AWS::S3::Bucket
The AWS::S3::Bucket resource creates an Amazon Simple Storage Service (Amazon S3) bucket in the same
AWS
Region in which you create the AWS CloudFormation stack.
To control how AWS CloudFormation handles the bucket when the stack is deleted, you can set a deletion policy for your bucket. For Amazon S3 buckets, you can choose to retain the bucket or to delete the bucket. For more information, see DeletionPolicy Attribute.
Important
You can delete only empty buckets. Deletion will fail for buckets that have contents.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
Copy{ "Type" : "AWS::S3::Bucket", "Properties" : { "AccessControl" :String, "BucketName" :String, "CorsConfiguration" :CORS Configuration, "LifecycleConfiguration" :Lifecycle Configuration, "LoggingConfiguration" :Logging Configuration, "NotificationConfiguration" :Notification Configuration, "ReplicationConfiguration" :Replication Configuration, "Tags" : [Resource Tag, ...], "VersioningConfiguration" :Versioning Configuration, "WebsiteConfiguration" :Website Configuration Type} }
YAML
CopyType: "AWS::S3::Bucket" Properties:AccessControl:StringBucketName:StringCorsConfiguration:CORS ConfigurationLifecycleConfiguration:Lifecycle ConfigurationLoggingConfiguration:Logging ConfigurationNotificationConfiguration:Notification ConfigurationReplicationConfiguration:Replication ConfigurationTags: -Resource TagVersioningConfiguration:Versioning ConfigurationWebsiteConfiguration:Website Configuration Type
Properties
AccessControl-
A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see Canned ACLs in the Amazon S3 documentation in the Amazon Simple Storage Service Developer Guide..
Required: No
Type: String
Valid values:
AuthenticatedRead|AwsExecRead|BucketOwnerRead|BucketOwnerFullControl|LogDeliveryWrite|Private|PublicRead|PublicReadWriteUpdate requires: No interruption
BucketName-
A name for the bucket. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the bucket name. For more information, see Name Type. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-).
Important
If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement
CorsConfiguration-
Rules that define cross-origin resource sharing of objects in this bucket. For more information, see Enabling Cross-Origin Resource Sharing in the Amazon Simple Storage Service Developer Guide.
Required: No
Type: Amazon S3 Cors Configuration
Update requires: No interruption
LifecycleConfiguration-
Rules that define how Amazon S3 manages objects during their lifetime. For more information, see Object Lifecycle Management in the Amazon Simple Storage Service Developer Guide.
Required: No
Type: Amazon S3 Lifecycle Configuration
Update requires: No interruption
LoggingConfiguration-
Settings that define where logs are stored.
Required: No
Type: Amazon S3 Logging Configuration
Update requires: No interruption
NotificationConfiguration-
Configuration that defines how Amazon S3 handles bucket notifications.
Required: No
Type: Amazon S3 NotificationConfiguration
Update requires: No interruption
ReplicationConfiguration-
Configuration for replicating objects in an S3 bucket. To enable replication, you must also enable versioning by using the
VersioningConfigurationproperty.Amazon S3 can store replicated objects in only one destination (S3 bucket). The destination bucket must already exist and be in a different AWS Region than your source bucket.
Required: No
Type: Amazon S3 ReplicationConfiguration
Update requires: No interruption
Tags-
An arbitrary set of tags (key-value pairs) for this S3 bucket.
Important
We recommend limiting the number of tags to seven. Applying more than seven tags prevents the AWS CLI and the AWS CloudFormation console and API actions from listing the tags for the S3 bucket.
Required: No
Type: AWS CloudFormation Resource Tags
Update requires: No interruption
VersioningConfiguration-
Enables multiple variants of all objects in this bucket. You might enable versioning to prevent objects from being deleted or overwritten by mistake or to archive objects so that you can retrieve previous versions of them.
Required: No
Type: Amazon S3 Versioning Configuration
Update requires: No interruption
WebsiteConfiguration-
Information used to configure the bucket as a static website. For more information, see Hosting Websites on Amazon S3.
Required: No
Type: Website Configuration Type
Update requires: No interruption
Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic
function, Ref returns the resource name.
Example: mystack-mybucket-kdwwxmddtr2g.
For more information about using the Ref function, see Ref.
Fn::GetAtt
Fn::GetAtt returns a value for a specified attribute of this type.
The following are the available attributes and sample return values.
Arn-
Returns the Amazon Resource Name (ARN) of the specified bucket.
