
I’m trying to add a policy to my (static website) S3 bucket to let only the CloudFormation distribution access it, but during deployment I still get a MalformedPolicy error and cannot find where the problem is.

CloudFormation template essential parts

Resources:

  BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    DependsOn:
      - AppBucket
      - CloudFrontDistribution
    Properties:
      Bucket: !Ref AppBucket
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17
        Statement:
          - Sid: PolicyForCloudFrontPrivateContent
            Action: 's3:GetObject*'
            Effect: Allow
            Condition:
              StringLike:
                'aws:Referer':
                  - !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'
              Resource: 
                - !Sub arn:aws:s3:::${AppBucket}

  CloudFrontDistribution:
    # ...

  AppBucket:
    # ...

Deployment error

(...)

CloudFormation events from stack operations (refresh every 0.5 seconds)
---------------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus                      ResourceType                        LogicalResourceId                   ResourceStatusReason              
---------------------------------------------------------------------------------------------------------------------------------------------
UPDATE_IN_PROGRESS                  AWS::S3::BucketPolicy               BucketPolicy                        -                                 
UPDATE_FAILED                       AWS::S3::BucketPolicy               BucketPolicy                        Missing required field Principal  
                                                                                                            (Service: Amazon S3; Status Code: 
                                                                                                            400; Error Code: MalformedPolicy; 
                                                                                                            Request ID: DG2QHRDJQ2WS6JZV; S3  
                                                                                                            Extended Request ID: 6u+LYv77A4Ao 
                                                                                                            DmKmyB4Sfup+rueC1iGAQ82GdkfHimIZL 
                                                                                                            X/HXUPWj2FKSq7WCgi41F4XU6z6BOk=;  
                                                                                                            Proxy: null)                      
UPDATE_ROLLBACK_IN_PROGRESS         AWS::CloudFormation::Stack          test-app-hosting                    The following resource(s) failed  
                                                                                                            to update: [BucketPolicy].        
UPDATE_COMPLETE                     AWS::S3::BucketPolicy               BucketPolicy                        -                                 
UPDATE_ROLLBACK_COMPLETE_CLEANUP_   AWS::CloudFormation::Stack          test-app-hosting                    -                                 
IN_PROGRESS                                                                                                                                   
UPDATE_ROLLBACK_COMPLETE            AWS::CloudFormation::Stack          test-app-hosting                    -                                 
---------------------------------------------------------------------------------------------------------------------------------------------
Error: Failed to create/update the stack: test-app-hosting, Waiter StackUpdateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "UPDATE_ROLLBACK_COMPLETE" at least once

Update #1

As both @luk2302 and @Marcin pointed out, I was missing the Statement > Principal section (I feel pretty dumb about it), but adding it now gives a new error:

---------------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus                      ResourceType                        LogicalResourceId                   ResourceStatusReason              
---------------------------------------------------------------------------------------------------------------------------------------------
UPDATE_IN_PROGRESS                  AWS::S3::BucketPolicy               BucketPolicy                        -                                 
UPDATE_FAILED                       AWS::S3::BucketPolicy               BucketPolicy                        Invalid policy syntax. (Service:  
                                                                                                            Amazon S3; Status Code: 400;      
                                                                                                            Error Code: MalformedPolicy;      
                                                                                                            Request ID: NH6PZB3QF0747F4N; S3  
                                                                                                            Extended Request ID: xdXOFPWgHCjg 
                                                                                                            Lzf4gdjCg79NIXS6qtmtLuGn8N7NeLIOJ 
                                                                                                            4Qw2bgSJ2v6MKdNzbrMCWCEPKBc90E=;  
                                                                                                            Proxy: null)                      
UPDATE_ROLLBACK_IN_PROGRESS         AWS::CloudFormation::Stack          test-app-hosting                    The following resource(s) failed  
                                                                                                            to update: [BucketPolicy].

2 Answers


  1. Chosen as BEST ANSWER

    Ok, after a lot of trial and error I found that the main problem was giving Resource and Condition.StringLike.aws:Referer array values instead of strings:

    Wrong

    Resource:
      - !Sub arn:aws:s3:::${AppBucket}
    Condition:
      StringLike:
        'aws:Referer':
          - !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'
    

    Right

    Resource: !Sub arn:aws:s3:::${AppBucket}
    Condition:
      StringLike:
        'aws:Referer': !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'
    

  2. Resource is incorrectly indented, and you are missing Principal as described in the AWS docs. It should be:

      BucketPolicy:
        Type: 'AWS::S3::BucketPolicy'
        DependsOn:
          - AppBucket
          - CloudFrontDistribution
        Properties:
          Bucket: !Ref AppBucket
          PolicyDocument:
            Id: MyPolicy
            Version: 2012-10-17
            Statement:
              - Sid: PolicyForCloudFrontPrivateContent
                Action: 's3:GetObject*'
                Effect: Allow
                Principal:
                  Service: cloudfront.amazonaws.com
                Resource: 
                  - !Sub arn:aws:s3:::${AppBucket}              
                Condition:
                  StringLike:
                    'aws:Referer':
                      - !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'
    
    
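
As an added illustration (not code from the question or either answer), the checker below encodes the structural rules behind the two MalformedPolicy errors in this thread: a bucket policy statement needs a Principal, Resource belongs at statement level rather than under Condition (where the question's YAML indentation put it), and Resource may be a single string or a list of strings. It goes one step beyond the thread by also flagging a bare bucket ARN used with s3:GetObject*, which is an object-level action; the sample documents, bucket name and distribution id are constructed.

```python
import copy

# Constructed sample (made-up ids): the question's PolicyDocument as S3 receives it
# once CloudFormation has resolved !Ref and !Sub.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "s3:GetObject*", "Effect": "Allow",
        "Condition": {
            "StringLike": {"aws:Referer": ["https://*.EXAMPLEDISTID.cloudfront.net/*"]},
            # the question's YAML indented Resource under Condition, so S3 sees it here
            "Resource": ["arn:aws:s3:::example-app-bucket"],
        },
    }],
}

# Condition keys must be IAM operators (StringLike, ArnEquals, IpAddress, ...), optionally
# behind a ForAllValues:/ForAnyValue: set prefix, which is split off before the check.
OPERATOR_PREFIXES = ("String", "Numeric", "Date", "Bool", "Binary", "IpAddress", "NotIpAddress", "Arn", "Null")

def _is_str_or_strs(value):
    return isinstance(value, str) or (isinstance(value, list) and all(isinstance(v, str) for v in value))

def lint_bucket_policy(doc):
    """Return the structural problems S3 would reject this bucket policy for."""
    problems = []
    for i, st in enumerate(doc.get("Statement", [])):
        where = f"Statement[{i}]"
        if not ("Principal" in st or "NotPrincipal" in st):  # mandatory in resource-based policies
            problems.append(f"{where}: Missing required field Principal")
        if not ("Resource" in st or "NotResource" in st):
            problems.append(f"{where}: Missing required field Resource")
        elif not _is_str_or_strs(st.get("Resource", st.get("NotResource"))):
            problems.append(f"{where}: Resource must be a string or a list of strings")
        for op, pairs in st.get("Condition", {}).items():
            if not op.split(":")[-1].startswith(OPERATOR_PREFIXES) or not isinstance(pairs, dict):
                problems.append(f"{where}: Invalid policy syntax, '{op}' is not a condition operator")
        actions = [st["Action"]] if isinstance(st.get("Action"), str) else st.get("Action", [])
        resources = [st["Resource"]] if isinstance(st.get("Resource"), str) else st.get("Resource", [])
        # s3:GetObject* acts on objects, so the ARN needs a key part (bucket/*), not the bare bucket
        if any(a.lower().startswith("s3:getobject") for a in actions) and resources \
                and not any("/" in r for r in resources):
            problems.append(f"{where}: object actions need an object ARN such as arn:aws:s3:::bucket/*")
    return problems

# The same statement with the fixes from the answers applied: Principal added, Resource moved
# back to statement level (and given the object path the action needs).
FIXED_POLICY = copy.deepcopy(QUESTION_POLICY)
_fixed = FIXED_POLICY["Statement"][0]
_fixed["Principal"] = {"Service": "cloudfront.amazonaws.com"}
_fixed["Resource"] = _fixed["Condition"].pop("Resource")[0] + "/*"
```

Running `lint_bucket_policy(QUESTION_POLICY)` reports the missing Principal, the missing statement-level Resource and the stray `Resource` key inside Condition, while `FIXED_POLICY` comes back clean.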