diff --git a/packages/@aws-cdk/aws-s3/lib/bucket.ts b/packages/@aws-cdk/aws-s3/lib/bucket.ts
index 1bbd7f6cb8fbb..b375c510a14d1 100644
--- a/packages/@aws-cdk/aws-s3/lib/bucket.ts
+++ b/packages/@aws-cdk/aws-s3/lib/bucket.ts
@@ -1841,7 +1841,8 @@ export class Bucket extends BucketBase {
 // objects in the bucket
 this.addToResourcePolicy(new iam.PolicyStatement({
 actions: [
- ...perms.BUCKET_READ_ACTIONS, // list objects
+ // list objects
+ ...perms.BUCKET_READ_METADATA_ACTIONS,
 ...perms.BUCKET_DELETE_ACTIONS, // and then delete them
 ],
 resources: [
diff --git a/packages/@aws-cdk/aws-s3/lib/perms.ts b/packages/@aws-cdk/aws-s3/lib/perms.ts
index eebab60da2104..f57b97153f27c 100644
--- a/packages/@aws-cdk/aws-s3/lib/perms.ts
+++ b/packages/@aws-cdk/aws-s3/lib/perms.ts
@@ -4,6 +4,11 @@ export const BUCKET_READ_ACTIONS = [
 's3:List*',
 ];
 
+export const BUCKET_READ_METADATA_ACTIONS = [
+ 's3:GetBucket*',
+ 's3:List*',
+];
+
 export const LEGACY_BUCKET_PUT_ACTIONS = [
 's3:PutObject*',
 's3:Abort*',
diff --git a/packages/@aws-cdk/aws-s3/test/bucket.test.ts b/packages/@aws-cdk/aws-s3/test/bucket.test.ts
index 95a8cf377dfc6..1c90c48957416 100644
--- a/packages/@aws-cdk/aws-s3/test/bucket.test.ts
+++ b/packages/@aws-cdk/aws-s3/test/bucket.test.ts
@@ -2385,7 +2385,6 @@ describe('bucket', () => {
 'Statement': [
 {
 'Action': [
- 's3:GetObject*',
 's3:GetBucket*',
 's3:List*',
 's3:DeleteObject*',
diff --git a/packages/@aws-cdk/aws-s3/test/integ.bucket-auto-delete-objects.expected.json b/packages/@aws-cdk/aws-s3/test/integ.bucket-auto-delete-objects.expected.json
index 831d072339649..107132c1cd2dd 100644
--- a/packages/@aws-cdk/aws-s3/test/integ.bucket-auto-delete-objects.expected.json
+++ b/packages/@aws-cdk/aws-s3/test/integ.bucket-auto-delete-objects.expected.json
@@ -15,7 +15,6 @@
 "Statement": [
 {
 "Action": [
- "s3:GetObject*",
 "s3:GetBucket*",
 "s3:List*",
 "s3:DeleteObject*"
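Review bot: The comment `// list objects` that now sits above `...perms.BUCKET_READ_METADATA_ACTIONS` understates what the statement grants: that constant also carries `s3:GetBucket*`, which covers bucket-configuration reads well beyond listing, so someone auditing the auto-delete role's resource policy cannot tell from the comment whether that wildcard is actually required. Suggest making the comment name the need, e.g. `// list objects and read bucket configuration needed to delete them; no object-content access`, adjusted to whatever the custom-resource handler actually calls — if it only lists, `s3:List*` alone would be the least-privilege choice. Dropping `s3:GetObject*` (the visible effect of moving off BUCKET_READ_ACTIONS) is the right direction, since deleting objects never requires reading their contents. The enclosing method starts and ends outside the hunk.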
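Review bot: `BUCKET_READ_METADATA_ACTIONS` is exported without a doc comment, and its name is slightly misleading because `s3:List*` enumerates objects, so the set is really "bucket-level read without object content" rather than metadata only. Suggest a JSDoc above the export such as `/** Bucket-level read actions (bucket configuration and object listing); deliberately excludes object-content reads such as s3:GetObject*. */` so the distinction from `BUCKET_READ_ACTIONS` is explicit at the definition. The new constant also repeats `'s3:List*'` from `BUCKET_READ_ACTIONS` directly above it; if the older constant is meant to be a superset, spreading the narrower one into it (with the declarations reordered so the narrower constant is defined first) would keep the two lists from drifting apart.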