Example:
arn:aws:s3:::mybucket DomainName-
Returns the IPv4 DNS name of the specified bucket.
Example:
mystack-mybucket-kdwwxmddtr2g.s3.amazonaws.com DualStackDomainName-
Returns the IPv6 DNS name of the specified bucket.
Example:
mystack-mybucket-kdwwxmddtr2g.s3.dualstack.us-east-2.amazonaws.com/For more information about dual-stack endpoints, see Using Amazon S3 Dual-Stack Endpoints.
WebsiteURL-
Returns the Amazon S3 website endpoint for the specified bucket.
Example (IPv4):
http://mystack-mybucket-kdwwxmddtr2g.s3-website-us-east-2.amazonaws.com/Example (IPv6):
http://mystack-mybucket-kdwwxmddtr2g.s3.dualstack.us-east-2.amazonaws.com/
For more information about using Fn::GetAtt, see Fn::GetAtt.
Examples
Associate a Replication Configuration IAM Role with an S3 Bucket
The following example creates an S3 bucket and grants it permission to write to a
replication bucket by using an AWS Identity and Access Management (IAM) role. To avoid
a circular dependency, the
role's policy is declared as a separate resource. The bucket depends on the
WorkItemBucketBackupRole role. If the policy is included in the role, the
role also depends on the bucket.
JSON
Copy"RecordServiceS3Bucket": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": { "ReplicationConfiguration": { "Role": { "Fn::GetAtt": [ "WorkItemBucketBackupRole", "Arn" ] }, "Rules": [{ "Destination": { "Bucket": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Fn::Join": [ "-", [ { "Ref": "AWS::Region" }, { "Ref": "AWS::StackName" }, "replicationbucket" ]] } ]] }, "StorageClass": "STANDARD" }, "Id": "Backup", "Prefix": "", "Status": "Enabled" }] }, "VersioningConfiguration": { "Status": "Enabled" } } }, "WorkItemBucketBackupRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [{ "Action": [ "sts:AssumeRole" ], "Effect": "Allow", "Principal": { "Service": [ "s3.amazonaws.com" ] } }] } } }, "BucketBackupPolicy": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [{ "Action": [ "s3:GetReplicationConfiguration", "s3:ListBucket" ], "Effect": "Allow", "Resource": [{ "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "RecordServiceS3Bucket" } ] ] }] },{ "Action": [ "s3:GetObjectVersion", "s3:GetObjectVersionAcl" ], "Effect": "Allow", "Resource": [{ "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "RecordServiceS3Bucket" }, "/*" ] ] }] }, { "Action": [ "s3:ReplicateObject", "s3:ReplicateDelete" ], "Effect": "Allow", "Resource": [{ "Fn::Join": [ "", [ "arn:aws:s3:::", { "Fn::Join": [ "-", [ { "Ref": "AWS::Region" }, { "Ref": "AWS::StackName" }, "replicationbucket" ]] }, "/*" ]] }] }] }, "PolicyName": "BucketBackupPolicy", "Roles": [{ "Ref": "WorkItemBucketBackupRole" }] } }
YAML
CopyRecordServiceS3Bucket: Type: AWS::S3::Bucket DeletionPolicy: Retain Properties: ReplicationConfiguration: Role: !GetAtt [WorkItemBucketBackupRole, Arn] Rules: - Destination: Bucket: !Join ['', ['arn:aws:s3:::', !Join ['-', [!Ref 'AWS::Region', !Ref 'AWS::StackName', replicationbucket]]]] StorageClass: STANDARD Id: Backup Prefix: '' Status: Enabled VersioningConfiguration: Status: Enabled WorkItemBucketBackupRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: ['sts:AssumeRole'] Effect: Allow Principal: Service: [s3.amazonaws.com] BucketBackupPolicy: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: ['s3:GetReplicationConfiguration', 's3:ListBucket'] Effect: Allow Resource: - !Join ['', ['arn:aws:s3:::', !Ref 'RecordServiceS3Bucket']] - Action: ['s3:GetObjectVersion', 's3:GetObjectVersionAcl'] Effect: Allow Resource: - !Join ['', ['arn:aws:s3:::', !Ref 'RecordServiceS3Bucket', /*]] - Action: ['s3:ReplicateObject', 's3:ReplicateDelete'] Effect: Allow Resource: - !Join ['', ['arn:aws:s3:::', !Join ['-', [!Ref 'AWS::Region', !Ref 'AWS::StackName', replicationbucket]], /*]] PolicyName: BucketBackupPolicy Roles: [!Ref 'WorkItemBucketBackupRole']
Configure a Static Website with a Routing Rule
In this example, AWS::S3::Bucket's Fn::GetAtt
values are used to provide outputs. If an HTTP 404 error occurs, the routing rule
redirects
requests to an EC2 instance and inserts the object key prefix report-404/ in
the redirect. For example, if you request a page called ExamplePage.html and it
results in a HTTP 404 error, the request is routed to a page called
report-404/ExamplePage.html on the specified instance. For all other HTTP
error codes, error.html is returned.
