Question

我需要创建一个具有公共访问权限的S3存储桶，但只能将该访问权限限制为特定IP。
我使用策略生成器为S3存储桶生成了一个策略，然后通过引用存储桶的名称将其调整为模板。但是，CloudFormation不断显示“策略资源无效”错误。

以下是我正在使用的CloudFormation模板的相关部分。 “ FirstS3BucketName”是一个参数。

FirstS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties: 
      Bucket: !Ref FirstS3BucketName
      PolicyDocument: |
                    {
                      "Id": "Policy1581542658034",
                      "Version": "2012-10-17",
                      "Statement": [
                        {
                          "Sid": "Stmt1581542655517",
                          "Action": "s3:*",
                          "Effect": "Allow",
                          "Resource": "arn:aws:s3:::${FirstS3BucketName}/*",
                          "Condition": {
                            "IpAddress": {
                              "aws:SourceIp": "3.132.69.181/32"
                            }
                          },
                          "Principal": "*"
                        }
                      ]
                    }

Answer 1

您真正需要做的就是在!Sub行上添加一个PolicyDocument。仅供参考，所有JSON也可以转换为YAML。

FirstS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties: 
      Bucket: !Ref FirstS3BucketName
      PolicyDocument: !Sub |
                    {
                      "Id": "Policy1581542658034",
                      "Version": "2012-10-17",
                      "Statement": [
                        {
                          "Sid": "Stmt1581542655517",
                          "Action": "s3:*",
                          "Effect": "Allow",
                          "Resource": "arn:aws:s3:::${FirstS3BucketName}/*",
                          "Condition": {
                            "IpAddress": {
                              "aws:SourceIp": "3.132.69.181/32"
                            }
                          },
                          "Principal": "*"
                        }
                      ]
                    }

AWS Cloudformation错误：策略具有无效资源

1 个答案: