Thanks for letting us know we're doing a good job!
If you've got a moment, please tell us what we did right so we can do more of it.
AWS::S3::Bucket
The AWS::S3::Bucket resource creates an Amazon S3 bucket in the same AWS
Region where you create the AWS CloudFormation stack.
To control how AWS CloudFormation handles the bucket when the stack is deleted, you can set a deletion policy for your bucket. You can choose to retain the bucket or to delete the bucket. For more information, see DeletionPolicy Attribute.
You can only delete empty buckets. Deletion fails for buckets that have contents.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::S3::Bucket", "Properties" : { "AccelerateConfiguration" :AccelerateConfiguration, "AccessControl" :String, "AnalyticsConfigurations" :[ AnalyticsConfiguration, ... ], "BucketEncryption" :BucketEncryption, "BucketName" :String, "CorsConfiguration" :CorsConfiguration, "InventoryConfigurations" :[ InventoryConfiguration, ... ], "LifecycleConfiguration" :LifecycleConfiguration, "LoggingConfiguration" :LoggingConfiguration, "MetricsConfigurations" :[ MetricsConfiguration, ... ], "NotificationConfiguration" :NotificationConfiguration, "ObjectLockConfiguration" :ObjectLockConfiguration, "ObjectLockEnabled" :Boolean, "PublicAccessBlockConfiguration" :PublicAccessBlockConfiguration, "ReplicationConfiguration" :ReplicationConfiguration, "Tags" :[ Tag, ... ], "VersioningConfiguration" :VersioningConfiguration, "WebsiteConfiguration" :WebsiteConfiguration} }
YAML
Type: AWS::S3::Bucket Properties: AccelerateConfiguration:AccelerateConfigurationAccessControl:StringAnalyticsConfigurations:- AnalyticsConfigurationBucketEncryption:BucketEncryptionBucketName:StringCorsConfiguration:CorsConfigurationInventoryConfigurations:- InventoryConfigurationLifecycleConfiguration:LifecycleConfigurationLoggingConfiguration:LoggingConfigurationMetricsConfigurations:- MetricsConfigurationNotificationConfiguration:NotificationConfigurationObjectLockConfiguration:ObjectLockConfigurationObjectLockEnabled:BooleanPublicAccessBlockConfiguration:PublicAccessBlockConfigurationReplicationConfiguration:ReplicationConfigurationTags:- TagVersioningConfiguration:VersioningConfigurationWebsiteConfiguration:WebsiteConfiguration
Properties
AccelerateConfiguration-
Configures the transfer acceleration state for an Amazon S3 bucket. For more information, see Amazon S3 Transfer Acceleration in the Amazon Simple Storage Service Developer Guide.
Required: No
Type: AccelerateConfiguration
Update requires: No interruption
AccessControl-
A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see Canned ACL in the Amazon Simple Storage Service Developer Guide.
Be aware that the syntax for this property differs from the information provided in the Amazon Simple Storage Service Developer Guide. The AccessControl property is case-sensitive and must be one of the following values: Private, PublicRead, PublicReadWrite, AuthenticatedRead, LogDeliveryWrite, BucketOwnerRead, BucketOwnerFullControl, or AwsExecRead.
Required: No
Type: String
Update requires: No interruption
AnalyticsConfigurations-
Specifies the configuration and any analyses for the analytics filter of an Amazon S3 bucket.
Required: No
Type: List of AnalyticsConfiguration
Update requires: No interruption
BucketEncryption-
Specifies default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS) bucket. For information about the Amazon S3 default encryption feature, see Amazon S3 Default Encryption for S3 Buckets in the Amazon Simple Storage Service Developer Guide.
Required: No
Type: BucketEncryption
Update requires: No interruption
BucketName-
A name for the bucket. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. For more information, see Name Type. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-).
Important If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement
CorsConfiguration-
Describes the cross-origin access configuration for objects in an Amazon S3 bucket. For more information, see Enabling Cross-Origin Resource Sharing in the Amazon Simple Storage Service Developer Guide.
Required: No
Type: CorsConfiguration
Update requires: No interruption
InventoryConfigurations-
Specifies the inventory configuration for an Amazon S3 bucket. For more information, see GET Bucket inventory in the Amazon Simple Storage Service API Reference.
Required: No
Type: List of InventoryConfiguration
Update requires: No interruption
LifecycleConfiguration-
Specifies the lifecycle configuration for objects in an Amazon S3 bucket. For more information, see Object Lifecycle Management in the Amazon Simple Storage Service Developer Guide.
Required: No
Type: LifecycleConfiguration
Update requires: No interruption
LoggingConfiguration-
Settings that define where logs are stored.
Required: No
Type: LoggingConfiguration
Update requires: No interruption
MetricsConfigurations-
Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket. If you're updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don't include the elements you want to keep, they are erased. For more information, see PUT Bucket metrics in the Amazon Simple Storage Service API Reference.
Required: No
Type: List of MetricsConfiguration
Update requires: No interruption
NotificationConfiguration-
Configuration that defines how Amazon S3 handles bucket notifications.
Required: No
Type: NotificationConfiguration
Update requires: No interruption
ObjectLockConfiguration-
Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket.
Note DefaultRetentionrequires either Days or Years. You can't specify both at the same time.Related Resources
Required: No
Type: ObjectLockConfiguration
Update requires: No interruption
ObjectLockEnabled-
Indicates whether this bucket has an Object Lock configuration enabled.
Required: No
Type: Boolean
Update requires: Replacement
PublicAccessBlockConfiguration-
Configuration that defines how Amazon S3 handles public access.
Required: No
Type: PublicAccessBlockConfiguration
Update requires: No interruption
ReplicationConfiguration-
Configuration for replicating objects in an S3 bucket. To enable replication, you must also enable versioning by using the
VersioningConfigurationproperty.Amazon S3 can store replicated objects in only one destination bucket. The destination bucket must already exist and be in a different AWS Region than your source bucket.
Required: No
Type: ReplicationConfiguration
Update requires: No interruption
Tags-
An arbitrary set of tags (key-value pairs) for this S3 bucket.
Required: No
Type: List of Tag
Update requires: No interruption
VersioningConfiguration-
Enables multiple versions of all objects in this bucket. You might enable versioning to prevent objects from being deleted or overwritten by mistake or to archive objects so that you can retrieve previous versions of them.
Required: No
Type: VersioningConfiguration
Update requires: No interruption
WebsiteConfiguration-
Information used to configure the bucket as a static website. For more information, see Hosting Websites on Amazon S3.
Required: No
Type: WebsiteConfiguration
Update requires: No interruption
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name.
Example: mystack-mybucket-kdwwxmddtr2g
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following
are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Arn-
Returns the Amazon Resource Name (ARN) of the specified bucket.
Example:
arn:aws:s3:::mybucket DomainName-
Returns the IPv4 DNS name of the specified bucket.
Example:
mystack-mybucket-kdwwxmddtr2g.s3.amazonaws.com DualStackDomainName-
Returns the IPv6 DNS name of the specified bucket.
Example:
mystack-mybucket-kdwwxmddtr2g.s3.dualstack.us-east-2.amazonaws.comFor more information about dual-stack endpoints, see Using Amazon S3 Dual-Stack Endpoints.
RegionalDomainName-
Returns the regional domain name of the specified bucket.
Example:
mystack-mybucket-kdwwxmddtr2g.s3.us-east-2.amazonaws.com WebsiteURL-
Returns the Amazon S3 website endpoint for the specified bucket.
Example (IPv4):
http://mystack-mybucket-kdwwxmddtr2g.s3-website-us-east-2.amazonaws.comExample (IPv6):
http://mystack-mybucket-kdwwxmddtr2g.s3.dualstack.us-east-2.amazonaws.com
Examples
Create an S3 bucket
The following example creates an S3 bucket with a Retain deletion policy.
