IAM policies for Custom Resource Lambda functions

[jstrunk]

Should Custom Resource Lambdas have policies for update and delete that depend on the resources they create, or is it sufficient to grant update and delete permissions to a specific type of resource in the region and account?

I attempted the first in the Bedrock constructs. I encountered a strange AuthorizationError race condition when the custom resource code is written in Python with boto3, but not with the JavaScript SDK.

For example, the S3 Data Source custom resource policy:

generative-ai-cdk-constructs/src/cdk-lib/bedrock/s3-data-source.ts

Lines 162 to 188 in 36401ac

	const dataSourceCRPolicy = new iam.Policy(this, 'DataSourceCRPolicy', {
	roles: [crProvider.role],
	statements: [
	new iam.PolicyStatement({
	actions: [
	'bedrock:CreateDataSource',
	'bedrock:DeleteDataSource',
	'bedrock:UpdateDataSource',
	],
	resources: [
	/** A weird race condition makes CreateDataSource fail due to permissions on the first attempt.
	* A wildcard allows CFN to deploy this policy earlier and avoid the race. */
	cdk.Stack.of(this).formatArn({
	service: 'bedrock',
	resource: 'knowledge-base',
	resourceName: '*',
	arnFormat: cdk.ArnFormat.SLASH_RESOURCE_NAME,
	}),
	// knowledgeBase.knowledgeBaseArn,
	],
	}),
	new iam.PolicyStatement({
	actions: ['s3:GetObject', 's3:ListBucket'],
	resources: [bucket.bucketArn, `${bucket.bucketArn}/*`],
	}),
	],
	});

It could better follow least privileges by using line 180 instead of lines 174-179, but that also means there would be a policy for each resource created by the custom resource provider and many updates to the policies during stack execution.

The code would be simpler if all of the policies were defined at the time of creation of the custom resource provider and allow for actions on specific types of resources in the account and region.

What is preferred?