Update: [AEA-5930] - Add S3 Policies (#292)

## Summary

- Add Policies for modifying buckets

Author: kieran-wilkinson-4

packages/cdk/constructs/S3Bucket.ts

@@ -8,11 +8,19 @@ import {
   CfnBucket,
   CfnBucketPolicy
 } from "aws-cdk-lib/aws-s3"
-import {Key} from "aws-cdk-lib/aws-kms"
+import {CfnKey, Key} from "aws-cdk-lib/aws-kms"
+import {
+  AccountRootPrincipal,
+  Effect,
+  IPrincipal,
+  PolicyDocument,
+  PolicyStatement
+} from "aws-cdk-lib/aws-iam"
 
 export interface S3BucketProps {
   readonly bucketName: string
   readonly versioned: boolean
+  readonly deploymentRole: IPrincipal
 }
 
 export class S3Bucket extends Construct {
@@ -40,6 +48,53 @@ export class S3Bucket extends Construct {
       objectOwnership: ObjectOwnership.BUCKET_OWNER_ENFORCED
     })
 
+    // Adding full deployment roles to this bucket
+    const deploymentPolicy = new PolicyStatement({
+      effect: Effect.ALLOW,
+      principals: [props.deploymentRole],
+      actions: [
+        "s3:Abort*",
+        "s3:GetBucket*",
+        "s3:GetObject*",
+        "s3:List*",
+        "s3:PutObject",
+        "s3:PutObjectLegalHold",
+        "s3:PutObjectRetention",
+        "s3:PutObjectTagging",
+        "s3:PutObjectVersionTagging"
+      ],
+      resources: [
+        bucket.bucketArn,
+        bucket.arnForObjects("*")
+      ]
+    })
+
+    const accountRootPrincipal = new AccountRootPrincipal()
+    const kmsPolicy = new PolicyDocument({
+      statements: [
+        new PolicyStatement({
+          effect: Effect.ALLOW,
+          principals: [accountRootPrincipal],
+          actions: ["kms:*"],
+          resources: ["*"]
+        }),
+        new PolicyStatement({
+          effect: Effect.ALLOW,
+          principals: [props.deploymentRole],
+          actions: [
+            "kms:Encrypt",
+            "kms:GenerateDataKey*"
+          ],
+          resources:["*"]
+        })
+      ]
+    })
+
+    bucket.addToResourcePolicy(deploymentPolicy)
+
+    const contentBucketKmsKey = (kmsKey.node.defaultChild as CfnKey)
+    contentBucketKmsKey.keyPolicy = kmsPolicy.toJSON()
+
     const cfnBucket = bucket.node.defaultChild as CfnBucket
     cfnBucket.cfnOptions.metadata = {
       ...cfnBucket.cfnOptions.metadata,

packages/cdk/resources/Storage.ts

@@ -1,8 +1,10 @@
 import {Construct} from "constructs"
 import {S3Bucket} from "../constructs/S3Bucket"
+import {IPrincipal} from "aws-cdk-lib/aws-iam"
 
 export interface StorageProps {
-  readonly stackName: string
+  readonly stackName: string,
+  readonly deploymentRole: IPrincipal
 }
 
 export class Storage extends Construct {
@@ -14,7 +16,9 @@ export class Storage extends Construct {
     // Create S3 bucket for knowledge base documents with encryption
     this.kbDocsBucket = new S3Bucket(this, "DocsBucket", {
       bucketName: `${props.stackName}-Docs`,
-      versioned: true
+      versioned: true,
+      deploymentRole: props.deploymentRole
     })
+
   }
 }

packages/cdk/stacks/EpsAssistMeStack.ts

@@ -33,6 +33,7 @@ export class EpsAssistMeStack extends Stack {
 
     // imports
     const mainSlackBotLambdaExecutionRoleArn = Fn.importValue("epsam:lambda:SlackBot:ExecutionRole:Arn")
+    const deploymentRoleImport = Fn.importValue("ci-resources:CloudFormationDeployRole")
     // regression testing needs direct lambda invoke — bypasses slack webhooks entirely
     const regressionTestRoleArn = Fn.importValue("ci-resources:AssistMeRegressionTestRole")
 
@@ -50,6 +51,7 @@ export class EpsAssistMeStack extends Stack {
     const slackSigningSecret: string = this.node.tryGetContext("slackSigningSecret")
 
     const cdkExecRole = Role.fromRoleArn(this, "CdkExecRole", cdkExecRoleArn)
+    const deploymentRole = Role.fromRoleArn(this, "deploymentRole", deploymentRoleImport)
 
     if (!slackBotToken || !slackSigningSecret) {
       throw new Error("Missing required context variables. Please provide slackBotToken and slackSigningSecret")
@@ -78,7 +80,8 @@ export class EpsAssistMeStack extends Stack {
 
     // Create Storage construct first as it has no dependencies
     const storage = new Storage(this, "Storage", {
-      stackName: props.stackName
+      stackName: props.stackName,
+      deploymentRole: deploymentRole
     })
 
     // Create Bedrock execution role without dependencies