AWS::S3::AccessPoint - AWS CloudFormation

AWS::S3::AccessPoint

The AWS::S3::AccessPoint resource is an Amazon S3 resource type that you can use to access buckets.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::S3::AccessPoint",
  "Properties" : {
      "Bucket" : String,
      "Name" : String,
      "Policy" : Json,
      "PublicAccessBlockConfiguration" : PublicAccessBlockConfiguration,
      "VpcConfiguration" : VpcConfiguration
    }
}

YAML

Type: AWS::S3::AccessPoint
Properties:
  Bucket: String
  Name: String
  Policy: Json
  PublicAccessBlockConfiguration: PublicAccessBlockConfiguration
  VpcConfiguration: VpcConfiguration

Properties

Bucket

The name of the bucket associated with this access point.

Required: Yes

Type: String

Update requires: Replacement

Name

The name of this access point. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the access point name.

Required: No

Type: String

Update requires: No interruption

Policy

The access point policy associated with this access point.

Required: No

Type: Json

Update requires: No interruption

PublicAccessBlockConfiguration

The PublicAccessBlock configuration that you want to apply to this Amazon S3 bucket. You can enable the configuration options in any combination. For more information about when Amazon S3 considers a bucket or object public, see The Meaning of "Public" in the Amazon S3 User Guide.

Required: No

Type: PublicAccessBlockConfiguration

Update requires: Replacement

VpcConfiguration

The Virtual Private Cloud (VPC) configuration for this access point, if one exists.

Required: No

Type: VpcConfiguration

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the access point name.

For more information about using the Ref function, see Ref.

Fn::GetAtt

NetworkOrigin

Indicates whether this access point allows access from the internet. If VpcConfiguration is specified for this access point, then NetworkOrigin is VPC, and the access point doesn't allow access from the internet. Otherwise, NetworkOrigin is Internet, and the access point allows access from the internet, subject to the access point and bucket access policies.

Allowed values: VPC | Internet

Examples

Create an S3 Access Point

The following example creates an Amazon S3 access point for the given S3 bucket. This access point allows the IAM user JaneDoe to perform GetObject and PutObject operations only on bucket objects prefixed with /janedoe. You must include /object in the resource ARN path.

For more information, see Configuring IAM policies for using access points and Managing and using access points in the Amazon S3 User Guide.

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket"
    },
    "S3BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": { "Ref": "S3Bucket" },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": "*",
              "Effect": "Allow",
              "Resource": [
                { "Fn::GetAtt": [ "S3Bucket", "Arn" ] },
                { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "S3Bucket", "Arn" ] }, "/*" ] ] }
              ],
              "Principal": { "AWS": "*" },
              "Condition": {
                "StringEquals": {
                  "s3:DataAccessPointAccount": { "Ref": "AWS::AccountId" }
                }
              }
            }
          ]
        }
      }
    },
    "S3AccessPoint": {
      "Type": "AWS::S3::AccessPoint",
      "Properties": {
        "Bucket": { "Ref": "S3Bucket" },
        "Name": "my-access-point",
        "Policy": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": [ "s3:GetObject", "s3:PutObject" ],
              "Effect": "Allow",
              "Resource": [
                { "Fn::Sub": "arn:${AWS::Partition}:s3:${AWS::Region}:${AWS::AccountId}:accesspoint/my-access-point/object/janedoe/*" }
              ],
              "Principal": {
                "AWS": { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:user/JaneDoe" }
              }
            }
          ]
        }
      }
    }
  },
  "Outputs": {
    "S3AccessPointArn": {
      "Value": { "Ref": "S3AccessPoint" },
      "Description": "ARN of the sample Amazon S3 access point."
    }
  }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action: '*'
            Effect: Allow
            Resource:
              - !GetAtt
                - S3Bucket
                - Arn
              - !Join
                - ''
                - - !GetAtt
                    - S3Bucket
                    - Arn
                  - /*
            Principal:
              AWS: '*'
            Condition:
              StringEquals:
                's3:DataAccessPointAccount': !Ref 'AWS::AccountId'
  S3AccessPoint:
    Type: 'AWS::S3::AccessPoint'
    Properties:
      Bucket: !Ref S3Bucket
      Name: my-access-point
      Policy:
        Version: 2012-10-17
        Statement:
          - Action:
              - 's3:GetObject'
              - 's3:PutObject'
            Effect: Allow
            Resource:
              - !Sub >-
                arn:${AWS::Partition}:s3:${AWS::Region}:${AWS::AccountId}:accesspoint/my-access-point/object/janedoe/*
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/JaneDoe'
Outputs:
  S3AccessPointArn:
    Value: !Ref S3AccessPoint
    Description: ARN of the sample Amazon S3 access point.

Create an S3 Access Point restricted to a VPC

The following example creates an Amazon S3 access point restricted to a virtual private cloud (VPC). For more information, see Configuring IAM policies for using access points in the Amazon S3 User Guide.

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket"
    },
    "S3BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": { "Ref": "S3Bucket" },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": "*",
              "Effect": "Allow",
              "Resource": [
                { "Fn::GetAtt": [ "S3Bucket", "Arn" ] },
                { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "S3Bucket", "Arn" ] }, "/*" ] ] }
              ],
              "Principal": { "AWS": "*" },
              "Condition": {
                "StringEquals": {
                  "s3:DataAccessPointAccount": { "Ref": "AWS::AccountId" }
                }
              }
            }
          ]
        }
      }
    },
    "VPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16"
      }
    },
    "S3AccessPoint": {
      "Type": "AWS::S3::AccessPoint",
      "Properties": {
        "Bucket": { "Ref": "S3Bucket" },
        "Name": "my-access-point",
        "VpcConfiguration": {
          "VpcId": { "Ref": "VPC" }
        },
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "IgnorePublicAcls": true,
          "BlockPublicPolicy": true,
          "RestrictPublicBuckets": true
        }
      }
    }
  },
  "Outputs": {
    "S3AccessPointArn": {
      "Value": { "Ref": "S3AccessPoint" },
      "Description": "ARN of the sample Amazon S3 access point."
    }
  }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action: "*"
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - S3Bucket
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - S3Bucket
                        - Arn
                    - /*
            Principal:
              AWS: "*"
            Condition:
              StringEquals:
                s3:DataAccessPointAccount:
                  Ref: AWS::AccountId
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
  S3AccessPoint:
    Type: AWS::S3::AccessPoint
    Properties:
      Bucket:
        Ref: S3Bucket
      Name: my-access-point
      VpcConfiguration:
        VpcId:
          Ref: VPC
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
Outputs:
  S3AccessPointArn:
    Value:
      Ref: S3AccessPoint
    Description: ARN of the sample Amazon S3 access point.
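As an added example (not part of the AWS documentation), the following Python audit reads a CloudFormation template and applies the rules stated on this page to every AWS::S3::AccessPoint: an access point without VpcConfiguration has NetworkOrigin Internet, PublicAccessBlockConfiguration should enable all four options as in the VPC-restricted example, and object-level policy resource ARNs must include the /object path segment as in the first example. The embedded template, its logical IDs and the account ID 111122223333 are constructed placeholders.

```python
import json

# Constructed sample template (not from the page): "OpenAP" is internet-facing
# and its policy ARN omits the "/object" path segment; "VpcAP" is VPC-bound with
# every PublicAccessBlock option enabled. Account ID and names are placeholders.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "OpenAP": {"Type": "AWS::S3::AccessPoint", "Properties": {
        "Bucket": {"Ref": "S3Bucket"}, "Name": "open-ap",
        "Policy": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
            "Resource": {"Fn::Sub": "arn:${AWS::Partition}:s3:us-east-1:111122223333:accesspoint/open-ap/janedoe/*"}}]}}},
    "VpcAP": {"Type": "AWS::S3::AccessPoint", "Properties": {
        "Bucket": {"Ref": "S3Bucket"}, "VpcConfiguration": {"VpcId": {"Ref": "VPC"}},
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}}}})

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _arn_strings(resource):
    """Yield plain ARN strings from a Resource value (string, list, or Fn::Sub)."""
    items = resource if isinstance(resource, list) else [resource]
    for item in items:
        if isinstance(item, dict) and "Fn::Sub" in item:
            item = item["Fn::Sub"]
        if isinstance(item, str):
            yield item

def audit_access_points(template_json):
    """Return {logical_id: [findings]} for each AWS::S3::AccessPoint in the template."""
    report = {}
    for lid, res in json.loads(template_json).get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::AccessPoint":
            continue
        props, issues = res.get("Properties", {}), []
        # Without VpcConfiguration the access point's NetworkOrigin is Internet.
        if "VpcConfiguration" not in props:
            issues.append("NetworkOrigin=Internet: no VpcConfiguration")
        pab = props.get("PublicAccessBlockConfiguration", {})
        if not all(pab.get(k) is True for k in PAB_KEYS):
            issues.append("PublicAccessBlockConfiguration not fully enabled")
        # Object-level ARNs must be .../accesspoint/<name>/object/<key>.
        for stmt in props.get("Policy", {}).get("Statement", []):
            for arn in _arn_strings(stmt.get("Resource", [])):
                if ":accesspoint/" not in arn:
                    continue
                tail = arn.split(":accesspoint/", 1)[-1].split("/", 1)
                if len(tail) == 2 and not tail[1].startswith("object/"):
                    issues.append(f"resource ARN lacks /object path: {arn}")
        report[lid] = issues
    return report
```

Calling audit_access_points(SAMPLE_TEMPLATE) reports three findings for OpenAP and none for VpcAP; point it at json.dumps of your own loaded template to lint a real stack.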