How to create a cloud watch alarm when an S3 bucket is created without encryption in AWS.
either manually or through a cloudformation template.
1- A Config rule that checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption. and here is a CloudFormation template to create it:
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
ConfigRule:
Type: "AWS::Config::ConfigRule"
Properties:
ConfigRuleName: "s3-bucket-server-side-encryption-enabled"
Scope:
ComplianceResourceTypes:
- "AWS::S3::Bucket"
Description: "A Config rule that checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption."
Source:
Owner: "AWS"
SourceIdentifier: "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
Parameters: {}
Metadata: {}
Conditions: {}
2- Use an EventBridge rule with a custom event pattern to match an AWS Config evaluation rule output as NON_COMPLIANT. Then, route the response to an SNS topic
And Finally to enforce s3 encryption, you can create SCP policy that requires that all Amazon S3 buckets use AES256 encryption:
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
ScpPolicy:
Type: "Custom::ServiceControlPolicy"
Properties:
PolicyName: "scp_s3_encryption"
PolicyDescription: "This SCP requires that all Amazon S3 buckets use AES256 encryption in an AWS Account. "
PolicyContents: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"s3:PutObject\"],\"Resource\":\"*\",\"Effect\":\"Deny\",\"Condition\":{\"StringNotEquals\":{\"s3:x-amz-server-side-encryption\":\"AES256\"}}},{\"Action\":[\"s3:PutObject\"],\"Resource\":\"*\",\"Effect\":\"Deny\",\"Condition\":{\"Bool\":{\"s3:x-amz-server-side-encryption\":false}}}]}"
ServiceToken:
Fn::GetAtt:
- "ScpResourceLambda"
- "Arn"
ScpResourceLambdaRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service: "lambda.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
Policies:
- PolicyName: "scp-access"
PolicyDocument:
Statement:
- Effect: "Allow"
Action:
- "organizations:UpdatePolicy"
- "organizations:DeletePolicy"
- "organizations:CreatePolicy"
- "organizations:ListPolicies"
Resource: "*"
ScpResourceLambda:
Type: "AWS::Lambda::Function"
Properties:
Code:
ZipFile: "\n'use strict';\nconst AWS = require('aws-sdk');\nconst response = require('cfn-response');\nconst organizations = new AWS.Organizations({region: 'us-east-1'});\n\nexports.handler = (event, context, cb) => {\n console.log('Invoke:', JSON.stringify(event));\n const done = (err, data) => {\n if (err) {\n console.log('Error: ', err);\n response.send(event, context, response.FAILED, {}, 'CustomResourcePhysicalID');\n } else {\n response.send(event, context, response.SUCCESS, {}, 'CustomResourcePhysicalID');\n }\n };\n \n const updatePolicies = (policyName, policyAction) => {\n organizations.listPolicies({\n Filter: \"SERVICE_CONTROL_POLICY\"\n }, function(err, data){\n if (err) done(err);\n else {\n const policy = data.Policies.filter((policy) => (policy.Name === policyName))\n let policyId = ''\n if (policy.length > 0) \n policyId = policy[0].Id\n else\n done('policy not found')\n if (policyAction === 'Update'){\n organizations.updatePolicy({\n Content: event.ResourceProperties.PolicyContents,\n PolicyId: policyId\n }, done)\n }\n else {\n organizations.deletePolicy({\n PolicyId: policyId\n }, done)\n }\n }\n })\n }\n \n if (event.RequestType === 'Update' || event.RequestType === 'Delete') {\n updatePolicies(event.ResourceProperties.PolicyName, event.RequestType)\n \n } else if (event.RequestType === 'Create') {\n organizations.createPolicy({\n Content: event.ResourceProperties.PolicyContents, \n Description: event.ResourceProperties.PolicyDescription, \n Name: event.ResourceProperties.PolicyName, \n Type: \"SERVICE_CONTROL_POLICY\"\n }, done);\n } else {\n cb(new Error('unsupported RequestType: ', event.RequestType));\n }\n};"
Handler: "index.handler"
MemorySize: 128
Role:
Fn::GetAtt:
- "ScpResourceLambdaRole"
- "Arn"
Runtime: "nodejs12.x"
Timeout: 120
Parameters: {}
Metadata: {}
Conditions: {}
Related
I am deploying on amazon using CI/CD pipeline using Github action.Deployed on Amazon successfully but when I run the graphql query on appsync it show that the #aws-sdk/client-dynamodb not found.
