diff --git a/07_Resources/IAM/group.json b/07_Resources/IAM/group.json
new file mode 100644
index 0000000..c20e42c
--- /dev/null
+++ b/07_Resources/IAM/group.json
@@ -0,0 +1,40 @@
+{
+ "IAMGroup": {
+ "Type": "AWS::IAM::Group",
+ "Properties": {
+ "GroupName": "0x4447_s3_email",
+ "Policies": [
+ {
+ "PolicyName": "l_r_w_d_plus_rename",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject",
+ "s3:GetObjectAcl",
+ "s3:GetObjectVersionAcl",
+ "s3:PutObjectAcl",
+ "s3:PutObjectVersionAcl"
+ ],
+ "Resource": [
+ { "Fn::Sub": "arn:aws:s3:::${S3Email}" },
+ { "Fn::Sub": "arn:aws:s3:::${S3Email}/*" }
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": "s3:ListAllMyBuckets",
+ "Resource": "*"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/CloudFormation.json b/CloudFormation.json
index 5649d36..fbc84c2 100644
--- a/CloudFormation.json
+++ b/CloudFormation.json
@@ -27,6 +27,48 @@
 }
 },
 "Resources": {
+ "IAMGroup": {
+ "Type": "AWS::IAM::Group",
+ "Properties": {
+ "GroupName": "0x4447_s3_email",
+ "Policies": [
+ {
+ "PolicyName": "l_r_w_d_plus_rename",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject",
+ "s3:GetObjectAcl",
+ "s3:GetObjectVersionAcl",
+ "s3:PutObjectAcl",
+ "s3:PutObjectVersionAcl"
+ ],
+ "Resource": [
+ {
+ "Fn::Sub": "arn:aws:s3:::${S3Email}"
+ },
+ {
+ "Fn::Sub": "arn:aws:s3:::${S3Email}/*"
+ }
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": "s3:ListAllMyBuckets",
+ "Resource": "*"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
 "SESReceiptRule": {
 "Type": "AWS::SES::ReceiptRule",
 "Properties": {
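Review bot: The group policy in this new file grants `s3:PutObjectAcl` and `s3:PutObjectVersionAcl` on every object in the mailbox bucket, which lets any member rewrite object ACLs (for example granting public or cross-account read unless the bucket blocks public ACLs) and is not needed for the list/read/write/delete/rename set the policy name describes; a copy-and-delete rename only uses `s3:GetObject`, `s3:PutObject` and `s3:DeleteObject`, so unless the client is known to set ACLs explicitly the `Action` list can shrink to `"s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"`. The same resource is pasted verbatim into CloudFormation.json in the next hunk, so the two copies will drift unless one is generated from the other. The fixed `GroupName` means the stack needs `CAPABILITY_NAMED_IAM` and cannot be deployed twice in one account, which is worth stating next to the new README section. The file also ends without a trailing newline.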
@@ -285,6 +327,24 @@ ] } }, + "PipelineConverterRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "RoleName": "0x4447_s3_email_codepipeline_converter", + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "codepipeline.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + } + } + }, "PipelineConverterPolicy": { "Type": "AWS::IAM::Policy", "Properties": { @@ -441,22 +501,36 @@ } } }, - "PipelineConverterRole": { + "S3ConverterPermission": { + "Type": "AWS::Lambda::Permission", + "DependsOn": "LambdaEmailConverter", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Ref": "LambdaEmailConverter" + }, + "Principal": "s3.amazonaws.com" + } + }, + "LambdaEmailConverterRole": { "Type": "AWS::IAM::Role", "Properties": { - "RoleName": "0x4447_s3_email_codepipeline_converter", + "RoleName": "0x4447_s3_email_lambda_converter", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { - "Service": "codepipeline.amazonaws.com" + "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] - } + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] } }, "LambdaEmailConverter": { 
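Review bot: `S3ConverterPermission` lets `s3.amazonaws.com` invoke the converter function without a `SourceAccount` or `SourceArn` condition, so any bucket in any account that is configured to notify this function name can trigger it, which is the confused-deputy case the permission resource exists to prevent; the moved `S3InboundPermission` (hunk at -1108) and `S3OutboundPermission` (hunk at -1494) have the same gap. Adding `"SourceAccount": { "Ref": "AWS::AccountId" }` to each permission's `Properties` closes the cross-account path, and `"SourceArn": { "Fn::Sub": "arn:aws:s3:::${<triggering-bucket-logical-id>}" }` (placeholder; the bucket that drives each function is not visible in this hunk) pins it to one bucket. `"DependsOn": "LambdaEmailConverter"` is redundant with the `Ref` to the same resource and can be dropped.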
@@ -479,38 +553,6 @@ "Timeout": 60 } }, - "S3ConverterPermission": { - "Type": "AWS::Lambda::Permission", - "DependsOn": "LambdaEmailConverter", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "LambdaEmailConverter" - }, - "Principal": "s3.amazonaws.com" - } - }, - "LambdaEmailConverterRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "RoleName": "0x4447_s3_email_lambda_converter", - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - }, - "Action": "sts:AssumeRole" - } - ] - }, - "ManagedPolicyArns": [ - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ] - } - }, "LambdaEmailConverterPolicyS3": { "Type": "AWS::IAM::Policy", "Properties": { @@ -623,7 +665,7 @@ } } }, - "CodeBuildConverterPolicyS3": { + "CodeBuildConverterPolicyLambdaUpdate": { "Type": "AWS::IAM::Policy", "Properties": { "Roles": [ @@ -631,22 +673,22 @@ "Ref": "CodeBuildConverterRole" } ], - "PolicyName": "s3_access", + "PolicyName": "update_lambda_code", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", - "Action": "s3:*", + "Action": "lambda:UpdateFunctionCode", "Resource": { - "Fn::Sub": "arn:aws:s3:::${CodePipelineBucketName}/*" + "Fn::Sub": "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${LambdaEmailConverter}" } } ] } } }, - "CodeBuildConverterPolicyLambdaUpdate": { + "CodeBuildConverterPolicyS3": { "Type": "AWS::IAM::Policy", "Properties": { "Roles": [ 
@@ -654,25 +696,25 @@ "Ref": "CodeBuildConverterRole" } ], - "PolicyName": "update_lambda_code", + "PolicyName": "s3_access", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", - "Action": "lambda:UpdateFunctionCode", + "Action": "s3:*", "Resource": { - "Fn::Sub": "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${LambdaEmailConverter}" + "Fn::Sub": "arn:aws:s3:::${CodePipelineBucketName}/*" } } ] } } }, - "PipelineOutbound": { + "PipelineInbound": { "Type": "AWS::CodePipeline::Pipeline", "Properties": { - "Name": "0x4447_s3_email_lambda_outbound", + "Name": "0x4447_s3_email_lambda_inbound", "ArtifactStore": { "Location": { "Ref": "CodePipelineBucketName" @@ -681,7 +723,7 @@ }, "RoleArn": { "Fn::GetAtt": [ - "PipelineOutboundRole", + "PipelineInboundRole", "Arn" ] }, @@ -700,7 +742,7 @@ }, "Configuration": { "Owner": "0x4447", - "Repo": "0x4447-product-s3-email-lambda-outbound", + "Repo": "0x4447-product-s3-email-lambda-inbound", "Branch": { "Ref": "Stage" }, @@ -730,7 +772,7 @@ ], "Configuration": { "ProjectName": { - "Ref": "CodeBuildOutbound" + "Ref": "CodeBuildInbound" } }, "ActionTypeId": { @@ -745,13 +787,13 @@ ] } }, - "PipelineOutboundPolicy": { + "PipelineInboundPolicy": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "default", "Roles": [ { - "Ref": "PipelineOutboundRole" + "Ref": "PipelineInboundRole" } ], "PolicyDocument": { @@ -901,10 +943,10 @@ } } }, - "PipelineOutboundRole": { + "PipelineInboundRole": { "Type": "AWS::IAM::Role", "Properties": { - "RoleName": "0x4447_s3_email_codepipeline_outbound", + "RoleName": "0x4447_s3_email_codepipeline_inbound", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ 
@@ -919,31 +961,13 @@ } } }, - "CodeBuildOutboundRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "RoleName": "0x4447_s3_email_codebuild_outbound", - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - }, - "Action": "sts:AssumeRole" - } - ] - } - } - }, - "CodeBuildOutbound": { + "CodeBuildInbound": { "Type": "AWS::CodeBuild::Project", "Properties": { - "Name": "0x4447_s3_email_outbound", + "Name": "0x4447_s3_email_inbound", "ServiceRole": { "Fn::GetAtt": [ - "CodeBuildOutboundRole", + "CodeBuildInboundRole", "Arn" ] }, @@ -964,19 +988,37 @@ "Name": "FUNCTION_NAME", "Type": "PLAINTEXT", "Value": { - "Ref": "LambdaEmailOutbound" + "Ref": "LambdaEmailInbound" } } ] } } }, - "CodeBuildOutboundPolicyCWL": { + "CodeBuildInboundRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "RoleName": "0x4447_s3_email_codebuild_inbound", + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "codebuild.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + } + } + }, + "CodeBuildDeployPolicyCWL": { "Type": "AWS::IAM::Policy", "Properties": { "Roles": [ { - "Ref": "CodeBuildOutboundRole" + "Ref": "CodeBuildInboundRole" } ], "PolicyName": "cloud_watch_log_access", @@ -992,10 +1034,10 @@ ], "Resource": [ { - "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/0x4447_s3_email_outbound" + "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/0x4447_s3_email_inbound" }, { - "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/0x4447_s3_email_outbound:*" + "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/0x4447_s3_email_inbound:*" } ] } 
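Review bot: The three policies bound to `CodeBuildInboundRole` keep the name `CodeBuildDeployPolicy*` (CWL here, S3 and LambdaUpdate in the hunks at -1003 and -1026) while every other CodeBuild policy is named after its role (`CodeBuildConverterPolicy*`, `CodeBuildOutboundPolicy*`); renaming them to `CodeBuildInboundPolicyCWL`, `CodeBuildInboundPolicyS3` and `CodeBuildInboundPolicyLambdaUpdate` makes the role binding visible from the logical ID. A logical-ID change replaces the `AWS::IAM::Policy` on the next update, so expect the inline policy to be deleted and recreated during that deployment. The log-group ARNs in the CWL policy (hunk at -992) also repeat the literal project name `0x4447_s3_email_inbound` rather than deriving it from `CodeBuildInbound`, so the two can drift if the project is renamed.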
@@ -1003,12 +1045,12 @@ } } }, - "CodeBuildOutboundPolicyS3": { + "CodeBuildDeployPolicyS3": { "Type": "AWS::IAM::Policy", "Properties": { "Roles": [ { - "Ref": "CodeBuildOutboundRole" + "Ref": "CodeBuildInboundRole" } ], "PolicyName": "s3_access", @@ -1026,12 +1068,12 @@ } } }, - "CodeBuildOutboundPolicyLambdaUpdate": { + "CodeBuildDeployPolicyLambdaUpdate": { "Type": "AWS::IAM::Policy", "Properties": { "Roles": [ { - "Ref": "CodeBuildOutboundRole" + "Ref": "CodeBuildInboundRole" } ], "PolicyName": "update_lambda_code", @@ -1042,18 +1084,18 @@ "Effect": "Allow", "Action": "lambda:UpdateFunctionCode", "Resource": { - "Fn::Sub": "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${LambdaEmailOutbound}" + "Fn::Sub": "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${LambdaEmailInbound}" } } ] } } }, - "LambdaEmailOutbound": { + "LambdaEmailInbound": { "Type": "AWS::Lambda::Function", - "Description": "Take the JSON and convert it in to an raw email.", + "Description": "This Lambda organizes all the incoming emails based on the From and To field.", "Properties": { - "FunctionName": "0x4447-s3-email-outbound", + "FunctionName": "0x4447-s3-email-inbound", "Code": { "ZipFile": "exports.handler = async (event) => {return true;};" }, @@ -1061,7 +1103,7 @@ "MemorySize": 128, "Role": { "Fn::GetAtt": [ - "LambdaEmailOutboundRole", + "LambdaEmailInboundRole", "Arn" ] }, @@ -1076,21 +1118,10 @@ } } }, - "S3OutboundPermission": { - "Type": "AWS::Lambda::Permission", - "DependsOn": "LambdaEmailOutbound", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "LambdaEmailOutbound" - }, - "Principal": "s3.amazonaws.com" - } - }, - "LambdaEmailOutboundRole": { + "LambdaEmailInboundRole": { "Type": "AWS::IAM::Role", "Properties": { - "RoleName": "0x4447_s3_email_lambda_outbound", + "RoleName": "0x4447_s3_email_lambda_inbound", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ 
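Review bot: `LambdaEmailInbound` carries `Description` as a resource-level attribute next to `Type` rather than inside `Properties`; `AWS::Lambda::Function` takes `Description` as a property, so at that level it is either rejected by template validation or silently dropped, and the deployed function ends up without it. Move the line under `Properties`, e.g. directly after `"FunctionName": "0x4447-s3-email-inbound",`. The moved `LambdaEmailOutbound` in the hunk at -1494 has the same layout.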
@@ -1108,13 +1139,24 @@ ] } }, - "LambdaEmailOutboundPolicyS3": { + "S3InboundPermission": { + "Type": "AWS::Lambda::Permission", + "DependsOn": "LambdaEmailInbound", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Ref": "LambdaEmailInbound" + }, + "Principal": "s3.amazonaws.com" + } + }, + "LambdaEmailInboundPolicyS3": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "S3_access", "Roles": [ { - "Ref": "LambdaEmailOutboundRole" + "Ref": "LambdaEmailInboundRole" } ], "PolicyDocument": { @@ -1136,13 +1178,13 @@ } } }, - "LambdaEmailOutboundPolicySES": { + "LambdaEmailInboundPolicySES": { "Type": "AWS::IAM::Policy", "Properties": { - "PolicyName": "ses", + "PolicyName": "ses_access", "Roles": [ { - "Ref": "LambdaEmailOutboundRole" + "Ref": "LambdaEmailInboundRole" } ], "PolicyDocument": { @@ -1150,17 +1192,17 @@ "Statement": [ { "Effect": "Allow", - "Action": "ses:SendRawEmail", + "Action": "ses:ListIdentities", "Resource": "*" } ] } } }, - "PipelineInbound": { + "PipelineOutbound": { "Type": "AWS::CodePipeline::Pipeline", "Properties": { - "Name": "0x4447_s3_email_lambda_inbound", + "Name": "0x4447_s3_email_lambda_outbound", "ArtifactStore": { "Location": { "Ref": "CodePipelineBucketName" @@ -1169,7 +1211,7 @@ }, "RoleArn": { "Fn::GetAtt": [ - "PipelineInboundRole", + "PipelineOutboundRole", "Arn" ] }, @@ -1188,7 +1230,7 @@ }, "Configuration": { "Owner": "0x4447", - "Repo": "0x4447-product-s3-email-lambda-inbound", + "Repo": "0x4447-product-s3-email-lambda-outbound", "Branch": { "Ref": "Stage" }, @@ -1218,7 +1260,7 @@ ], "Configuration": { "ProjectName": { - "Ref": "CodeBuildInbound" + "Ref": "CodeBuildOutbound" } }, "ActionTypeId": { @@ -1233,13 +1275,13 @@ ] } }, - "PipelineInboundPolicy": { + "PipelineOutboundPolicy": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "default", "Roles": [ { - "Ref": "PipelineInboundRole" + "Ref": "PipelineOutboundRole" } ], "PolicyDocument": { 
@@ -1389,10 +1431,10 @@ } } }, - "PipelineInboundRole": { + "PipelineOutboundRole": { "Type": "AWS::IAM::Role", "Properties": { - "RoleName": "0x4447_s3_email_codepipeline_inbound", + "RoleName": "0x4447_s3_email_codepipeline_outbound", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ 
@@ -1407,86 +1449,83 @@ } } }, - "LambdaEmailInboundRole": { + "CodeBuildOutboundRole": { "Type": "AWS::IAM::Role", "Properties": { - "RoleName": "0x4447_s3_email_lambda_inbound", + "RoleName": "0x4447_s3_email_codebuild_outbound", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { - "Service": "lambda.amazonaws.com" + "Service": "codebuild.amazonaws.com" }, "Action": "sts:AssumeRole" } ] - }, - "ManagedPolicyArns": [ - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ] - } - }, - "S3InboundPermission": { - "Type": "AWS::Lambda::Permission", - "DependsOn": "LambdaEmailInbound", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "LambdaEmailInbound" - }, - "Principal": "s3.amazonaws.com" + } } }, - "LambdaEmailInbound": { - "Type": "AWS::Lambda::Function", - "Description": "This Lambda organizes all the incoming emails based on the From and To field.", + "CodeBuildOutbound": { + "Type": "AWS::CodeBuild::Project", "Properties": { - "FunctionName": "0x4447-s3-email-inbound", - "Code": { - "ZipFile": "exports.handler = async (event) => {return true;};" - }, - "Handler": "index.handler", - "MemorySize": 128, - "Role": { + "Name": "0x4447_s3_email_outbound", + "ServiceRole": { "Fn::GetAtt": [ - "LambdaEmailInboundRole", + "CodeBuildOutboundRole", "Arn" ] }, - "Runtime": "nodejs8.10", - "Timeout": 60, + "TimeoutInMinutes": 60, + "Source": { + "Type": "CODEPIPELINE", + "BuildSpec": "buildspec.yml" + }, + "Artifacts": { + "Type": "CODEPIPELINE" + }, "Environment": { - "Variables": { - "BUCKET": { - "Ref": "EmailRestingPlace" + "Type": "LINUX_CONTAINER", + "ComputeType": "BUILD_GENERAL1_SMALL", + "Image": "aws/codebuild/nodejs:8.11.0", + "EnvironmentVariables": [ + { + "Name": "FUNCTION_NAME", + "Type": "PLAINTEXT", + "Value": { + "Ref": "LambdaEmailOutbound" + } } - } + ] } } }, - "LambdaEmailInboundPolicyS3": { + "CodeBuildOutboundPolicyCWL": { "Type": 
"AWS::IAM::Policy", "Properties": { - "PolicyName": "S3_access", "Roles": [ { - "Ref": "LambdaEmailInboundRole" + "Ref": "CodeBuildOutboundRole" } ], + "PolicyName": "cloud_watch_log_access", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", - "Action": "s3:*", + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], "Resource": [ { - "Fn::Sub": "arn:aws:s3:::${S3Email}" + "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/0x4447_s3_email_outbound" }, { - "Fn::Sub": "arn:aws:s3:::${S3Email}/*" + "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/0x4447_s3_email_outbound:*" } ] } 
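Review bot: `CodeBuildOutbound` pins `"Image": "aws/codebuild/nodejs:8.11.0"`, a language-specific curated image from the family AWS has since retired in favour of `aws/codebuild/standard:*`, so builds may fail once the image is no longer served; `LambdaEmailOutbound` in the hunk at -1494 pins `"Runtime": "nodejs8.10"`, which Lambda has likewise deprecated and no longer accepts when creating a function. Both values are moved rather than introduced here, but since the commit already reorganises every resource this is the natural point to bump them. Verify the exact replacement image and runtime against the current curated-image and runtime lists rather than against this note.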
@@ -1494,152 +1533,155 @@ } } }, - "LambdaEmailInboundPolicySES": { + "CodeBuildOutboundPolicyS3": { "Type": "AWS::IAM::Policy", "Properties": { - "PolicyName": "ses_access", "Roles": [ { - "Ref": "LambdaEmailInboundRole" + "Ref": "CodeBuildOutboundRole" } ], + "PolicyName": "s3_access", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", - "Action": "ses:ListIdentities", - "Resource": "*" + "Action": "s3:*", + "Resource": { + "Fn::Sub": "arn:aws:s3:::${CodePipelineBucketName}/*" + } } ] } } }, - "CodeBuildInboundRole": { - "Type": "AWS::IAM::Role", + "CodeBuildOutboundPolicyLambdaUpdate": { + "Type": "AWS::IAM::Policy", "Properties": { - "RoleName": "0x4447_s3_email_codebuild_inbound", - "AssumeRolePolicyDocument": { + "Roles": [ + { + "Ref": "CodeBuildOutboundRole" + } + ], + "PolicyName": "update_lambda_code", + "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - }, - "Action": "sts:AssumeRole" + "Action": "lambda:UpdateFunctionCode", + "Resource": { + "Fn::Sub": "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${LambdaEmailOutbound}" + } } ] } } }, - "CodeBuildInbound": { - "Type": "AWS::CodeBuild::Project", + "LambdaEmailOutbound": { + "Type": "AWS::Lambda::Function", + "Description": "Take the JSON and convert it in to an raw email.", "Properties": { - "Name": "0x4447_s3_email_inbound", - "ServiceRole": { + "FunctionName": "0x4447-s3-email-outbound", + "Code": { + "ZipFile": "exports.handler = async (event) => {return true;};" + }, + "Handler": "index.handler", + "MemorySize": 128, + "Role": { "Fn::GetAtt": [ - "CodeBuildInboundRole", + "LambdaEmailOutboundRole", "Arn" ] }, - "TimeoutInMinutes": 60, - "Source": { - "Type": "CODEPIPELINE", - "BuildSpec": "buildspec.yml" - }, - "Artifacts": { - "Type": "CODEPIPELINE" - }, + "Runtime": "nodejs8.10", + "Timeout": 60, "Environment": { - "Type": "LINUX_CONTAINER", - "ComputeType": 
"BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/nodejs:8.11.0", - "EnvironmentVariables": [ - { - "Name": "FUNCTION_NAME", - "Type": "PLAINTEXT", - "Value": { - "Ref": "LambdaEmailInbound" - } + "Variables": { + "BUCKET": { + "Ref": "EmailRestingPlace" } - ] + } } } }, - "CodeBuildDeployPolicyCWL": { - "Type": "AWS::IAM::Policy", + "LambdaEmailOutboundRole": { + "Type": "AWS::IAM::Role", "Properties": { - "Roles": [ - { - "Ref": "CodeBuildInboundRole" - } - ], - "PolicyName": "cloud_watch_log_access", - "PolicyDocument": { + "RoleName": "0x4447_s3_email_lambda_outbound", + "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Resource": [ - { - "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/0x4447_s3_email_inbound" - }, - { - "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/0x4447_s3_email_inbound:*" - } - ] + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Action": "sts:AssumeRole" } ] - } + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] } }, - "CodeBuildDeployPolicyS3": { + "S3OutboundPermission": { + "Type": "AWS::Lambda::Permission", + "DependsOn": "LambdaEmailOutbound", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Ref": "LambdaEmailOutbound" + }, + "Principal": "s3.amazonaws.com" + } + }, + "LambdaEmailOutboundPolicyS3": { "Type": "AWS::IAM::Policy", "Properties": { + "PolicyName": "S3_access", "Roles": [ { - "Ref": "CodeBuildInboundRole" + "Ref": "LambdaEmailOutboundRole" } ], - "PolicyName": "s3_access", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:*", - "Resource": { - "Fn::Sub": "arn:aws:s3:::${CodePipelineBucketName}/*" - } + "Resource": [ + { + "Fn::Sub": "arn:aws:s3:::${S3Email}" + }, + { + "Fn::Sub": 
"arn:aws:s3:::${S3Email}/*" + } + ] } ] } } }, - "CodeBuildDeployPolicyLambdaUpdate": { + "LambdaEmailOutboundPolicySES": { "Type": "AWS::IAM::Policy", "Properties": { + "PolicyName": "ses", "Roles": [ { - "Ref": "CodeBuildInboundRole" + "Ref": "LambdaEmailOutboundRole" } ], - "PolicyName": "update_lambda_code", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", - "Action": "lambda:UpdateFunctionCode", - "Resource": { - "Fn::Sub": "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${LambdaEmailInbound}" - } + "Action": "ses:SendRawEmail", + "Resource": "*" } ] } diff --git a/README.md b/README.md index 328c0af..288e543 100644 --- a/README.md +++ b/README.md @@ -50,6 +50,7 @@ The stack takes advantage of AWS S3, AWS SES, AWS Lambda, and the AWS Trigger sy - 3x CodePipelines - 3x CodeBuilds - 3x Lambdas +- 1x IAM Group All project resources can be found [here](https://github.com/topics/0x4447-product-s3-email). @@ -84,6 +85,10 @@ Deployment creates SES `rule sets`. This should be enabled by default, but it do 1. Check `0x4447_S3_Email` on the `Inactive Rule Sets` tab. 1. Hit `Set as Active Rule Set` to activate the rule. +### Attach user to the IAM Group + +After the stack is deployed you get a IAM Group with the bare minimum policy to allow to access the S3 Bucket with the emails. Use this group to give access to your IAM user to S3 Email. + # SES Limitations There are two major limitations with SES:
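Review bot: `LambdaEmailOutboundPolicyS3` grants `s3:*` on the mailbox bucket and its objects and `LambdaEmailOutboundPolicySES` grants `ses:SendRawEmail` on `"*"`, so a bug or compromise in the outbound function could delete or re-ACL the whole bucket and send mail from any verified identity in the account; the inbound counterparts `LambdaEmailInboundPolicyS3` (hunk at -1108) and `LambdaEmailInboundPolicySES` (hunk at -1136) have the same `s3:*` / `"*"` shape. Which S3 actions the real code needs is not visible here (the template ships a stub `ZipFile`), so the `Action` list should be taken from the function's code, and the SES `Resource` can be narrowed to the sending identity, e.g. `"Fn::Sub": "arn:aws:ses:${AWS::Region}:${AWS::AccountId}:identity/<sending-domain>"` (placeholder). The `PolicyName` values also disagree in case between `S3_access` here and `s3_access` on the CodeBuild policies.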