diff --git a/packages/@aws-cdk/aws-synthetics/lib/canary.ts b/packages/@aws-cdk/aws-synthetics/lib/canary.ts
index 72d4b311ce6e3..764580c77c02c 100644
--- a/packages/@aws-cdk/aws-synthetics/lib/canary.ts
+++ b/packages/@aws-cdk/aws-synthetics/lib/canary.ts
@@ -349,9 +349,13 @@ export class Canary extends cdk.Resource {
 resources: ['*'],
 actions: ['s3:ListAllMyBuckets'],
 }),
+ new iam.PolicyStatement({
+ resources: [this.artifactsBucket.bucketArn],
+ actions: ['s3:GetBucketLocation'],
+ }),
 new iam.PolicyStatement({
 resources: [this.artifactsBucket.arnForObjects(`${prefix ? prefix+'/*' : '*'}`)],
- actions: ['s3:PutObject', 's3:GetBucketLocation'],
+ actions: ['s3:PutObject'],
 }),
 new iam.PolicyStatement({
 resources: ['*'],
diff --git a/packages/@aws-cdk/aws-synthetics/test/integ.asset.expected.json b/packages/@aws-cdk/aws-synthetics/test/integ.asset.expected.json
index 7d614f08201b7..256de95e7be25 100644
--- a/packages/@aws-cdk/aws-synthetics/test/integ.asset.expected.json
+++ b/packages/@aws-cdk/aws-synthetics/test/integ.asset.expected.json
@@ -41,10 +41,17 @@ "Resource": "*" }, { - "Action": [ - "s3:PutObject", - "s3:GetBucketLocation" - ], + "Action": "s3:GetBucketLocation", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "MyCanaryArtifactsBucket89975E6D", + "Arn" + ] + } + }, + { + "Action": "s3:PutObject", "Effect": "Allow", "Resource": { "Fn::Join": [
@@ -197,10 +204,17 @@ "Resource": "*" }, { - "Action": [ - "s3:PutObject", - "s3:GetBucketLocation" - ], + "Action": "s3:GetBucketLocation", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "MyCanaryArtifactsBucket89975E6D", + "Arn" + ] + } + }, + { + "Action": "s3:PutObject", "Effect": "Allow", "Resource": { "Fn::Join": [
diff --git a/packages/@aws-cdk/aws-synthetics/test/integ.canary.expected.json b/packages/@aws-cdk/aws-synthetics/test/integ.canary.expected.json
index 58412fee9bfbb..37c351b1186d7 100644
--- a/packages/@aws-cdk/aws-synthetics/test/integ.canary.expected.json
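Review bot: The new `s3:GetBucketLocation` statement in `lib/canary.ts` carries no comment saying why it is kept apart from the `s3:PutObject` statement, so a later cleanup could merge the two again and leave the action attached to an object ARN. `s3:GetBucketLocation` is evaluated against the bucket resource while `s3:PutObject` is evaluated against object ARNs, so the two need different `resources` entries to stay both effective and least-privilege. I would add above the new statement: `// s3:GetBucketLocation is a bucket-level action: scope it to the bucket ARN, not to arnForObjects()`. The diff only updates the integ snapshots; a unit-test assertion on the role policy, if one does not already exist elsewhere, would pin the resource used for each action. The policy array and its enclosing method start and end outside the hunk.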
+++ b/packages/@aws-cdk/aws-synthetics/test/integ.canary.expected.json
@@ -30,10 +30,17 @@ "Resource": "*" }, { - "Action": [ - "s3:PutObject", - "s3:GetBucketLocation" - ], + "Action": "s3:GetBucketLocation", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "mytestbucket8DC16178", + "Arn" + ] + } + }, + { + "Action": "s3:PutObject", "Effect": "Allow", "Resource": { "Fn::Join": [
@@ -163,10 +170,17 @@ "Resource": "*" }, { - "Action": [ - "s3:PutObject", - "s3:GetBucketLocation" - ], + "Action": "s3:GetBucketLocation", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "MyCanaryOneArtifactsBucketDF4A487D", + "Arn" + ] + } + }, + { + "Action": "s3:PutObject", "Effect": "Allow", "Resource": { "Fn::Join": [
@@ -330,10 +344,17 @@ "Resource": "*" }, { - "Action": [ - "s3:PutObject", - "s3:GetBucketLocation" - ], + "Action": "s3:GetBucketLocation", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "MyCanaryTwoArtifactsBucket79B179B6", + "Arn" + ] + } + }, + { + "Action": "s3:PutObject", "Effect": "Allow", "Resource": { "Fn::Join": [