Abhi

Reputation: 1255

Invalid Resource and malformed policy errors - aws cloudformation YAML

Adding a bucket policy for an S3 bucket, but I am running into multiple problems defining it in YAML. Here is the sample -

 S3CURBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - 's3:ListBucket'
            Resource: !Join [ '', ["arn:aws:s3:::", !Ref S3BucketTest]] 
            Effect: Allow
            Condition:
              StringEquals:
                'AWS:SourceAccount':
                  - 12334456676
            Principal: '*'
      Bucket: !Ref S3BucketTest

S3BucketTest is the resource name of the S3 bucket I defined in the same CFT

S3BucketTest:
  Type: AWS::S3::Bucket

I was able to create the S3 bucket without any issues, but the bucket policy is giving errors.

  1. For the above YAML, it says that the resource name is invalid.
  2. If I have multiple Actions and I mention them in [], it throws invalid Actions and malformed policy errors.
  3. I also want to mention multiple resources.

I am essentially looking to replicate this in YAML -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "stmt_cross_acct_rs_Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": ["arn:aws:iam::12345678:role/role_rs_1", "arn:aws:iam::12345678:root"]
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::<demo-bucket>",
                "arn:aws:s3:::<demo-bucket>/*"
            ]
        }
    ]
}

Upvotes: 1

Views: 2130

Answers (3)

Arun Kamalanathan

Reputation: 8603

This works for me. I was able to create the stack. I only had to change join to sub.

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  S3BucketTest:
    Type: AWS::S3::Bucket
  S3CURBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - 's3:ListBucket'
            Resource: 
              - !Sub 'arn:aws:s3:::${S3BucketTest}'
              - !Sub 'arn:aws:s3:::${S3BucketTest}/*'              
            Effect: Allow
            Condition:
              StringEquals:
                'AWS:SourceAccount':
                  - 12334456676
            Principal: '*'
      Bucket: !Ref S3BucketTest

Hope this helps.

Upvotes: 1

Jason Wadsworth

Reputation: 8885

Assuming you have a 'demobucket' as either a bucket resource or a parameter, the JSON above would look like this in YAML:

    Version: 2012-10-17
    Statement: 
      - Sid: stmt_cross_acct_rs_Access
        Effect: Allow
        Principal:
          AWS: 
            - arn:aws:iam::12345678:role/role_rs_1
            - arn:aws:iam::12345678:root
        Action:
          - s3:GetBucketLocation
          - s3:GetObject
          - s3:ListBucket
          - s3:ListBucketMultipartUploads
          - s3:ListMultipartUploadParts
          - s3:AbortMultipartUpload
          - s3:PutObject
        Resource:
          - !Sub 'arn:aws:s3:::${demobucket}'
          - !Sub 'arn:aws:s3:::${demobucket}/*'

This is what you should do for the YAML you had:

 S3CURBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - 's3:ListBucket'
            Resource: !GetAtt S3BucketTest.Arn 
            Effect: Allow
            Condition:
              StringEquals:
                'AWS:SourceAccount':
                  - 12334456676
            Principal: '*'
      Bucket: !Ref S3BucketTest

Upvotes: 1

Arash

Reputation: 552

For multiple resources, try this:

Resource:
  - 'arn:aws:s3:::<demo-bucket>'
  - 'arn:aws:s3:::<demo-bucket>/*'

Upvotes: 0
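An added example, not code from the question or from any of the answers: it resolves the long-form equivalents of the `!Ref`, `!Sub`, `!GetAtt` and `!Join` shorthand used above against a constructed bucket name, then checks the resulting statement the way a reviewer would: every Resource is a well-formed bucket or bucket/* ARN, bucket-level actions such as s3:ListBucket get the bucket ARN while object-level actions such as s3:GetObject get the /* ARN, and a Principal of '*' is not left without a Condition. The logical id, bucket name and statement are constructed, and the intrinsic-function handling is a simplified model rather than CloudFormation's own.

```python
import re
# Bucket ARN, optionally followed by /* for the objects in it (bucket-name rules simplified).
ARN_RE = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9](/\*)?$")
# Actions that target the bucket ARN versus the object ARN (bucket/*).
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"}

def resolve(node, buckets):
    """Resolve long-form Ref / Fn::Sub / Fn::GetAtt / Fn::Join; buckets maps logical id -> name."""
    if isinstance(node, list):
        return [resolve(n, buckets) for n in node]
    if not isinstance(node, dict):
        return node
    if "Ref" in node:
        return buckets[node["Ref"]]
    if "Fn::Sub" in node:  # ${LogicalId} placeholders only (no ${Id.Attr} or variable maps)
        return re.sub(r"\$\{(\w+)\}", lambda m: buckets[m.group(1)], node["Fn::Sub"])
    if "Fn::GetAtt" in node:  # only the Arn attribute of a bucket is modelled here
        logical_id, attr = node["Fn::GetAtt"]
        return f"arn:aws:s3:::{buckets[logical_id]}" if attr == "Arn" else node
    if "Fn::Join" in node:
        delim, parts = node["Fn::Join"]
        return delim.join(resolve(p, buckets) for p in parts)
    return {k: resolve(v, buckets) for k, v in node.items()}

def audit(statement):
    """Findings for one resolved statement: bad ARNs, action/resource mismatch, open principal."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    resources = as_list(statement["Resource"])
    findings = [f"invalid resource: {r!r}" for r in resources
                if not isinstance(r, str) or not ARN_RE.match(r)]
    has_bucket = any(isinstance(r, str) and not r.endswith("/*") for r in resources)
    has_object = any(isinstance(r, str) and r.endswith("/*") for r in resources)
    for a in as_list(statement["Action"]):
        if a in BUCKET_ACTIONS and not has_bucket:
            findings.append(f"{a} needs the bucket ARN, not only bucket/*")
        if a in OBJECT_ACTIONS and not has_object:
            findings.append(f"{a} needs the object ARN (bucket/*)")
    if statement.get("Principal") == "*" and "Condition" not in statement:
        findings.append("Principal '*' with no Condition grants anonymous access")
    return findings

# Constructed sample: the question's statement in long form, bucket ARN built with Fn::Join.
QUESTION_STATEMENT = {
    "Action": ["s3:ListBucket"],
    "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3BucketTest"}]]},
    "Effect": "Allow", "Principal": "*",
    "Condition": {"StringEquals": {"AWS:SourceAccount": ["12334456676"]}},
}
BUCKETS = {"S3BucketTest": "demo-bucket"}  # logical id -> physical bucket name (constructed)
```

`audit(resolve(QUESTION_STATEMENT, BUCKETS))` returns an empty list; running it on the JSON policy from the question with the `<demo-bucket>` placeholder left in reports the placeholder as an invalid resource.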
