I have a project where I needed to build an S3 bucket policy in a CloudFormation template (CFT), where certain statements should only be in the policy when a user ARN is provided. It's hard to even Google for this use case, since bucket policies can contain "Condition" blocks, but that's different from conditionally including or excluding an entire policy statement.
The linked gists contain one extra feature – if a second user ARN is provided via a parameter, that user is added to one of the policy statements.
I've included JSON and YAML versions. The YAML is much easier to read, but my use case required JSON, so I've included both: https://gist.github.com/karlkranich/cd27f8bda64aa9e1cdab6cb52eaafcd8
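The pattern the post describes, as an added YAML example written here rather than taken from the linked gists: a `Fn::If` whose false branch is `AWS::NoValue` drops the whole list element, so a statement is omitted from the policy when the parameter is empty; a second `Fn::If` inside the `Principal` adds the optional second user ARN to that same statement. The parameter names (`UserArn`, `SecondUserArn`), the condition names and the specific statements (an always-present TLS-only Deny and a conditional read-only Allow) are assumptions for illustration, not the author's template.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: S3 bucket policy with conditionally included statements (added example)

Parameters:
  UserArn:
    Type: String
    Default: ""
    Description: IAM user ARN allowed to read objects; leave empty to omit the Allow statement entirely
  SecondUserArn:
    Type: String
    Default: ""
    Description: Optional second IAM user ARN added to the same Allow statement

Conditions:
  HasUserArn: !Not [!Equals [!Ref UserArn, ""]]
  # The second user only makes sense when the first is present, since it is
  # appended to the statement that HasUserArn controls.
  HasSecondUserArn: !And
    - !Condition HasUserArn
    - !Not [!Equals [!Ref SecondUserArn, ""]]

Resources:
  Bucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Always present: refuse any request that is not made over TLS.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !GetAtt Bucket.Arn
              - !Sub "${Bucket.Arn}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
          # Present only when UserArn is set. The false branch is AWS::NoValue,
          # which removes this list element entirely, so an empty parameter
          # yields no grant rather than a statement with an empty Principal.
          - !If
            - HasUserArn
            - Sid: AllowReadForUser
              Effect: Allow
              Principal:
                AWS: !If
                  - HasSecondUserArn
                  - [!Ref UserArn, !Ref SecondUserArn]
                  - [!Ref UserArn]
              Action:
                - s3:GetObject
                - s3:ListBucket
              Resource:
                - !GetAtt Bucket.Arn
                - !Sub "${Bucket.Arn}/*"
            - !Ref AWS::NoValue
```

Deploying with no parameters leaves only the Deny statement in the policy, which is the safe default; the Allow appears only when a principal is explicitly supplied, and the second principal only when both are. The JSON version of the same template uses the long forms (`{"Fn::If": ["HasUserArn", {...}, {"Ref": "AWS::NoValue"}]}`), and `aws cloudformation validate-template --template-body file://template.yaml` will catch syntax errors before a deploy, though it does not render the conditions, so confirm the resulting policy on the bucket after the stack is created.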