JSON
Copy"Resources" : { "S3Bucket" : { "Type" : "AWS::S3::Bucket", "Properties" : { "AccessControl" : "PublicRead", "BucketName" : "PublicBucket", "WebsiteConfiguration" : { "IndexDocument" : "index.html", "ErrorDocument" : "error.html", "RoutingRules": [ { "RoutingRuleCondition": { "HttpErrorCodeReturnedEquals": "404", "KeyPrefixEquals": "out1/" }, "RedirectRule": { "HostName": "ec2-11-22-333-44.compute-1.amazonaws.com", "ReplaceKeyPrefixWith": "report-404/" } } ] } }, "DeletionPolicy" : "Retain" } }, "Outputs" : { "WebsiteURL" : { "Value" : { "Fn::GetAtt" : [ "S3Bucket", "WebsiteURL" ] }, "Description" : "URL for website hosted on S3" }, "S3BucketSecureURL" : { "Value" : { "Fn::Join" : [ "", [ "https://", { "Fn::GetAtt" : [ "S3Bucket", "DomainName" ] } ] ] }, "Description" : "Name of S3 bucket to hold website content" } }
YAML
CopyResources: S3Bucket: Type: AWS::S3::Bucket Properties: AccessControl: PublicRead BucketName: PublicBucket WebsiteConfiguration: IndexDocument: index.html ErrorDocument: error.html RoutingRules: - RoutingRuleCondition: HttpErrorCodeReturnedEquals: '404' KeyPrefixEquals: out1/ RedirectRule: HostName: ec2-11-22-333-44.compute-1.amazonaws.com ReplaceKeyPrefixWith: report-404/ DeletionPolicy: Retain Outputs: WebsiteURL: Value: !GetAtt [S3Bucket, WebsiteURL] Description: URL for website hosted on S3 S3BucketSecureURL: Value: !Join ['', ['https://', !GetAtt [S3Bucket, DomainName]]] Description: Name of S3 bucket to hold website content
Enable Cross-Origin Resource Sharing
The following example template shows an S3 bucket with two cross-origin resource sharing rules.
JSON
Copy{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "PublicReadWrite", "CorsConfiguration": { "CorsRules": [ { "AllowedHeaders": [ "*" ], "AllowedMethods": [ "GET" ], "AllowedOrigins": [ "*" ], "ExposedHeaders": [ "Date" ], "Id": "myCORSRuleId1", "MaxAge": "3600" }, { "AllowedHeaders": [ "x-amz-*" ], "AllowedMethods": [ "DELETE" ], "AllowedOrigins": [ "http://www.example1.com", "http://www.example2.com" ], "ExposedHeaders": [ "Connection", "Server", "Date" ], "Id": "myCORSRuleId2", "MaxAge": "1800" } ] } } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with CORS enabled." } } }
YAML
CopyAWSTemplateFormatVersion: '2010-09-09' Resources: S3Bucket: Type: AWS::S3::Bucket Properties: AccessControl: PublicReadWrite CorsConfiguration: CorsRules: - AllowedHeaders: ['*'] AllowedMethods: [GET] AllowedOrigins: ['*'] ExposedHeaders: [Date] Id: myCORSRuleId1 MaxAge: '3600' - AllowedHeaders: [x-amz-*] AllowedMethods: [DELETE] AllowedOrigins: ['http://www.example1.com', 'http://www.example2.com'] ExposedHeaders: [Connection, Server, Date] Id: myCORSRuleId2 MaxAge: '1800' Outputs: BucketName: Value: !Ref 'S3Bucket' Description: Name of the sample Amazon S3 bucket with CORS enabled.
Manage the Lifecycle for Amazon S3 Objects
The following example template shows an S3 bucket with a lifecycle configuration
rule. The rule applies to all objects with the glacier key prefix. The objects
are transitioned to Amazon Glacier after one day, and deleted after one year.
