{
  "id": "aws/s3-bucket-policy-conditional-check-failed",
  "signature": "An error occurred (MalformedPolicy) when calling the PutBucketPolicy operation: Policy has a conditional using the wrong key or value",
  "signature_zh": "调用 PutBucketPolicy 操作时出错 (MalformedPolicy)：策略使用了错误的条件键或值",
  "regex": "An error occurred \\(MalformedPolicy\\) when calling the PutBucketPolicy operation: Policy has a conditional using the wrong key or value",
  "domain": "aws",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "The S3 bucket policy contains a Condition block that uses an invalid or unsupported condition key, or a malformed condition value (e.g., aws:SourceIp with a non-IP value).",
  "root_cause_type": "generic",
  "root_cause_zh": "S3 存储桶策略包含一个条件块，其中使用了无效或不支持的条件键，或格式错误的条件值（例如，aws:SourceIp 使用了非 IP 值）。",
  "versions": [
    {
      "version": "AWS SDK v2",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "AWS CLI 2.15.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "S3 API 2006-03-01",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "The policy may be too permissive, exposing the bucket to unintended access.",
      "fail_rate": 0.6,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Condition keys like aws:SourceAccount or aws:SourceArn are account-specific and will fail validation.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "AWS condition keys are service-specific; using an unsupported key causes the policy to be rejected.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Validate the condition key against the S3 documentation. For example, use aws:SourceIp with a valid CIDR block: `aws:SourceIp`: [\"192.0.2.0/24\"]",
      "success_rate": 0.9,
      "how": "Validate the condition key against the S3 documentation. For example, use aws:SourceIp with a valid CIDR block under an IP address condition operator: \"Condition\": {\"IpAddress\": {\"aws:SourceIp\": [\"192.0.2.0/24\"]}}",
      "condition": "",
      "sources": []
    },
    {
      "action": "Use the AWS Policy Simulator to test the policy before applying it: aws iam simulate-custom-policy --policy-input-list file://policy.json",
      "success_rate": 0.85,
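      "how": "Use the AWS Policy Simulator to test the policy before applying it: aws iam simulate-custom-policy --policy-input-list file://policy.json (the command also requires --action-names). The simulator evaluates whether the listed actions would be allowed; to check the policy document itself for invalid condition keys or mismatched value types, IAM Access Analyzer can validate it as a resource policy: aws accessanalyzer validate-policy --policy-type RESOURCE_POLICY --policy-document file://policy.json",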
      "condition": "",
      "sources": []
    },
    {
      "action": "Check for typos in condition key names (e.g., 'aws:SourceIp' vs 'aws:SourceIP') and ensure values are in the correct format (e.g., ARN for aws:SourceArn).",
      "success_rate": 0.95,
      "how": "Check for typos in condition key names (e.g., 'aws:SourceIp' vs 'aws:SourceIP') and ensure values are in the correct format (e.g., ARN for aws:SourceArn).",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Validate the condition key against the S3 documentation. For example, use aws:SourceIp with a valid CIDR block: `aws:SourceIp`: [\"192.0.2.0/24\"]",
    "Use the AWS Policy Simulator to test the policy before applying it: aws iam simulate-custom-policy --policy-input-list file://policy.json",
    "Check for typos in condition key names (e.g., 'aws:SourceIp' vs 'aws:SourceIP') and ensure values are in the correct format (e.g., ARN for aws:SourceArn)."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html",
  "official_doc_section": null,
  "error_code": "MalformedPolicy",
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.88,
  "resolvable": "true",
  "first_seen": "2024-03-12",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}