我需要创建一个具有公共访问权限的S3存储桶,但只能将该访问权限限制为特定IP。
我使用策略生成器为S3存储桶生成了一个策略,然后通过引用存储桶的名称将其调整为模板。但是,CloudFormation不断显示“策略资源无效”错误。
以下是我正在使用的CloudFormation模板的相关部分。 “ FirstS3BucketName”是一个参数。
FirstS3BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref FirstS3BucketName
PolicyDocument: |
{
"Id": "Policy1581542658034",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1581542655517",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::${FirstS3BucketName}/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "3.132.69.181/32"
}
},
"Principal": "*"
}
]
}
答案 0 :(得分:1)
您真正需要做的就是在!Sub行上添加一个PolicyDocument。仅供参考,所有JSON也可以转换为YAML。
FirstS3BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref FirstS3BucketName
PolicyDocument: !Sub |
{
"Id": "Policy1581542658034",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1581542655517",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::${FirstS3BucketName}/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "3.132.69.181/32"
}
},
"Principal": "*"
}
]
}