON tab and paste:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::owncloud-dedup-files/*"
        }
    ]
}
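The two inline policies above cover KMS and S3 deletion; the S3 upload and DynamoDB access listed under "Why IAM?" still need scoped statements of their own. The following script is an added example, not part of the original guide: it builds least-privilege inline policies for the upload and delete roles and flags any statement that is wider than it should be. The account id and region are taken from the KMS key ARN above and the table and bucket names from this page; the exact set of actions each role needs is an assumption.

```python
# Values from this guide: account id and region from the KMS key ARN, table and bucket
# names from the "Why IAM?" list. The per-role action sets are an assumption.
ACCOUNT_ID = "220938493400"
REGION = "us-east-1"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/dedupTable"
BUCKET_OBJECTS_ARN = "arn:aws:s3:::owncloud-dedup-files/*"


def _allow(sid, actions, resource):
    return {"Sid": sid, "Effect": "Allow", "Action": actions, "Resource": resource}


def upload_role_policy():
    """Inline policy for uploadFileLambda: write objects, read/write the dedup table."""
    return {"Version": "2012-10-17", "Statement": [
        _allow("PutDedupObjects", ["s3:PutObject"], BUCKET_OBJECTS_ARN),
        _allow("DedupTableReadWrite",
               ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem"], TABLE_ARN),
    ]}


def delete_role_policy():
    """Inline policy for deleteFileLambda: delete objects, read/delete dedup table entries."""
    return {"Version": "2012-10-17", "Statement": [
        _allow("DeleteDedupObjects", ["s3:DeleteObject"], BUCKET_OBJECTS_ARN),
        _allow("DedupTableReadDelete", ["dynamodb:GetItem", "dynamodb:DeleteItem"], TABLE_ARN),
    ]}


def find_overbroad(policy):
    """Return (Sid, reason) pairs for Allow statements wider than least privilege:
    a bare '*' or service-wide 'svc:*' action, or a Resource of '*'."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement{i}")
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"service-wide action {action}"))
        for resource in resources:
            if resource == "*":
                findings.append((sid, "Resource '*'"))
    return findings
```

Action-prefix wildcards such as the page's kms:ReEncrypt* stay within one service and are not flagged; only bare "*" actions, "service:*" actions and a Resource of "*" are reported, which is the first thing to check before pasting a policy into the JSON tab.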

Final Role Binding

Attach this IAM role to both Lambda functions (uploadFileLambda, deleteFileLambda).

This role now ensures:

  • πŸ” Secure, scoped access

  • πŸ“¦ No over-privileged access

  • πŸ“ˆ Logged activity via CloudWatch

After adding all the Roles and Policy, your dashboard will look like this:
