MalformedPolicy
aws
config_error
ai_generated
true
An error occurred (MalformedPolicy) when calling the PutBucketPolicy operation: Policy has a conditional using the wrong key or value
ID: aws/s3-bucket-policy-conditional-check-failed
Fix Rate: 88%
Confidence: 85%
Evidence: 1
First Seen: 2024-03-12
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS SDK v2 | active | — | — | — |
| AWS CLI 2.15.0 | active | — | — | — |
| S3 API 2006-03-01 | active | — | — | — |
Root Cause
S3 rejected the bucket policy because a Condition block pairs a condition key with something it cannot take: a value of the wrong type for the key (for example aws:SourceIp with a value that is not an IP address or CIDR block, or aws:SourceArn with a value that is not an ARN), a condition operator that does not fit the key (a string operator on an IP key), or a condition key that is not supported for the actions in the statement. The check happens at PutBucketPolicy time, so nothing is applied; the bucket keeps its previous policy.
Official Documentation
https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html
Workarounds
- 90% success: Look up the condition key's documented value type and supply a value of that type under the matching operator. For aws:SourceIp that is an IP address or CIDR block under IpAddress/NotIpAddress, e.g. `"IpAddress": {"aws:SourceIp": ["192.0.2.0/24"]}`. Note that aws:SourceIp matches only the public source address of a request; requests arriving through a VPC endpoint do not match it (use aws:VpcSourceIp for those).
- 85% success: Test the policy before applying it. The IAM policy simulator needs the actions to evaluate, so the original one-flag command fails: `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names s3:GetObject`. Because a bucket policy carries a Principal, pass it with --resource-policy and the caller's identity policy with --policy-input-list. The simulator evaluates access decisions rather than validating syntax; IAM Access Analyzer's validate-policy call with policy type RESOURCE_POLICY is the direct syntax and condition-usage check and reports findings before you call PutBucketPolicy.
- 95% success: Check condition key names and values. A key name that does not exist is rejected outright; key names are case-insensitive, so `aws:SourceIp` and `aws:SourceIP` are the same key and a case difference alone is not the cause. Values must be in the format the key expects: an ARN for aws:SourceArn, a 12-digit account ID for aws:SourceAccount, "true"/"false" for aws:SecureTransport.
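The three workarounds above amount to one pre-flight check. The following Python is an added example, not code from this page, from AWS, or from any S3 tooling: it lints a bucket policy's Condition blocks offline before PutBucketPolicy is called, flagging a non-IP value or a non-IP operator under aws:SourceIp, a non-ARN value under aws:SourceArn, a non-numeric aws:SourceAccount, and an unknown condition operator. The names lint_conditions, ip_allowlist_policy and put_bucket_policy, the KEY_RULES table and the BROKEN_POLICY sample are assumptions made for the example; KEY_RULES covers only the keys discussed on this page, and AWS's own validator, which checks far more, remains the authority.

```python
"""Offline pre-flight lint for S3 bucket policy Condition blocks (added example)."""
import ipaddress
import json
import re

# Condition operators grouped by the value type they expect.
IP_OPERATORS = {"IpAddress", "NotIpAddress"}
ARN_OPERATORS = {"ArnEquals", "ArnLike", "ArnNotEquals", "ArnNotLike"}
STRING_OPERATORS = {"StringEquals", "StringNotEquals", "StringEqualsIgnoreCase",
                    "StringNotEqualsIgnoreCase", "StringLike", "StringNotLike"}
BOOL_OPERATORS = {"Bool"}
KNOWN_OPERATORS = IP_OPERATORS | ARN_OPERATORS | STRING_OPERATORS | BOOL_OPERATORS

# Operator families each key may be paired with. Assumption: only the global keys
# discussed on this page. Key names are compared case-insensitively, as IAM does.
KEY_RULES = {
    "aws:sourceip": IP_OPERATORS,
    "aws:sourcearn": ARN_OPERATORS | STRING_OPERATORS,
    "aws:sourceaccount": STRING_OPERATORS,
    "aws:securetransport": BOOL_OPERATORS,
}

# arn:partition:service:region:account:resource; region and account may be empty.
ARN_RE = re.compile(r"^arn:[^:]+:[^:]+:[^:]*:[^:]*:.+$")


def _base_operator(op):
    """Strip a ForAnyValue:/ForAllValues: prefix and an IfExists suffix."""
    base = op.split(":")[-1]
    return base[:-len("IfExists")] if base.endswith("IfExists") else base


def _family(base):
    if base in IP_OPERATORS:
        return "ip"
    if base in ARN_OPERATORS:
        return "arn"
    return "bool" if base in BOOL_OPERATORS else "string"


def _check_value(family, key, value):
    """Return a problem description if `value` is malformed for this key/operator."""
    if family == "ip":
        try:
            ipaddress.ip_network(value, strict=False)  # "192.0.2.0/24" or "192.0.2.7"
        except ValueError:
            return f"{key}: {value!r} is not an IP address or CIDR block"
    elif family == "arn" and not ARN_RE.match(value):
        return f"{key}: {value!r} is not an ARN"
    elif family == "bool" and value.lower() not in ("true", "false"):
        return f"{key}: {value!r} is not true/false"
    elif key == "aws:sourceaccount" and not re.fullmatch(r"\d{12}", value):
        return f"{key}: {value!r} is not a 12-digit account ID"
    return None


def lint_conditions(policy):
    """Return the problems found in every Condition block (empty list = looks OK)."""
    errors = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # the grammar allows a single statement object
        statements = [statements]
    for idx, stmt in enumerate(statements):
        where = stmt.get("Sid") or f"Statement[{idx}]"
        for op, pairs in stmt.get("Condition", {}).items():
            base = _base_operator(op)
            if base not in KNOWN_OPERATORS:
                errors.append(f"{where}: unknown condition operator {op!r}")
                continue
            for key, values in pairs.items():
                lkey = key.lower()
                if lkey in KEY_RULES and base not in KEY_RULES[lkey]:
                    errors.append(f"{where}: {key} cannot be used with {op}; "
                                  f"use one of {sorted(KEY_RULES[lkey])}")
                    continue
                for value in values if isinstance(values, list) else [values]:
                    problem = _check_value(_family(base), lkey, str(value))
                    if problem:
                        errors.append(f"{where}: {problem}")
    return errors


def ip_allowlist_policy(bucket, cidrs):
    """The corrected shape: CIDR values under an IP operator. Deny from outside `cidrs`."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideAllowlist", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"NotIpAddress": {"aws:SourceIp": list(cidrs)}}}]}


# Constructed sample reproducing the root cause: wrong operator, bad IP, non-ARN value.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "WrongOperator", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceIp": "office-lan"}}},
    {"Sid": "BadCidr", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "192.0.2.300"]}}},
    {"Sid": "NotAnArn", "Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"ArnLike": {"aws:SourceArn": "my-topic"}}}]}


def put_bucket_policy(bucket, policy):
    """Lint first, then make the real PutBucketPolicy call (needs boto3 and credentials)."""
    problems = lint_conditions(policy)
    if problems:
        raise ValueError("refusing to apply policy:\n  " + "\n  ".join(problems))
    import boto3  # imported here so the lint itself has no dependencies
    boto3.client("s3").put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))


if __name__ == "__main__":
    print(lint_conditions(ip_allowlist_policy("example-bucket", ["192.0.2.0/24"])))
    for line in lint_conditions(BROKEN_POLICY):
        print(line)
```

Running the file prints an empty list for the allowlist policy and three findings for the broken sample, one per statement. Only put_bucket_policy touches the network; everything else runs offline, so the lint can sit in CI in front of any tool that ends in PutBucketPolicy.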
Dead Ends
Common approaches that don't work:
- 60% fail: Deleting the Condition block so the policy saves. The call succeeds, but the policy is now broader than intended and may expose the bucket to unintended access; fix the condition instead of removing it.
- 70% fail: Using aws:SourceAccount or aws:SourceArn to restrict direct callers. These keys pass validation, but they are only populated when an AWS service makes the request on behalf of one of that account's resources; for a request made directly by an IAM principal the key is absent, so the condition never matches.
- 80% fail: Copying a condition key from another service's examples. Condition keys are service- and action-specific, and S3 rejects a bucket policy whose Condition uses a key that does not apply to the actions in the statement.