Using Cloudformation can you set the Authenticated Users group to have put/delete Access Control when creating an S3 Bucket?
1 Answer
This is not possible with the initial and respectively limited Access Control Lists (ACL) of Amazon S3, where only the predefined Canned ACLs are available for use with the AWS resource types supported by AWS CloudFormation in turn, see property AccessControl of the AWS::S3::Bucket resource:
A canned ACL that grants predefined permissions on the bucket. Default is Private. For more information about canned ACLs, see Canned ACLs in the Amazon S3 documentation.
Valid values for AccessControl: AuthenticatedRead | AwsExecRead | BucketOwnerRead | BucketOwnerFullControl | LogDeliveryWrite | Private | PublicRead | PublicReadWrite
Assuming you do not want to give put/delete access to all S3 users in fact (which the Authenticated Users group actually implies to the surprise of the unaware S3 developer), but only to the users of your own (or a well known set of) account(s) as usual for most use cases, you can achieve your goal by using S3 Bucket Policies instead.
The Example Cases for Amazon S3 Bucket Policies provide an example policy for Granting Permissions to Multiple Accounts with Added Restrictions, which grants PutObject, and PutObjectAcl permissions to multiple accounts and requires that the public-read canned acl is included - stripping this to the requested set and transforming it into a CloudFormation template snippet would yield the following approximately (you'd need to adjust the Principal to your account(s) of course):
    "Resources" : {
      "S3Bucket" : {
        "Type" : "AWS::S3::Bucket"
      },
      "BucketPolicy" : {
        "Type" : "AWS::S3::BucketPolicy",
        "Properties" : {
          "PolicyDocument": {
            "Id" : "Grant access to all account users",
            "Statement" : [{
              "Sid" : "PutObjectAccess",
              "Action" : ["s3:PutObject", "s3:DeleteObject"],
              "Effect" : "Allow",
              "Resource" : { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "S3Bucket"}, "/*" ]]},
              "Principal" : { "AWS": ["arn:aws:iam::111122223333:root","arn:aws:iam::444455556666:root"] }
            }]
          },
          "Bucket" : {"Ref" : "S3Bucket"}
        }
      }
    }
Please be aware of the peculiarities of Using ACLs and Bucket Policies Together in case.
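As an added illustration (not code from the answer or from AWS), the following Python builds the same kind of template for the put/delete case and lints a policy statement for the two pitfalls mentioned above: a principal that matches every AWS account (what the AuthenticatedUsers ACL group amounts to) and an object action granted on a bare bucket ARN. The account ids are the placeholder ones from the snippet; the function and variable names are my own.

```python
import re

# Object-level actions only make sense on "arn:aws:s3:::bucket/*", not the bare bucket ARN.
OBJECT_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:GetObject", "s3:PutObjectAcl"}

def principal_arns(account_ids):
    """Root ARNs of the named accounts: the bucket-policy way to say 'users of my accounts'."""
    for acct in account_ids:
        if not re.fullmatch(r"\d{12}", acct):
            raise ValueError(f"not a 12-digit AWS account id: {acct}")
    return [f"arn:aws:iam::{acct}:root" for acct in account_ids]

def build_template(account_ids, actions=("s3:PutObject", "s3:DeleteObject")):
    """CloudFormation template (as a dict): a bucket plus a policy granting ACTIONS on its objects to ACCOUNT_IDS only."""
    statement = {
        "Sid": "PutDeleteObjectAccess",
        "Effect": "Allow",
        "Action": list(actions),
        "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3Bucket"}, "/*"]]},
        "Principal": {"AWS": principal_arns(account_ids)},
    }
    return {"Resources": {
        "S3Bucket": {"Type": "AWS::S3::Bucket"},
        "BucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {"Bucket": {"Ref": "S3Bucket"},
                           "PolicyDocument": {"Id": "NamedAccountsOnly", "Statement": [statement]}}}}}

def resource_text(res):
    """Render a Resource value, including a Fn::Join containing a Ref, as a plain string."""
    if isinstance(res, dict) and "Fn::Join" in res:
        sep, parts = res["Fn::Join"]
        return sep.join(p if isinstance(p, str) else f"<{p.get('Ref', '?')}>" for p in parts)
    return res

def lint_statement(stmt):
    """Return findings for an over-broad Principal or an object action on a bucket-level ARN."""
    findings = []
    principal = stmt.get("Principal", {})
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    aws = [aws] if isinstance(aws, str) else list(aws)
    if any("*" in p for p in aws):
        findings.append("Principal matches every AWS account; restrict it to named account ARNs")
    resources = stmt.get("Resource", [])
    resources = [resources] if not isinstance(resources, list) else resources
    for action in stmt.get("Action", []):
        if action in OBJECT_ACTIONS and not any(resource_text(r).endswith("/*") for r in resources):
            findings.append(f"{action} needs an object-level Resource (bucket ARN + '/*')")
    return findings
```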
-
That was helpful, thanks, but your "peculiarities" link above is dead. Can you summarise the issues or find where it moved to? – telent, Sep 29, 2014 at 10:07
-
@telent - the content seems to have gone during a significant restructuring of the entire section. I need to rephrase this somehow later on, but right now the former content is still available in the AWS China (Beijing) Region docs, see Using ACLs and Bucket Policies Together at least. Sep 29, 2014 at 18:20
arn:aws:iam::*:root; this doesn't seem to be possible though, at least it isn't documented (you might give it a shot of course).