AWS::S3::AccessPoint
The AWS::S3::AccessPoint resource is an Amazon S3 resource type that you can use to access buckets.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::S3::AccessPoint",
  "Properties" : {
      "Bucket" : String,
      "BucketAccountId" : String,
      "Name" : String,
      "Policy" : Json,
      "PublicAccessBlockConfiguration" : PublicAccessBlockConfiguration,
      "VpcConfiguration" : VpcConfiguration
    }
}
YAML
Type: AWS::S3::AccessPoint
Properties:
  Bucket: String
  BucketAccountId: String
  Name: String
  Policy: Json
  PublicAccessBlockConfiguration: PublicAccessBlockConfiguration
  VpcConfiguration: VpcConfiguration
Properties
Bucket
    The name of the bucket associated with this access point.
    Required: Yes
    Type: String
    Minimum: 3
    Maximum: 255
    Update requires: Replacement
BucketAccountId
    The AWS account ID associated with the S3 bucket associated with this access point.
    Required: No
    Type: String
    Pattern: ^\d{12}$
    Maximum: 64
    Update requires: Replacement
Name
    The name of this access point. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the access point name.
    Required: No
    Type: String
    Pattern: ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
    Minimum: 3
    Maximum: 50
    Update requires: Replacement
Policy
    The access point policy associated with this access point.
    Required: No
    Type: Json
    Update requires: No interruption
PublicAccessBlockConfiguration
    The PublicAccessBlock configuration that you want to apply to this Amazon S3 bucket. You can enable the configuration options in any combination. For more information about when Amazon S3 considers a bucket or object public, see The Meaning of "Public" in the Amazon S3 User Guide.
    Required: No
    Type: PublicAccessBlockConfiguration
    Update requires: No interruption
VpcConfiguration
    The Virtual Private Cloud (VPC) configuration for this access point, if one exists.
    Required: No
    Type: VpcConfiguration
    Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the access point name.
For more information about using the Ref function, see Ref.
Fn::GetAtt
Alias
    The alias for this access point.
Arn
    This property contains the details of the ARN for the access point.
Name
    The name of this access point.
NetworkOrigin
    Indicates whether this access point allows access from the internet. If VpcConfiguration is specified for this access point, then NetworkOrigin is VPC, and the access point doesn't allow access from the internet. Otherwise, NetworkOrigin is Internet, and the access point allows access from the internet, subject to the access point and bucket access policies.
    Allowed values: VPC | Internet
Examples
Create an S3 Access Point
The following example creates an Amazon S3 access point for the given S3 bucket. This access point allows the user JaneDoe to perform GetObject and PutObject operations only on bucket objects prefixed with /janedoe. You must include /object in the resource ARN path.
For more information, see Configuring IAM policies for using access points and Managing and using access points in the Amazon S3 User Guide.
JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket"
    },
    "S3BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": { "Ref": "S3Bucket" },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": "*",
              "Effect": "Allow",
              "Resource": [
                { "Fn::GetAtt": [ "S3Bucket", "Arn" ] },
                { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "S3Bucket", "Arn" ] }, "/*" ] ] }
              ],
              "Principal": { "AWS": "*" },
              "Condition": {
                "StringEquals": {
                  "s3:DataAccessPointAccount": { "Ref": "AWS::AccountId" }
                }
              }
            }
          ]
        }
      }
    },
    "S3AccessPoint": {
      "Type": "AWS::S3::AccessPoint",
      "Properties": {
        "Bucket": { "Ref": "S3Bucket" },
        "Name": "my-access-point",
        "Policy": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": [ "s3:GetObject", "s3:PutObject" ],
              "Effect": "Allow",
              "Resource": [
                { "Fn::Sub": "arn:${AWS::Partition}:s3:${AWS::Region}:${AWS::AccountId}:accesspoint/my-access-point/object/janedoe/*" }
              ],
              "Principal": {
                "AWS": { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:user/JaneDoe" }
              }
            }
          ]
        }
      }
    }
  },
  "Outputs": {
    "S3AccessPointArn": {
      "Value": { "Fn::GetAtt": [ "S3AccessPoint", "Arn" ] },
      "Description": "ARN of the sample Amazon S3 access point."
    },
    "S3AccessPointName": {
      "Value": { "Fn::GetAtt": [ "S3AccessPoint", "Name" ] },
      "Description": "Name of the sample Amazon S3 access point."
    },
    "S3AccessPointAlias": {
      "Value": { "Fn::GetAtt": [ "S3AccessPoint", "Alias" ] },
      "Description": "Alias of the sample Amazon S3 access point."
    }
  }
}
YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action: '*'
            Effect: Allow
            Resource:
              - !GetAtt
                - S3Bucket
                - Arn
              - !Join
                - ''
                - - !GetAtt
                    - S3Bucket
                    - Arn
                  - /*
            Principal:
              AWS: '*'
            Condition:
              StringEquals:
                's3:DataAccessPointAccount': !Ref 'AWS::AccountId'
  S3AccessPoint:
    Type: 'AWS::S3::AccessPoint'
    Properties:
      Bucket: !Ref S3Bucket
      Name: my-access-point
      Policy:
        Version: 2012-10-17
        Statement:
          - Action:
              - 's3:GetObject'
              - 's3:PutObject'
            Effect: Allow
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:${AWS::Region}:${AWS::AccountId}:accesspoint/my-access-point/object/janedoe/*'
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/JaneDoe'
Outputs:
  S3AccessPointArn:
    Value:
      Fn::GetAtt:
        - S3AccessPoint
        - Arn
    Description: ARN of the sample Amazon S3 access point.
  S3AccessPointName:
    Value:
      Fn::GetAtt:
        - S3AccessPoint
        - Name
    Description: Name of the sample Amazon S3 access point.
  S3AccessPointAlias:
    Value:
      Fn::GetAtt:
        - S3AccessPoint
        - Alias
    Description: Alias of the sample Amazon S3 access point.
Create an S3 Access Point restricted to a VPC
The following example creates an Amazon S3 access point restricted to a virtual private cloud (VPC). For more information, see Configuring IAM policies for using access points in the Amazon S3 User Guide.
JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket"
    },
    "S3BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": { "Ref": "S3Bucket" },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": "*",
              "Effect": "Allow",
              "Resource": [
                { "Fn::GetAtt": [ "S3Bucket", "Arn" ] },
                { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "S3Bucket", "Arn" ] }, "/*" ] ] }
              ],
              "Principal": { "AWS": "*" },
              "Condition": {
                "StringEquals": {
                  "s3:DataAccessPointAccount": { "Ref": "AWS::AccountId" }
                }
              }
            }
          ]
        }
      }
    },
    "VPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16"
      }
    },
    "S3AccessPoint": {
      "Type": "AWS::S3::AccessPoint",
      "Properties": {
        "Bucket": { "Ref": "S3Bucket" },
        "Name": "my-access-point",
        "VpcConfiguration": {
          "VpcId": { "Ref": "VPC" }
        },
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "IgnorePublicAcls": true,
          "BlockPublicPolicy": true,
          "RestrictPublicBuckets": true
        }
      }
    }
  },
  "Outputs": {
    "S3AccessPointArn": {
      "Value": { "Ref": "S3AccessPoint" },
      "Description": "ARN of the sample Amazon S3 access point."
    }
  }
}
YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action: "*"
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - S3Bucket
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - S3Bucket
                        - Arn
                    - /*
            Principal:
              AWS: "*"
            Condition:
              StringEquals:
                s3:DataAccessPointAccount:
                  Ref: AWS::AccountId
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
  S3AccessPoint:
    Type: AWS::S3::AccessPoint
    Properties:
      Bucket:
        Ref: S3Bucket
      Name: my-access-point
      VpcConfiguration:
        VpcId:
          Ref: VPC
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
Outputs:
  S3AccessPointArn:
    Value:
      Ref: S3AccessPoint
    Description: ARN of the sample Amazon S3 access point.
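The two examples above show the same access point once reachable from the internet and once restricted to a VPC. The following is an added pre-deployment lint, not code from this page or from AWS, that applies the constraints the page states to a parsed AWS::S3::AccessPoint Properties mapping: the Name pattern and length limits, the rule that NetworkOrigin is Internet whenever VpcConfiguration is absent (so an internet-origin access point with Principal "*" is flagged), and the requirement that object-level policy resources include /object in the ARN path. Function names, the finding strings, and the SAMPLE_PROPS mapping (built from the first example, Fn::Sub strings left unresolved) are assumptions of this example.

```python
import re

# Constraints copied from the AWS::S3::AccessPoint property table on this page.
NAME_RE = re.compile(r"^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$")
OBJECT_ACTIONS = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject")

def _strings(value):
    """Flatten a policy value (str, list, or an Fn::Sub intrinsic) to plain strings."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, dict):  # only Fn::Sub is resolved; other intrinsics yield ""
        return _strings(value.get("Fn::Sub", ""))
    return [s for item in value for s in _strings(item)]

def lint_access_point(logical_id, props):
    """Return findings for one AWS::S3::AccessPoint 'Properties' mapping."""
    findings = []
    name = props.get("Name")
    if name is not None and not (3 <= len(name) <= 50 and NAME_RE.match(name)):
        findings.append(f"{logical_id}: Name {name!r} violates the access point name constraints")
    # NetworkOrigin is VPC only with VpcConfiguration; otherwise the access point is internet-reachable.
    internet_origin = "VpcConfiguration" not in props
    for stmt in props.get("Policy", {}).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = [principal] if isinstance(principal, str) else _strings(principal.get("AWS", []))
        if internet_origin and "*" in principals:
            findings.append(f"{logical_id}: internet-origin access point grants Principal '*'")
        if any(a.startswith(OBJECT_ACTIONS) for a in _strings(stmt.get("Action", []))):
            for arn in _strings(stmt.get("Resource", [])):
                if "/object/" not in arn:
                    findings.append(f"{logical_id}: object-level statement ARN {arn!r} lacks /object/")
    return findings

# Constructed sample: the access point from the page's first example, Fn::Sub strings left unresolved.
SAMPLE_PROPS = {
    "Bucket": {"Ref": "S3Bucket"},
    "Name": "my-access-point",
    "Policy": {"Version": "2012-10-17", "Statement": [{
        "Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Allow",
        "Resource": [{"Fn::Sub": "arn:${AWS::Partition}:s3:${AWS::Region}:${AWS::AccountId}:accesspoint/my-access-point/object/janedoe/*"}],
        "Principal": {"AWS": {"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:user/JaneDoe"}},
    }]},
}

if __name__ == "__main__":
    print(lint_access_point("S3AccessPoint", SAMPLE_PROPS) or ["no findings"])
```

Run it over each Properties mapping of type AWS::S3::AccessPoint after loading the template with json or a YAML loader that understands the CloudFormation tags; a VPC-restricted access point like the second example passes even with a broad principal, because its NetworkOrigin is VPC.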