template.yaml

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: S3 Object Lambda

Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      BucketName: !Sub ${AWS::StackName}-assets

  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action: '*'
            Effect: Allow
            Resource:
              - !GetAtt S3Bucket.Arn
              - !Sub
                  - '${varS3BucketArn}/*'
                  - varS3BucketArn: !GetAtt S3Bucket.Arn
            Principal:
              AWS: '*'
            Condition:
              StringEquals:
                's3:DataAccessPointAccount': !Sub ${AWS::AccountId}

  # S3 Access Point (Network origin: Internet)
  S3AccessPoint:
    Type: 'AWS::S3::AccessPoint'
    Properties:
      Bucket: !Ref S3Bucket
      Name: !Sub ${AWS::StackName}-ap

  # S3 Object Lambda Access Point
  S3ObjectLambdaAccessPoint:
    Type: 'AWS::S3ObjectLambda::AccessPoint'
    Properties: 
      Name: !Sub ${AWS::StackName}-olap
      ObjectLambdaConfiguration: 
        AllowedFeatures:
          - GetObject-Range
          - GetObject-PartNumber
        SupportingAccessPoint: !Sub 'arn:aws:s3:${AWS::Region}:${AWS::AccountId}:accesspoint/${S3AccessPoint}'
        TransformationConfigurations: 
        - Actions: 
            - GetObject
          ContentTransformation: 
            AwsLambda:
              FunctionArn: !GetAtt ObjectLambdaFunction.Arn
              FunctionPayload: 'test-payload'

  # IAM principal user who has full access to the bucket, access points, and his own credentials.
  BucketUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Sub ${AWS::StackName}-user
      Policies:
        - PolicyName: !Sub ${AWS::StackName}-user-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Resource:
                - !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${AWS::StackName}-user/AccessKey
              Action:
                - secretsmanager:GetSecretValue
            - Effect: Allow
              Resource:
                - !GetAtt ObjectLambdaFunction.Arn
              Action: 
                - lambda:InvokeFunction
            - Effect: Allow
              Resource: 
                - !Sub arn:aws:s3:::${S3Bucket}
                - !Sub arn:aws:s3:::${S3Bucket}/*
              Action: "*"
            - Effect: Allow
              Resource: 
                - !Sub arn:aws:s3-object-lambda:${AWS::Region}:${AWS::AccountId}:accesspoint/${S3ObjectLambdaAccessPoint}
                - !Sub arn:aws:s3-object-lambda:${AWS::Region}:${AWS::AccountId}:accesspoint/${S3ObjectLambdaAccessPoint}/*
              Action: "*"
            # Allow user to write rules to the DynamoDB table.
            - Effect: Allow
              Resource: !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${AccessControlDynamoDB}
              Action: 
                - dynamodb:PutItem
                - dynamodb:GetItem
                - dynamodb:DeleteItem
                - dynamodb:UpdateItem
                - dynamodb:Query
                - dynamodb:Scan
            # Allow user to read and write to the SSM parameter.
            - Effect: Allow
              Resource: !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${AWS::StackName}/NetworkRanges
              Action: 
                - ssm:GetParameter
                - ssm:PutParameter

  # Access key for the bucket user. Will be stored in secrets manager.
  AccessKey:
    Type: AWS::IAM::AccessKey
    DependsOn: BucketUser
    Properties: 
      Status: Active
      UserName: !Ref BucketUser

  Secret:
    Type: AWS::SecretsManager::Secret
    DependsOn: AccessKey
    Properties: 
      Name: !Sub ${BucketUser}/AccessKey
      Description: !Sub Stores the credentials for the ${BucketUser} IAM principal.
      SecretString: 
        !Sub
          - |
            {
              "user": "${user}", 
              "bucket": "${bucket}",
              "aws_access_key_id": "${id}",
              "aws_secret_access_key": "${key}",
              "aws_region": "${region}"
            }
          - user: !Sub ${AWS::StackName}-user
            id: !Ref AccessKey
            key: !GetAtt AccessKey.SecretAccessKey
            region: !Ref AWS::Region
            bucket: !Ref S3Bucket

  # Lambda function
  ObjectLambdaFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      CodeUri: src/
      Handler: app.handler
      Runtime: nodejs18.x
      # We wouldn't leave these defaults this high in production.
      MemorySize: 2048
      Timeout: 30
      Environment:
        Variables:
          DYNAMODB_TABLE: !Ref AccessControlDynamoDB
          ORIGINAL_BUCKET: !Ref S3Bucket
          RANGES_SSM_PARAMETER_NAME: !Ref SSMParameter
      # The function needs permission to call back to the S3 Object Lambda Access Point with the WriteGetObjectResponse.
      Policies:
        - DynamoDBReadPolicy:
            TableName: !Ref AccessControlDynamoDB
        - S3CrudPolicy:
            BucketName: !Ref S3Bucket
        - Statement:
          - Effect: Allow
            Action: 's3-object-lambda:WriteGetObjectResponse'
            Resource: '*'
        # The function needs permission to read the SSM parameter.
        - Statement:
          - Effect: Allow
            Action: 'ssm:GetParameter'
            Resource: !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${AWS::StackName}/NetworkRanges
  
  # DynamoDB table
  AccessControlDynamoDB:
    Type: AWS::Serverless::SimpleTable
    Properties:
      PrimaryKey:
        Name: PK
        Type: String
      TableName: !Sub ${AWS::StackName}-AccessControl
  ## SSM Parameter for network ranges
  SSMParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub /${AWS::StackName}/NetworkRanges
      Type: String
      Value: '{"localhost": [{"start": "127.0.0.1","end": "127.0.0.2"}]}'

Outputs:
  S3BucketName:
    Value: !Ref S3Bucket
    Description: S3 Bucket for object storage.
  S3AccessPointArn:
    Value: !Ref S3AccessPoint
    Description: Name of the S3 access point.
  S3ObjectLambdaAccessPointArn:
    Value: !GetAtt S3ObjectLambdaAccessPoint.Arn
    Description: ARN of the S3 Object Lambda access point.
  ObjectLambdaFunctionArn:
    Value: !Ref ObjectLambdaFunction
    Description: ObjectLambdaFunction ARN.  
  BucketUserName:
    Description: The name of the bucket user
    Value: !Ref BucketUser
  SecretArn:
    Description: The arn of the secret that contains the access key for the user
    Value: !Ref Secret