localstack
diff --git a/‎localstack-core/localstack/services/s3/exceptions.py
Lines changed: 5 additions & 0 deletions b/‎localstack-core/localstack/services/s3/exceptions.py
Lines changed: 5 additions & 0 deletions
diff --git a/‎localstack-core/localstack/services/s3/provider.py
Lines changed: 24 additions & 4 deletions b/‎localstack-core/localstack/services/s3/provider.py
Lines changed: 24 additions & 4 deletions
diff --git a/‎tests/aws/services/s3/test_s3.py
Lines changed: 132 additions & 13 deletions b/‎tests/aws/services/s3/test_s3.py
Lines changed: 132 additions & 13 deletions
@@ -41,3 +41,8 @@ def __init__(self, message=None):
 class MalformedPolicy(CommonServiceException):
     def __init__(self, message=None):
         super().__init__("MalformedPolicy", status_code=400, message=message)
+
+
+class InvalidBucketOwnerAWSAccountID(CommonServiceException):
+    def __init__(self, message=None) -> None:
+        super().__init__("InvalidBucketOwnerAWSAccountID", status_code=400, message=message)
@@ -3,6 +3,7 @@
 import datetime
 import json
 import logging
+import re
 from collections import defaultdict
 from io import BytesIO
 from operator import itemgetter
@@ -223,6 +224,7 @@
 )
 from localstack.services.s3.cors import S3CorsHandler, s3_cors_request_handler
 from localstack.services.s3.exceptions import (
+    InvalidBucketOwnerAWSAccountID,
     InvalidBucketState,
     InvalidRequest,
     MalformedPolicy,
@@ -412,8 +414,17 @@ def _get_expiration_header(
             return expiration_header
 
     def _get_cross_account_bucket(
-        self, context: RequestContext, bucket_name: BucketName
+        self,
+        context: RequestContext,
+        bucket_name: BucketName,
+        *,
+        expected_bucket_owner: AccountId = None,
     ) -> tuple[S3Store, S3Bucket]:
+        if expected_bucket_owner and not re.fullmatch(r"\w{12}", expected_bucket_owner):
+            raise InvalidBucketOwnerAWSAccountID(
+                f"The value of the expected bucket owner parameter must be an AWS Account ID... [{expected_bucket_owner}]",
+            )
+
         store = self.get_store(context.account_id, context.region)
         if not (s3_bucket := store.buckets.get(bucket_name)):
             if not (account_id := store.global_bucket_map.get(bucket_name)):
@@ -423,6 +434,9 @@ def _get_cross_account_bucket(
             if not (s3_bucket := store.buckets.get(bucket_name)):
                 raise NoSuchBucket("The specified bucket does not exist", BucketName=bucket_name)
 
+        if expected_bucket_owner and s3_bucket.bucket_account_id != expected_bucket_owner:
+            raise AccessDenied("Access Denied")
+
         return store, s3_bucket
 
     @staticmethod
@@ -3646,7 +3660,9 @@ def get_bucket_policy(
         expected_bucket_owner: AccountId = None,
         **kwargs,
     ) -> GetBucketPolicyOutput:
-        store, s3_bucket = self._get_cross_account_bucket(context, bucket)
+        store, s3_bucket = self._get_cross_account_bucket(
+            context, bucket, expected_bucket_owner=expected_bucket_owner
+        )
         if not s3_bucket.policy:
             raise NoSuchBucketPolicy(
                 "The bucket policy does not exist",
@@ -3665,7 +3681,9 @@ def put_bucket_policy(
         expected_bucket_owner: AccountId = None,
         **kwargs,
     ) -> None:
-        store, s3_bucket = self._get_cross_account_bucket(context, bucket)
+        store, s3_bucket = self._get_cross_account_bucket(
+            context, bucket, expected_bucket_owner=expected_bucket_owner
+        )
 
         if not policy or policy[0] != "{":
             raise MalformedPolicy("Policies must be valid JSON and the first byte must be '{'")
@@ -3686,7 +3704,9 @@ def delete_bucket_policy(
         expected_bucket_owner: AccountId = None,
         **kwargs,
     ) -> None:
-        store, s3_bucket = self._get_cross_account_bucket(context, bucket)
+        store, s3_bucket = self._get_cross_account_bucket(
+            context, bucket, expected_bucket_owner=expected_bucket_owner
+        )
 
         s3_bucket.policy = None
 
 
@@ -267,6 +267,20 @@ def _filter_header(param: dict) -> dict:
     return {k: v for k, v in param.items() if k.startswith("x-amz") or k in ["content-type"]}
 