You can see the error on this image
succesfully deployed on github
I add dynamodb package on package.json
`{
"name": "Serverless-apix",
"type": "module",
"version": "1.0.0",
"description": "",
"scripts": {
"start": "sls offline start --stage local",
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC",
"dependencies": {
"#aws-sdk/client-dynamodb": "^3.215.0",
"ramda": "^0.28.0",
"serverless": "^3.24.1",
"serverless-appsync-plugin": "^1.14.0",
"serverless-iam-roles-per-function": "^3.2.0"
},
"devDependencies": {}
}`
Controller Where I call the Dynamodb
`import { PutItemCommand } from "#aws-sdk/client-dynamodb";
import { ddbClient } from "../../dynamodb/db.js";`
Db file
`import { DynamoDBClient } from "#aws-sdk/client-dynamodb";
const REGION = "us-east-1"; //e.g. "us-east-1"
// const client = new DynamoDBClient({
// // region: "us-east-1",
// // accessKeyId: "AKIA272VV64HPNKION2R",
// // secretAccessKeyId: "7IARIpa5q8ZEf0NQKKsUPTDP+oszFaw+Dd5v4s7N",
// // endpoint: "http://localhost:8000"
// region: 'localhost',
// endpoint: 'http://localhost:8000'
// });
const ddbClient = new DynamoDBClient({ region: REGION });
export { ddbClient };å`
Serverless file
`service: image-base-serverless-api
provider:
name: aws
runtime: nodejs14.x
stage: ${opt:stage, 'dev'}
region: us-east-1
environment:
# DYNAMODB_TABLE_NAME: ${self:custom.usersTableName}
STAGE: ${self:provider.stage}
REGION: ${self:provider.region}
APPSYNC_NAME: "${self:custom.defaultPrefix}-appsync"
SERVICE_NAME: ${self:service}-${self:provider.stage}
DYNAMODB: ${self:service}-${self:provider.stage}
TABLE_NAME:
Ref: usersTable
iam:
role:
statements: # permissions for all of your functions can be set here
- Effect: Allow
Action: # Gives permission to DynamoDB tables in a specific region
- dynamodb:*
- lambda:*
- s3:*
Resource:
- arn:aws:dynamodb:${self:provider.region}:*:*
- arn:aws:lambda:${self:provider.region}:*:*
- "Fn::GetAtt": [usersTable, Arn]
plugins: ${file(plugins/plugins-${self:provider.stage}.yml)}
package:
exclude:
- node_modules/**
- venv/**
custom:
usersTableName: users-table-${self:provider.stage}
dynamodb:
stages:
- local
start:
port: 8000
inMemory: false
dbPath: "dynamodb_local_data"
migrate: true
appSync:
name: image-base-serverless-backened-api-${self:provider.stage}
schema: schema.graphql
authenticationType: API_KEY
serviceRole: "AppSyncServiceRole"
mappingTemplates: ${file(appsync/mappingtemplate.yml)}
dataSources: ${file(appsync/datasource.yml)}
appsync-offline: # appsync-offline configuration
port: 62222
dynamodb:
client:
endpoint: "http://localhost:8000"
region: localhost
defaultPrefix: ${self:service}-${self:provider.stage}
functions:
- ${file(src/adminusers/admin-user-route.yml)}
resources:
# Roles
- ${file(resources/roles.yml)}
# DynamoDB tables
- ${file(resources/dynamodb-tables.yml)}
# - ${file(resources/dynamodb.yml)}
# - ${file(resources/iam.yml)}
`
I Shall be very thankfull if you help me to solve this error
I downgrade the node version and also try deploy the amazon directly and also deploy the code using CI/CD pipeline but its show the same error on each tried.I have
I created a CustomResource to call a lambda function when the CloudFormation stack is created. It fails with the following error:
Received response status [FAILED] from custom resource. Message returned: User: arn:aws:sts::<account>:assumed-role/stack-role is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:<account>:function:<lambda> because no identity-based policy allows the lambda:InvokeFunction action
This is the code in the CDK:
import * as cr from '#aws-cdk/custom-resources';
const callLambda = new cr.AwsCustomResource(this, 'MyCustomResource', {
onCreate: {
service: 'Lambda',
action: 'invoke',
region: 'us-east-1',
physicalResourceId: cr.PhysicalResourceId.of(Date.now.toString()),
parameters: {
FunctionName: `my-function`,
Payload: '{}'
},
},
policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
})
});
How can I grant permissions to the stack's assumed role so that it can perform lambda:InvokeFunction?
