    def add_bucket_policy(self, bucket: s3.Bucket) -> s3.BucketPolicy:
        """Attach a public-read policy to *bucket* and register it on the template.

        Used when CloudFront is disabled: the single statement allows any
        principal (``"*"``) to call ``s3:getObject`` on every object under the
        bucket ARN, i.e. the objects become world-readable.

        NOTE(review): S3 Block Public Access (account or bucket level) can
        reject a policy with a wildcard principal; that setting is not managed
        here — confirm it matches the intended public hosting.

        Args:
            bucket: The bucket resource the policy is attached to.

        Returns:
            The bucket policy resource that was added to the template.

        """
        # Every object in the bucket ("<arn>/*"), not the bucket itself.
        all_objects = Join("", [bucket.get_att("Arn"), "/*"])
        public_read = Statement(
            Effect=Allow,
            Principal=Principal("*"),
            Action=[Action("s3", "getObject")],
            Resource=[all_objects],
        )
        policy_document = Policy(Version="2012-10-17", Statement=[public_read])
        bucket_policy = s3.BucketPolicy(
            "BucketPolicy",
            Bucket=bucket.ref(),
            PolicyDocument=policy_document,
        )
        return self.template.add_resource(bucket_policy)
 def _get_cloudfront_bucket_policy_statements(
         self, bucket: s3.Bucket,
         oai: cloudfront.CloudFrontOriginAccessIdentity) -> List[Statement]:
     """Build the bucket-policy statements that let only the CloudFront OAI read.

     Both statements name the OAI's canonical user as the sole principal; no
     wildcard principal is granted, so the bucket stays private to CloudFront.
     ``s3:GetObject`` is granted on the bucket's objects and ``s3:ListBucket``
     on the bucket ARN itself.

     Args:
         bucket: The origin bucket the statements refer to.
         oai: The origin access identity CloudFront uses to reach the bucket.

     Returns:
         The two statements, ready to be placed in a policy document.

     """
     # The OAI is identified by its canonical user id, not an IAM ARN.
     oai_principal = Principal("CanonicalUser",
                               oai.get_att("S3CanonicalUserId"))
     bucket_arn = bucket.get_att("Arn")
     read_objects = Statement(
         Action=[awacs.s3.GetObject],
         Effect=Allow,
         Principal=oai_principal,
         Resource=[Join("", [bucket_arn, "/*"])],
     )
     list_bucket = Statement(
         Action=[awacs.s3.ListBucket],
         Effect=Allow,
         Principal=oai_principal,
         Resource=[bucket_arn],
     )
     return [read_objects, list_bucket]
 def _get_cloudfront_bucket_policy_statements(
         bucket: s3.Bucket,
         oai: cloudfront.CloudFrontOriginAccessIdentity) -> List[Statement]:
     """Build the bucket-policy statement that lets only the CloudFront OAI read.

     The single statement grants ``s3:GetObject`` on the bucket's objects to
     the OAI's canonical user and to nobody else; no wildcard principal and no
     bucket-level (``ListBucket``) permission is included.

     Args:
         bucket: The origin bucket the statement refers to.
         oai: The origin access identity CloudFront uses to reach the bucket.

     Returns:
         A one-element list holding the read statement.

     """
     # S3CanonicalUserId is translated to the ARN when AWS renders this
     oai_principal = Principal("CanonicalUser",
                               oai.get_att("S3CanonicalUserId"))
     all_objects = Join("", [bucket.get_att("Arn"), "/*"])
     read_objects = Statement(
         Action=[awacs.s3.GetObject],
         Effect=Allow,
         Principal=oai_principal,
         Resource=[all_objects],
     )
     return [read_objects]