def add_bucket_policy(self, bucket: s3.Bucket) -> s3.BucketPolicy:
    """Attach a public-read policy to the bucket (used when CloudFront is disabled).

    The policy holds one statement that lets the anonymous principal (``"*"``)
    call ``s3:getObject`` on every key under the bucket, so the whole bucket
    content becomes world-readable through the S3 endpoint.

    Args:
        bucket: The bucket resource to place the policy on.

    Returns:
        The Bucket Policy resource, after it has been added to ``self.template``.

    """
    every_object = Join("", [bucket.get_att("Arn"), "/*"])
    # awacs renders this as "s3:getObject"; IAM matches action names
    # case-insensitively, so it behaves like the canonical s3:GetObject.
    public_read = Statement(
        Effect=Allow,
        Principal=Principal("*"),
        Action=[Action("s3", "getObject")],
        Resource=[every_object],
    )
    policy_document = Policy(Version="2012-10-17", Statement=[public_read])
    bucket_policy = s3.BucketPolicy(
        "BucketPolicy",
        Bucket=bucket.ref(),
        PolicyDocument=policy_document,
    )
    return self.template.add_resource(bucket_policy)
def _get_cloudfront_bucket_policy_statements(
    self,
    bucket: s3.Bucket,
    oai: cloudfront.CloudFrontOriginAccessIdentity,
) -> List[Statement]:
    """Build the bucket-policy statements that let a CloudFront OAI read the bucket.

    Two statements are produced: ``s3:GetObject`` on every key under the bucket
    and ``s3:ListBucket`` on the bucket itself. Both are scoped to the OAI's
    canonical user rather than to a wildcard principal.

    Args:
        bucket: The origin bucket.
        oai: The origin access identity CloudFront uses to reach the bucket.

    Returns:
        The statements to place in the bucket's policy document.

    """

    def oai_principal() -> Principal:
        # The OAI is addressed by its canonical user id; AWS resolves the
        # attribute when the template is rendered.
        return Principal("CanonicalUser", oai.get_att("S3CanonicalUserId"))

    bucket_arn = bucket.get_att("Arn")
    read_objects = Statement(
        Action=[awacs.s3.GetObject],
        Effect=Allow,
        Principal=oai_principal(),
        Resource=[Join("", [bucket_arn, "/*"])],
    )
    # ListBucket is a bucket-level operation, so it is granted on the bucket
    # ARN itself rather than on "/*". NOTE(review): this lets the OAI
    # enumerate keys; presumably wanted so missing objects surface as 404
    # rather than 403 — confirm that is intended.
    list_bucket = Statement(
        Action=[awacs.s3.ListBucket],
        Effect=Allow,
        Principal=oai_principal(),
        Resource=[bucket_arn],
    )
    return [read_objects, list_bucket]
def _get_cloudfront_bucket_policy_statements(
    bucket: s3.Bucket,
    oai: cloudfront.CloudFrontOriginAccessIdentity,
) -> List[Statement]:
    """Build the bucket-policy statement that lets a CloudFront OAI fetch objects.

    A single ``s3:GetObject`` statement is produced, scoped to the OAI's
    canonical user and to every key under the bucket. No bucket-level
    (listing) permission is granted here.

    Args:
        bucket: The origin bucket.
        oai: The origin access identity CloudFront uses to reach the bucket.

    Returns:
        A one-element list holding the statement for the bucket's policy document.

    """
    # NOTE(review): this listing also contains a sibling of the same name that
    # takes ``self`` and additionally grants ListBucket; confirm which
    # definition is the live one.
    every_object = Join("", [bucket.get_att("Arn"), "/*"])
    # S3CanonicalUserId is translated to the ARN when AWS renders this.
    oai_principal = Principal("CanonicalUser", oai.get_att("S3CanonicalUserId"))
    read_objects = Statement(
        Action=[awacs.s3.GetObject],
        Effect=Allow,
        Principal=oai_principal,
        Resource=[every_object],
    )
    return [read_objects]