JSON
"Resources" : { "S3Bucket" : { "Type" : "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties" : { "BucketName" : "my-bucket" } } }
YAML
Resources: S3Bucket: Type: AWS::S3::Bucket DeletionPolicy: Retain Properties: BucketName: my-bucket
Associate a Replication Configuration IAM Role with an S3 Bucket
The following example creates an S3 bucket and grants it permission to write to a
replication bucket by using an AWS Identity and Access Management (IAM) role. To avoid
a circular dependency, the
role's policy is declared as a separate resource. The bucket depends on the
WorkItemBucketBackupRole role. If the policy is included in the role, the
role also depends on the bucket.
JSON
"Resources": { "RecordServiceS3Bucket": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": { "ReplicationConfiguration": { "Role": { "Fn::GetAtt": [ "WorkItemBucketBackupRole", "Arn" ] }, "Rules": [{ "Destination": { "Bucket": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Fn::Join": [ "-", [ { "Ref": "AWS::Region" }, { "Ref": "AWS::StackName" }, "replicationbucket" ]] } ]] }, "StorageClass": "STANDARD" }, "Id": "Backup", "Prefix": "", "Status": "Enabled" }] }, "VersioningConfiguration": { "Status": "Enabled" } } }, "WorkItemBucketBackupRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [{ "Action": [ "sts:AssumeRole" ], "Effect": "Allow", "Principal": { "Service": [ "s3.amazonaws.com" ] } }] } } }, "BucketBackupPolicy": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [{ "Action": [ "s3:GetReplicationConfiguration", "s3:ListBucket" ], "Effect": "Allow", "Resource": [{ "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "RecordServiceS3Bucket" } ] ] }] },{ "Action": [ "s3:GetObjectVersion", "s3:GetObjectVersionAcl" ], "Effect": "Allow", "Resource": [{ "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "RecordServiceS3Bucket" }, "/*" ] ] }] }, { "Action": [ "s3:ReplicateObject", "s3:ReplicateDelete" ], "Effect": "Allow", "Resource": [{ "Fn::Join": [ "", [ "arn:aws:s3:::", { "Fn::Join": [ "-", [ { "Ref": "AWS::Region" }, { "Ref": "AWS::StackName" }, "replicationbucket" ]] }, "/*" ]] }] }] }, "PolicyName": "BucketBackupPolicy", "Roles": [{ "Ref": "WorkItemBucketBackupRole" }] } } }
YAML
Resources: RecordServiceS3Bucket: Type: AWS::S3::Bucket DeletionPolicy: Retain Properties: ReplicationConfiguration: Role: !GetAtt [WorkItemBucketBackupRole, Arn] Rules: - Destination: Bucket: !Join ['', ['arn:aws:s3:::', !Join ['-', [!Ref 'AWS::Region', !Ref 'AWS::StackName', replicationbucket]]]] StorageClass: STANDARD Id: Backup Prefix: '' Status: Enabled VersioningConfiguration: Status: Enabled WorkItemBucketBackupRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: ['sts:AssumeRole'] Effect: Allow Principal: Service: [s3.amazonaws.com] BucketBackupPolicy: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: ['s3:GetReplicationConfiguration', 's3:ListBucket'] Effect: Allow Resource: - !Join ['', ['arn:aws:s3:::', !Ref 'RecordServiceS3Bucket']] - Action: ['s3:GetObjectVersion', 's3:GetObjectVersionAcl'] Effect: Allow Resource: - !Join ['', ['arn:aws:s3:::', !Ref 'RecordServiceS3Bucket', /*]] - Action: ['s3:ReplicateObject', 's3:ReplicateDelete'] Effect: Allow Resource: - !Join ['', ['arn:aws:s3:::', !Join ['-', [!Ref 'AWS::Region', !Ref 'AWS::StackName', replicationbucket]], /*]] PolicyName: BucketBackupPolicy Roles: [!Ref 'WorkItemBucketBackupRole']
Configure a Static Website with a Routing Rule
In this example, AWS::S3::Bucket's Fn::GetAtt values are used to provide
outputs. If an HTTP 404 error occurs, the routing rule redirects requests to an EC2
instance
and inserts the object key prefix report-404/ in the redirect. For example, if
you request a page called ExamplePage.html and it results in an HTTP 404 error,
the request is routed to a page called report-404/ExamplePage.html on the
specified instance. For all other HTTP error codes, error.html is returned.
