AWS::S3::Bucket - AWS CloudFormation

AWS::S3::Bucket

The AWS::S3::Bucket resource creates an Amazon S3 bucket in the same AWS Region where you create the AWS CloudFormation stack.

To control how AWS CloudFormation handles the bucket when the stack is deleted, you can set a deletion policy for your bucket. You can choose to retain the bucket or to delete the bucket. For more information, see DeletionPolicy Attribute.

Important

You can only delete empty buckets. Deletion fails for buckets that have contents.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

Properties

AccelerateConfiguration

Configures the transfer acceleration state for an Amazon S3 bucket. For more information, see Amazon S3 Transfer Acceleration in the Amazon S3 User Guide.

Required: No

Type: AccelerateConfiguration

Update requires: No interruption

AccessControl

A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see Canned ACL in the Amazon S3 User Guide.

Be aware that the syntax for this property differs from the information provided in the Amazon S3 User Guide. The AccessControl property is case-sensitive and must be one of the following values: Private, PublicRead, PublicReadWrite, AuthenticatedRead, LogDeliveryWrite, BucketOwnerRead, BucketOwnerFullControl, or AwsExecRead.

Required: No

Type: String

Update requires: No interruption

AnalyticsConfigurations

Specifies the configuration and any analyses for the analytics filter of an Amazon S3 bucket.

Required: No

Type: List of AnalyticsConfiguration

Update requires: No interruption

BucketEncryption

Specifies default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS). For information about the Amazon S3 default encryption feature, see Amazon S3 Default Encryption for S3 Buckets in the Amazon S3 User Guide.

Required: No

Type: BucketEncryption

Update requires: No interruption

BucketName

A name for the bucket. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-) and must follow Amazon S3 bucket restrictions and limitations. For more information, see Rules for naming Amazon S3 buckets in the Amazon S3 User Guide.

Important

If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.

Required: No

Type: String

Update requires: Replacement

CorsConfiguration

Describes the cross-origin access configuration for objects in an Amazon S3 bucket. For more information, see Enabling Cross-Origin Resource Sharing in the Amazon S3 User Guide.

Required: No

Type: CorsConfiguration

Update requires: No interruption

IntelligentTieringConfigurations

Defines how Amazon S3 handles Intelligent-Tiering storage.

Required: No

Type: List of IntelligentTieringConfiguration

Update requires: No interruption

InventoryConfigurations

Specifies the inventory configuration for an Amazon S3 bucket. For more information, see GET Bucket inventory in the Amazon S3 API Reference.

Required: No

Type: List of InventoryConfiguration

Update requires: No interruption

LifecycleConfiguration

Specifies the lifecycle configuration for objects in an Amazon S3 bucket. For more information, see Object Lifecycle Management in the Amazon S3 User Guide.

Required: No

Type: LifecycleConfiguration

Update requires: No interruption

LoggingConfiguration

Settings that define where logs are stored.

Required: No

Type: LoggingConfiguration

Update requires: No interruption

MetricsConfigurations

Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket. If you're updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don't include the elements you want to keep, they are erased. For more information, see PutBucketMetricsConfiguration.

Required: No

Type: List of MetricsConfiguration

Update requires: No interruption

NotificationConfiguration

Configuration that defines how Amazon S3 handles bucket notifications.

Required: No

Type: NotificationConfiguration

Update requires: No interruption

ObjectLockConfiguration

Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see Locking Objects.

Note
  • The DefaultRetention settings require both a mode and a period.

  • The DefaultRetention period can be either Days or Years but you must select one. You cannot specify Days and Years at the same time.

  • You can only enable Object Lock for new buckets. If you want to turn on Object Lock for an existing bucket, contact AWS Support.

Required: No

Type: ObjectLockConfiguration

Update requires: No interruption

ObjectLockEnabled

Indicates whether this bucket has an Object Lock configuration enabled. Enable ObjectLockEnabled when you apply ObjectLockConfiguration to a bucket.

Required: No

Type: Boolean

Update requires: Replacement

OwnershipControls

Configuration that defines how Amazon S3 handles object ownership rules.

Required: No

Type: OwnershipControls

Update requires: No interruption

PublicAccessBlockConfiguration

Configuration that defines how Amazon S3 handles public access.

Required: No

Type: PublicAccessBlockConfiguration

Update requires: No interruption

ReplicationConfiguration

Configuration for replicating objects in an S3 bucket. To enable replication, you must also enable versioning by using the VersioningConfiguration property.

Amazon S3 can store replicated objects in a single destination bucket or multiple destination buckets. The destination bucket or buckets must already exist.

Required: No

Type: ReplicationConfiguration

Update requires: No interruption

Tags

An arbitrary set of tags (key-value pairs) for this S3 bucket.

Required: No

Type: List of Tag

Update requires: No interruption

VersioningConfiguration

Enables multiple versions of all objects in this bucket. You might enable versioning to prevent objects from being deleted or overwritten by mistake or to archive objects so that you can retrieve previous versions of them.

Required: No

Type: VersioningConfiguration

Update requires: No interruption

WebsiteConfiguration

Information used to configure the bucket as a static website. For more information, see Hosting Websites on Amazon S3.

Required: No

Type: WebsiteConfiguration

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the bucket name.

Example: DOC-EXAMPLE-BUCKET

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Arn

Returns the Amazon Resource Name (ARN) of the specified bucket.

Example: arn:aws:s3:::DOC-EXAMPLE-BUCKET

DomainName

Returns the IPv4 DNS name of the specified bucket.

Example: DOC-EXAMPLE-BUCKET.s3.amazonaws.com

DualStackDomainName

Returns the IPv6 DNS name of the specified bucket.

Example: DOC-EXAMPLE-BUCKET.s3.dualstack.us-east-2.amazonaws.com

For more information about dual-stack endpoints, see Using Amazon S3 Dual-Stack Endpoints.

RegionalDomainName

Returns the regional domain name of the specified bucket.

Example: DOC-EXAMPLE-BUCKET.s3.us-east-2.amazonaws.com

WebsiteURL

Returns the Amazon S3 website endpoint for the specified bucket.

Example (IPv4): http://DOC-EXAMPLE-BUCKET.s3-website.us-east-2.amazonaws.com

Example (IPv6): http://DOC-EXAMPLE-BUCKET.s3.dualstack.us-east-2.amazonaws.com

Examples

Create an S3 bucket

The following example creates an S3 bucket with a Retain deletion policy.

JSON

{
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "Properties": {
        "BucketName": "DOC-EXAMPLE-BUCKET"
      }
    }
  }
}

YAML

Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    Properties:
      BucketName: DOC-EXAMPLE-BUCKET

Associate a replication configuration IAM role with an S3 bucket

The following example creates an S3 bucket and grants it permission to write to a replication bucket by using an AWS Identity and Access Management (IAM) role. To avoid a circular dependency, the role's policy is declared as a separate resource. The bucket depends on the WorkItemBucketBackupRole role. If the policy is included in the role, the role also depends on the bucket.

JSON

{
  "Resources": {
    "RecordServiceS3Bucket": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "Properties": {
        "ReplicationConfiguration": {
          "Role": {
            "Fn::GetAtt": [
              "WorkItemBucketBackupRole",
              "Arn"
            ]
          },
          "Rules": [
            {
              "Destination": {
                "Bucket": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:s3:::",
                      {
                        "Fn::Join": [
                          "-",
                          [
                            { "Ref": "AWS::Region" },
                            { "Ref": "AWS::StackName" },
                            "replicationbucket"
                          ]
                        ]
                      }
                    ]
                  ]
                },
                "StorageClass": "STANDARD"
              },
              "Id": "Backup",
              "Prefix": "",
              "Status": "Enabled"
            }
          ]
        },
        "VersioningConfiguration": {
          "Status": "Enabled"
        }
      }
    },
    "WorkItemBucketBackupRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": [ "sts:AssumeRole" ],
              "Effect": "Allow",
              "Principal": {
                "Service": [ "s3.amazonaws.com" ]
              }
            }
          ]
        }
      }
    },
    "BucketBackupPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:GetReplicationConfiguration",
                "s3:ListBucket"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:s3:::",
                      { "Ref": "RecordServiceS3Bucket" }
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:s3:::",
                      { "Ref": "RecordServiceS3Bucket" },
                      "/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:s3:::",
                      {
                        "Fn::Join": [
                          "-",
                          [
                            { "Ref": "AWS::Region" },
                            { "Ref": "AWS::StackName" },
                            "replicationbucket"
                          ]
                        ]
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            }
          ]
        },
        "PolicyName": "BucketBackupPolicy",
        "Roles": [
          { "Ref": "WorkItemBucketBackupRole" }
        ]
      }
    }
  }
}

YAML

Resources:
  RecordServiceS3Bucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    Properties:
      ReplicationConfiguration:
        Role: !GetAtt
          - WorkItemBucketBackupRole
          - Arn
        Rules:
          - Destination:
              Bucket: !Join
                - ''
                - - 'arn:aws:s3:::'
                  - !Join
                    - '-'
                    - - !Ref 'AWS::Region'
                      - !Ref 'AWS::StackName'
                      - replicationbucket
              StorageClass: STANDARD
            Id: Backup
            Prefix: ''
            Status: Enabled
      VersioningConfiguration:
        Status: Enabled
  WorkItemBucketBackupRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - 'sts:AssumeRole'
            Effect: Allow
            Principal:
              Service:
                - s3.amazonaws.com
  BucketBackupPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetReplicationConfiguration'
              - 's3:ListBucket'
            Effect: Allow
            Resource:
              - !Join
                - ''
                - - 'arn:aws:s3:::'
                  - !Ref RecordServiceS3Bucket
          - Action:
              - 's3:GetObjectVersion'
              - 's3:GetObjectVersionAcl'
            Effect: Allow
            Resource:
              - !Join
                - ''
                - - 'arn:aws:s3:::'
                  - !Ref RecordServiceS3Bucket
                  - /*
          - Action:
              - 's3:ReplicateObject'
              - 's3:ReplicateDelete'
            Effect: Allow
            Resource:
              - !Join
                - ''
                - - 'arn:aws:s3:::'
                  - !Join
                    - '-'
                    - - !Ref 'AWS::Region'
                      - !Ref 'AWS::StackName'
                      - replicationbucket
                  - /*
      PolicyName: BucketBackupPolicy
      Roles:
        - !Ref WorkItemBucketBackupRole
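To show how the nested Fn::Join, Ref and Fn::GetAtt calls in the template above resolve, and to check that the role's policy grants s3:ReplicateObject only on objects in the declared destination bucket, here is an added Python example; it is not AWS code and not part of this page. The stack context it uses (region, stack name, account ID, and the physical names CloudFormation would generate for the unnamed bucket and role) is constructed for the example. The resolver is general enough to also produce the DomainName, RegionalDomainName and DualStackDomainName attributes listed under Return values, beyond what the replication template itself uses.

```python
"""Mini-resolver for the intrinsic functions used in the replication template.
Added example, not AWS code. Supports Ref (pseudo parameters and logical IDs),
Fn::GetAtt on buckets and IAM roles, and Fn::Join, applied recursively.
"""

# Constructed stack context. The physical names are hypothetical values of the
# kind CloudFormation generates for resources that declare no explicit name.
REGION = "us-east-2"
STACK_NAME = "records"
ACCOUNT_ID = "123456789012"
RESOURCES = {
    "RecordServiceS3Bucket": ("AWS::S3::Bucket", "records-recordservices3bucket-1a2b3c"),
    "WorkItemBucketBackupRole": ("AWS::IAM::Role", "records-WorkItemBucketBackupRole-4D5E6F"),
}


def bucket_attribute(name, attr, region):
    """Return a bucket's Fn::GetAtt value, using the formats listed under Return values."""
    formats = {
        "Arn": f"arn:aws:s3:::{name}",
        "DomainName": f"{name}.s3.amazonaws.com",
        "RegionalDomainName": f"{name}.s3.{region}.amazonaws.com",
        "DualStackDomainName": f"{name}.s3.dualstack.{region}.amazonaws.com",
    }
    return formats[attr]


def make_resolver(region, stack_name, account_id, resources):
    """Return a function that evaluates an intrinsic-function tree to a plain value."""
    pseudo = {"AWS::Region": region, "AWS::StackName": stack_name,
              "AWS::AccountId": account_id}

    def resolve(node):
        if isinstance(node, str):
            return node
        if isinstance(node, list):
            return [resolve(item) for item in node]
        if isinstance(node, dict) and len(node) == 1:
            (func, arg), = node.items()
            if func == "Ref":
                # Ref on a pseudo parameter, otherwise on a resource (a bucket's Ref is its name)
                return pseudo[arg] if arg in pseudo else resources[arg][1]
            if func == "Fn::GetAtt":
                logical_id, attr = arg
                rtype, name = resources[logical_id]
                if rtype == "AWS::S3::Bucket":
                    return bucket_attribute(name, attr, region)
                if rtype == "AWS::IAM::Role" and attr == "Arn":
                    return f"arn:aws:iam::{account_id}:role/{name}"
            if func == "Fn::Join":
                delimiter, parts = arg
                return delimiter.join(resolve(parts))
        raise ValueError(f"unsupported template node: {node!r}")

    return resolve


# The replication destination and the policy statements from the template above.
DEST_BUCKET = {"Fn::Join": ["", ["arn:aws:s3:::", {"Fn::Join": ["-", [
    {"Ref": "AWS::Region"}, {"Ref": "AWS::StackName"}, "replicationbucket"]]}]]}

POLICY_STATEMENTS = [
    {"Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"],
     "Resource": [{"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "RecordServiceS3Bucket"}]]}]},
    {"Action": ["s3:GetObjectVersion", "s3:GetObjectVersionAcl"],
     "Resource": [{"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "RecordServiceS3Bucket"}, "/*"]]}]},
    {"Action": ["s3:ReplicateObject", "s3:ReplicateDelete"],
     "Resource": [{"Fn::Join": ["", ["arn:aws:s3:::", {"Fn::Join": ["-", [
         {"Ref": "AWS::Region"}, {"Ref": "AWS::StackName"}, "replicationbucket"]]}, "/*"]]}]},
]


def resolved_resources(statements, resolve):
    """Map each statement's first action to its resolved resource ARNs."""
    return {s["Action"][0]: resolve(s["Resource"]) for s in statements}


def replicate_scope_ok(statements, destination, resolve):
    """True when s3:ReplicateObject is granted only on objects in the destination bucket."""
    wanted = resolve(destination) + "/*"
    granted = [arn for s in statements if "s3:ReplicateObject" in s["Action"]
               for arn in resolve(s["Resource"])]
    return granted == [wanted]


if __name__ == "__main__":
    resolve = make_resolver(REGION, STACK_NAME, ACCOUNT_ID, RESOURCES)
    print("destination:", resolve(DEST_BUCKET))
    for action, arns in resolved_resources(POLICY_STATEMENTS, resolve).items():
        print(f"{action:34} -> {arns}")
    print("replicate scoped to destination:",
          replicate_scope_ok(POLICY_STATEMENTS, DEST_BUCKET, resolve))
```

The check in replicate_scope_ok is the one to keep when adapting this template: the destination ARN in the bucket's replication rule and the Resource of the s3:ReplicateObject statement are built by two separate Fn::Join expressions, so a later edit to one of them silently widens or breaks the role's scope unless something compares the two.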

Configure a static website with a routing rule

In this example, AWS::S3::Bucket's Fn::GetAtt values are used to provide outputs. If an HTTP 404 error occurs, the routing rule redirects requests to an EC2 instance and inserts the object key prefix report-404/ in the redirect. For example, if you request a page called ExamplePage.html and it results in an HTTP 404 error, the request is routed to a page called report-404/ExamplePage.html on the specified instance. For all other HTTP error codes, error.html is returned.

This example also specifies a metrics configuration called EntireBucket that enables CloudWatch request metrics at the bucket level.

JSON

{
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "PublicRead",
        "BucketName": "public-bucket",
        "MetricsConfigurations": [
          {
            "Id": "EntireBucket"
          }
        ],
        "WebsiteConfiguration": {
          "IndexDocument": "index.html",
          "ErrorDocument": "error.html",
          "RoutingRules": [
            {
              "RoutingRuleCondition": {
                "HttpErrorCodeReturnedEquals": "404",
                "KeyPrefixEquals": "out1/"
              },
              "RedirectRule": {
                "HostName": "ec2-11-22-333-44.compute-1.amazonaws.com",
                "ReplaceKeyPrefixWith": "report-404/"
              }
            }
          ]
        }
      },
      "DeletionPolicy": "Retain"
    }
  },
  "Outputs": {
    "WebsiteURL": {
      "Value": {
        "Fn::GetAtt": [ "S3Bucket", "WebsiteURL" ]
      },
      "Description": "URL for website hosted on S3"
    },
    "S3BucketSecureURL": {
      "Value": {
        "Fn::Join": [
          "",
          [
            "https://",
            { "Fn::GetAtt": [ "S3Bucket", "DomainName" ] }
          ]
        ]
      },
      "Description": "Name of S3 bucket to hold website content"
    }
  }
}

YAML

Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      AccessControl: PublicRead
      BucketName: public-bucket
      MetricsConfigurations:
        - Id: EntireBucket
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
        RoutingRules:
          - RoutingRuleCondition:
              HttpErrorCodeReturnedEquals: '404'
              KeyPrefixEquals: out1/
            RedirectRule:
              HostName: ec2-11-22-333-44.compute-1.amazonaws.com
              ReplaceKeyPrefixWith: report-404/
    DeletionPolicy: Retain
Outputs:
  WebsiteURL:
    Value: !GetAtt
      - S3Bucket
      - WebsiteURL
    Description: URL for website hosted on S3
  S3BucketSecureURL:
    Value: !Join
      - ''
      - - 'https://'
        - !GetAtt
          - S3Bucket
          - DomainName
    Description: Name of S3 bucket to hold website content
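The website template above deploys a bucket with AccessControl: PublicRead and no PublicAccessBlockConfiguration, which makes it a useful input for a template check. The following Python is an added example, not AWS code: it walks a CloudFormation template in JSON form and reports the settings described under the BucketName, AccessControl, BucketEncryption, PublicAccessBlockConfiguration, VersioningConfiguration and LoggingConfiguration properties that a reviewer would question. The two embedded templates are constructed for this example (the first is modelled on the website template above). The naming checks beyond the page's character-set rule (length, first and last character, adjacent periods, IP-address form) follow the Amazon S3 bucket naming rules the BucketName property links to.

```python
"""Lint AWS::S3::Bucket resources in a CloudFormation template (added example,
not AWS code). JSON form is used because the YAML form's !Ref/!GetAtt tags
need a custom loader.
"""
import json
import re

# Canned ACLs that grant access to principals outside the bucket owner's account.
BROAD_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
              "IgnorePublicAcls", "RestrictPublicBuckets")


def bucket_name_errors(name):
    """Return the bucket naming-rule violations for `name` (empty when valid)."""
    errors = []
    if not 3 <= len(name) <= 63:
        errors.append("length must be 3-63 characters")
    if not re.fullmatch(r"[a-z0-9.-]+", name):
        errors.append("only lowercase letters, digits, periods and dashes are allowed")
    if not (name[:1].isalnum() and name[-1:].isalnum()):
        errors.append("must begin and end with a letter or digit")
    if ".." in name:
        errors.append("adjacent periods are not allowed")
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", name):
        errors.append("must not be formatted as an IP address")
    return errors


def lint_bucket(logical_id, props):
    """Return a list of findings for one bucket's Properties dict."""
    findings = []
    name = props.get("BucketName")
    if isinstance(name, str):  # names built from intrinsic functions are skipped
        findings += [f"BucketName {name!r}: {e}" for e in bucket_name_errors(name)]
    acl = props.get("AccessControl", "Private")
    if acl in BROAD_ACLS:
        findings.append(f"AccessControl {acl} grants access outside the account")
    block = props.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in BLOCK_KEYS if block.get(k) not in (True, "true")]
    if missing:
        findings.append("PublicAccessBlockConfiguration not fully enabled: " + ", ".join(missing))
    if "BucketEncryption" not in props:
        findings.append("no BucketEncryption declared")
    if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
        findings.append("versioning not enabled")
    if "LoggingConfiguration" not in props:
        findings.append("no LoggingConfiguration (server access logs)")
    return [f"{logical_id}: {f}" for f in findings]


def lint_template(template_json):
    """Return {logical_id: [findings]} for every AWS::S3::Bucket in the template."""
    template = json.loads(template_json)
    return {
        logical_id: lint_bucket(logical_id, res.get("Properties", {}))
        for logical_id, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::S3::Bucket"
    }


# Constructed input, modelled on the static-website template above.
WEBSITE_TEMPLATE = json.dumps({"Resources": {"S3Bucket": {
    "Type": "AWS::S3::Bucket",
    "Properties": {
        "AccessControl": "PublicRead",
        "BucketName": "public-bucket",
        "WebsiteConfiguration": {"IndexDocument": "index.html",
                                 "ErrorDocument": "error.html"},
    }}}})

# Constructed input: a bucket with the settings a reviewer would ask for,
# logging to a second bucket that uses the LogDeliveryWrite canned ACL.
SSE_S3 = {"ServerSideEncryptionConfiguration": [
    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
HARDENED_TEMPLATE = json.dumps({"Resources": {
    "S3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketName": "example-private-bucket",
        "BucketEncryption": SSE_S3,
        "PublicAccessBlockConfiguration": {k: True for k in BLOCK_KEYS},
        "VersioningConfiguration": {"Status": "Enabled"},
        "LoggingConfiguration": {"DestinationBucketName": {"Ref": "LogBucket"},
                                 "LogFilePrefix": "s3bucket/"}}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "LogDeliveryWrite",
        "BucketEncryption": SSE_S3,
        "PublicAccessBlockConfiguration": {k: True for k in BLOCK_KEYS},
        "VersioningConfiguration": {"Status": "Enabled"}}},
}})


if __name__ == "__main__":
    for label, tpl in (("website", WEBSITE_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        for logical_id, findings in lint_template(tpl).items():
            print(f"[{label}] {logical_id}: {len(findings)} finding(s)")
            for finding in findings:
                print("   ", finding)
```

Run against the website template the linter reports five findings on S3Bucket (the broad ACL, the absent public access block, and the missing encryption, versioning and logging declarations); against the hardened template it reports nothing on S3Bucket and only the missing access log on LogBucket, which is the expected state for a log destination.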

Enable cross-origin resource sharing

The following example template shows a public S3 bucket with two cross-origin resource sharing rules.

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "PublicRead",
        "CorsConfiguration": {
          "CorsRules": [
            {
              "AllowedHeaders": [ "*" ],
              "AllowedMethods": [ "GET" ],
              "AllowedOrigins": [ "*" ],
              "ExposedHeaders": [ "Date" ],
              "Id": "myCORSRuleId1",
              "MaxAge": 3600
            },
            {
              "AllowedHeaders": [ "x-amz-*" ],
              "AllowedMethods": [ "DELETE" ],
              "AllowedOrigins": [
                "http://www.example.com",
                "http://www.example.net"
              ],
              "ExposedHeaders": [ "Connection", "Server", "Date" ],
              "Id": "myCORSRuleId2",
              "MaxAge": 1800
            }
          ]
        }
      }
    }
  },
  "Outputs": {
    "BucketName": {
      "Value": { "Ref": "S3Bucket" },
      "Description": "Name of the sample Amazon S3 bucket with CORS enabled."
    }
  }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      AccessControl: PublicRead
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders:
              - '*'
            AllowedMethods:
              - GET
            AllowedOrigins:
              - '*'
            ExposedHeaders:
              - Date
            Id: myCORSRuleId1
            MaxAge: 3600
          - AllowedHeaders:
              - x-amz-*
            AllowedMethods:
              - DELETE
            AllowedOrigins:
              - 'http://www.example.com'
              - 'http://www.example.net'
            ExposedHeaders:
              - Connection
              - Server
              - Date
            Id: myCORSRuleId2
            MaxAge: 1800
Outputs:
  BucketName:
    Value: !Ref S3Bucket
    Description: Name of the sample Amazon S3 bucket with CORS enabled.

Manage the lifecycle for S3 objects

The following example template shows an S3 bucket with a lifecycle configuration rule. The rule applies to all objects with the glacier key prefix. The objects are transitioned to Glacier after one day, and deleted after one year.

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "Private",
        "LifecycleConfiguration": {
          "Rules": [
            {
              "Id": "GlacierRule",
              "Prefix": "glacier",
              "Status": "Enabled",
              "ExpirationInDays": 365,
              "Transitions": [
                {
                  "TransitionInDays": 1,
                  "StorageClass": "GLACIER"
                }
              ]
            }
          ]
        }
      }
    }
  },
  "Outputs": {
    "BucketName": {
      "Value": { "Ref": "S3Bucket" },
      "Description": "Name of the sample Amazon S3 bucket with a lifecycle configuration."
    }
  }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      AccessControl: Private
      LifecycleConfiguration:
        Rules:
          - Id: GlacierRule
            Prefix: glacier
            Status: Enabled
            ExpirationInDays: 365
            Transitions:
              - TransitionInDays: 1
                StorageClass: GLACIER
Outputs:
  BucketName:
    Value: !Ref S3Bucket
    Description: Name of the sample Amazon S3 bucket with a lifecycle configuration.

Log access requests for a specific S3 bucket

The following example template creates two S3 buckets. The LoggingBucket bucket stores the logs from the S3Bucket bucket. To receive logs from the S3Bucket bucket, the logging bucket requires log delivery write permissions.

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "Private",
        "LoggingConfiguration": {
          "DestinationBucketName": { "Ref": "LoggingBucket" },
          "LogFilePrefix": "testing-logs"
        }
      }
    },
    "LoggingBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "LogDeliveryWrite"
      }
    }
  },
  "Outputs": {
    "BucketName": {
      "Value": { "Ref": "S3Bucket" },
      "Description": "Name of the sample Amazon S3 bucket with a logging configuration."
    }
  }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      AccessControl: Private
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucket
        LogFilePrefix: testing-logs
  LoggingBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      AccessControl: LogDeliveryWrite
Outputs:
  BucketName:
    Value: !Ref S3Bucket
    Description: Name of the sample Amazon S3 bucket with a logging configuration.

Receive S3 bucket notifications to an SNS topic

The following example template shows an Amazon S3 bucket with a notification configuration that sends an event to the specified SNS topic when S3 has lost all replicas of an object.

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "Private",
        "NotificationConfiguration": {
          "TopicConfigurations": [
            {
              "Topic": "arn:aws:sns:us-east-1:123456789012:TestTopic",
              "Event": "s3:ReducedRedundancyLostObject"
            }
          ]
        }
      }
    }
  },
  "Outputs": {
    "BucketName": {
      "Value": { "Ref": "S3Bucket" },
      "Description": "Name of the sample Amazon S3 bucket with a notification configuration."
    }
  }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      AccessControl: Private
      NotificationConfiguration:
        TopicConfigurations:
          - Topic: 'arn:aws:sns:us-east-1:123456789012:TestTopic'
            Event: 's3:ReducedRedundancyLostObject'
Outputs:
  BucketName:
    Value: !Ref S3Bucket
    Description: Name of the sample Amazon S3 bucket with a notification configuration.

Enable versioning and replicate objects

The following example enables versioning and two replication rules. The rules copy objects prefixed with either MyPrefix or MyOtherPrefix and store the copied objects in a bucket named my-replication-bucket.

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "VersioningConfiguration": {
          "Status": "Enabled"
        },
        "ReplicationConfiguration": {
          "Role": "arn:aws:iam::123456789012:role/replication_role",
          "Rules": [
            {
              "Id": "MyRule1",
              "Status": "Enabled",
              "Prefix": "MyPrefix",
              "Destination": {
                "Bucket": "arn:aws:s3:::my-replication-bucket",
                "StorageClass": "STANDARD"
              }
            },
            {
              "Status": "Enabled",
              "Prefix": "MyOtherPrefix",
              "Destination": {
                "Bucket": "arn:aws:s3:::my-replication-bucket"
              }
            }
          ]
        }
      }
    }
  }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      VersioningConfiguration:
        Status: Enabled
      ReplicationConfiguration:
        Role: 'arn:aws:iam::123456789012:role/replication_role'
        Rules:
          - Id: MyRule1
            Status: Enabled
            Prefix: MyPrefix
            Destination:
              Bucket: 'arn:aws:s3:::my-replication-bucket'
              StorageClass: STANDARD
          - Status: Enabled
            Prefix: MyOtherPrefix
            Destination:
              Bucket: 'arn:aws:s3:::my-replication-bucket'

Specify analytics and inventory configurations for an S3 bucket

The following example specifies analytics and inventory results to be generated for an S3 bucket, including the format of the results and the destination bucket. The inventory list generates reports weekly and includes the current version of each object.

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "S3 Bucket with Inventory and Analytics Configurations",
  "Resources": {
    "Helper": {
      "Type": "AWS::S3::Bucket"
    },
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AnalyticsConfigurations": [
          {
            "Id": "AnalyticsConfigurationId",
            "StorageClassAnalysis": {
              "DataExport": {
                "Destination": {
                  "BucketArn": { "Fn::GetAtt": [ "Helper", "Arn" ] },
                  "Format": "CSV",
                  "Prefix": "AnalyticsDestinationPrefix"
                },
                "OutputSchemaVersion": "V_1"
              }
            },
            "Prefix": "AnalyticsConfigurationPrefix",
            "TagFilters": [
              {
                "Key": "AnalyticsTagKey",
                "Value": "AnalyticsTagValue"
              }
            ]
          }
        ],
        "InventoryConfigurations": [
          {
            "Id": "InventoryConfigurationId",
            "Destination": {
              "BucketArn": { "Fn::GetAtt": [ "Helper", "Arn" ] },
              "Format": "CSV",
              "Prefix": "InventoryDestinationPrefix"
            },
            "Enabled": true,
            "IncludedObjectVersions": "Current",
            "Prefix": "InventoryConfigurationPrefix",
            "ScheduleFrequency": "Weekly"
          }
        ]
      }
    }
  }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Description: S3 Bucket with Inventory and Analytics Configurations
Resources:
  Helper:
    Type: 'AWS::S3::Bucket'
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      AnalyticsConfigurations:
        - Id: AnalyticsConfigurationId
          StorageClassAnalysis:
            DataExport:
              Destination:
                BucketArn: !GetAtt
                  - Helper
                  - Arn
                Format: CSV
                Prefix: AnalyticsDestinationPrefix
              OutputSchemaVersion: V_1
          Prefix: AnalyticsConfigurationPrefix
          TagFilters:
            - Key: AnalyticsTagKey
              Value: AnalyticsTagValue
      InventoryConfigurations:
        - Id: InventoryConfigurationId
          Destination:
            BucketArn: !GetAtt
              - Helper
              - Arn
            Format: CSV
            Prefix: InventoryDestinationPrefix
          Enabled: true
          IncludedObjectVersions: Current
          Prefix: InventoryConfigurationPrefix
          ScheduleFrequency: Weekly

See also