## Description
I have trouble using the serverless-clamscan since I'm using an existing bucket with encryption as source bucket. serverless-clamscan lambda execution role doesn't have kms:Decrypt right for the key used to encrypt my source bucket files.
## Solution ?
Shouldn't that be automatically handled by the lib on addSourceBucket method ? Along with that part of the code:
bucket.grantRead(this._scanFunction);
this._scanFunction.addToRolePolicy(
new PolicyStatement({
effect: Effect.ALLOW,
actions: ['s3:GetObjectTagging', 's3:GetObjectVersionTagging', 's3:PutObjectTagging', 's3:PutObjectVersionTagging'],
resources: [bucket.arnForObjects('*')],
}),
);
If you're ok with that, I could make a PR in order to get the key ARN used on that sourceBucket. Then I would use the addToRolePolicy to authorize kms:Decrypt on that key.
Error on Cloudwatch
[ERROR] Exception:
{
"source": "serverless-clamscan",
"input_bucket": "*********",
"input_key": "************************",
"status": "ERROR",
"message": "User: arn:aws:sts::************:assumed-role/*****ClamscanServerles-*****/ClamavStack-ClamscanServerle-***** is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:*:************:key/************** because no identity-based policy allows the kms:Decrypt action"
}
## Description
I have trouble using the serverless-clamscan since I'm using an existing bucket with encryption as source bucket. serverless-clamscan lambda execution role doesn't have kms:Decrypt right for the key used to encrypt my source bucket files.
## Solution ?
Shouldn't that be automatically handled by the lib on
addSourceBucketmethod ? Along with that part of the code:If you're ok with that, I could make a PR in order to get the key ARN used on that sourceBucket. Then I would use the
addToRolePolicyto authorize kms:Decrypt on that key.Error on Cloudwatch