 
+def _simple_bucket_policy(s3_bucket: str) -> dict:
+    return {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Action": "s3:GetObject",
+                "Effect": "Allow",
+                "Resource": f"arn:aws:s3:::{s3_bucket}/*",
+                "Principal": {"AWS": "*"},
+            }
+        ],
+    }
+
+
 class TestS3:
     @pytest.mark.skipif(condition=TEST_S3_IMAGE, reason="KMS not enabled in S3 image")
     @markers.aws.validated
@@ -964,31 +978,136 @@ def test_create_bucket_via_host_name(self, s3_vhost_client, aws_client, region_n
             s3_vhost_client.delete_bucket(Bucket=bucket_name)
 
     @markers.aws.validated
-    def test_put_and_get_bucket_policy(self, s3_bucket, snapshot, aws_client, allow_bucket_acl):
+    def test_get_bucket_policy(self, s3_bucket, snapshot, aws_client, allow_bucket_acl, account_id):
+        snapshot.add_transformer(snapshot.transform.key_value("Resource"))
+        snapshot.add_transformer(snapshot.transform.key_value("BucketName"))
+
+        with pytest.raises(ClientError) as e:
+            aws_client.s3.get_bucket_policy(Bucket=s3_bucket)
+        snapshot.match("get-bucket-policy-no-such-bucket-policy", e.value.response)
+
+        policy = _simple_bucket_policy(s3_bucket)
+        aws_client.s3.put_bucket_policy(Bucket=s3_bucket, Policy=json.dumps(policy))
+
+        # retrieve and check policy config
+        response = aws_client.s3.get_bucket_policy(Bucket=s3_bucket)
+        snapshot.match("get-bucket-policy", response)
+        assert policy == json.loads(response["Policy"])
+
+        response = aws_client.s3.get_bucket_policy(Bucket=s3_bucket, ExpectedBucketOwner=account_id)
+        snapshot.match("get-bucket-policy-with-expected-bucket-owner", response)
+        assert policy == json.loads(response["Policy"])
+
+        with pytest.raises(ClientError) as e:
+            aws_client.s3.get_bucket_policy(Bucket=s3_bucket, ExpectedBucketOwner="000000000002")
+        snapshot.match("get-bucket-policy-with-expected-bucket-owner-error", e.value.response)
+
+    @pytest.mark.parametrize(
+        "invalid_account_id", ["0000", "0000000000020", "abcd", "aa000000000$"]
+    )
+    @markers.aws.validated
+    def test_get_bucket_policy_invalid_account_id(
+        self, s3_bucket, snapshot, aws_client, invalid_account_id
+    ):
+        with pytest.raises(ClientError) as e:
+            aws_client.s3.get_bucket_policy(
+                Bucket=s3_bucket, ExpectedBucketOwner=invalid_account_id
+            )
+
+        snapshot.match("get-bucket-policy-invalid-bucket-owner", e.value.response)
+
+    @markers.aws.validated
+    def test_put_bucket_policy(self, s3_bucket, snapshot, aws_client, allow_bucket_acl):
         # just for the joke: Response syntax HTTP/1.1 200
         # sample response: HTTP/1.1 204 No Content
         # https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html
         snapshot.add_transformer(snapshot.transform.key_value("Resource"))
         # put bucket policy
-        policy = {
-            "Version": "2012-10-17",
-            "Statement": [
-                {
-                    "Action": "s3:GetObject",
-                    "Effect": "Allow",
-                    "Resource": f"arn:aws:s3:::{s3_bucket}/*",
-                    "Principal": {"AWS": "*"},
-                }
-            ],
-        }
+        policy = _simple_bucket_policy(s3_bucket)
         response = aws_client.s3.put_bucket_policy(Bucket=s3_bucket, Policy=json.dumps(policy))
         snapshot.match("put-bucket-policy", response)
 
