Adding S3 bucket notification handler allows lambda access to all buckets

[namedgraph]

Hi,

I got the following response from AWS Marketplace regarding a CF template I built with CDK:

In the IAM policy, the following WRITE action(s) support resource-level permissions. You must narrow the scope of the following action(s) by specifying resources and/or adding condition keys:
For each following action: s3:PutBucketNotification, please see this IAM documentation for available resources and condition keys: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html

My code is following this example (but in Java):
https://github.com/aws-samples/aws-cdk-examples/blob/main/python/lambda-s3-trigger/s3trigger/s3trigger_stack.py

I'd like to set the resource scope to the bucket's ARN, but how am I supposed to do that because the default handler policy always sets *?

aws-cdk/packages/aws-cdk-lib/aws-s3/lib/notifications-resource/notifications-resource-handler.ts

Line 71 in 4f1c94b

resources: ['*'],