Question

The following is an example of setting a bucket policy in a CFN template for a bucket.

"mybucketpolicy" : {
   "Type" : "AWS::S3::BucketPolicy",
   "Properties" : {
      "PolicyDocument" : {
         "Id" : "MyPolicy",
         "Statement" : [ {
            "Sid" : "ReadAccess",
            "Action" : [ "s3:GetObject" ],
            "Effect" : "Allow",
            "Resource" : { "Fn::Join" : [
                  "", [ "arn:aws:s3:::", { "Ref" : "mybucket" } , "/*" ]
               ] },
            "Principal" : {
               "AWS" : { "Fn::GetAtt" : [ "mygroup", "Arn" ] }
            }
         } ]
      },
      "Bucket" : { "Ref" : "mybucket" }
   }
}

If I want to apply a policy to another bucket, in addition to mybucket, how would I do that?

Do I have to:

  1. create a brand new bucket policy, let's say 'mybucketpolicy2', which would be very similar to the above?
  2. just add one more item to the 'Statement' array above with the new bucket name? If yes, then this would be in conflict with the "Bucket" key above, won't it?
  3. some other way?

PS: I have asked the same question on the AWS CFN forum, but I have come to realize that I get answers quicker on SO than on the AWS forums.


Answer

You can't attach an AWS::S3::BucketPolicy resource to more than one bucket. To attach a policy to more than one resource you will need to use IAM resources. The AWS::IAM::Policy resource is used for defining policies through IAM management and applying them to various resources. In my opinion the IAM interface is much more powerful and flexible than the old-style policy resources (but is more complicated). Not only can you have a single policy applied to more than one bucket, but you can also have multiple policies (statements) applied to multiple buckets and assigned to multiple IAM users/groups/roles.

You grant access to the specific policy using IAM groups or users that could be created in your CloudFormation template using, e.g., AWS::IAM::Group resources.

Adapt this snippet to your needs:

"GetS3ContentPolicy" : {
  "Type" : "AWS::IAM::Policy",
  "Properties" : {
    "PolicyName" : "S3ContentPolicy",
    "PolicyDocument" : {
      "Statement" : [ {
        "Effect" : "Allow",
        "Action" : [
          "s3:ListBucket"
        ],
        "Resource" : [ 
          { "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "PubS3Bucket" } ] ] },
          { "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "SecretS3Bucket" } ] ] }
        ]
      },
      {
        "Effect" : "Allow",
        "Action" : [
          "s3:GetObject",
          "s3:GetObjectVersion"
        ],
        "Resource" : [ 
          { "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "PubS3Bucket" }, "/*" ] ] },
          { "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "SecretS3Bucket" }, "/*" ] ] }
        ]
      } ]
    },
    "Groups" : [
      { "Ref" : "ManagementInstancesGroup" },
      { "Ref" : "WebInstancesGroup" }
    ]
  }
},
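As an added worked example (not code from the question or the answer above), the script below generates one CloudFormation template that covers several buckets both ways: option 1 from the question, one AWS::S3::BucketPolicy per bucket, all produced from the same helper so they cannot drift apart, and the answer's approach, one AWS::IAM::Policy whose Resource list names every bucket, attached to IAM groups. It also includes the check a reviewer would want for option 2: a function that flags any BucketPolicy whose statements name a bucket other than the one in its Bucket property, since S3 rejects such a policy at deploy time (MalformedPolicy, "Policy has invalid resource"). Two caveats the original post does not mention: a resource-based policy cannot name an IAM group as its Principal, which is why the generated bucket policies use a role ARN instead of the question's Fn::GetAtt on a group; and an identity policy (the answer's AWS::IAM::Policy) only grants to principals in your own account, so cross-account readers still need a bucket policy. The logical IDs (PubS3Bucket, SecretS3Bucket, WebInstancesGroup, ReaderRole) and the EC2 trust policy are assumptions for this example.

```python
import json


def bucket_arn(bucket_id, suffix=""):
    """arn:aws:s3:::<bucket><suffix>, built with Fn::Join as in the post."""
    return {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": bucket_id}, suffix]]}


def bucket_policy_resource(bucket_id, principal_arn):
    """One AWS::S3::BucketPolicy; it can only ever name a single bucket.
    Resource-based policies cannot use an IAM group as Principal, so the
    caller passes a role or user ARN (an assumption of this example)."""
    return {
        "Type": "AWS::S3::BucketPolicy",
        "Properties": {
            "Bucket": {"Ref": bucket_id},
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Sid": "ReadAccess",
                    "Effect": "Allow",
                    "Principal": {"AWS": principal_arn},
                    "Action": ["s3:GetObject"],
                    "Resource": bucket_arn(bucket_id, "/*"),
                }],
            },
        },
    }


def iam_policy_resource(bucket_ids, group_ids):
    """One AWS::IAM::Policy that covers every bucket in bucket_ids."""
    return {
        "Type": "AWS::IAM::Policy",
        "Properties": {
            "PolicyName": "S3ContentPolicy",
            "Groups": [{"Ref": g} for g in group_ids],
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {  # bucket-level action: bucket ARN without /*
                        "Effect": "Allow",
                        "Action": ["s3:ListBucket"],
                        "Resource": [bucket_arn(b) for b in bucket_ids],
                    },
                    {  # object-level actions: bucket ARN with /*
                        "Effect": "Allow",
                        "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                        "Resource": [bucket_arn(b, "/*") for b in bucket_ids],
                    },
                ],
            },
        },
    }


def build_template(bucket_ids, group_ids, role_id="ReaderRole"):
    """Buckets, groups, an EC2-assumable role (assumed trust policy), one
    bucket policy per bucket and one IAM policy spanning all buckets."""
    resources = {b: {"Type": "AWS::S3::Bucket"} for b in bucket_ids}
    resources.update({g: {"Type": "AWS::IAM::Group"} for g in group_ids})
    resources[role_id] = {
        "Type": "AWS::IAM::Role",
        "Properties": {"AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"Service": "ec2.amazonaws.com"}}]}},
    }
    role_arn = {"Fn::GetAtt": [role_id, "Arn"]}
    for b in bucket_ids:
        resources[b + "Policy"] = bucket_policy_resource(b, role_arn)
    resources["S3ContentPolicy"] = iam_policy_resource(bucket_ids, group_ids)
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}


def bucket_policy_mismatches(template):
    """Logical IDs of BucketPolicy resources whose statements name a bucket
    other than the one in their Bucket property (the question's option 2).
    Only understands the Fn::Join shape produced by bucket_arn()."""
    bad = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::S3::BucketPolicy":
            continue
        props = res["Properties"]
        owner = props["Bucket"]["Ref"]
        for stmt in props["PolicyDocument"]["Statement"]:
            arns = stmt["Resource"]
            arns = arns if isinstance(arns, list) else [arns]
            if any(a["Fn::Join"][1][1]["Ref"] != owner for a in arns):
                bad.append(name)
                break
    return bad


if __name__ == "__main__":
    tpl = build_template(["PubS3Bucket", "SecretS3Bucket"], ["WebInstancesGroup"])
    print(json.dumps(tpl, indent=2))
    print("mismatched bucket policies:", bucket_policy_mismatches(tpl))
```

Running the script prints the template as JSON; pipe it into `aws cloudformation validate-template --template-body file://...` before deploying. Note that the generated bucket policies and the IAM policy grant different things: the bucket policies allow only s3:GetObject to the role, while the IAM policy also allows s3:ListBucket and s3:GetObjectVersion to the groups. Keep each set as narrow as the consumers actually need, because a principal covered by both gets the union of the allows.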
License: CC-BY-SA with attribution