Set up OAC between CloudFront and your bucket with aws:SourceArn.
External ID policy review
Granting 3rd parties access to your AWS resources via roles should always use external ID condition. If a vendor asks you to provision an IAM user with access + secret key in 2023, they're doing it wrong. External IDs
AWS managed polices: Lambda Basic Execution Role
The AWSLambdaBasicExecutionRole is an AWS managed policy, and one of the most common managed policies you should consider using, at least for quick development; it's the minimum amount of permissions to see what your AWS Lambda functions are
Deny all external principals assume role
This interesting policy question on re:Post about how you can prevent principals outside of an AWS organization from assuming a role in your organization. The asker originally requests an SCP to do this, but SCPs cannot apply to principals
AWS SAM policy templates
A feature I think everyone (including myself!) should use more is AWS Serverless Application Model (SAM) policy templates. This approach is a great example of "syntactic sugar" that characterises the AWS SAM approach. As an example, a frequent
AWS IAM Policy Review 1
Why doesn't this policy work with this condition?
Block expensive AWS actions with SCPs
Block expensive and long-running AWS API calls by denying AWS IAM actions.
Get the most out of the AWS documentation
There's a lot of AWS documentation (and more every day!), so use these tips to help get the most out of the official AWS documentation as quickly as possible.