-        # retrieve and check policy config
         response = aws_client.s3.get_bucket_policy(Bucket=s3_bucket)
         snapshot.match("get-bucket-policy", response)
         assert policy == json.loads(response["Policy"])
 
+    @markers.aws.validated
+    def test_put_bucket_policy_expected_bucket_owner(
+        self, s3_bucket, snapshot, aws_client, allow_bucket_acl, account_id, secondary_account_id
+    ):
+        snapshot.add_transformer(snapshot.transform.key_value("Resource"))
+        policy = _simple_bucket_policy(s3_bucket)
+
+        with pytest.raises(ClientError) as e:
+            aws_client.s3.put_bucket_policy(
+                Bucket=s3_bucket,
+                Policy=json.dumps(policy),
+                ExpectedBucketOwner=secondary_account_id,
+            )
+        snapshot.match("put-bucket-policy-with-expected-bucket-owner-error", e.value.response)
+
+        response = aws_client.s3.put_bucket_policy(
+            Bucket=s3_bucket, Policy=json.dumps(policy), ExpectedBucketOwner=account_id
+        )
+        snapshot.match("put-bucket-policy-with-expected-bucket-owner", response)
+
+    @pytest.mark.parametrize(
+        "invalid_account_id", ["0000", "0000000000020", "abcd", "aa000000000$"]
+    )
+    @markers.aws.validated
+    def test_put_bucket_policy_invalid_account_id(
+        self, s3_bucket, snapshot, aws_client, invalid_account_id
+    ):
+        snapshot.add_transformer(snapshot.transform.key_value("Resource"))
+        policy = _simple_bucket_policy(s3_bucket)
+
+        with pytest.raises(ClientError) as e:
+            aws_client.s3.put_bucket_policy(
+                Bucket=s3_bucket, Policy=json.dumps(policy), ExpectedBucketOwner=invalid_account_id
+            )
+
+        snapshot.match("put-bucket-policy-invalid-bucket-owner", e.value.response)
+
+    @markers.aws.validated
+    def test_delete_bucket_policy(self, s3_bucket, snapshot, aws_client, allow_bucket_acl):
+        snapshot.add_transformer(snapshot.transform.key_value("Resource"))
+        snapshot.add_transformer(snapshot.transform.key_value("BucketName"))
+
+        policy = _simple_bucket_policy(s3_bucket)
+        aws_client.s3.put_bucket_policy(Bucket=s3_bucket, Policy=json.dumps(policy))
+
+        response = aws_client.s3.delete_bucket_policy(Bucket=s3_bucket)
+        snapshot.match("delete-bucket-policy", response)
+
+        with pytest.raises(ClientError) as e:
+            aws_client.s3.get_bucket_policy(Bucket=s3_bucket)
+        snapshot.match("get-bucket-policy-no-such-bucket-policy", e.value.response)
+
+    @markers.aws.validated
+    def test_delete_bucket_policy_expected_bucket_owner(
+        self, s3_bucket, snapshot, aws_client, allow_bucket_acl, account_id, secondary_account_id
+    ):
+        snapshot.add_transformer(snapshot.transform.key_value("Resource"))
+        snapshot.add_transformer(snapshot.transform.key_value("BucketName"))
+
+        policy = _simple_bucket_policy(s3_bucket)
+        aws_client.s3.put_bucket_policy(Bucket=s3_bucket, Policy=json.dumps(policy))
+
+        with pytest.raises(ClientError) as e:
+            aws_client.s3.delete_bucket_policy(
+                Bucket=s3_bucket, ExpectedBucketOwner=secondary_account_id
+            )
+        snapshot.match("delete-bucket-policy-with-expected-bucket-owner-error", e.value.response)
+
+        with pytest.raises(ClientError) as e:
+            aws_client.s3.delete_bucket_policy(Bucket=s3_bucket, ExpectedBucketOwner="invalid")
+        snapshot.match("delete-bucket-policy-invalid-bucket-owner", e.value.response)
+
+        response = aws_client.s3.delete_bucket_policy(
+            Bucket=s3_bucket, ExpectedBucketOwner=account_id
+        )
+        snapshot.match("delete-bucket-policy-with-expected-bucket-owner", response)
+
     @markers.aws.validated
     def test_put_object_tagging_empty_list(self, s3_bucket, snapshot, aws_client):
         key = "my-key"