You can't attach an AWS::S3::BucketPolicy resource to more than one bucket. To attach a policy to more than one resource you will need to use IAM resources. The AWS::IAM::Policy resource is used for defining policies through IAM management and applying them to various resources. In my opinion the IAM interface is much more powerful and flexible than the old-style policy resources (but is more complicated). Not only can you have a single policy applied to more than one bucket, but you can also have multiple policies (statements) applied to multiple buckets and assigned to multiple IAM users/groups/roles.
You grant access to the specific policy using IAM groups or users that could be created in your CloudFormation template using, e.g., AWS::IAM::Group resources.
Adapt this snippet to your needs:
    "GetS3ContentPolicy" : {
      "Type" : "AWS::IAM::Policy",
      "Properties" : {
        "PolicyName" : "S3ContentPolicy",
        "PolicyDocument" : {
          "Statement" : [ {
            "Effect" : "Allow",
            "Action" : [
              "s3:ListBucket"
            ],
            "Resource" : [
              { "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "PubS3Bucket" } ] ] },
              { "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "SecretS3Bucket" } ] ] }
            ]
          },
          {
            "Effect" : "Allow",
            "Action" : [
              "s3:GetObject",
              "s3:GetObjectVersion"
            ],
            "Resource" : [
              { "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "PubS3Bucket" }, "/*" ] ] },
              { "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "SecretS3Bucket" }, "/*" ] ] }
            ]
          } ]
        },
        "Groups" : [
          { "Ref" : "ManagementInstancesGroup" },
          { "Ref" : "WebInstancesGroup" }
        ]
      }
    },
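As an added example (not part of the original answer), here is a small Python script that resolves the Ref and Fn::Join intrinsics in a policy shaped like the one above and checks the effective S3 ARNs for over-broad grants before the template is deployed. The physical bucket names in NAMES and the compressed copy of the policy are constructed for the example.

```python
# Resolve the CloudFormation intrinsics used in the snippet (Ref, Fn::Join)
# against a logical-ID -> physical-name map, so the ARNs a policy will
# actually grant can be inspected offline.
def resolve(node, names):
    if isinstance(node, dict):
        if "Ref" in node:
            return names[node["Ref"]]          # KeyError = dangling Ref
        if "Fn::Join" in node:
            sep, parts = node["Fn::Join"]
            return sep.join(resolve(p, names) for p in parts)
        return {k: resolve(v, names) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, names) for v in node]
    return node

def s3_grants(policy_resource, names):
    """Return {action: set(resolved ARNs)} over the Allow statements."""
    doc = resolve(policy_resource["Properties"]["PolicyDocument"], names)
    grants = {}
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]; res = stmt["Resource"]
        actions = [actions] if isinstance(actions, str) else actions
        res = [res] if isinstance(res, str) else res
        for action in actions:
            grants.setdefault(action, set()).update(res)
    return grants

def lint(policy_resource, names):
    """Flag all-bucket wildcards and object actions granted on bucket ARNs."""
    findings = []
    for action, arns in s3_grants(policy_resource, names).items():
        for arn in sorted(arns):
            if arn.startswith("arn:aws:s3:::*"):
                findings.append(f"{action} on all buckets ({arn})")
            elif action.startswith("s3:GetObject") and "/" not in arn:
                findings.append(f"{action} needs an object ARN, got {arn}")
    return findings

def arn(bucket_ref, suffix=None):      # same Fn::Join shape as the snippet
    parts = ["arn:aws:s3:::", {"Ref": bucket_ref}] + ([suffix] if suffix else [])
    return {"Fn::Join": ["", parts]}

POLICY = {"Type": "AWS::IAM::Policy", "Properties": {   # constructed copy
    "PolicyName": "S3ContentPolicy", "PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [arn("PubS3Bucket"), arn("SecretS3Bucket")]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": [arn("PubS3Bucket", "/*"), arn("SecretS3Bucket", "/*")]}]},
    "Groups": [{"Ref": "ManagementInstancesGroup"}, {"Ref": "WebInstancesGroup"}]}}
NAMES = {"PubS3Bucket": "pub-content-123", "SecretS3Bucket": "secret-content-123"}
```

Running `lint(POLICY, NAMES)` on the snippet yields no findings, while a statement granting `s3:GetObject` on `arn:aws:s3:::*` is reported.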