Policy to lock down s3 bucket

s3.tf

@@ -9,3 +9,40 @@ resource "aws_s3_bucket_versioning" "transponder-data-versioning" {
   }
 }
 
+data "aws_iam_policy_document" "transponder-data-policy" {
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["athena.amazonaws.com"]
+    }
+    actions = [
+      "s3:GetObject",
+      "s3:ListBucket",
+    ]
+    resources = [
+      aws_s3_bucket.transponder-data.arn,
+      "${aws_s3_bucket.transponder-data.arn}/*",
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [aws_lambda_function.metrics.arn]
+    }
+    actions = [
+      "s3:PutObject",
+    ]
+    resources = [
+      aws_s3_bucket.transponder-data.arn,
+      "${aws_s3_bucket.transponder-data.arn}/*",
+    ]
+  }
+}
+
+resource "aws_s3_bucket_policy" "transponder-data" {
+  bucket = aws_s3_bucket.transponder-data.id
+  policy = data.aws_iam_policy_document.transponder-data-policy.json
+}