Anthony

Reputation: 35928

How to write a policy for a bucket in cloud template

I have prepared a cloud template that creates AWS::IAM::Role with arn:aws:iam::aws:policy/AmazonS3FullAccess policy.

After the template runs successfully, I execute a python script to create two buckets with prefix foobar-bucket1 and foobar-bucket2.

At the moment this is how the above section of my template looks:

Resources:
  MyRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - ssm.amazonaws.com
            - ec2.amazonaws.com
          Action: sts:AssumeRole
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonS3FullAccess
      Path: "/"

Question

I am wondering if there is a need for the IAM::Role created via cloud template to have AmazonS3FullAccess in order to create the two buckets?

Is it possible for me to give the role ONLY permission to create buckets and then full S3 permission ONLY on the buckets with prefix foobar-bucket1 and foobar-bucket2?

Upvotes: 1

Views: 932

Answers (1)

jens walter

Reputation: 14029

As long as the bucket name is dynamic you cannot create a policy within your cloudformation template with the correct name in it.

In descending order of practicality:

option 1: Create the bucket within your cloudformation template and then create the IAM role accordingly within that same template (see sample below).

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  foobarBucket1:
    Type: AWS::S3::Bucket
  foobarBucket2:
    Type: AWS::S3::Bucket
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - lambda.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: LambdaRolePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Action:
              - s3:DeleteObject
              - s3:GetObject
              - s3:PutObject
              # object-level actions (Get/Put/DeleteObject) apply to object ARNs, so the bucket ARN needs a trailing /*
              Resource: !Join ['', ['arn:aws:s3:::', !Ref foobarBucket1, '/*' ]]
            - Effect: Allow
              Action:
              - s3:DeleteObject
              - s3:GetObject
              - s3:PutObject
              Resource: !Join ['', ['arn:aws:s3:::', !Ref foobarBucket2, '/*' ]]

option 2: Another possibility could be that you incorporate your fixed prefix into a policy and therefore partially restrict access.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::foobarbucket1-*",
            "Effect": "Allow"
        }
    ]
}

option 3: Use the bucket name as a cloudformation parameter and update the existing template with the newly created name.

Upvotes: 1
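Added example, not code from the question or the answer: a small Python policy matcher that builds the least-privilege policy the question asks for (s3:CreateBucket anywhere, full S3 only on buckets starting with the fixed prefixes) and checks which action/resource pairs it covers, including why a bare bucket ARN does not cover object actions. IAM wildcards are approximated with fnmatch and only Allow statements are modelled (no Deny, conditions or NotAction); the policy shape and helper names are the example's own assumptions, not an AWS API.

```python
"""Least-privilege S3 policy for prefixed buckets, with a toy IAM-style matcher."""
import fnmatch  # IAM '*' / '?' wildcards behave like shell globs ('*' also matches '/')

# Constructed prefixes, matching the question
PREFIXES = ["foobar-bucket1", "foobar-bucket2"]

# Mirrors the answer's option 1 Resource before the trailing /* is added:
# a bucket ARN alone does not match object ARNs such as arn:aws:s3:::name/key
BUCKET_ARN_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::foobar-bucket1"}
    ],
}


def least_privilege_policy(prefixes):
    """CreateBucket on any name; every other S3 action only under the given prefixes."""
    # 'prefix*' covers both the bucket ARN and, because '*' matches '/', its objects
    scoped = [f"arn:aws:s3:::{p}*" for p in prefixes]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:CreateBucket"], "Resource": "*"},
            {"Effect": "Allow", "Action": ["s3:*"], "Resource": scoped},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """True if some Allow statement matches both the action and the resource ARN.

    Case-sensitive matching is an assumption of this toy matcher; real IAM is
    case-insensitive for action names but case-sensitive for S3 resource ARNs.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False
```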
