Problem

Using Cloudformation can you set the Authenticated Users group to have put/delete Access Control when creating an S3 Bucket?


Solution

This is not possible with the initial and respectively limited Access Control Lists (ACL) of Amazon S3, where only the predefined Canned ACLs are available for use with the AWS resource types supported by AWS CloudFormation in turn, see property AccessControl of the AWS::S3::Bucket resource:

A canned ACL that grants predefined permissions on the bucket. Default is Private. For more information about canned ACLs, see Canned ACLs in the Amazon S3 documentation.

Valid values for AccessControl: AuthenticatedRead | AwsExecRead | BucketOwnerRead | BucketOwnerFullControl | LogDeliveryWrite | Private | PublicRead | PublicReadWrite

Assuming you do not want to give put/delete access to all S3 users in fact (which the Authenticated Users group actually implies to the surprise of the unaware S3 developer), but only to the users of your own (or a well known set of) account(s) as usual for most use cases, you can achieve your goal by using S3 Bucket Policies instead.

The Example Cases for Amazon S3 Bucket Policies provide an example policy for Granting Permissions to Multiple Accounts with Added Restrictions, which grants PutObject and PutObjectAcl permissions to multiple accounts and requires that the public-read canned ACL is included - stripping this down to the requested set and transforming it into a CloudFormation template snippet would approximately yield the following (you'd need to adjust the Principal to your account(s), of course):

"Resources" : {
  "S3Bucket" : {
    "Type" : "AWS::S3::Bucket"
  },
  "BucketPolicy" : {
    "Type" : "AWS::S3::BucketPolicy",
    "Properties" : {
      "PolicyDocument": {
        "Version"      : "2012-10-17",
        "Id"           : "Grant access to all account users",
        "Statement"    : [{
          "Sid"        : "PutObjectAccess",
          "Action"     : ["s3:PutObject"],
          "Effect"     : "Allow",
          "Resource"   : { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "S3Bucket"}, "/*" ]]},
          "Principal"  : { "AWS": ["arn:aws:iam::111122223333:root","arn:aws:iam::444455556666:root"] }
        }]
      },
      "Bucket" : {"Ref" : "S3Bucket"}
    }
  }
}

Please be aware of the peculiarities of Using ACLs and Bucket Policies Together in case.
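The following is an added example, not part of the question or the answer above, showing the approach the answer recommends as a small Python script: it builds a CloudFormation template (as a dict) with a Private bucket and a bucket policy that grants put/delete on the bucket's objects to named accounts only, and then lints the template for the two pitfalls discussed: a canned ACL that exposes the bucket to every AWS account (what "Authenticated Users" really means) and an object-level action attached to the bucket ARN instead of bucket/*. The account IDs, logical resource names and the function names are constructed placeholders.

```python
"""
Added example (not from the original question or answer): build a
CloudFormation template that grants put/delete on an S3 bucket to specific
AWS accounts via a bucket policy, then lint it for the pitfalls the answer
describes. Account IDs and logical names are constructed placeholders.
"""
import json

# Canned ACLs that grant access beyond the owning account(s).
# AuthenticatedRead means *every* AWS account, not just yours.
OVER_BROAD_CANNED_ACLS = {"AuthenticatedRead", "PublicRead", "PublicReadWrite"}

# Actions that operate on objects and therefore need an object ARN (bucket/*).
OBJECT_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:GetObject"}


def build_template(bucket_logical_id, account_ids,
                   actions=("s3:PutObject", "s3:DeleteObject")):
    """Return a CloudFormation template dict with a Private bucket and a bucket
    policy granting `actions` on the bucket's objects to the root principal of
    each account in `account_ids`."""
    principals = [f"arn:aws:iam::{acct}:root" for acct in account_ids]
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            bucket_logical_id: {
                "Type": "AWS::S3::Bucket",
                "Properties": {"AccessControl": "Private"},
            },
            f"{bucket_logical_id}Policy": {
                "Type": "AWS::S3::BucketPolicy",
                "Properties": {
                    "Bucket": {"Ref": bucket_logical_id},
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Sid": "ObjectWriteAccessForNamedAccounts",
                            "Effect": "Allow",
                            "Principal": {"AWS": principals},
                            "Action": list(actions),
                            # Object actions need the object ARN, hence the trailing "/*".
                            "Resource": {"Fn::Join": ["", [
                                "arn:aws:s3:::", {"Ref": bucket_logical_id}, "/*"]]},
                        }],
                    },
                },
            },
        },
    }


def _resource_strings(resource):
    """Flatten a Resource value (string, list, Ref or Fn::Join) into plain
    strings for inspection; a Ref is rendered as <Ref:LogicalId>."""
    if isinstance(resource, list):
        return [s for r in resource for s in _resource_strings(r)]
    if isinstance(resource, dict):
        if "Fn::Join" in resource:
            sep, parts = resource["Fn::Join"]
            return [sep.join(_resource_strings(p)[0] for p in parts)]
        if "Ref" in resource:
            return [f"<Ref:{resource['Ref']}>"]
        return [json.dumps(resource)]
    return [str(resource)]


def lint_template(template):
    """Return a list of findings for the S3 pitfalls discussed in the answer."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::S3::Bucket":
            acl = props.get("AccessControl", "Private")
            if acl in OVER_BROAD_CANNED_ACLS:
                findings.append(f"{name}: canned ACL {acl} grants access beyond your account(s)")
        elif res.get("Type") == "AWS::S3::BucketPolicy":
            for stmt in props.get("PolicyDocument", {}).get("Statement", []):
                if stmt.get("Effect") != "Allow":
                    continue
                sid = stmt.get("Sid", "<no Sid>")
                principal = stmt.get("Principal")
                if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
                    findings.append(f"{name}/{sid}: wildcard Principal allows any AWS identity")
                actions = stmt.get("Action", [])
                actions = [actions] if isinstance(actions, str) else actions
                if any(a in OBJECT_ACTIONS or a == "s3:*" for a in actions):
                    resources = _resource_strings(stmt.get("Resource", []))
                    # An object ARN has a key part after "bucket/"; a bare bucket ARN does not.
                    if not any("/" in r.split(":::", 1)[-1] for r in resources):
                        findings.append(f"{name}/{sid}: object actions {actions} granted on a bucket ARN, not bucket/*")
    return findings


if __name__ == "__main__":
    tpl = build_template("S3Bucket", ["111122223333", "444455556666"])
    print(json.dumps(tpl, indent=2))
    print("findings:", lint_template(tpl))
```

Running the script prints the generated template and an empty findings list; pointing `lint_template` at a template whose bucket uses `AuthenticatedRead` or whose statement joins only `arn:aws:s3:::` with the bucket Ref reproduces the two mistakes the answer warns about.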

License: CC-BY-SA with attribution
Not affiliated with StackOverflow