I solved the issue by creating a role that assumes the lambda service principal, and adding a policy statement allowing the lambda:InvokeFunction.
import * as cr from '#aws-cdk/custom-resources';
import * as iam from "#aws-cdk/aws-iam";
let role = new iam.Role(this, `my-role`, {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
});
role.addToPolicy(new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ['lambda:InvokeFunction'],
resources: ['*']
}));
const callLambda = new cr.AwsCustomResource(this, 'MyCustomResource', {
onCreate: {
service: 'Lambda',
action: 'invoke',
region: 'us-east-1',
physicalResourceId: cr.PhysicalResourceId.of(Date.now.toString()),
parameters: {
FunctionName: `my-function`,
Payload: '{}'
},
},
policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
}),
role: role as any
});
I find fromStatements works...must be some issues with fromSdkCalls
new cr.AwsCustomResource(this, 'MyCustomResource', {
onCreate: {
service: 'Lambda',
action: 'invoke',
region: 'us-east-1',
physicalResourceId: cr.PhysicalResourceId.of(Date.now.toString()),
parameters: {
FunctionName: `my-function`,
Payload: '{}'
},
},
policy: cr.AwsCustomResourcePolicy.fromStatements([
new PolicyStatement({
effect: Effect.ALLOW,
actions: ["lambda:InvokeFunction"],
resources: ["*"],
}),
])
});
Add a ResourcePolicy to your construct.
// infer the required permissions; fine-grained controls also available
policy: AwsCustomResourcePolicy.fromSdkCalls({resources: AwsCustomResourcePolicy.ANY_RESOURCE})
I'm using the Serverless Framework to create a lambda that saves a CSV to a S3 bucket.
I already have a similar lambda that does this with another bucket.
This is where it gets weird: I can upload the CSV to the first S3 bucket I created (many months back), but I'm getting an AccessDenied error when uploading the same CSV to the new S3 bucket which was, as far as I can tell, created in the exact same way as the first via the serverless.yml config.
The error is:
Error: AccessDenied: Access Denied
These are the relevant bits from the serverless.yml:
provider:
name: aws
runtime: nodejs12.x
stage: ${opt:stage, 'dev'}
region: eu-west-1
environment:
BUCKET_NEW: ${self:custom.bucketNew}
BUCKET: ${self:custom.bucket}
iam:
role:
statements:
- Effect: 'Allow'
Action: 'lambda:InvokeFunction'
Resource: '*'
- Effect: 'Allow'
Action:
- 's3:GetObject'
- 's3:PutObject'
Resource:
- 'arn:aws:s3:::*' # Added this whilst debugging
- 'arn:aws:s3:::*/*' # Added this whilst debugging
- 'arn:aws:s3:::${self:custom.bucket}'
- 'arn:aws:s3:::${self:custom.bucket}/*'
- 'arn:aws:s3:::${self:custom.bucketNew}'
- 'arn:aws:s3:::${self:custom.bucketNew}/*'
functions:
uploadReport:
handler: services/uploadReport.handler
vpc:
securityGroupIds:
- 000001
subnetIds:
- subnet-00000A
- subnet-00000B
- subnet-00000C
resources:
Resources:
Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: ${self:custom.bucket}
BucketNew:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: ${self:custom.bucketNew}
custom:
stage: ${opt:stage, 'dev'}
bucket: ${self:service}-${self:custom.stage}-report
bucketNew: ${self:service}-${self:custom.stage}-report-new
Lambda code (simplified):
const fs = require('fs')
const AWS = require('aws-sdk')
const S3 = new AWS.S3({
httpOptions: {
connectTimeout: 1000,
},
})
const uploadToS3 = (params) => new Promise((resolve, reject) => {
S3.putObject(params, err => (err ? reject(err) : resolve(params.Key)))
})
module.exports.handler = async () => {
const fileName = `report-new.csv`
const filePath = `/tmp/${fileName}`
// Some code that creates a CSV file at filePath.
const bucketParams = {
Bucket: process.env.BUCKET_NEW, // Works for process.env.BUCKET, but not process.env.BUCKET_NEW.
Key: fileName,
Body: fs.readFileSync(filePath).toString('utf-8'),
}
try {
const s3Upload = await uploadToS3(bucketParams)
} catch (e) {
throw new Error(e) // Throws Error: AccessDenied: Access Denied.
}
}
Found the solution but it's my own mistake. My lambda was actually within a VPC. My original question (before the edit) did not show this.
Lambda in a VPC can't talk with S3 buckets unless the VPC has an Endpoint Gateway that enables it to talk with any specifically referenced buckets.
I had previously created an Endpoint Gateway that let it talk with the initial bucket I created a while back, but forgot to update the Endpoint Gateway to let it talk to the new bucket.
Leaving this answer here unless anyone else spends an entire day trying to fix something silly.
