S3 create bucket policy

security
aws
#1

Hello,
I would like to create an S3 bucket policy and attach a function to that, so that users are only able to add specific file types and the function is able to act on these files - so my function should have GetObject and my users should be able to do PutObject.

What is the correct way to set this up in my serverless.yml?

This is what I have so far:

service: filetype

provider:
  name: aws
  runtime: go1.x
  iamRoleStatements:
    # The function only needs to read the uploaded objects.
    - Effect: Allow
      Action:
        - "s3:GetObject"
      Resource:
        Fn::Join:
          - ""
          -
            - "arn:aws:s3:::"
            -
              # NOTE: Ref takes the logical ID of a resource declared in this
              # template; a bucket name read from config.yml is only a string.
              Ref: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
            - "/*"

  stage: ${opt:stage}
  region: ${file(./config.yml):${opt:stage}.REGION}
  environment:
    AIPS_UPLOADS_BUCKET: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}

package:
  exclude:
    - ./**
  include:
    - ./filetype

functions:
  aips:
    handler: filetype
    memorySize: 128
    events:
      - s3:
          bucket: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
          event: s3:ObjectCreated:*
    timeout: 40
    environment:
      HOST: ${file(./config.yml):${opt:stage}.HOST}
      USER: ${file(./config.yml):${opt:stage}.USER}
      PASS: ${file(./config.yml):${opt:stage}.PASS}
      FOLDER: ${file(./config.yml):${opt:stage}.FOLDER}

# NOTE: this block sits at the top level of serverless.yml, where the
# framework ignores it; CloudFormation resources are only picked up under
# resources: / Resources:.
SampleBucketPolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket:
      # NOTE: Bucket expects the bucket name; Ref only resolves a logical ID.
      Ref: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
    PolicyDocument:
      Statement:
        -
          Action:
            - "s3:PutObject"
          Effect: "Deny"
          Resource:
            Fn::Join:
              - ""
              -
                - "arn:aws:s3:::"
                -
                  Ref: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
                - "/*"
          Principal: "*"
          # NOTE: NotResource is not a Condition operator. It is a
          # statement-level element used in place of Resource.
          Condition:
            NotResource:
              Fn::Join:
                - ""
                -
                  - "arn:aws:s3:::"
                  -
                    Ref: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
                  - "/*.pdf"

But the bucket policies are not updated when I deploy my function.

What am I missing?

#2

OK, I was missing the

resources:
  Resources:

from my template, although now I get this error:

Serverless: Validating template...

  Error --------------------------------------------------

  The CloudFormation template is invalid: Template format error: Unresolved resource dependencies [aips-uploads-prod] in the Resources block of the template

     For debugging logs, run again after setting the "SLS_DEBUG=*" environment variable.

looking at https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html

I got this:

resources:
  Resources:
    SampleBucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        # NOTE: Bucket expects the bucket name, not an ARN, and Ref only
        # resolves the logical ID of a resource in this template; that is
        # where the "Unresolved resource dependencies" error comes from.
        Bucket:
          Ref: "arn:aws:s3:::${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}"
        PolicyDocument:
          Statement:
            -
              Action:
                - "s3:PutObject"
              Effect: "Deny"
              Resource: "arn:aws:s3:::${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}/*"
              Principal: "*"
              # NOTE: NotResource is not a Condition operator. It belongs at
              # statement level, replacing Resource.
              Condition:
                NotResource:
                  - "arn:aws:s3:::${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}/*.pdf"
                  - "arn:aws:s3:::${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}/*.jpg"

But it is still not correct. What am I missing?
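
A corrected version of the serverless.yml fragments from the two posts above, added here as an example; it is not code from the original posts. It keeps the thread's config.yml keys (AIPS_UPLOADS_BUCKET, REGION) and the function definition, fixes the three CloudFormation errors (Ref on a plain name, an ARN in the Bucket property, NotResource nested under Condition), and assumes the bucket already exists under the name in config.yml. The custom.uploadsBucket variable and the UploadsBucketPolicy logical ID are names chosen for this example.

```yaml
# Added example, not from the original posts. Assumes ./config.yml defines
# <stage>.AIPS_UPLOADS_BUCKET and <stage>.REGION as in the thread.
service: filetype

custom:
  # Resolve the bucket name once; everything below refers to this variable.
  uploadsBucket: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}

provider:
  name: aws
  runtime: go1.x
  stage: ${opt:stage}
  region: ${file(./config.yml):${opt:stage}.REGION}
  iamRoleStatements:
    # Least privilege for the function: it only reads uploaded objects.
    - Effect: Allow
      Action:
        - s3:GetObject
      # A plain string ARN. Ref would only work for a logical ID declared
      # in this template, not for a bucket name coming from config.yml.
      Resource: arn:aws:s3:::${self:custom.uploadsBucket}/*
  environment:
    AIPS_UPLOADS_BUCKET: ${self:custom.uploadsBucket}

package:
  exclude:
    - ./**
  include:
    - ./filetype

functions:
  aips:
    handler: filetype
    memorySize: 128
    timeout: 40
    events:
      - s3:
          bucket: ${self:custom.uploadsBucket}
          event: s3:ObjectCreated:*
    environment:
      HOST: ${file(./config.yml):${opt:stage}.HOST}
      USER: ${file(./config.yml):${opt:stage}.USER}
      PASS: ${file(./config.yml):${opt:stage}.PASS}
      FOLDER: ${file(./config.yml):${opt:stage}.FOLDER}

# CloudFormation resources are only emitted from resources: / Resources:.
resources:
  Resources:
    UploadsBucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        # Bucket takes the bucket *name*: no ARN prefix, no Ref.
        Bucket: ${self:custom.uploadsBucket}
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            # Explicit Deny beats any Allow, so every PutObject whose key does
            # not end in one of the listed suffixes is rejected, whoever the
            # caller is. NotResource sits at statement level in place of
            # Resource; it is not a Condition operator.
            - Sid: DenyUploadsWithUnexpectedSuffix
              Effect: Deny
              Principal: "*"
              Action:
                - s3:PutObject
              NotResource:
                - arn:aws:s3:::${self:custom.uploadsBucket}/*.pdf
                - arn:aws:s3:::${self:custom.uploadsBucket}/*.jpg
```

Three points worth checking after `sls deploy`. First, this statement only denies; the users' PutObject permission still has to come from their own IAM policy (or an Allow statement with a specific Principal in this bucket policy), and the Deny merely narrows it. Second, if the bucket is created by the framework from the s3 event rather than existing beforehand, CloudFormation cannot infer an ordering from a plain name string, so add a DependsOn pointing at the bucket's generated logical ID (read it from the template the framework writes under .serverless/ after `sls package`). Third, ARN matching is case-sensitive and looks only at the key name: `report.PDF` is denied unless listed, and a key ending in `.pdf` says nothing about the object's content, so the function should still validate what it reads.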

#3

I met the same problem ("the bucket policies are not updated when I deploy my function"). Did you fix the issue?