我需要创建一个具有公有访问权限的 S3 存储桶,但将该访问权限限制为仅特定 IP。
我使用 S3 存储桶的策略生成器生成了一个策略,然后通过引用存储桶的名称将其调整为我的模板;但是,CloudFormation 不断给出"策略具有无效资源"错误。
以下是我正在使用的CloudFormation模板的相关部分。 "FirstS3BucketName"是一个参数。
FirstS3BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref FirstS3BucketName
PolicyDocument: |
{
"Id": "Policy1581542658034",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1581542655517",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::${FirstS3BucketName}/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "3.132.69.181/32"
}
},
"Principal": "*"
}
]
}
您真正需要做的就是在PolicyDocument行上添加一个!Sub。仅供参考,所有这些JSON也可以转换为YAML。
FirstS3BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref FirstS3BucketName
PolicyDocument: !Sub |
{
"Id": "Policy1581542658034",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1581542655517",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::${FirstS3BucketName}/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "3.132.69.181/32"
}
},
"Principal": "*"
}
]
}