
To allow read access to the S3 bucket for every account in the organization, apply the following bucket policy:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Sid": "AllowOrganizationToReadBucket",
        "Effect": "Allow",
        "Principal": "*",
        "Action": [
          "s3:GetObject",
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::stackset-lambdas",
          "arn:aws:s3:::stackset-lambdas/*"
        ],
        "Condition": {
          "StringEquals": {"aws:PrincipalOrgID": ["o-xxxxxxxxxx"]}
        }
      }
    }

Here "stackset-lambdas" is the S3 bucket name and "o-xxxxxxxxxx" is your Organization ID. The wildcard Principal is safe only because of the aws:PrincipalOrgID condition: that key is present only for authenticated principals, so unauthenticated requests never match and the grant is limited to accounts in the organization. Both resource ARNs are needed because s3:ListBucket is evaluated against the bucket ARN and s3:GetObject against the object ARN.
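As an added example (not part of the original page or any AWS tooling), the following Python builds the policy above for a given bucket and Organization ID, and audits a bucket policy for Allow statements that grant Principal "*" without an organization or account scoping condition, which is the mistake that would make the bucket public. The scoping-key set and function names are this example's own assumptions.

```python
# Condition keys that scope a Principal "*" grant to known identities.
# (Assumed set for this example, not an exhaustive list from AWS.)
SCOPING_KEYS = {
    "aws:PrincipalOrgID", "aws:PrincipalOrgPaths",
    "aws:PrincipalAccount", "aws:PrincipalArn",
}


def build_org_read_policy(bucket: str, org_id: str) -> dict:
    """The read-only bucket policy from the page, with Statement as a list."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOrganizationToReadBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": [org_id]}},
        }],
    }


def _is_wildcard_principal(principal) -> bool:
    # Both "*" and {"AWS": "*"} (or a list containing "*") mean "anyone".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def _is_scoped(condition: dict) -> bool:
    # Any operator (StringEquals, ForAnyValue:StringEquals, ...) that tests
    # one of the scoping keys turns the wildcard grant into a non-public one.
    return any(key in SCOPING_KEYS for keys in condition.values() for key in keys)


def unscoped_wildcard_sids(policy: dict) -> list:
    """Sids of Allow statements open to any principal with no scoping condition."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # IAM accepts a single statement object too
        statements = [statements]
    return [
        s.get("Sid", "<no Sid>") for s in statements
        if s.get("Effect") == "Allow"
        and _is_wildcard_principal(s.get("Principal"))
        and not _is_scoped(s.get("Condition", {}))
    ]
```

Running unscoped_wildcard_sids on the page's policy returns an empty list; deleting its Condition block makes the same statement show up as unscoped.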