I think you are likely missing some permissions I often use "s3:Put*" on my serverless applications which may not be advisable since it is so broad.
Here is a minimum list of permissions required to upload an object I found here What minimum permissions should I set to give S3 file upload access?
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObjectAcl",
"s3:ListBucket",
"s3:GetBucketLocation"
I have setup an API Gateway (v1, not v2) REST API resource using CloudFormation template. Recently I have noticed that the default execute-api endpoint is also created, which I can disable in the settings.
The type of this API is AWS::ApiGateway::RestApi.
Naturally, I would like this to be done through the template, so the question is: can this setting be defined in the CloudFormation template, rather than havign to be clicked manually in the AWS Console? This option is available for the APIGateway V2 API resource (AWS::ApiGatewayV2::Api) but not the APIGateway V1 REST API resource (AWS::ApiGateway::RestApi) in the CloudFormation templates, even though it can be changed manuall for the APIGateway V1 REST API in the console.
There is also a CLI way of doing this for the AWS::ApiGateway::RestApi.
Here are some links I have used to search for this setting:
AWS::ApiGatewayV2::API
AWS::ApiGateway::RestApi
Disabling default api-execute endpoint via CLI
Support for disabling the default execute-api endpoint has recently been added to AWS::ApiGateway::RestApi cloudformation: DisableExecuteApiEndpoint
MyRestApi:
Type: 'AWS::ApiGateway::RestApi'
Properties:
DisableExecuteApiEndpoint: true
You can disable it though a simple custom resource. Below is an example of such a fully working template that does that:
Resources:
MyRestApi:
Type: 'AWS::ApiGateway::RestApi'
Properties:
Description: A test API
Name: MyRestAPI
LambdaBasicExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
MyCustomResource:
Type: Custom::DisableDefaultApiEndpoint
Properties:
ServiceToken: !GetAtt 'MyCustomFunction.Arn'
APIId: !Ref 'MyRestApi'
MyCustomFunction:
Type: AWS::Lambda::Function
Properties:
Handler: index.lambda_handler
Description: "Disable default API endpoint"
Timeout: 30
Role: !GetAtt 'LambdaBasicExecutionRole.Arn'
Runtime: python3.7
Code:
ZipFile: |
import json
import logging
import cfnresponse
import boto3
logger = logging.getLogger()
logger.setLevel(logging.INFO)
client = boto3.client('apigateway')
def lambda_handler(event, context):
logger.info('got event {}'.format(event))
try:
responseData = {}
if event['RequestType'] in ["Create"]:
APIId = event['ResourceProperties']['APIId']
response = client.update_rest_api(
restApiId=APIId,
patchOperations=[
{
'op': 'replace',
'path': '/disableExecuteApiEndpoint',
'value': 'True'
}
]
)
logger.info(str(response))
cfnresponse.send(event, context,
cfnresponse.SUCCESS, responseData)
else:
logger.info('Unexpected RequestType!')
cfnresponse.send(event, context,
cfnresponse.SUCCESS, responseData)
except Exception as err:
logger.error(err)
responseData = {"Data": str(err)}
cfnresponse.send(event,context,
cfnresponse.FAILED,responseData)
return
In case anyone stumbles across this answer that is using CDK, this can be done concisely (without defining a Lambda function) using the AwsCustomResource construct:
const restApi = new apigw.RestApi(...);
const executeApiResource = new cr.AwsCustomResource(this, "execute-api-resource", {
functionName: "disable-execute-api-endpoint",
onCreate: {
service: "APIGateway",
action: "updateRestApi",
parameters: {
restApiId: restApi.restApiId,
patchOperations: [{
op: "replace",
path: "/disableExecuteApiEndpoint",
value: "True"
}]
},
physicalResourceId: cr.PhysicalResourceId.of("execute-api-resource")
},
policy: cr.AwsCustomResourcePolicy.fromStatements([new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ["apigateway:PATCH"],
resources: ["arn:aws:apigateway:*::/*"],
})])
});
executeApiResource.node.addDependency(restApi);
You can disable it in AWS CDK. This is done by finding the CloudFormation resource and setting it to true.
const api = new apigateway.RestApi(this, 'api', );
(api.node.children[0] as apigateway.CfnRestApi).addPropertyOverride('DisableExecuteApiEndpoint','true')
Here is a Python variant of the answer provided by snorberhuis.
rest_api = apigateway.RestApi(self,...)
cfn_apigw = rest_api.node.default_child
cfn_apigw.add_property_override('DisableExecuteApiEndpoint', True)
Amazon's docs on "Abstractions and Escape Hatches" is very good for understanding what's going on here.
