将 ELB 帐户分配给 S3 存储桶策略

Question

I used the AWS console from the load balancer edit attributes screen and used it to create a bucket to use for access logging. I'm using this policy to form CDK code in typescript to stand up new S3 buckets to use for access logging in higher level environments where I cannot use the console. This is the policy I need to somehow form in typescript CDK code:

"Statement": [
{
    "Effect":Allow",
    "Principal": {
        "AWS": "arn:--ELB-arnstuff--:root"
    },
    "Action": "s3:PutObject",
    "Resource": "arn:--S3-Bucket-arnstuff--/AWSLogs/123456789/*"
}
]

I've managed to get the cdk code figured out to this point:

bucket.addToResourcePolicy(
    new cdk.aws_iam.PolicyStatement({ 
      effect: awsIam.Effect.ALLOW,
      principals: //'**This is part I haven't figured out**',
      actions: ['s3:PutObject'],
      resources: ['${bucket.bucketArn}/*']
    })
);

At this point I don't care if it's hard coded in the CDK, I just need something to help keep the ball rolling forward. Any help is appreciated, thanks

Answer 1

The bucket policy, along with aws accounts to be used are described in aws docs :

Region  Region name     Elastic Load Balancing account ID
us-east-1   US East (N. Virginia)   127311923021
us-east-2   US East (Ohio)  033677994240
us-west-1   US West (N. California)     027434742980
us-west-2   US West (Oregon)    797873946194
af-south-1  Africa (Cape Town)  098369216593
ca-central-1    Canada (Central)    985666609251
eu-central-1    Europe (Frankfurt)  054676820928
eu-west-1   Europe (Ireland)    156460612806
eu-west-2   Europe (London)     652711504416
eu-south-1  Europe (Milan)  635631232127
eu-west-3   Europe (Paris)  009996457667
eu-north-1  Europe (Stockholm)  897822967062
ap-east-1   Asia Pacific (Hong Kong)    754344448648
ap-northeast-1  Asia Pacific (Tokyo)    582318560864
ap-northeast-2  Asia Pacific (Seoul)    600734575887
ap-northeast-3  Asia Pacific (Osaka)    383597477331
ap-southeast-1  Asia Pacific (Singapore)    114774131450
ap-southeast-2  Asia Pacific (Sydney)   783225319266
ap-southeast-3  Asia Pacific (Jakarta)  589379963580
ap-south-1  Asia Pacific (Mumbai)   718504428378
me-south-1  Middle East (Bahrain)   076674570225
sa-east-1   South America (São Paulo)   507241528517
us-gov-west-1*  AWS GovCloud (US-West)  048591011584
us-gov-east-1*  AWS GovCloud (US-East)  190560391635
cn-north-1*     China (Beijing)     638102146993
cn-northwest-1*     China (Ningxia)     037604701340

Answer 2

I figured out why it didn't work initially when I tried to do a.fromJson and just take the AWS generated policy and consume it directly into the CDK. The addToResourcePolicy function expects only one object at a time. The AWS generated policy had 3 objects in it. When I tried to use.fromJson I was passing too many objects at once.

In my snippet above I only provided one of those and I was trying to find the cdk equivalent Principal object to use for an AWS ELB Account. I found a work around by using the.fromJson for just this one policy object:

bucket.addToResourcePolicy(
  cdk.aws_iam.PolicyStatement.fromJson({
    "Effect":Allow",
    "Principal": {
      "AWS": "arn:--ELB-arnstuff--:root"
    },
    "Action": "s3:PutObject",
    "Resource": "arn:--S3-Bucket-arnstuff--/AWSLogs/123456789/*"
  })
);

Note the removal of the new operator when consuming a Json object and if you're running into the issue I had with multiple policies you'll need to create a bucket.addToResourcePolicy block of code for each of the Json object policies you wish to apply.