This example also specifies a metrics configuration called EntireBucket
that enables CloudWatch request metrics at the bucket level.
JSON
{ "Resources" : { "S3Bucket" : { "Type" : "AWS::S3::Bucket", "Properties" : { "AccessControl" : "PublicRead", "BucketName" : "public-bucket", "MetricsConfigurations": [ { "Id": "EntireBucket" } ], "WebsiteConfiguration" : { "IndexDocument" : "index.html", "ErrorDocument" : "error.html", "RoutingRules": [ { "RoutingRuleCondition": { "HttpErrorCodeReturnedEquals": "404", "KeyPrefixEquals": "out1/" }, "RedirectRule": { "HostName": "ec2-11-22-333-44.compute-1.amazonaws.com", "ReplaceKeyPrefixWith": "report-404/" } } ] } }, "DeletionPolicy" : "Retain" } }, "Outputs" : { "WebsiteURL" : { "Value" : { "Fn::GetAtt" : [ "S3Bucket", "WebsiteURL" ] }, "Description" : "URL for website hosted on S3" }, "S3BucketSecureURL" : { "Value" : { "Fn::Join" : [ "", [ "https://", { "Fn::GetAtt" : [ "S3Bucket", "DomainName" ] } ] ] }, "Description" : "Name of S3 bucket to hold website content" } } }
YAML
Resources: S3Bucket: Type: AWS::S3::Bucket Properties: AccessControl: PublicRead BucketName: public-bucket MetricsConfigurations: - Id: EntireBucket WebsiteConfiguration: IndexDocument: index.html ErrorDocument: error.html RoutingRules: - RoutingRuleCondition: HttpErrorCodeReturnedEquals: '404' KeyPrefixEquals: out1/ RedirectRule: HostName: ec2-11-22-333-44.compute-1.amazonaws.com ReplaceKeyPrefixWith: report-404/ DeletionPolicy: Retain Outputs: WebsiteURL: Value: !GetAtt [S3Bucket, WebsiteURL] Description: URL for website hosted on S3 S3BucketSecureURL: Value: !Join ['', ['https://', !GetAtt [S3Bucket, DomainName]]] Description: Name of S3 bucket to hold website content
Enable Cross-Origin Resource Sharing
The following example template shows a public S3 bucket with two cross-origin resource sharing rules.
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "PublicRead", "CorsConfiguration": { "CorsRules": [ { "AllowedHeaders": [ "*" ], "AllowedMethods": [ "GET" ], "AllowedOrigins": [ "*" ], "ExposedHeaders": [ "Date" ], "Id": "myCORSRuleId1", "MaxAge": "3600" }, { "AllowedHeaders": [ "x-amz-*" ], "AllowedMethods": [ "DELETE" ], "AllowedOrigins": [ "http://www.example1.com", "http://www.example2.com" ], "ExposedHeaders": [ "Connection", "Server", "Date" ], "Id": "myCORSRuleId2", "MaxAge": "1800" } ] } } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with CORS enabled." } } }
YAML
AWSTemplateFormatVersion: '2010-09-09' Resources: S3Bucket: Type: AWS::S3::Bucket Properties: AccessControl: PublicRead CorsConfiguration: CorsRules: - AllowedHeaders: ['*'] AllowedMethods: [GET] AllowedOrigins: ['*'] ExposedHeaders: [Date] Id: myCORSRuleId1 MaxAge: '3600' - AllowedHeaders: [x-amz-*] AllowedMethods: [DELETE] AllowedOrigins: ['http://www.example1.com', 'http://www.example2.com'] ExposedHeaders: [Connection, Server, Date] Id: myCORSRuleId2 MaxAge: '1800' Outputs: BucketName: Value: !Ref 'S3Bucket' Description: Name of the sample Amazon S3 bucket with CORS enabled.