JSON
Copy{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "PublicReadWrite", "LifecycleConfiguration": { "Rules": [ { "Id": "GlacierRule", "Prefix": "glacier", "Status": "Enabled", "ExpirationInDays": "365", "Transitions": [ { "TransitionInDays": "1", "StorageClass": "Glacier" } ] } ] } } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with a lifecycle configuration." } } }
YAML
CopyAWSTemplateFormatVersion: '2010-09-09' Resources: S3Bucket: Type: AWS::S3::Bucket Properties: AccessControl: PublicReadWrite LifecycleConfiguration: Rules: - Id: GlacierRule Prefix: glacier Status: Enabled ExpirationInDays: '365' Transitions: - TransitionInDays: '1' StorageClass: Glacier Outputs: BucketName: Value: !Ref 'S3Bucket' Description: Name of the sample Amazon S3 bucket with a lifecycle configuration.
Log Access Requests for a Specific S3 Bucket
The following example template creates two S3 buckets. The
LoggingBucket bucket store the logs from the S3Bucket bucket. To
receive logs from the S3Bucket bucket, the logging bucket requires log delivery
write permissions.
JSON
Copy{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "PublicRead", "LoggingConfiguration": { "DestinationBucketName": {"Ref" : "LoggingBucket"}, "LogFilePrefix": "testing-logs" } } }, "LoggingBucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "LogDeliveryWrite" } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with a logging configuration." } } }
YAML
CopyAWSTemplateFormatVersion: '2010-09-09' Resources: S3Bucket: Type: AWS::S3::Bucket Properties: AccessControl: PublicRead LoggingConfiguration: DestinationBucketName: !Ref 'LoggingBucket' LogFilePrefix: testing-logs LoggingBucket: Type: AWS::S3::Bucket Properties: AccessControl: LogDeliveryWrite Outputs: BucketName: Value: !Ref 'S3Bucket' Description: Name of the sample Amazon S3 bucket with a logging configuration.
Receive S3 Bucket Notifications to an SNS Topic
The following example template shows an S3 bucket with a notification configuration that sends an event to the specified SNS topic when Amazon S3 has lost all replicas of an object.
JSON
Copy{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "PublicReadWrite", "NotificationConfiguration": { "TopicConfigurations": [ { "Topic": "arn:aws:sns:us-east-1:123456789012:TestTopic", "Event": "s3:ReducedRedundancyLostObject" } ] } } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with a notification configuration." } } }
YAML
CopyAWSTemplateFormatVersion: '2010-09-09' Resources: S3Bucket: Type: AWS::S3::Bucket Properties: AccessControl: PublicReadWrite NotificationConfiguration: TopicConfigurations: - Topic: arn:aws:sns:us-east-1:123456789012:TestTopic Event: s3:ReducedRedundancyLostObject Outputs: BucketName: Value: !Ref 'S3Bucket' Description: Name of the sample Amazon S3 bucket with a notification configuration.
Replicate Objects and Store Them in Another S3 Bucket
The following example includes two replication rules. Amazon S3 replicates objects
with
the MyPrefix or MyOtherPrefix prefixes and stores them in the
my-replication-bucket bucket, which must be in a different AWS Region than
the S3Bucket bucket.
JSON
Copy"S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "VersioningConfiguration":{ "Status":"Enabled" }, "ReplicationConfiguration": { "Role": "arn:aws:iam::123456789012:role/replication_role", "Rules": [ { "Id": "MyRule1", "Status": "Enabled", "Prefix": "MyPrefix", "Destination": { "Bucket": "arn:aws:s3:::my-replication-bucket", "StorageClass": "STANDARD" } }, { "Status": "Enabled", "Prefix": "MyOtherPrefix", "Destination": { "Bucket": "arn:aws:s3:::my-replication-bucket" } } ] } } }
YAML
CopyS3Bucket: Type: AWS::S3::Bucket Properties: VersioningConfiguration: Status: Enabled ReplicationConfiguration: Role: arn:aws:iam::123456789012:role/replication_role Rules: - Id: MyRule1 Status: Enabled Prefix: MyPrefix Destination: Bucket: arn:aws:s3:::my-replication-bucket StorageClass: STANDARD - Status: Enabled Prefix: MyOtherPrefix Destination: Bucket: arn:aws:s3:::my-replication-bucket
More Info
-
For more examples, see Amazon S3 Template Snippets.
-
Access Control List (ACL) Overview in the Amazon Simple Storage Service Developer Guide
-
Hosting a Static Website on Amazon S3 in the Amazon Simple Storage Service Developer Guide
