如何使用 AWS CDK 添加 S3 BucketPolicy？

Question

我想把这个 CloudFormation 片段翻译成 CDK：

Type: AWS::S3::BucketPolicy
Properties:
  Bucket:
    Ref: S3BucketImageUploadBuffer
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      Action:
        - s3:PutObject
        - s3:PutObjectAcl
      Effect: Allow
      Resource:
        - ...

查看documentation here，我看不到提供策略文档本身的方法。

Answer 1

根据最初的问题，@thomas-wagner 的答案是要走的路。

如果有人来这里寻找如何为 CloudFront 分配创建存储桶策略而不创建对存储桶的依赖关系，那么您需要使用 L1 构造 CfnBucketPolicy（以下粗略的 C# 示例）：

    IOriginAccessIdentity originAccessIdentity = new OriginAccessIdentity(this, "origin-access-identity", new OriginAccessIdentityProps
    {
        Comment = "Origin Access Identity",
    });

    PolicyStatement bucketAccessPolicy = new PolicyStatement(new PolicyStatementProps
    {
        Effect = Effect.ALLOW,
        Principals = new[]
        {
            originAccessIdentity.GrantPrincipal
        },
        Actions = new[]
        {
            "s3:GetObject",
        },
        Resources = new[]
        {
            Props.OriginBucket.ArnForObjects("*"),
        }
    });

    _ = new CfnBucketPolicy(this, $"bucket-policy", new CfnBucketPolicyProps
    {
        Bucket = Props.OriginBucket.BucketName,
        PolicyDocument = new PolicyDocument(new PolicyDocumentProps
        {
            Statements = new[]
            {
                bucketAccessPolicy,
            },
        }),
    });

其中Props.OriginBucket 是IBucket 的一个实例（只是一个桶）。

Answer 2

这是来自工作 CDK 堆栈的示例：

   artifactBucket.addToResourcePolicy(
      new PolicyStatement({
        resources: [
          this.pipeline.artifactBucket.arnForObjects("*"), 
          this.pipeline.artifactBucket.bucketArn],
        ],
        actions: ["s3:List*", "s3:Get*"],
        principals: [new ArnPrincipal(this.deploymentRole.roleArn)]
      })
    );

Answer 3

基于@Thomas Wagner 的回答，我就是这样做的。我试图将存储桶限制在给定的 IP 范围内：

import * as cdk from '@aws-cdk/core';
import * as s3 from '@aws-cdk/aws-s3';
import * as s3Deployment from '@aws-cdk/aws-s3-deployment';
import * as iam from '@aws-cdk/aws-iam';

export class StaticSiteStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Bucket where frontend site goes.
    const mySiteBucket = new s3.Bucket(this, 'mySiteBucket', {
      websiteIndexDocument: "index.html"
    });

    let ipLimitPolicy = new iam.PolicyStatement({
      actions: ['s3:Get*', 's3:List*'],
      resources: [mySiteBucket.arnForObjects('*')],
      principals: [new iam.AnyPrincipal()]
    });
    ipLimitPolicy.addCondition('IpAddress', {
      "aws:SourceIp": ['1.2.3.4/22']
    });
    // Allow connections from my CIDR
    mySiteBucket.addToResourcePolicy(ipLimitPolicy);


    // Deploy assets
    const mySiteDeploy = new s3Deployment.BucketDeployment(this, 'deployAdminSite', {
      sources: [s3Deployment.Source.asset("./mysite")],
      destinationBucket: mySiteBucket
    });

  }
}

我能够使用 s3.arnForObjects() 和 iam.AnyPrincipal() 辅助函数，而不是直接指定 ARN 或 Principal。

我要部署到存储桶的资产保存在我的项目目录的根目录中名为mysite 的目录中，然后通过调用s3Deployment.BucketDeployment 进行引用。当然，这可以是您的构建过程可以访问的任何目录。

Answer 4

CDK 的做法稍有不同。我相信你应该使用bucket.addToResourcePolicy，正如here所记录的那样。