Manage the Lifecycle for Amazon S3 Objects
The following example template shows an S3 bucket with a lifecycle configuration
rule. The rule applies to all objects with the glacier key prefix. The objects
are transitioned to Glacier after one day, and deleted after one year.
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "Private", "LifecycleConfiguration": { "Rules": [ { "Id": "GlacierRule", "Prefix": "glacier", "Status": "Enabled", "ExpirationInDays": "365", "Transitions": [ { "TransitionInDays": "1", "StorageClass": "GLACIER" } ] } ] } } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with a lifecycle configuration." } } }
YAML
AWSTemplateFormatVersion: '2010-09-09' Resources: S3Bucket: Type: AWS::S3::Bucket Properties: AccessControl: Private LifecycleConfiguration: Rules: - Id: GlacierRule Prefix: glacier Status: Enabled ExpirationInDays: '365' Transitions: - TransitionInDays: '1' StorageClass: GLACIER Outputs: BucketName: Value: !Ref 'S3Bucket' Description: Name of the sample Amazon S3 bucket with a lifecycle configuration.
Log Access Requests for a Specific S3 Bucket
The following example template creates two S3 buckets. The
LoggingBucket bucket store the logs from the S3Bucket bucket. To
receive logs from the S3Bucket bucket, the logging bucket requires log delivery
write permissions.
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "Private", "LoggingConfiguration": { "DestinationBucketName": {"Ref" : "LoggingBucket"}, "LogFilePrefix": "testing-logs" } } }, "LoggingBucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "LogDeliveryWrite" } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with a logging configuration." } } }
YAML
AWSTemplateFormatVersion: '2010-09-09' Resources: S3Bucket: Type: AWS::S3::Bucket Properties: AccessControl: Private LoggingConfiguration: DestinationBucketName: !Ref 'LoggingBucket' LogFilePrefix: testing-logs LoggingBucket: Type: AWS::S3::Bucket Properties: AccessControl: LogDeliveryWrite Outputs: BucketName: Value: !Ref 'S3Bucket' Description: Name of the sample Amazon S3 bucket with a logging configuration.
Receive S3 Bucket Notifications to an SNS Topic
The following example template shows an Amazon S3 bucket with a notification configuration that sends an event to the specified SNS topic when S3 has lost all replicas of an object.
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "Private", "NotificationConfiguration": { "TopicConfigurations": [ { "Topic": "arn:aws:sns:us-east-1:123456789012:TestTopic", "Event": "s3:ReducedRedundancyLostObject" } ] } } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with a notification configuration." } } }
YAML
AWSTemplateFormatVersion: '2010-09-09' Resources: S3Bucket: Type: AWS::S3::Bucket Properties: AccessControl: Private NotificationConfiguration: TopicConfigurations: - Topic: arn:aws:sns:us-east-1:123456789012:TestTopic Event: s3:ReducedRedundancyLostObject Outputs: BucketName: Value: !Ref 'S3Bucket' Description: Name of the sample Amazon S3 bucket with a notification configuration.
Replicate Objects and Store Them in Another S3 Bucket
The following example includes two replication rules. Amazon S3 replicates objects
with
the MyPrefix or MyOtherPrefix prefixes and stores them in the
my-replication-bucket bucket, which must be in a different AWS Region than
the S3Bucket bucket.
