AWS: How to update an existing S3 bucket-policy via CloudFormation?

Question

I have an existing S3 bucket my-bucket .

I am writing a new CloudFormation template file which creates some new AWS resource that interacts with my-bucket . Now, my business use-case requires me to add a new permission statement to the bucketpolicy for my-bucket from within the CloudFormation template file .

SourceBucketBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: my-bucket
      PolicyDocument:
        Statement:
          - Effect: "Allow"
            Action:
              - 's3:PutBucketNotificationConfiguration'
            Resource: "arn:aws:s3:::my-bucket"
            Principal:
              AWS: !GetAtt MyLambdaExecutionRole.Arn

The problem is that the bucket already has the following bucket-policy that was added by someone else manually via the AWS Console at some point in the past. It's an important bucket-policy from a business perspective so I cannot get rid of it:

{
    "Version": "2012-10-17",
    "Id": "S3-Policy",
    "Statement": [
        {
            "Sid": "DataCraft-012345678901-S3-datacraft",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::012345678901:user/datacraft"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}

So I guess my only option is to update the existing bucket-policy to additionally accommodate my new policy statement. The question is: how can I do that through the CloudFormation template file?

EDIT: For those interested, I eventually solved the problem by writing an AWS::IAM::Policy instead of AWS::S3::BucketPolicy :

SourceBucketNotificationConfigurationPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: s3:PutBucketNotification
            Effect: Allow
            Resource: "arn:aws:s3:::my-bucket"
        Version: '2012-10-17'
      PolicyName: BucketNotificationsRolePolicy
      Roles:
        - Ref: MyLambdaExecutionRole.Arn

Answer 1

Sadly, you can't update an existing policy which is not managed by CloudFormation.

The only thing you can do is to replace policy in the bucket using CloudFormation by recreating it.

What's more, existing bucket policies can't be imported into CloudFormation. The reason is that AWS::S3::BucketPolicy is not a supported resource for importing .

Edit: Based on @JeremyThompson 's Comment

I verified the use of UpdateReplacePolicy: Retain .

For that I used my own bucket and with policy. Both were created outside of CloudFormation, using the AWS console.

Then, I created a CFN template with AWS::S3::BucketPolicy . The deployment of the template failed , with or without UpdateReplacePolicy: Retain with error message:

The bucket policy already exists on bucket <bucket-name>.

This means that you can't replace existing bucket policy. The policy must be recreated in CloudFormation.

Answer 2

You can also create a CustomResource , where you implement the logic for updating an existing bucket policy. Be sure to implement the handling of all resource events: Create, Update, Delete.

For example, here is an implementation for creating folders in S3: https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-s3-custom-resources/