fix: change deny exception policy

ExpediaGroup · Aug 27, 2024 · c9680cf · c9680cf
1 parent 2ba83fb
commit c9680cf
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/templates/apiary-bucket-policy.json b/templates/apiary-bucket-policy.json
@@ -86,6 +86,35 @@
 %{endfor ~}
 %{endif}
 %{if deny_exception_iamroles != "" }
+        {
+            "Sid": "Allow write permissions to the exception roles",
+            "Effect": "Allow",
+            "Principal": "*",
+            "Action": [
+                "s3:GetBucketLocation",
+                "s3:GetObject",
+                "s3:GetObjectAcl",
+                "s3:GetBucketAcl",
+                "s3:ListBucket",
+                "s3:PutObject",
+                "s3:PutObjectAcl",
+                "s3:DeleteObject",
+                "s3:GetBucketVersioning",
+                "s3:PutBucketVersioning",
+                "s3:ReplicateObject",
+                "s3:ReplicateDelete",
+                "s3:ObjectOwnerOverrideToBucketOwner"
+            ],
+            "Resource": [
+                "arn:aws:s3:::${bucket_name}",
+                "arn:aws:s3:::${bucket_name}/*"
+            ],
+            "Condition": {
+                "StringLike": {
+                  "aws:PrincipalArn": [ "${deny_exception_iamroles}" ]
+                }
+            }
+        },
         {
             "Sid": "Deny write permissions to everything except the specified roles",
             "Effect": "Deny",