JSON
"S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "VersioningConfiguration":{ "Status":"Enabled" }, "ReplicationConfiguration": { "Role": "arn:aws:iam::123456789012:role/replication_role", "Rules": [ { "Id": "MyRule1", "Status": "Enabled", "Prefix": "MyPrefix", "Destination": { "Bucket": "arn:aws:s3:::my-replication-bucket", "StorageClass": "STANDARD" } }, { "Status": "Enabled", "Prefix": "MyOtherPrefix", "Destination": { "Bucket": "arn:aws:s3:::my-replication-bucket" } } ] } } }
YAML
S3Bucket: Type: AWS::S3::Bucket Properties: VersioningConfiguration: Status: Enabled ReplicationConfiguration: Role: arn:aws:iam::123456789012:role/replication_role Rules: - Id: MyRule1 Status: Enabled Prefix: MyPrefix Destination: Bucket: arn:aws:s3:::my-replication-bucket StorageClass: STANDARD - Status: Enabled Prefix: MyOtherPrefix Destination: Bucket: arn:aws:s3:::my-replication-bucket
Specify Analytics and Inventory Configurations for an Amazon S3 Bucket
The following example specifies analytics and inventory results to be generated for an S3 bucket, including the format of the results and the bucket to which they are published. The inventory list is enabled to generate weekly, and only includes the current version of each object.
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "S3 Bucket with Inventory and Analytics Configurations", "Resources": { "Helper": { "Type": "AWS::S3::Bucket" }, "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AnalyticsConfigurations": [ { "Id": "AnalyticsConfigurationId", "StorageClassAnalysis": { "DataExport": { "Destination": { "BucketArn": { "Fn::GetAtt": [ "Helper", "Arn" ] }, "Format": "CSV", "Prefix": "AnalyticsDestinationPrefix" }, "OutputSchemaVersion": "V_1" } }, "Prefix": "AnalyticsConfigurationPrefix", "TagFilters": [ { "Key": "AnalyticsTagKey", "Value": "AnalyticsTagValue" } ] } ], "InventoryConfigurations": [ { "Id": "InventoryConfigurationId", "Destination": { "BucketArn": { "Fn::GetAtt": [ "Helper", "Arn" ] }, "Format": "CSV", "Prefix": "InventoryDestinationPrefix" }, "Enabled": "true", "IncludedObjectVersions": "Current", "Prefix": "InventoryConfigurationPrefix", "ScheduleFrequency": "Weekly" } ] } } } }
YAML
AWSTemplateFormatVersion: 2010-09-09 Description: S3 Bucket with Inventory and Analytics Configurations Resources: Helper: Type: AWS::S3::Bucket S3Bucket: Type: AWS::S3::Bucket Properties: AnalyticsConfigurations: - Id: AnalyticsConfigurationId StorageClassAnalysis: DataExport: Destination: BucketArn: !GetAtt - Helper - Arn Format: CSV Prefix: AnalyticsDestinationPrefix OutputSchemaVersion: V_1 Prefix: AnalyticsConfigurationPrefix TagFilters: - Key: AnalyticsTagKey Value: AnalyticsTagValue InventoryConfigurations: - Id: InventoryConfigurationId Destination: BucketArn: !GetAtt - Helper - Arn Format: CSV Prefix: InventoryDestinationPrefix Enabled: 'true' IncludedObjectVersions: Current Prefix: InventoryConfigurationPrefix ScheduleFrequency: Weekly
Create a Bucket with Default Encryption Enabled
The following example creates a bucket with server-side bucket encryption configured. This example uses S3-managed keys. You can use KMS-managed keys instead by modifying the Amazon S3 Bucket ServerSideEncryptionByDefault property.
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "S3 bucket with default encryption", "Resources": { "EncryptedS3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": { "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}" }, "BucketEncryption": { "ServerSideEncryptionConfiguration": [{ "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } }] } }, "DeletionPolicy": "Delete" } } }
YAML
AWSTemplateFormatVersion: 2010-09-09 Description: S3 bucket with default encryption Resources: EncryptedS3Bucket: Type: AWS::S3::Bucket Properties: BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}' BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 DeletionPolicy: Delete
See Also
