10

I have an existing S3 bucket my-bucket.

I am writing a new CloudFormation template file which creates some new AWS resource that interacts with my-bucket. Now, my business use-case requires me to add a new permission statement to the bucketpolicy for my-bucket from within the CloudFormation template file.

SourceBucketBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: my-bucket
      PolicyDocument:
        Statement:
          - Effect: "Allow"
            Action:
              - 's3:PutBucketNotificationConfiguration'
            Resource: "arn:aws:s3:::my-bucket"
            Principal:
              AWS: !GetAtt MyLambdaExecutionRole.Arn

The problem is that the bucket already has the following bucket-policy that was added by someone else manually via the AWS Console at some point in the past. It's an important bucket-policy from a business perspective so I cannot get rid of it:

{
    "Version": "2012-10-17",
    "Id": "S3-Policy",
    "Statement": [
        {
            "Sid": "DataCraft-012345678901-S3-datacraft",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::012345678901:user/datacraft"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}

So I guess my only option is to update the existing bucket-policy to additionally accommodate my new policy statement. The question is: how can I do that through the CloudFormation template file?

EDIT: For those interested, I eventually solved the problem by writing an AWS::IAM::Policy instead of AWS::S3::BucketPolicy:

SourceBucketNotificationConfigurationPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: s3:PutBucketNotification
            Effect: Allow
            Resource: "arn:aws:s3:::my-bucket"
        Version: '2012-10-17'
      PolicyName: BucketNotificationsRolePolicy
      Roles:
        - Ref: MyLambdaExecutionRole.Arn
Improve this question

2 Answers 2

Reset to default
5

Sadly, you can't update an existing policy which is not managed by CloudFormation.

The only thing you can do is to replace policy in the bucket using CloudFormation by recreating it.

What's more, existing bucket policies can't be imported into CloudFormation. The reason is that AWS::S3::BucketPolicy is not a supported resource for importing.

Edit: Based on @JeremyThompson's Comment

I verified the use of UpdateReplacePolicy: Retain.

For that I used my own bucket and with policy. Both were created outside of CloudFormation, using the AWS console.

Then, I created a CFN template with AWS::S3::BucketPolicy. The deployment of the template failed, with or without UpdateReplacePolicy: Retain with error message:

The bucket policy already exists on bucket <bucket-name>.

This means that you can't replace existing bucket policy. The policy must be recreated in CloudFormation.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Really? If you set the UpdateReplacePolicy: Retain can't you then safely replace the S3 Buckets Policy? docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/…
@JeremyThompson My understanding is that the OP want's to add or modify existing policy which is not controlled by CloudFormation. Have I misunderstood the issue?
I was looking at this and thinking it can be done: stackoverflow.com/questions/47931342/…
@JeremyThompson I will double check it using my own bucket and policies. For now I can remove the answer, until then. Thanks for letting me know:_)
“ The only thing you can do is to replace policy in the bucket using CloudFormation by recreating it.” how can you do this?
1

You can also create a CustomResource, where you implement the logic for updating an existing bucket policy. Be sure to implement the handling of all resource events: Create, Update, Delete.

For example, here is an implementation for creating folders in S3: https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-s3-custom-resources/

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.