I want to prevent unencrypted uploads to an S3 bucket for all resources. I am attempting to do this using an S3 bucket policy, as below:
```yaml
PolicyS3BucketPolicy:
  Type: AWS::S3::BucketPolicy
  DependsOn: PolicyS3Bucket
  Properties:
    Bucket: !Ref PolicyS3Bucket
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Deny
          Sid: DenyUnEncryptedObjectUploads
          Action: "s3:PutObject"
          Resource: "*"
          Principal:
            AWS: "*"
          Condition:
            StringNotEquals:
              "s3:x-amz-server-side-encryption": "aws:kms"
```
The PolicyS3Bucket resource definition is omitted for conciseness.
When I attempt to deploy my service, I get this error:
PolicyS3BucketPolicy - Policy has invalid resource (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: 5E5PR65Y1JY805Q0; S3 Extended Request ID: hxBAxt2qqqkgMRlF9JS5J0LFJ0EPxHU3mhIjYZ/x1kp WT5FdlHSKEpY97x0gT2ZE0KXKMqzyKo=; Proxy: null).
How can I set the Resource value so that this policy denies for all resources?
CodePudding user response:
I believe the problem is that your S3 bucket policy indicates:
Resource: "*"
It should be scoped to the actual bucket, for example:
Resource: "arn:aws:s3:::mybucket/*"
Or something like the following if you're using Serverless Framework:
Resource: arn:aws:s3:::${self:custom.config.myBucketName}/*
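As an added example (not the asker's template or the answerer's code), here is the bucket policy with the Resource scoped to the bucket's own ARN via `!Sub`, plus a second Deny statement that also rejects uploads which omit the encryption header entirely. The resource names `PolicyS3Bucket` and `PolicyS3BucketPolicy` are taken from the question; everything else is assumed.

```yaml
Resources:
  PolicyS3Bucket:
    Type: AWS::S3::Bucket
    # Bucket name deliberately omitted; CloudFormation generates one.

  PolicyS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    # No DependsOn needed: the !Ref below already creates the dependency.
    Properties:
      Bucket: !Ref PolicyS3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # 1) Reject PutObject calls that ask for any algorithm other than SSE-KMS.
          - Sid: DenyIncorrectEncryptionHeader
            Effect: Deny
            Principal:
              AWS: "*"
            Action: "s3:PutObject"
            # s3:PutObject is an object-level action, so a bucket policy needs an
            # object ARN (<bucket ARN>/*). A bare "*" is rejected as MalformedPolicy.
            Resource: !Sub "${PolicyS3Bucket.Arn}/*"
            Condition:
              StringNotEquals:
                "s3:x-amz-server-side-encryption": "aws:kms"

          # 2) Added check: reject PutObject calls that send no encryption header
          #    at all, so the outcome does not depend on how the negated operator
          #    above treats a missing condition key.
          - Sid: DenyUnEncryptedObjectUploads
            Effect: Deny
            Principal:
              AWS: "*"
            Action: "s3:PutObject"
            Resource: !Sub "${PolicyS3Bucket.Arn}/*"
            Condition:
              "Null":
                "s3:x-amz-server-side-encryption": "true"
```

Because both statements are explicit Denies with Principal "*", they override any Allow granted to a role or user in the account, which is the property you want for an encryption-at-rest guardrail.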