AWS::S3::MultiRegionAccessPointPolicy - AWS CloudFormation

AWS::S3::MultiRegionAccessPointPolicy

Applies an Amazon S3 access policy to an Amazon S3 Multi-Region Access Point.

An access policy for a Multi-Region Access Point cannot be deleted from a CloudFormation template. When you attempt to delete the policy, CloudFormation keeps the resource, using DeletionPolicy: Retain and UpdateReplacePolicy: Retain, and updates the policy so that it allows access only to the account that created the bucket.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::S3::MultiRegionAccessPointPolicy",
  "Properties" : {
    "MrapName" : String,
    "Policy" : Json
  }
}

YAML

Type: AWS::S3::MultiRegionAccessPointPolicy
Properties:
  MrapName: String
  Policy: Json

Properties

MrapName

The name of the Multi-Region Access Point.

Required: Yes

Type: String

Update requires: Replacement

Policy

The access policy associated with the Multi-Region Access Point.

Required: Yes

Type: Json

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the name of the Multi-Region Access Point.

For more information about using the Ref function, see Ref.

Examples

Simple Multi-Region Access Point Policy

The following example grants the CloudWatch service (cloudwatch.amazonaws.com) s3:GetObject access to objects through the Multi-Region Access Point.

It is very important to note where you need to use the name versus the alias for the Multi-Region Access Point: MrapName takes the name, while the Resource ARN in the policy uses the alias. In the following example, the name is DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT, the alias of the Multi-Region Access Point is mfzwi23gnjvgw.mrap, and the AWS account is 123456789012. For more information about how ARNs for Multi-Region Access Points work, see Making requests using a Multi-Region Access Point in the Amazon S3 User Guide.

JSON

{
  "SampleMultiRegionAccessPointPolicy": {
    "Type": "AWS::S3::MultiRegionAccessPointPolicy",
    "DeletionPolicy": "Retain",
    "UpdateReplacePolicy": "Retain",
    "Properties": {
      "MrapName": "DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT",
      "Policy": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "cloudwatch.amazonaws.com"
            },
            "Action": [
              "s3:GetObject"
            ],
            "Resource": "arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/*"
          }
        ]
      }
    }
  }
}

YAML

SampleMultiRegionAccessPointPolicy:
  Type: AWS::S3::MultiRegionAccessPointPolicy
  DeletionPolicy: Retain
  UpdateReplacePolicy: Retain
  Properties:
    MrapName: DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT
    Policy:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service: cloudwatch.amazonaws.com
          Action:
            - s3:GetObject
          Resource: arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/*
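The following Python helper is an added illustration and is not part of the AWS documentation or of any AWS tooling. It builds the alias-based Multi-Region Access Point ARN, emits an AWS::S3::MultiRegionAccessPointPolicy resource in the shape shown above, and lints a policy document for the name-versus-alias mistake this page warns about, for ARNs that do not belong to the expected account and alias, and for Allow statements with a wildcard principal. The account, name and alias are the sample values from this page; the ARN pattern check assumes aliases have the form of lowercase alphanumerics followed by ".mrap", which matches the example alias.

```python
import json
import re
from typing import Dict, List, Optional

# Sample values taken from the documentation example above (constructed, not real resources).
ACCOUNT_ID = "123456789012"
MRAP_NAME = "DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT"
MRAP_ALIAS = "mfzwi23gnjvgw.mrap"

# Multi-Region Access Point ARNs have an empty region field and use the alias, not the name.
# Assumption: aliases look like <lowercase alphanumerics>.mrap, as in the example alias.
_MRAP_ARN_RE = re.compile(
    r"^arn:aws:s3::(\d{12}):accesspoint/([a-z0-9]+\.mrap)(?:/object/(.*))?$"
)


def mrap_arn(account_id: str, alias: str, object_key_pattern: Optional[str] = None) -> str:
    """Build the ARN for a Multi-Region Access Point, optionally scoped to object keys."""
    arn = f"arn:aws:s3::{account_id}:accesspoint/{alias}"
    if object_key_pattern is not None:
        arn += f"/object/{object_key_pattern}"
    return arn


def policy_resource(mrap_name: str, policy: Dict) -> Dict:
    """Return the AWS::S3::MultiRegionAccessPointPolicy resource as a CloudFormation dict."""
    return {
        "Type": "AWS::S3::MultiRegionAccessPointPolicy",
        "DeletionPolicy": "Retain",
        "UpdateReplacePolicy": "Retain",
        "Properties": {"MrapName": mrap_name, "Policy": policy},
    }


def lint_policy(policy: Dict, account_id: str, mrap_name: str, alias: str) -> List[str]:
    """Flag the name-versus-alias mistake plus a few defender-side checks on each statement."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if mrap_name in res:
                findings.append(f"statement {i}: Resource uses the MRAP name; use the alias instead")
            m = _MRAP_ARN_RE.match(res)
            if not m:
                findings.append(f"statement {i}: Resource is not a valid MRAP ARN: {res}")
                continue
            if m.group(1) != account_id or m.group(2) != alias:
                findings.append(
                    f"statement {i}: Resource ARN does not match account {account_id} / alias {alias}"
                )
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and principal in ("*", {"AWS": "*"}):
            findings.append(f"statement {i}: Allow with wildcard principal")
    return findings


# Policy equivalent to the documentation example: alias in the ARN, service principal only.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "cloudwatch.amazonaws.com"},
            "Action": ["s3:GetObject"],
            "Resource": mrap_arn(ACCOUNT_ID, MRAP_ALIAS, "*"),
        }
    ],
}

# Constructed counter-example: the MRAP name in the ARN and an open principal.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": f"arn:aws:s3::{ACCOUNT_ID}:accesspoint/{MRAP_NAME}/object/*",
        }
    ],
}

if __name__ == "__main__":
    print(json.dumps({"SampleMultiRegionAccessPointPolicy": policy_resource(MRAP_NAME, SAMPLE_POLICY)}, indent=2))
    for finding in lint_policy(BAD_POLICY, ACCOUNT_ID, MRAP_NAME, MRAP_ALIAS):
        print("finding:", finding)
```

Running the script prints the resource for the sample policy and three findings for the counter-example (name used in the ARN, ARN not matching the alias pattern, wildcard principal); the same checks can be run over policies extracted from a template before deployment.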