AWS Cloudformation template - S3 bucket policy - MalformedPolicy error

Time: 01-23

I'm trying to add a policy to my (static website) S3 bucket to let only the CloudFormation distribution access it, but during deployment I still get a MalformedPolicy error and cannot find where the problem is.

CloudFormation template essential parts

Resources:

  BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    DependsOn:
      - AppBucket
      - CloudFrontDistribution
    Properties:
      Bucket: !Ref AppBucket
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17
        Statement:
          - Sid: PolicyForCloudFrontPrivateContent
            Action: 's3:GetObject*'
            Effect: Allow
            Condition:
              StringLike:
                'aws:Referer':
                  - !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'
              Resource: 
                - !Sub arn:aws:s3:::${AppBucket}

  CloudFrontDistribution:
    # ...

  AppBucket:
    # ...

Deployment error

(...)

CloudFormation events from stack operations (refresh every 0.5 seconds)
---------------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus                      ResourceType                        LogicalResourceId                   ResourceStatusReason              
---------------------------------------------------------------------------------------------------------------------------------------------
UPDATE_IN_PROGRESS                  AWS::S3::BucketPolicy               BucketPolicy                        -                                 
UPDATE_FAILED                       AWS::S3::BucketPolicy               BucketPolicy                        Missing required field Principal  
                                                                                                            (Service: Amazon S3; Status Code: 
                                                                                                            400; Error Code: MalformedPolicy; 
                                                                                                            Request ID: DG2QHRDJQ2WS6JZV; S3  
                                                                                                            Extended Request ID: 6u LYv77A4Ao 
                                                                                                            DmKmyB4Sfup rueC1iGAQ82GdkfHimIZL 
                                                                                                            X/HXUPWj2FKSq7WCgi41F4XU6z6BOk=;  
                                                                                                            Proxy: null)                      
UPDATE_ROLLBACK_IN_PROGRESS         AWS::CloudFormation::Stack          test-app-hosting                    The following resource(s) failed  
                                                                                                            to update: [BucketPolicy].        
UPDATE_COMPLETE                     AWS::S3::BucketPolicy               BucketPolicy                        -                                 
UPDATE_ROLLBACK_COMPLETE_CLEANUP_   AWS::CloudFormation::Stack          test-app-hosting                    -                                 
IN_PROGRESS                                                                                                                                   
UPDATE_ROLLBACK_COMPLETE            AWS::CloudFormation::Stack          test-app-hosting                    -                                 
---------------------------------------------------------------------------------------------------------------------------------------------
Error: Failed to create/update the stack: test-app-hosting, Waiter StackUpdateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "UPDATE_ROLLBACK_COMPLETE" at least once

Update #1

As both @luk2302 and @Marcin pointed out, I was missing the Statement > Principal section (feel pretty dumb about it), but adding it now gives a new error:

---------------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus                      ResourceType                        LogicalResourceId                   ResourceStatusReason              
---------------------------------------------------------------------------------------------------------------------------------------------
UPDATE_IN_PROGRESS                  AWS::S3::BucketPolicy               BucketPolicy                        -                                 
UPDATE_FAILED                       AWS::S3::BucketPolicy               BucketPolicy                        Invalid policy syntax. (Service:  
                                                                                                            Amazon S3; Status Code: 400;      
                                                                                                            Error Code: MalformedPolicy;      
                                                                                                            Request ID: NH6PZB3QF0747F4N; S3  
                                                                                                            Extended Request ID: xdXOFPWgHCjg 
                                                                                                            Lzf4gdjCg79NIXS6qtmtLuGn8N7NeLIOJ 
                                                                                                            4Qw2bgSJ2v6MKdNzbrMCWCEPKBc90E=;  
                                                                                                            Proxy: null)                      
UPDATE_ROLLBACK_IN_PROGRESS         AWS::CloudFormation::Stack          test-app-hosting                    The following resource(s) failed  
                                                                                                            to update: [BucketPolicy].

CodePudding user response:

Resource is incorrectly indented, and you are missing Principal as described in the AWS docs. It should be:

  BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    DependsOn:
      - AppBucket
      - CloudFrontDistribution
    Properties:
      Bucket: !Ref AppBucket
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17
        Statement:
          - Sid: PolicyForCloudFrontPrivateContent
            Action: 's3:GetObject*'
            Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Resource: 
              - !Sub arn:aws:s3:::${AppBucket}              
            Condition:
              StringLike:
                'aws:Referer':
                  - !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'

CodePudding user response:

Ok, after a lot of trial and error I found that the main problem was giving Resource and Condition.StringLike.aws:Referer array values instead of strings:

Wrong

Resource:
  - !Sub arn:aws:s3:::${AppBucket}
Condition:
  StringLike:
    'aws:Referer':
      - !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'

Right

Resource: !Sub arn:aws:s3:::${AppBucket}
Condition:
  StringLike:
    'aws:Referer': !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'
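Added example, not code from the question or either answer: a small Python lint run over the rendered policy document (what S3 receives once CloudFormation has resolved !Sub) that reports the two problems this thread hit, the missing Principal and the Resource that slid under Condition, before the stack is deployed, since validate-template does not inspect the policy body and MalformedPolicy only comes back from S3 at PutBucketPolicy time. It accepts Resource and condition values as either a string or a list, which the policy grammar allows, and additionally flags a bucket-level ARN paired with an object action; the bucket name and distribution id in the samples are made up.

```python
import json
# Constructed sample: the question's PolicyDocument as CloudFormation renders it after
# resolving !Sub (bucket name and distribution id are made up). Because Resource is
# indented under Condition in the YAML, it ends up inside the Condition map.
BROKEN_POLICY = json.loads("""{
  "Id": "MyPolicy", "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PolicyForCloudFrontPrivateContent", "Effect": "Allow",
    "Action": "s3:GetObject*",
    "Condition": {
      "StringLike": {"aws:Referer": ["https://*.EXAMPLEDIST.cloudfront.net/*"]},
      "Resource": ["arn:aws:s3:::example-app-bucket"]
    }
  }]
}""")
# Constructed sample that passes: Principal present, Resource on the statement and naming
# objects (bucket/*). aws:Referer is a client-supplied header, so it is defence in depth only.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PolicyForCloudFrontPrivateContent", "Effect": "Allow",
    "Action": "s3:GetObject*",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Resource": "arn:aws:s3:::example-app-bucket/*",
    "Condition": {"StringLike": {"aws:Referer": "https://*.EXAMPLEDIST.cloudfront.net/*"}}
  }]
}""")
STATEMENT_FIELDS = ("Effect", "Action", "Resource", "Principal")
OBJECT_ACTIONS = ("s3:getobject", "s3:putobject", "s3:deleteobject")

def lint_bucket_policy(doc):
    # Returns a list of findings for a rendered S3 bucket policy; [] means it passes.
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        sid = stmt.get("Sid", f"statement {i}")
        for field in STATEMENT_FIELDS:
            if field not in stmt and not (field == "Principal" and "NotPrincipal" in stmt):
                findings.append(f"{sid}: missing required field {field}")
        # A statement field inside Condition is the YAML indentation slip from the question.
        for key in stmt.get("Condition", {}):
            if key in STATEMENT_FIELDS:
                findings.append(f"{sid}: {key} is nested under Condition instead of the statement")
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        # s3:GetObject and friends act on objects, so a bare bucket ARN never matches.
        if any(a.lower().startswith(OBJECT_ACTIONS) for a in actions):
            for arn in resources:
                if "/" not in arn.split(":::", 1)[-1]:
                    findings.append(f"{sid}: {arn} is a bucket ARN; object actions need bucket/*")
    return findings
```

The lint covers only the fields this thread tripped over; it is not a substitute for the full IAM policy grammar check S3 performs.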