Update the bucket policy of an AWS S3 bucket

This task modifies the access controls and permissions of an S3 bucket to manage and secure data access, ensuring compliance with security standards and organizational requirements. This is essential for controlling and safeguarding sensitive information stored in S3. In this case the policy update grants the CloudTrail service principal the permissions a trail needs to write to the bucket (s3:GetBucketAcl on the bucket and s3:PutObject under the AWSLogs/<account-id>/ prefix, requiring the bucket-owner-full-control ACL), with both grants scoped to a single trail ARN via an aws:SourceArn condition so that a trail in another account cannot be pointed at this bucket. Note that PutBucketPolicy replaces the whole bucket policy, so any statements the bucket already carries (for example a TLS-only deny) must be preserved when the new document is assembled.

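import json

import boto3
from botocore.exceptions import ClientError

# Credentials come from the runbook platform's secret store; the label resolves to an
# IAM access key / secret pair stored under "username" / "password".
creds = _get_creds(cred_label)['creds']
access_key = creds['username']
secret_key = creds['password']
# A single session so the credentials are handed to boto3 in exactly one place.
# NOTE(review): no session token is read, so temporary (STS) credentials would be
# rejected by AWS — confirm the stored credential is a long-lived access key.
session = boto3.Session(aws_access_key_id=access_key, aws_secret_access_key=secret_key)
# Derive the account from the caller identity instead of trusting an input value.
account_id = session.client('sts').get_caller_identity()['Account']

# Sids of the two statements this task owns. When the bucket already has a policy,
# statements with these Sids are replaced and every other statement is kept.
_ACL_CHECK_SID = "AWSCloudTrailAclCheck20150319"
_WRITE_SID = "AWSCloudTrailWrite20150319"


def build_cloudtrail_policy(bucket_name, region_name, account_id, trail_name):
    """Return, as a dict, the bucket policy that lets one CloudTrail trail write to *bucket_name*.

    Both statements are limited to the CloudTrail service principal and to a single trail
    ARN through an ``AWS:SourceArn`` condition, so a trail in another account cannot use
    this bucket as a confused deputy. PutObject is further limited to the account's
    ``AWSLogs/<account_id>/`` prefix and to objects written with the
    ``bucket-owner-full-control`` ACL that CloudTrail sends.

    The document is built as a dict and serialised with ``json.dumps`` on purpose: running
    ``str.format`` over a JSON literal treats the object braces as replacement fields and
    raises KeyError before any placeholder is filled.

    NOTE(review): this is the single-account layout; an organization trail writes under
    ``AWSLogs/<org-id>/`` and would need a different Resource — confirm the trail type.

    :param bucket_name: Name of the S3 bucket the trail writes to
    :param region_name: Home region of the trail (part of the trail ARN)
    :param account_id: Account that owns the trail
    :param trail_name: Name of the trail
    :return: Policy document as a dict
    """
    trail_arn = f"arn:aws:cloudtrail:{region_name}:{account_id}:trail/{trail_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": _ACL_CHECK_SID,
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket_name}",
                "Condition": {"StringEquals": {"AWS:SourceArn": trail_arn}},
            },
            {
                "Sid": _WRITE_SID,
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket_name}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {
                        "AWS:SourceArn": trail_arn,
                        "s3:x-amz-acl": "bucket-owner-full-control",
                    }
                },
            },
        ],
    }


def merge_policy_statements(existing_policy, new_policy):
    """Return *new_policy* plus every statement of *existing_policy* that it does not replace.

    PutBucketPolicy overwrites the whole document, so without this step any statement the
    bucket already carries (a TLS-only deny, another trail's write grant, ...) would be
    dropped silently. Statements are matched by ``Sid``: an existing statement whose Sid
    is also present in *new_policy* is replaced, everything else (including statements
    without a Sid) is appended unchanged.

    :param existing_policy: Current policy as a dict, or None / {} when the bucket has none
    :param new_policy: Policy dict whose statements take precedence
    :return: A new dict; neither argument is modified
    """
    merged = json.loads(json.dumps(new_policy))  # deep copy; inputs stay untouched
    merged.setdefault("Statement", [])
    if isinstance(merged["Statement"], dict):  # a lone statement may be written as an object
        merged["Statement"] = [merged["Statement"]]
    if not existing_policy:
        return merged
    managed_sids = {s.get("Sid") for s in merged["Statement"] if s.get("Sid")}
    existing = existing_policy.get("Statement", [])
    if isinstance(existing, dict):
        existing = [existing]
    merged["Statement"].extend(s for s in existing if s.get("Sid") not in managed_sids)
    return merged


def update_s3_bucket_policy(bucket_name, policy):
    """Merge *policy* into the bucket policy of *bucket_name* and apply the result.

    The bucket's current policy is read first so statements this task does not own are
    carried over (see merge_policy_statements); a bucket without a policy yet is handled.

    :param bucket_name: Name of the S3 bucket
    :param policy: Policy document as a JSON string
    :return: True when PutBucketPolicy succeeded, False when S3 returned an error
    :raises json.JSONDecodeError: when *policy* is not valid JSON (checked before any AWS call)
    :raises ClientError: is caught, printed and turned into a False return; other errors propagate
    """
    new_policy = json.loads(policy)  # validate the input before touching AWS
    s3_client = session.client('s3')
    try:
        try:
            existing = json.loads(s3_client.get_bucket_policy(Bucket=bucket_name)['Policy'])
        except ClientError as e:
            # Only "no policy yet" is expected here; anything else (access denied,
            # missing bucket) is a real failure and is reported below.
            if e.response.get('Error', {}).get('Code') != 'NoSuchBucketPolicy':
                raise
            existing = None
        merged = merge_policy_statements(existing, new_policy)
        s3_client.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(merged))
    except ClientError as e:
        print(f"Error updating policy for bucket {bucket_name}: {e}")
        return False
    print(f"Bucket policy updated successfully for {bucket_name}")
    return True


# bucket_name, region_name and trail_name are supplied as runbook inputs.
new_policy = json.dumps(build_cloudtrail_policy(bucket_name, region_name, account_id, trail_name))
update_s3_bucket_policy(bucket_name, new_policy)
context.proceed = False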