s3 bucket notifications creates IAM policy that has no resource boundary

[nija-at]

Forked off from #2781, specifically this comment

S3 bucket notifications creates an IAM role holding a policy that contains no resource boundary, specifically "Resource": "*".

Companies typically enforce that all IAM policies should be well bounded in their actions and resource.

https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-s3-notifications/test/integ.notifications.expected.json#L188-L208

[iliapolo]

From an initial investigation, it seems that the * is used because the BucketNotificationsHandler policy is created once per stack, and not per bucket. It therefore doesn't know in advance which buckets it will have to configure notifications for.

Relevant code starts here: https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/aws-s3/lib/notifications-resource/notifications-resource.ts#L52

We should explore an option to either incrementally update the permissions of this policy, or create a separate policy for each bucket.