How to deny unencrypted uploads to an S3 bucket by any resource?

I want to prevent unencrypted uploads to an S3 bucket for all resources. I am attempting to do this using a S3 policy, as below:

PolicyS3BucketPolicy:
  Type: AWS::S3::BucketPolicy
  DependsOn: PolicyS3Bucket
  Properties:
    Bucket: !Ref PolicyS3Bucket
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Deny
          Sid: DenyUnEncryptedObjectUploads
          Action: "s3:PutObject"
          Resource: "*"
          Principal:
            AWS: "*"
          Condition:
            StringNotEquals:
              "s3:x-amz-server-side-encryption": "aws:kms"

The PolicyS3Bucket resource definition is omitted for conciseness.

When I attempt to deploy my service, I get this error:


PolicyS3BucketPolicy - Policy has invalid resource (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: 5E5PR65Y1JY805Q0; S3 Extended Request ID: hxBAxt2qqqkgMRlF9JS5J0LFJ0EPxHU3mhIjYZ/x1kp+WT5FdlHSKEpY97x0gT2ZE0KXKMqzyKo=; Proxy: null).

How can I set the Resource value so that this policy denies for all resources?

Solution:

I believe the problem is that your S3 bucket policy indicates:

Resource: "*"

It should be scoped to the actual bucket, for example:

Resource: "arn:aws:s3:::mybucket/*"

Or something like the following if you’re using Serverless Framework:

Resource: arn:aws:s3:::${self:custom.config.myBucketName}/*
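As an added example (not code from the question or the answer above), the following Python script builds the corrected policy document with the Resource scoped to the bucket, flags the bare `"*"` Resource that S3 rejects with MalformedPolicy, and models how the `StringNotEquals` condition is evaluated so you can see which uploads the Deny actually catches. The bucket name `mybucket` and the function names are assumptions for illustration.

```python
"""Build and sanity-check an S3 bucket policy that denies uploads not using SSE-KMS.

Added example, not from the original post. Assumes the bucket name 'mybucket' and
models only the StringNotEquals condition semantics relevant to this policy.
"""
import json

ENCRYPTION_KEY = "s3:x-amz-server-side-encryption"


def bucket_policy(bucket_name: str) -> dict:
    """Return the corrected policy: Resource scoped to the bucket's objects, not '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnEncryptedObjectUploads",
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": "s3:PutObject",
                # A bucket policy must name the bucket it is attached to (or objects in it).
                "Resource": f"arn:aws:s3:::{bucket_name}/*",
                "Condition": {"StringNotEquals": {ENCRYPTION_KEY: "aws:kms"}},
            }
        ],
    }


def resource_findings(policy: dict, bucket_name: str) -> list:
    """Flag Resource entries that S3 rejects as 'Policy has invalid resource'.

    Every Resource in a bucket policy has to be the bucket ARN or an object ARN
    under it; a bare '*' (the value in the question) is not accepted.
    """
    allowed_prefix = f"arn:aws:s3:::{bucket_name}"
    findings = []
    for stmt in policy.get("Statement", []):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if res == "*" or not res.startswith(allowed_prefix):
                findings.append(f"{stmt.get('Sid', '<no Sid>')}: invalid Resource {res!r}")
    return findings


def would_deny_put(policy: dict, request_headers: dict) -> bool:
    """Evaluate the Deny statement against a PutObject request's headers.

    Models IAM's StringNotEquals: when the condition key is absent from the
    request (no encryption header sent at all), a negated operator evaluates to
    true, so the Deny applies to unencrypted uploads as well as to uploads that
    request a different SSE type such as AES256.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        for key, expected in stmt["Condition"]["StringNotEquals"].items():
            header = key.split(":", 1)[1]  # 's3:x-amz-...' -> request header name
            if request_headers.get(header) != expected:
                return True
    return False


if __name__ == "__main__":
    broken = bucket_policy("mybucket")
    broken["Statement"][0]["Resource"] = "*"  # the value from the question
    print("findings for Resource '*':", resource_findings(broken, "mybucket"))
    print(json.dumps(bucket_policy("mybucket"), indent=2))
    for headers in ({}, {"x-amz-server-side-encryption": "AES256"},
                    {"x-amz-server-side-encryption": "aws:kms"}):
        print(headers, "-> denied" if would_deny_put(bucket_policy("mybucket"), headers) else "-> allowed")
```

Running the script prints one finding for the `"*"` Resource, the corrected policy JSON, and shows that only a PutObject carrying `x-amz-server-side-encryption: aws:kms` passes the Deny; requests with no header or with `AES256` are refused, which is the behaviour the question asks for.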