Merge branch 'master' into feature-lb-access-log

aws · Jun 7, 2021 · 51515f0 · 51515f0
2 parents 90fd0cd + f9be15d
commit 51515f0
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 3 deletions.
diff --git a/packages/@aws-cdk/aws-s3/lib/bucket.ts b/packages/@aws-cdk/aws-s3/lib/bucket.ts
@@ -1841,7 +1841,8 @@ export class Bucket extends BucketBase {
     // objects in the bucket
     this.addToResourcePolicy(new iam.PolicyStatement({
       actions: [
-        ...perms.BUCKET_READ_ACTIONS, // list objects
+        // list objects
+        ...perms.BUCKET_READ_METADATA_ACTIONS,
         ...perms.BUCKET_DELETE_ACTIONS, // and then delete them
       ],
       resources: [

diff --git a/packages/@aws-cdk/aws-s3/lib/perms.ts b/packages/@aws-cdk/aws-s3/lib/perms.ts
@@ -4,6 +4,11 @@ export const BUCKET_READ_ACTIONS = [
   's3:List*',
 ];
 
+export const BUCKET_READ_METADATA_ACTIONS = [
+  's3:GetBucket*',
+  's3:List*',
+];
+
 export const LEGACY_BUCKET_PUT_ACTIONS = [
   's3:PutObject*',
   's3:Abort*',

diff --git a/packages/@aws-cdk/aws-s3/test/bucket.test.ts b/packages/@aws-cdk/aws-s3/test/bucket.test.ts
@@ -2385,7 +2385,6 @@ describe('bucket', () => {
         'Statement': [
           {
             'Action': [
-              's3:GetObject*',
               's3:GetBucket*',
               's3:List*',
               's3:DeleteObject*',

diff --git a/packages/@aws-cdk/aws-s3/test/integ.bucket-auto-delete-objects.expected.json b/packages/@aws-cdk/aws-s3/test/integ.bucket-auto-delete-objects.expected.json
@@ -15,7 +15,6 @@
           "Statement": [
             {
               "Action": [
-                "s3:GetObject*",
                 "s3:GetBucket*",
                 "s3:List*",
                 "s3:DeleteObject*"