Remove unnecessary bucket permission to invoke sync Lambda function

Author: kris-szlapa

packages/cdk/nagSuppressions.ts

@@ -49,25 +49,6 @@ export const nagSuppressions = (stack: Stack) => {
     ]
   )
 
-  // Suppress S3 wildcard permissions for SyncKnowledgeBase Lambda default policy
-  safeAddNagSuppression(
-    stack,
-    "/EpsAssistMeStack/Functions/SyncKnowledgeBaseFunction/LambdaRole/DefaultPolicy/Resource",
-    [
-      {
-        id: "AwsSolutions-IAM5",
-        reason: "S3 wildcard permissions are required for Lambda to read from knowledge base documents bucket.",
-        appliesTo: [
-          "Action::s3:GetBucket*",
-          "Action::s3:GetObject*",
-          "Action::s3:List*",
-          "Resource::<StorageDocsBucketepsampr20Docs075F648F.Arn>/*",
-          "Resource::<StorageDocsBucketepsamDocsF25F63F1.Arn>/*"
-        ]
-      }
-    ]
-  )
-
   // Suppress API Gateway validation warning for Apis construct
   safeAddNagSuppression(
     stack,

packages/cdk/stacks/EpsAssistMeStack.ts

@@ -133,9 +133,6 @@ export class EpsAssistMeStack extends Stack {
       vectorKB.dataSource.attrDataSourceId
     )
 
-    // Grant S3 bucket permission to invoke the sync Lambda function
-    storage.kbDocsBucket.bucket.grantRead(functions.functions.syncKnowledgeBase.function)
-
     // Add S3 event source mapping to sync Lambda function
     functions.functions.syncKnowledgeBase.function.addEventSource(
       new S3EventSource(storage.kbDocsBucket.bucket, {