AWS::S3Outposts::BucketPolicy
This resource applies a bucket policy to an Amazon S3 on Outposts bucket.
If you are using an identity other than the root user of the AWS account that owns the S3 on Outposts bucket, the calling identity must have the s3-outposts:PutBucketPolicy permissions on the specified Outposts bucket and belong to the bucket owner's account in order to use this resource.
If you don't have s3-outposts:PutBucketPolicy permissions, S3 on Outposts returns a 403 Access Denied error.
Important
The root user of the AWS account that owns an Outposts bucket can always use this resource, even if the policy explicitly denies the root user the ability to perform actions on this resource.
For more information, see the AWS::IAM::Policy PolicyDocument resource description in this guide and Access Policy Language Overview.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::S3Outposts::BucketPolicy",
  "Properties" : {
    "Bucket" : String,
    "PolicyDocument" : Json
  }
}
YAML
Type: AWS::S3Outposts::BucketPolicy
Properties:
  Bucket: String
  PolicyDocument: Json
Properties
Bucket
The name of the Amazon S3 Outposts bucket to which the policy applies.
Required: Yes
Type: String
Pattern: ^arn:[^:]+:s3-outposts:[a-zA-Z0-9\-]+:\d{12}:outpost\/[^:]+\/bucket\/[^:]+$
Minimum: 20
Maximum: 2048
Update requires: Replacement
PolicyDocument
A policy document containing permissions to add to the specified bucket. In IAM, you must provide policy documents in JSON format. However, in CloudFormation, you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to IAM. For more information, see the AWS::IAM::Policy PolicyDocument resource description in this guide and Access Policy Language Overview.
Required: Yes
Type: Json
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the S3 on Outposts bucket Amazon Resource Name (ARN).
For more information about using the Ref function, see Ref.
Examples
Create an Amazon S3 on Outposts bucket with a bucket policy
The following example creates an Amazon S3 on Outposts bucket and adds a bucket policy to that bucket.
Note
To add a bucket policy to a bucket, you must create your Outposts bucket before or at the same time as you add your bucket policy.
JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Bucket with no tags + Bucket Policy",
  "Resources": {
    "ExampleS3OutpostsBucket": {
      "Type": "AWS::S3Outposts::Bucket",
      "Properties": {
        "BucketName": "DOC-EXAMPLE-BUCKET",
        "OutpostId": "op-01ac5d28a6a232904"
      }
    },
    "ExampleS3OutpostsBucketPolicy": {
      "Type": "AWS::S3Outposts::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "ExampleS3OutpostsBucket"
        },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "ID": "BucketPolicy",
          "Statement": [
            {
              "Sid": "st1",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
              },
              "Action": "s3-outposts:*",
              "Resource": "arn:aws:s3-outposts:us-east-1:123456789012:outpost/op-01ac5d28a6a232904/bucket/DOC-EXAMPLE-BUCKET"
            }
          ]
        }
      }
    }
  },
  "Outputs": {
    "ExampleS3OutpostsBucketARN": {
      "Description": "The ARN of ExampleS3OutpostsBucket",
      "Value": {
        "Ref": "ExampleS3OutpostsBucket"
      }
    },
    "ExampleS3OutpostsBucketPolicyARN": {
      "Description": "The ARN of the BucketPolicy",
      "Value": {
        "Ref": "ExampleS3OutpostsBucketPolicy"
      }
    },
    "ExampleS3OutpostsStackID": {
      "Description": "The stack ID",
      "Value": {
        "Ref": "AWS::StackId"
      },
      "Export": {
        "Name": {
          "Fn::Sub": "${AWS::StackName}-StackID"
        }
      }
    }
  }
}
YAML
AWSTemplateFormatVersion: 2010-09-09
Description: Bucket with no tags + Bucket Policy
Resources:
  ExampleS3OutpostsBucket:
    Type: 'AWS::S3Outposts::Bucket'
    Properties:
      BucketName: DOC-EXAMPLE-BUCKET
      OutpostId: op-01ac5d28a6a232904
  ExampleS3OutpostsBucketPolicy:
    Type: 'AWS::S3Outposts::BucketPolicy'
    Properties:
      Bucket: !Ref ExampleS3OutpostsBucket
      PolicyDocument:
        Version: 2012-10-17
        ID: BucketPolicy
        Statement:
          - Sid: st1
            Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::123456789012:root'
            Action: 's3-outposts:*'
            Resource: >-
              arn:aws:s3-outposts:us-east-1:123456789012:outpost/op-01ac5d28a6a232904/bucket/DOC-EXAMPLE-BUCKET
Outputs:
  ExampleS3OutpostsBucketARN:
    Description: The ARN of ExampleS3OutpostsBucket
    Value: !Ref ExampleS3OutpostsBucket
  ExampleS3OutpostsBucketPolicyARN:
    Description: The ARN of the BucketPolicy
    Value: !Ref ExampleS3OutpostsBucketPolicy
  ExampleS3OutpostsStackID:
    Description: The stack ID
    # The stack ID pseudo parameter is spelled AWS::StackId
    Value: !Ref 'AWS::StackId'
    Export:
      Name: !Sub '${AWS::StackName}-StackID'
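A pre-deployment check for this resource type, added here as an example and not taken from AWS: it validates literal Bucket values against the pattern and length limits documented above and flags Allow statements that use a wildcard action or principal, such as the s3-outposts:* grant in the example template. The function names, finding text and SAMPLE template are assumptions made for illustration.

```python
import re

# Pattern and length limits documented for the Bucket property on this page.
BUCKET_ARN_RE = re.compile(
    r"^arn:[^:]+:s3-outposts:[a-zA-Z0-9\-]+:\d{12}:outpost\/[^:]+\/bucket\/[^:]+$")
MIN_LEN, MAX_LEN = 20, 2048
POLICY_TYPE = "AWS::S3Outposts::BucketPolicy"

def as_list(value):
    return value if isinstance(value, list) else [value]

def review_template(template):
    """Return (logical_id, finding) pairs for every S3 on Outposts bucket policy."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != POLICY_TYPE:
            continue
        props = res.get("Properties", {})
        bucket = props.get("Bucket")
        # Only literal strings can be checked; a Ref resolves at deploy time.
        if isinstance(bucket, str) and not (
                MIN_LEN <= len(bucket) <= MAX_LEN and BUCKET_ARN_RE.match(bucket)):
            findings.append((logical_id, "Bucket does not match the documented ARN pattern"))
        for stmt in as_list(props.get("PolicyDocument", {}).get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            sid = stmt.get("Sid", "<no Sid>")
            for action in as_list(stmt.get("Action", [])):
                if action == "*" or action.endswith(":*"):
                    findings.append((logical_id, f"{sid}: Allow on wildcard action {action}"))
            principal = stmt.get("Principal")
            aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
            if "*" in as_list(aws):
                findings.append((logical_id, f"{sid}: Allow for any principal"))
    return findings

# Constructed sample: first policy mirrors this page's example, second is deliberately bad.
SAMPLE = {"Resources": {
    "ExampleS3OutpostsBucketPolicy": {"Type": POLICY_TYPE, "Properties": {
        "Bucket": {"Ref": "ExampleS3OutpostsBucket"},
        "PolicyDocument": {"Statement": [{
            "Sid": "st1", "Effect": "Allow", "Action": "s3-outposts:*",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]}}},
    "OpenPolicy": {"Type": POLICY_TYPE, "Properties": {
        "Bucket": "DOC-EXAMPLE-BUCKET",
        "PolicyDocument": {"Statement": {
            "Sid": "st2", "Effect": "Allow", "Principal": "*", "Action": ["s3-outposts:GetObject"]}}}}}}

if __name__ == "__main__":
    print(*review_template(SAMPLE), sep="\n")
```

The check reads a template already parsed into a dictionary, so a JSON template can be passed through json.load first; YAML templates that use short-form intrinsics such as !Ref need a CloudFormation-aware loader.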