Harry

AWS BucketPolicy failed to create - Invalid policy syntax MalformedPolicy

I'm trying to create the following bucket policy in YAML, but the BucketPolicy fails to create:

Cloudformation error message:

Invalid policy syntax. (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: CD4; S3 Extended Request ID: Noxxxx/sXX=; Proxy: null)

Bucket policy that needs to be done:

{
    "Version": "2012-10-17",
    "Id": "ig",
    "Statement": [
        {
            "Sid": "LZone",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123:role/l-zone"
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname-l/*",
                "arn:aws:s3:::bucketname-l"
            ]
        }
    ]
}

This is the code (not working) in yaml for the above policy:

LBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub bucketname-l          
LBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: LZone
            Effect: Allow
            Action: 
              - 's3:AbortMultipartUpload'
              - 's3:ListBucket'
              - 's3:PutObject'
              - 's3:GetObject'
              - 's3:GetObjectVersion'
              - 's3:PutObjectAcl'
            Resource:
              Fn::Join:  
              - ""  
              -  
                - "arn:aws:s3:::"  
                -  
                  Ref: "LBucket"  
                - "/*"  
            Principal: "AWS: arn:aws:iam::123:role/l-zone"

Can someone help with what I'm missing? Thanks.

Upvotes: 2

Views: 5800

Answers (1)

Marcin

The policy should be:

  LBucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: !Ref LBucket
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Sid: LZone
              Effect: Allow
              Action: 
                - 's3:AbortMultipartUpload'
                - 's3:ListBucket'
                - 's3:PutObject'
                - 's3:GetObject'
                - 's3:GetObjectVersion'
                - 's3:PutObjectAcl'
              Resource:
                - !Sub "arn:aws:s3:::${LBucket}"
                - !Sub "arn:aws:s3:::${LBucket}/*"
              Principal: 
                AWS: arn:aws:iam::123:role/l-zone

Upvotes: 3
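As an added check that is not part of the question or the answer: a small Python linter that takes the PolicyDocument as CloudFormation would render it (after !Ref, !Sub and Fn::Join are resolved, so the bucket name `bucketname-l` and the role ARN below are the question's placeholders, not real resources) and flags the two defects in the question's YAML, the Principal written as one string instead of a mapping and `s3:ListBucket` granted without the bucket ARN, plus the public-access caveat a reviewer would raise. The bucket-level action list and the three sample policies are constructed for this example and are not exhaustive.

```python
"""Offline shape check for an S3 bucket policy before it reaches CloudFormation.

Added example, not code from the question or answer. It operates on the policy
after CloudFormation has resolved !Ref/!Sub/Fn::Join, so the bucket name and
role ARN below are the question's placeholders.
"""
import re

# Keys IAM accepts inside a Principal mapping.
PRINCIPAL_KEYS = {"AWS", "Service", "Federated", "CanonicalUser"}

# Actions evaluated against the bucket ARN (arn:aws:s3:::bucket), not against
# arn:aws:s3:::bucket/*. Assumption: only the actions relevant here are listed.
BUCKET_LEVEL_ACTIONS = {
    "s3:ListBucket",
    "s3:ListBucketVersions",
    "s3:ListBucketMultipartUploads",
    "s3:GetBucketLocation",
}

BUCKET_ARN = re.compile(r"^arn:aws:s3:::[^/]+$")
OBJECT_ARN = re.compile(r"^arn:aws:s3:::[^/]+/.+$")
OBJECT_ACTION = re.compile(r"Object|MultipartUpload")

ROLE = "arn:aws:iam::123:role/l-zone"  # placeholder from the question
ACTIONS = ["s3:AbortMultipartUpload", "s3:ListBucket", "s3:PutObject",
           "s3:GetObject", "s3:GetObjectVersion", "s3:PutObjectAcl"]

# Constructed: the question's YAML as rendered (single object ARN, string Principal).
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "LZone", "Effect": "Allow", "Action": ACTIONS,
    "Resource": "arn:aws:s3:::bucketname-l/*",
    "Principal": f"AWS: {ROLE}"}]}

# Constructed: the accepted answer as rendered.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "LZone", "Effect": "Allow", "Action": ACTIONS,
    "Resource": ["arn:aws:s3:::bucketname-l", "arn:aws:s3:::bucketname-l/*"],
    "Principal": {"AWS": ROLE}}]}

# Constructed: syntactically valid but grants anonymous read of every object.
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Public", "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::bucketname-l/*", "Principal": "*"}]}


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource/Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_bucket_policy(policy):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be the string '2012-10-17'")

    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")

        # The question's bug: Principal given as the string "AWS: arn:..."; only "*"
        # is valid as a bare string, everything else must be a mapping.
        if principal is None:
            findings.append(f"{sid}: bucket policies require a Principal")
        elif isinstance(principal, str):
            if principal != "*":
                findings.append(f"{sid}: Principal must be a mapping or '*', got string {principal!r}")
        elif isinstance(principal, dict):
            unknown = set(principal) - PRINCIPAL_KEYS
            if unknown:
                findings.append(f"{sid}: unknown Principal keys {sorted(unknown)}")
        else:
            findings.append(f"{sid}: Principal has unexpected type {type(principal).__name__}")

        # Caveat: Allow to a wildcard principal with no Condition is a public grant.
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if wildcard and stmt.get("Effect") == "Allow" and "Condition" not in stmt:
            findings.append(f"{sid}: Allow to Principal '*' without a Condition makes the bucket public")

        # Bucket-level actions need the bare bucket ARN; object actions need bucket/*.
        resources = _as_list(stmt.get("Resource"))
        has_bucket_arn = any(BUCKET_ARN.match(r) for r in resources)
        has_object_arn = any(OBJECT_ARN.match(r) for r in resources)
        for action in _as_list(stmt.get("Action")):
            if action in BUCKET_LEVEL_ACTIONS:
                if not has_bucket_arn:
                    findings.append(f"{sid}: {action} needs the bucket ARN (no '/*') in Resource")
            elif OBJECT_ACTION.search(action) and not has_object_arn:
                findings.append(f"{sid}: {action} needs an object ARN (bucket/*) in Resource")
    return findings


if __name__ == "__main__":
    for name, policy in [("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY), ("public", PUBLIC_POLICY)]:
        print(name, lint_bucket_policy(policy) or "OK")
```

Running the module prints two findings for the question's version (the string Principal, which is what S3 rejects as MalformedPolicy, and `s3:ListBucket` with only the `/*` ARN), nothing for the answer's version, and the public-access warning for the third sample; the last point is worth keeping in mind because a policy that is syntactically valid can still be a worse outcome than one that fails to deploy.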
