AWS::S3::MultiRegionAccessPointPolicy - AWS CloudFormation


Applies an Amazon S3 access policy to an Amazon S3 Multi-Region Access Point.

It is not possible to delete an access policy for a Multi-Region Access Point from the CloudFormation template. When you attempt to delete the policy, CloudFormation updates the policy using DeletionPolicy:Retain and UpdateReplacePolicy:Retain. CloudFormation updates the policy to only allow access to the account that created the bucket.


To declare this entity in your AWS CloudFormation template, use the following syntax:


JSON

{
  "Type" : "AWS::S3::MultiRegionAccessPointPolicy",
  "Properties" : {
    "MrapName" : String,
    "Policy" : Json
  }
}


YAML

Type: AWS::S3::MultiRegionAccessPointPolicy
Properties:
  MrapName: String
  Policy: Json



MrapName

The name of the Multi-Region Access Point.

Required: Yes

Type: String

Update requires: Replacement


Policy

The access policy associated with the Multi-Region Access Point.

Required: Yes

Type: Json

Update requires: No interruption

Return values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the name of the Multi-Region Access Point.

For more information about using the Ref function, see Ref.


Simple Multi-Region Access Point Policy

The following example grants access permissions to CloudWatch.

It is very important to note where you need to use the name versus the alias for the Multi-Region Access Point. In the following example, the name is DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT, the alias of the Multi-Region Access Point is mfzwi23gnjvgw.mrap, and the AWS account is 123456789012. For more information about how ARNs for Multi-Region Access Points work, see Making requests using a Multi-Region Access Point in the Amazon S3 User Guide.


JSON

{
  "SampleMultiRegionAccessPointPolicy":{
    "Type":"AWS::S3::MultiRegionAccessPointPolicy",
    "DeletionPolicy":"Retain",
    "UpdateReplacePolicy":"Retain",
    "Properties":{
      "MrapName":{
        "Ref":"DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT"
      },
      "Policy":{
        "Statement":[
          {
            "Action":[
              "s3:GetObject"
            ],
            "Effect":"Allow",
            "Resource":{
              "Fn::Sub":[
                "arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/*",
                {
                  "mrapalias":{
                    "Fn::GetAtt":[
                      "mfzwi23gnjvgw.mrap",
                      "Alias"
                    ]
                  }
                }
              ]
            },
            "Principal":{
              "Service":""
            }
          }
        ]
      }
    }
  }
}


YAML

SampleMultiRegionAccessPointPolicy:
  Type: 'AWS::S3::MultiRegionAccessPointPolicy'
  DeletionPolicy: Retain
  UpdateReplacePolicy: Retain
  Properties:
    MrapName:
      Ref: DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT
    Policy:
      Statement:
        - Action:
            - 's3:GetObject'
          Effect: Allow
          Resource:
            'Fn::Sub':
              - 'arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/*'
              - mrapalias:
                  'Fn::GetAtt':
                    - mfzwi23gnjvgw.mrap
                    - Alias
          Principal:
            Service:
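A pre-deployment check for the name-versus-alias distinction described above, as an added example that is not part of the AWS documentation. The function names and the sample resources are constructed for illustration, and the check assumes aliases end in ".mrap" as in the example on this page.

```python
import re

MRAP_POLICY_TYPE = "AWS::S3::MultiRegionAccessPointPolicy"
# Captures the segment after "accesspoint/" in an S3 ARN with an empty Region field.
ARN_SEGMENT = re.compile(r"^arn:[^:]+:s3::[^:]*:accesspoint/([^/]+)")

def arn_text(resource):
    """Literal ARN string from a plain string or either Fn::Sub form, else None."""
    if isinstance(resource, dict) and "Fn::Sub" in resource:
        sub = resource["Fn::Sub"]
        resource = sub[0] if isinstance(sub, list) else sub
    return resource if isinstance(resource, str) else None

def lint_mrap_policies(resources):
    """Return (logical_id, message) findings for name/alias mix-ups."""
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != MRAP_POLICY_TYPE:
            continue
        props = res.get("Properties", {})
        name = props.get("MrapName")
        if isinstance(name, str) and name.endswith(".mrap"):
            findings.append((logical_id, "MrapName holds an alias, expected the name"))
        statements = props.get("Policy", {}).get("Statement", [])
        for stmt in statements if isinstance(statements, list) else [statements]:
            targets = stmt.get("Resource", [])
            for target in targets if isinstance(targets, list) else [targets]:
                text = arn_text(target)
                match = ARN_SEGMENT.match(text) if text else None
                if not match:
                    findings.append((logical_id, f"unrecognised Resource: {target!r}"))
                    continue
                segment = match.group(1)
                # "${...}" is an Fn::Sub variable that is resolved at deploy time.
                if not (segment.endswith(".mrap") or segment.startswith("${")):
                    findings.append((logical_id, f"ARN uses '{segment}', expected the alias"))
    return findings

# Constructed sample: "Good" mirrors the page's example, "Bad" swaps name and alias.
SAMPLE = {
    "Good": {"Type": MRAP_POLICY_TYPE, "Properties": {
        "MrapName": {"Ref": "DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT"},
        "Policy": {"Statement": [{"Action": ["s3:GetObject"], "Effect": "Allow", "Resource": {
            "Fn::Sub": ["arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/*", {}]}}]}}},
    "Bad": {"Type": MRAP_POLICY_TYPE, "Properties": {
        "MrapName": "mfzwi23gnjvgw.mrap",
        "Policy": {"Statement": [{"Action": ["s3:GetObject"], "Effect": "Allow", "Resource":
            "arn:aws:s3::123456789012:accesspoint/DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT/object/*"}]}}},
}
for _finding in lint_mrap_policies(SAMPLE):
    print(*_finding, sep=": ")
```

Pass the function the parsed Resources map of a template; an empty list means no name/alias mix-up was detected.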