From 904994fe83ce4c1e3017654464478b62b19cd2b9 Mon Sep 17 00:00:00 2001
From: Nick Dumas
Date: Sun, 1 Jun 2025 19:45:12 -0400
Subject: [PATCH] Policy to lock down s3 bucket

---
 s3.tf | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/s3.tf b/s3.tf
index 32f96cb..c2edf9e 100644
--- a/s3.tf
+++ b/s3.tf
@@ -9,3 +9,40 @@ resource "aws_s3_bucket_versioning" "transponder-data-versioning" {
   }
 }
 
+data "aws_iam_policy_document" "transponder-data-policy" {
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["athena.amazonaws.com"]
+    }
+    actions = [
+      "s3:GetObject",
+      "s3:ListBucket",
+    ]
+    resources = [
+      aws_s3_bucket.transponder-data.arn,
+      "${aws_s3_bucket.transponder-data.arn}/*",
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [aws_lambda_function.metrics.arn]
+    }
+    actions = [
+      "s3:PutObject",
+    ]
+    resources = [
+      aws_s3_bucket.transponder-data.arn,
+      "${aws_s3_bucket.transponder-data.arn}/*",
+    ]
+  }
+}
+
+resource "aws_s3_bucket_policy" "transponder-data" {
+  bucket = aws_s3_bucket.transponder-data.id
+  policy = data.aws_iam_policy_document.transponder-data-policy.json
+}
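Review bot: The second statement's principal is `aws_lambda_function.metrics.arn`, but a Lambda function ARN is not a valid `AWS` principal in a bucket policy — the function accesses S3 through its execution role, so the statement should reference that role instead, e.g. `identifiers = [aws_lambda_function.metrics.role]`, and as written it is likely to be rejected on apply as an invalid principal. The Athena service-principal statement carries no condition, so it would be worth scoping it with `condition { test = "StringEquals" variable = "aws:SourceAccount" values = ["<ACCOUNT_ID placeholder>"] }` to avoid the confused-deputy pattern, and confirming that a service-principal grant is needed at all, since standard Athena queries read S3 with the caller's own identity. The actions and resources are also crossed: `s3:ListBucket` only applies to the bucket ARN while `s3:GetObject`/`s3:PutObject` only apply to `${aws_s3_bucket.transponder-data.arn}/*`, so splitting each action onto the resource it actually governs keeps the policy minimal and readable. Finally, both statements are `Allow`, so this policy only adds grants and does not by itself "lock down" the bucket as the subject suggests; an `aws_s3_bucket_public_access_block` or explicit `Deny` statements (for example on `aws:SecureTransport = false`) would be needed for that.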