I am working with AWS Textract and I want to analyze a multipage document, therefore I have to use the async options, so I first used startDocumentAnalysisfunction and I got a JobId as the return, But it needs to trigger a function that I have set to trigger when the SNS topic got a message.
These are my serverless file and handler file.
provider:
name: aws
runtime: nodejs8.10
stage: dev
region: us-east-1
iamRoleStatements:
- Effect: "Allow"
Action:
- "s3:*"
Resource: { "Fn::Join": ["", ["arn:aws:s3:::${self:custom.secrets.IMAGE_BUCKET_NAME}", "/*" ] ] }
- Effect: "Allow"
Action:
- "sts:AssumeRole"
- "SNS:Publish"
- "lambda:InvokeFunction"
- "textract:DetectDocumentText"
- "textract:AnalyzeDocument"
- "textract:StartDocumentAnalysis"
- "textract:GetDocumentAnalysis"
Resource: "*"
custom:
secrets: ${file(secrets.${opt:stage, self:provider.stage}.yml)}
functions:
routes:
handler: src/functions/routes/handler.run
events:
- s3:
bucket: ${self:custom.secrets.IMAGE_BUCKET_NAME}
event: s3:ObjectCreated:*
textract:
handler: src/functions/routes/handler.detectTextAnalysis
events:
- sns: "TextractTopic"
resources:
Resources:
TextractTopic:
Type: AWS::SNS::Topic
Properties:
DisplayName: "Start Textract API Response"
TopicName: TextractResponseTopic
Handler.js
module.exports.run = async (event) => {
const uploadedBucket = event.Records[0].s3.bucket.name;
const uploadedObjetct = event.Records[0].s3.object.key;
var params = {
DocumentLocation: {
S3Object: {
Bucket: uploadedBucket,
Name: uploadedObjetct
}
},
FeatureTypes: [
"TABLES",
"FORMS"
],
NotificationChannel: {
RoleArn: 'arn:aws:iam::<accont-id>:role/qvalia-ocr-solution-dev-us-east-1-lambdaRole',
SNSTopicArn: 'arn:aws:sns:us-east-1:<accont-id>:TextractTopic'
}
};
let textractOutput = await new Promise((resolve, reject) => {
textract.startDocumentAnalysis(params, function(err, data) {
if (err) reject(err);
else resolve(data);
});
});
}
I manually published an sns message to the topic and then it is firing the textract lambda, which currently has this,
module.exports.detectTextAnalysis = async (event) => {
console.log('SNS Topic isssss Generated');
console.log(event.Records[0].Sns.Message);
};
What is the mistake that I have and why the textract startDocumentAnalysis is not publishing a message and making it trigger the lambda?
Note: I haven't use the startDocumentTextDetection before using the startTextAnalysis function, though it is not necessary to call it before this.
Make sure you have in your Trusted Relationships of the role you are using:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com",
"textract.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
The SNS Topic name must be AmazonTextract
At the end your arn should look this:
arn:aws:sns:us-east-2:111111111111:AmazonTextract
I was able got this working directly via Serverless Framework by adding a Lambda execution resource to my serverless.yml file:
resources:
Resources:
IamRoleLambdaExecution:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
- textract.amazonaws.com
Action: sts:AssumeRole
And then I just used the same role generated by Serverless (for the lambda function) as the notification channel role parameter when starting the Textract document analysis:
Thanks to this this post for pointing me in the right direction!
For anyone using the CDK in TypeScript, you will need to add Lambda as a ServicePrincipal as usual to the Lambda Execution Role. Next, access the assumeRolePolicy of the execution role and call the addStatements method.
The basic execution role without any additional statement (add those later)
this.executionRole = new iam.Role(this, 'ExecutionRole', {
assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
});
Next, add Textract as an additional ServicePrincipal
this.executionRole.assumeRolePolicy?.addStatements(
new PolicyStatement({
principals: [
new ServicePrincipal('textract.amazonaws.com'),
],
actions: ['sts:AssumeRole']
})
);
Also, ensure the execution role has full permissions on the target SNS topic (note the topic is created already and accessed via fromTopicArn method)
const stmtSNSOps = new PolicyStatement({
effect: iam.Effect.ALLOW,
actions: [
"SNS:*"
],
resources: [
this.textractJobStatusTopic.topicArn
]
});
Add the policy statement to a global policy (within the active stack)
this.standardPolicy = new iam.Policy(this, 'Policy', {
statements: [
...
stmtSNSOps,
...
]
});
Finally, attach the policy to the execution role
this.executionRole.attachInlinePolicy(this.standardPolicy);
If you have your bucket encrypted you should grant kms permissions, otherwise it won't work