S3 create bucket policy

Hello,
I would like to create an S3 bucket policy and attach a function to it, so that users are only able to add specific file types and the function is able to act on these files. So my function should have GetObject and my users should be able to do PutObject.

What is the correct way to set this up in my serverless.yml?

This is what I have so far:

service: filetype

provider:
  name: aws
  runtime: go1.x
  iamRoleStatements:
    - Effect: Allow
      Action: 
        - "s3:getObject"
      Resource: 
        Fn::Join: 
          - ""
          - 
            - "arn:aws:s3:::"
            - 
              Ref: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
            - "/*"

  stage: ${opt:stage}
  region: ${file(./config.yml):${opt:stage}.REGION}
  environment:
    AIPS_UPLOADS_BUCKET: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}

package:
 exclude:
   - ./**
 include:
   - ./filetype

functions:
  aips:
    handler: filetype
    memorySize: 128
    events:
      - s3:
          bucket: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
          event: s3:ObjectCreated:*
    timeout: 40
    environment:
      HOST: ${file(./config.yml):${opt:stage}.HOST}
      USER: ${file(./config.yml):${opt:stage}.USER}
      PASS: ${file(./config.yml):${opt:stage}.PASS}
      FOLDER: ${file(./config.yml):${opt:stage}.FOLDER}

SampleBucketPolicy: 
  Type: AWS::S3::BucketPolicy
  Properties: 
    Bucket: 
      Ref: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
    PolicyDocument: 
      Statement: 
        - 
          Action: 
            - "s3:putObject"
          Effect: "Deny"
          Resource: 
            Fn::Join: 
              - ""
              - 
                - "arn:aws:s3:::"
                - 
                  Ref: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
                - "/*"
          Principal: "*"
          Condition: 
            NotResource:
              Fn::Join: 
                - ""
                - 
                  - "arn:aws:s3:::"
                  - 
                    Ref: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
                  - "/*.pdf"

But the bucket policies are not updated when I deploy my function.

What am I missing?

OK, I was missing the

resources
  Resources

from my template, although now I get this error:

Serverless: Validating template...
 
  Error --------------------------------------------------
 
  The CloudFormation template is invalid: Template format error: Unresolved resource dependencies [aips-uploads-prod] in the Resources block of the template
 
     For debugging logs, run again after setting the "SLS_DEBUG=*" environment variable.

looking at https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html

I got this:

resources:
  Resources:
    SampleBucketPolicy: 
      Type: AWS::S3::BucketPolicy
      Properties: 
        Bucket:
           Ref: "arn:aws:s3:::${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}"
        PolicyDocument: 
          Statement: 
            - 
              Action: 
                - "s3:putObject"
              Effect: "Deny"
              Resource: "arn:aws:s3:::${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}/*"
              Principal: "*"
              Condition: 
                NotResource:
                  - "arn:aws:s3:::${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}/*.pdf"
                  - "arn:aws:s3:::${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}/*.jpg"

But it is still not correct. What am I missing?
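A version of the serverless.yml above that fixes the two structural problems in the posted attempts (Ref applied to a bucket name or ARN, and NotResource placed under Condition). This is an added example, not the original poster's configuration or anything from the Serverless Framework project. It assumes the Serverless Framework creates the bucket for the s3 event itself and names that CloudFormation resource "S3Bucket" plus the bucket name with non-alphanumeric characters removed and the first letter upper-cased; for the bucket name aips-uploads-prod seen in the error output that is S3BucketAipsuploadsprod, and the custom.uploadsBucketLogicalId entry is the place to change it for other stages. config.yml keys are the ones already used on this page.

```yaml
service: filetype

custom:
  uploadsBucket: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
  # Logical ID of the bucket Serverless generates for the s3 event below:
  # "S3Bucket" + bucket name without non-alphanumerics, first letter upper-cased.
  # For aips-uploads-prod this is S3BucketAipsuploadsprod (assumption; other
  # stages need their own value).
  uploadsBucketLogicalId: S3BucketAipsuploadsprod

provider:
  name: aws
  runtime: go1.x
  stage: ${opt:stage}
  region: ${file(./config.yml):${opt:stage}.REGION}
  environment:
    AIPS_UPLOADS_BUCKET: ${self:custom.uploadsBucket}
  iamRoleStatements:
    # Least privilege for the function: it only reads uploads.
    - Effect: Allow
      Action:
        - s3:GetObject
      Resource:
        Fn::Join:
          - ""
          - - "arn:aws:s3:::"
            - Ref: ${self:custom.uploadsBucketLogicalId}
            - "/*"

package:
  exclude:
    - ./**
  include:
    - ./filetype

functions:
  aips:
    handler: filetype
    memorySize: 128
    timeout: 40
    events:
      - s3:
          bucket: ${self:custom.uploadsBucket}
          event: s3:ObjectCreated:*

resources:
  Resources:
    UploadsBucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        # Ref on a bucket resource returns its name, which is what Bucket expects.
        # Ref on a literal name or ARN is what caused the
        # "Unresolved resource dependencies" error.
        Bucket:
          Ref: ${self:custom.uploadsBucketLogicalId}
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            # NotResource is a statement element, not a Condition key. This
            # statement denies PutObject, for every principal, on any key that
            # does not end in one of the allowed extensions.
            - Sid: DenyUploadsOfOtherFileTypes
              Effect: Deny
              Principal: "*"
              Action:
                - s3:PutObject
              NotResource:
                - Fn::Join:
                    - ""
                    - - "arn:aws:s3:::"
                      - Ref: ${self:custom.uploadsBucketLogicalId}
                      - "/*.pdf"
                - Fn::Join:
                    - ""
                    - - "arn:aws:s3:::"
                      - Ref: ${self:custom.uploadsBucketLogicalId}
                      - "/*.jpg"
```

The policy only denies; the Allow for PutObject that the uploading users need still comes from their own IAM identities (or from an additional Allow statement scoped to their principal, which the thread does not specify). Two caveats worth knowing: ARN matching is case-sensitive, so a key ending in .PDF is denied unless that pattern is listed too, and the extension is chosen by the uploader, so the function should still inspect the object content rather than trust the name.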

I met the same problem (the bucket policies are not updated when I deploy my function). Did you fix the issue?

Adding the S3 bucket policy as a resource worked for me:

resources: {
    Resources: {
      // S3 Bucket for the distribution bundles
      DistBucket: {
        Type: "AWS::S3::Bucket",
        DeletionPolicy: "Delete",
        Properties: {
          CorsConfiguration: {
            CorsRules: [
              {
                AllowedHeaders: ["*"],
                AllowedMethods: ["GET"],
                AllowedOrigins: [
                  {
                    "Fn::Join": [
                      "",
                      [
                        "https://",
                        {
                          Ref: "ApiGatewayRestApi",
                        },
                        ".execute-api.",
                        {
                          Ref: "AWS::Region",
                        },
                        ".amazonaws.com",
                      ],
                    ],
                  },
                ],
                MaxAge: 3000,
              },
            ],
          },
        },
      },
      // S3 Bucket Policy for the distribution bundles
      DistBucketPolicy: {
        Type: "AWS::S3::BucketPolicy",
        Properties: {
          Bucket: {
            Ref: "DistBucket",
          },
          PolicyDocument: {
            Statement: [
              {
                Action: ["s3:GetObject"],
                Effect: "Allow",
                Resource: [
                  {
                    "Fn::Join": [
                      "",
                      [
                        "arn:aws:s3:::",
                        {
                          Ref: "DistBucket",
                        },
                        "/*",
                      ],
                    ],
                  },
                ],
                Principal: "*",
              },
            ],
            Version: "2012-10-17",
          },
        },
      },
    },
},