I’ve been using SLS since 2017 and have obviously been missing something fundamental this entire time. The only way that my Lambdas can interact with S3 is if the S3 bucket is configured for public access. The IAM role statements in serverless.yml control the Lambda, but that makes no sense if the world can see the bucket anyway.
This challenge is further compounded by the need to allow the Lambda to call an Amplify deploy API endpoint. AFAIK there is no way to make that public (which is actually a good thing).
My only recourse, it seems, is to deploy my Lambda, then look for the roles that were created, go into IAM, find those roles and change permissions on them. Is there not an easier way to do this?
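The serverless.yml fragment below is an added example, not from the original post: it keeps the bucket private (public access blocked) and grants the Lambda's execution role only the S3 object and list actions it needs, plus the Amplify action to start a build, all declared in the same file so no manual IAM edits follow the deploy. Assumptions: the `UploadsBucket` resource, `sync` function and `APP_ID_PLACEHOLDER` are placeholders, `provider.iam.role.statements` is the current Framework syntax (older versions use `provider.iamRoleStatements` with the same statement shape), and `amplify:StartJob` is taken to be the deploy API the post refers to.

```yaml
service: my-service   # placeholder name
provider:
  name: aws
  runtime: python3.11
  iam:
    role:
      statements:
        # Object-level actions, scoped to keys inside this one bucket
        - Effect: Allow
          Action:
            - s3:GetObject
            - s3:PutObject
          Resource:
            Fn::Join:
              - ''
              - - Fn::GetAtt: [UploadsBucket, Arn]
                - '/*'
        # ListBucket is bucket-level, so it targets the bucket ARN itself
        - Effect: Allow
          Action: s3:ListBucket
          Resource:
            Fn::GetAtt: [UploadsBucket, Arn]
        # Trigger an Amplify build; assumes StartJob is the deploy API meant
        - Effect: Allow
          Action: amplify:StartJob
          Resource:
            Fn::Join:
              - ''
              - - 'arn:aws:amplify:'
                - Ref: AWS::Region
                - ':'
                - Ref: AWS::AccountId
                - ':apps/APP_ID_PLACEHOLDER/branches/*/jobs/*'
  environment:
    UPLOADS_BUCKET:
      Ref: UploadsBucket
functions:
  sync:
    handler: handler.sync   # placeholder handler

resources:
  Resources:
    UploadsBucket:
      Type: AWS::S3::Bucket
      Properties:
        PublicAccessBlockConfiguration:   # public access stays blocked
          BlockPublicAcls: true
          BlockPublicPolicy: true
          IgnorePublicAcls: true
          RestrictPublicBuckets: true
```

After `sls deploy`, the generated role can be checked in the CloudFormation template under `.serverless/` or with `aws iam get-role-policy` to confirm it carries exactly these statements and nothing broader.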