# Error calling the PutBucketPolicy operation (MalformedPolicy): the policy uses a wrong condition key or value

- **ID:** `aws/s3-bucket-policy-conditional-check-failed`
- **Domain:** aws
- **Category:** config_error
- **Error code:** `MalformedPolicy`
- **Validation level:** ai_generated
- **Fix rate:** 88%

## Root cause

The S3 bucket policy contains a `Condition` block that uses an invalid or unsupported condition key, or a value in the wrong format for that key (for example, a hostname or other non-IP value for `aws:SourceIp`, which expects an IP address or CIDR block). S3 validates the policy document when `PutBucketPolicy` is called and rejects it with `MalformedPolicy` rather than storing it.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| AWS SDK v2 | active | — | — |
| AWS CLI 2.15.0 | active | — | — |
| S3 API 2006-03-01 | active | — | — |

## Solution

1. Validate the condition key and the type of its value against the IAM global and S3 condition key reference. `aws:SourceIp` takes an IP address or CIDR block under the `IpAddress` / `NotIpAddress` operators, for example `"Condition": {"IpAddress": {"aws:SourceIp": ["192.0.2.0/24"]}}`. Note that `aws:SourceIp` carries the public source address only; requests arriving through a VPC endpoint expose `aws:VpcSourceIp` instead, so a `Deny` keyed on `aws:SourceIp` can lock out in-VPC clients.
2. Test the policy before applying it. The page's command `aws iam simulate-custom-policy --policy-input-list file://policy.json` also needs `--action-names` (for example `s3:GetObject`) to run, and it evaluates the policy rather than checking S3's syntax rules; for the `MalformedPolicy` class of error, `aws accessanalyzer validate-policy --policy-type RESOURCE_POLICY --policy-document file://policy.json` reports the same kind of findings offline.
3. Check the condition key name against the reference. Condition key names are matched case-insensitively, so `aws:SourceIp` written as `aws:SourceIP` is not what breaks the policy; a misspelled or nonexistent key is. Also make sure each value has the format the key expects: an ARN for `aws:SourceArn`, a 12-digit account ID for `aws:SourceAccount`, `"true"` / `"false"` under the `Bool` operator for `aws:SecureTransport`.
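The three steps above can be run as one offline lint before the policy is ever sent to S3. The following is an added example, not code from the original page or from AWS: it walks every `Condition` block, normalises the operator (`ForAnyValue:` / `ForAllValues:` prefix, `IfExists` suffix), matches key names case-insensitively as IAM does, and checks that the keys this page discusses carry values of the right shape (CIDR for `aws:SourceIp` / `aws:VpcSourceIp`, ARN for `aws:SourceArn`, 12 digits for `aws:SourceAccount`, a boolean for `aws:SecureTransport`). The bucket name, account ID and ARNs in the sample policies are constructed for the example; the set of recognised operators is deliberately small, so an operator outside it is reported as "unknown" for review rather than as an error. S3's own validation (or `aws accessanalyzer validate-policy`) remains the authority.

```python
"""Offline lint for the Condition blocks of an S3 bucket policy.

Added example. Catches the value-shape mistakes that PutBucketPolicy rejects
with MalformedPolicy before the policy leaves the workstation.
"""
import ipaddress
import json
import re

# Operators this linter recognises, grouped by the value type they compare.
IP_OPERATORS = {"IpAddress", "NotIpAddress"}
ARN_OPERATORS = {"ArnEquals", "ArnLike", "ArnNotEquals", "ArnNotLike"}
STRING_OPERATORS = {
    "StringEquals", "StringNotEquals", "StringEqualsIgnoreCase",
    "StringNotEqualsIgnoreCase", "StringLike", "StringNotLike",
}
KNOWN_OPERATORS = IP_OPERATORS | ARN_OPERATORS | STRING_OPERATORS | {"Bool", "Null"}

# arn:partition:service:region:account:resource (region/account may be empty or "*").
ARN_RE = re.compile(r"^arn:[^:]+:[^:]+:[^:]*:[^:]*:.+$")


def _base_operator(op):
    """Strip the set-operator prefix and IfExists suffix IAM allows on operators."""
    for prefix in ("ForAnyValue:", "ForAllValues:"):
        if op.startswith(prefix):
            op = op[len(prefix):]
    if op.endswith("IfExists"):
        op = op[: -len("IfExists")]
    return op


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _check_value(sid, base, key, value):
    """Findings for one (operator, key, value) triple; empty list if it looks valid."""
    out = []
    k = key.lower()  # IAM matches condition key names case-insensitively
    v = str(value)
    if k in ("aws:sourceip", "aws:vpcsourceip"):
        if base not in IP_OPERATORS:
            out.append(f"{sid}: {key} must be used with IpAddress/NotIpAddress, got {base}")
        try:
            ipaddress.ip_network(v, strict=False)
        except ValueError:
            out.append(f"{sid}: {key} value {v!r} is not an IP address or CIDR block")
    elif k == "aws:sourcearn":
        if base not in ARN_OPERATORS | STRING_OPERATORS:
            out.append(f"{sid}: {key} must be used with an Arn* or String* operator, got {base}")
        if not ARN_RE.match(v):
            out.append(f"{sid}: {key} value {v!r} is not an ARN")
    elif k == "aws:sourceaccount":
        if not re.fullmatch(r"\d{12}", v):
            out.append(f"{sid}: {key} value {v!r} is not a 12-digit account ID")
    elif k == "aws:securetransport":
        if base != "Bool" or v.lower() not in ("true", "false"):
            out.append(f"{sid}: {key} must be Bool true/false, got {base} {v!r}")
    return out


def lint_conditions(policy):
    """Return human-readable findings for every Condition block; [] means none found."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        condition = stmt.get("Condition", {})
        if not isinstance(condition, dict):
            findings.append(f"{sid}: Condition must be a JSON object")
            continue
        for op, keys in condition.items():
            base = _base_operator(op)
            if base not in KNOWN_OPERATORS:
                findings.append(f"{sid}: unknown condition operator {op!r}")
            if not isinstance(keys, dict):
                findings.append(f"{sid}: operator {op!r} must map to an object of condition keys")
                continue
            for key, raw in keys.items():
                for value in _as_list(raw):
                    findings.extend(_check_value(sid, base, key, value))
    return findings


# Constructed sample: the failure this page describes (a hostname where aws:SourceIp
# expects a CIDR) plus a bare name where aws:SourceArn expects an ARN.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowFromOffice", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "office-network"}}},
        {"Sid": "AllowCloudTrailWrites", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/AWSLogs/*",
         "Condition": {"ArnLike": {"aws:SourceArn": "my-trail"}}},
    ],
}

# Same policy with both condition values corrected to the shape the key expects.
FIXED_POLICY = json.loads(json.dumps(BROKEN_POLICY))  # deep copy
FIXED_POLICY["Statement"][0]["Condition"] = {"IpAddress": {"aws:SourceIp": ["192.0.2.0/24"]}}
FIXED_POLICY["Statement"][1]["Condition"] = {
    "ArnLike": {"aws:SourceArn": "arn:aws:cloudtrail:*:123456789012:trail/*"}
}

if __name__ == "__main__":
    for name, pol in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lint_conditions(pol) or "no findings")
```

Run it against the file you are about to pass to `aws s3api put-bucket-policy --policy file://policy.json`; a non-empty findings list points at the statement (`Sid`) and key to fix. The lint only knows the value shapes of the global keys listed above, so a clean result is a necessary check, not a guarantee that S3 will accept the policy.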

## Ineffective attempts

- The policy may be too permissive, exposing the bucket to unintended access. (60% failure rate)
- `aws:SourceAccount` and `aws:SourceArn` expect a 12-digit account ID and an ARN respectively; a value in any other format is rejected, and on requests made directly by a principal (rather than by an AWS service acting on its behalf) these keys are not present at all, so a condition on them never matches. (70% failure rate)
- Condition keys are service-specific: S3 rejects a bucket policy whose statement uses a key that does not apply to that statement's actions and resources, for example a key that belongs to another service. (80% failure rate)
