IAM Roles & Policies

Create and attach secure IAM roles with the least privilege needed for Lambda to access S3, DynamoDB, and other services.

IAM (Identity and Access Management) plays a critical role in this project. It ensures that each AWS service — especially Lambda — has just the right set of permissions to interact with S3, DynamoDB, and KMS securely.

Why IAM?

Your Lambda functions need to:

• Read/write to DynamoDB (dedupTable)

• Upload/delete files in S3 (owncloud-dedup-files)

• Optionally access KMS (if using encrypted buckets)

IAM ensures these functions can only do what they are supposed to — nothing more.

---

PART 1 : IAM Roles for Uploading Files

Step 1: Create IAM Role for Lambda

1. Go to IAM → Roles → Create Role

2. Trusted entity type: AWS service

3. Use case: Lambda

4. Click Next: Permissions

---

Step 2: Attach Basic Policies

Attach the following managed policies:

• AWSLambdaBasicExecutionRole – for logging to CloudWatch

• Search and Add all of the policies given in the image below. Click on the blue plus icon to add them

IAM Roles

Click Next → Name the role: owncloud-dedup-role → Create role

---

Step 3: Add Inline Policy for Least Privilege

Now attach an inline policy for S3 and DynamoDB access:

1. Go to the created role → Permissions tab → Add inline policy

2. Click on the JSON tab and paste:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowKMSEncryptDecryptAccess",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:us-east-1:220938493400:key/4e47c2d4-7d1b-46be-9298-3c79e991a532"
        }
    ]
}

Name the policy as owncloud_policy

Creating a inline policy for S3 & DynamoDB

---

PART 2 : IAM Roles for Deleting Files

Step 1: Create IAM Role for Lambda

Follow the same steps as above and name the role as : deleteFileLambda-role-wpp128e3

---

Step 2: Add policies

Search and Add all of the policies given in the image below. Click on the blue plus icon to add them.

---

Step 3: Add Inline Policy

Now attach an inline policy for S3 and DynamoDB access:

1. Go to the created role → Permissions tab → Add inline policy

2. Click on the JSON tab and paste:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": "s3:DeleteObject",
			"Resource": "arn:aws:s3:::owncloud-dedup-files/*"
		}
	]
}

Final Role Binding

Attach this IAM role to both Lambda functions (uploadFileLambda, deleteFileLambda)

This role now ensures:

• 🔐 Secure, scoped access

• 📦 No over-privileged access

• 📈 Logged activity via CloudWatch

After adding all the Roles and Policy, your dashboard will look like this: