x-s3
Properties
For the properties, go to the AWS CFN S3 Definition.
Settings
Some use-cases require special adjustments. This is what this section is for.
ExpandRegionToBucket
When defining the BucketName in Properties, you can, for uniqueness or readability, append the region id (which is DNS compliant) to the bucket name.
Properties:
  BucketName: abcd-01
Settings:
  ExpandRegionToBucket: True
Results in
!Sub 'abcd-01-${AWS::Region}'
ExpandAccountIdToBucket
Similar to ExpandRegionToBucket, it will append the account ID (in addition to, or instead of, the region).
Properties:
  BucketName: abcd-01
Settings:
  ExpandAccountIdToBucket: True
Results in
!Sub 'abcd-01-${AWS::AccountId}'
Hint
If you set both ExpandAccountIdToBucket and ExpandRegionToBucket, you end up with
!Sub 'abcd-01-${AWS::Region}-${AWS::AccountId}'
NameSeparator
As shown above, the separator between the bucket name and AWS::AccountId or AWS::Region is -. This parameter allows you to define a different one.
Note
I would recommend a separator of no more than 2 characters.
Warning
The separator must keep the bucket name DNS compliant: only characters in [a-z0-9.-] are allowed.
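As an added example (not code from compose-x or from this page), the following Python function reproduces the naming expansion described above for ExpandRegionToBucket, ExpandAccountIdToBucket and NameSeparator, and checks up front that the separator and the longest name the template could resolve to stay within S3's DNS-compliant bucket naming rules. The assumptions are mine, not the page's: an absent setting counts as False, region ids are at most 14 characters, account IDs are 12 digits.

```python
import re

# Assumptions for this example (not stated on the page): an absent setting is
# treated as False, AWS region ids are at most 14 characters long
# (e.g. "ap-southeast-1") and account IDs are always 12 digits.
MAX_REGION_LEN = 14
ACCOUNT_ID_LEN = 12
# Only these characters keep the separator, and so the name, DNS compliant.
SEPARATOR_RE = re.compile(r"^[a-z0-9.-]+$")
# Structural S3 bucket naming rules: 3-63 characters, lowercase letters,
# digits, dots and hyphens, starting and ending with a letter or digit.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def expand_bucket_name(bucket_name, settings):
    """Return (name_expression, warnings) for a Properties.BucketName and its
    Settings block. name_expression is the CloudFormation !Sub string shown
    on the page, or the plain name when nothing is appended.
    Raises ValueError when the separator, or the longest name the template
    could produce at deploy time, would not be a valid S3 bucket name."""
    separator = str(settings.get("NameSeparator", "-"))
    if not SEPARATOR_RE.match(separator):
        raise ValueError(f"NameSeparator {separator!r} is not DNS compliant ([a-z0-9.-])")
    warnings = []
    if len(separator) > 2:
        warnings.append("separator longer than 2 characters is not recommended")
    parts = [bucket_name]
    # Longest literal the !Sub could resolve to; checked against the 63-char
    # limit here rather than failing at stack creation time.
    worst_case = bucket_name
    if settings.get("ExpandRegionToBucket", False):
        parts.append("${AWS::Region}")
        worst_case += separator + "r" * MAX_REGION_LEN
    if settings.get("ExpandAccountIdToBucket", False):
        parts.append("${AWS::AccountId}")
        worst_case += separator + "0" * ACCOUNT_ID_LEN
    if not BUCKET_NAME_RE.match(worst_case):
        raise ValueError(f"expanded name {worst_case!r} violates S3 bucket naming rules")
    if "." in worst_case:
        # Dots are DNS compliant, but the S3 wildcard certificate does not cover
        # such names, so virtual-hosted-style HTTPS access to the bucket fails.
        warnings.append("dots in the bucket name break virtual-hosted-style HTTPS access")
    if len(parts) == 1:
        return bucket_name, warnings
    return "!Sub '" + separator.join(parts) + "'", warnings
```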
EnableEncryption
If set to True (default), bucket encryption is automatically defined using AES256.
Hint
x-kms key definitions will soon be linked to this setting to allow you to re-use existing keys.
Services
As for all other resource types, you can define the type of access you want to the S3 buckets. However, for buckets, this means distinguishing between the bucket resource and the objects resource.
x-s3:
  bucketA:
    Properties: {}
    Settings: {}
    Services:
      - name: service-01
        access:
          objects: RW
          bucket: ListOnly
Hint
Refer to s3_access_types_reference to review the available permissions.
Lookup
Lookup is currently implemented for S3 buckets!
Hint
For S3, if the bucket has a default KMS key encryption, the services will automatically be granted the KMS default EncryptDecrypt permissions so that they can use the KMS key for object manipulation.
IAM Permissions
For S3 buckets, the access type expects an object with objects and bucket keys to distinguish the permissions for each. If you indicate a string, the default permissions (bucket: ListOnly and objects: RW) will be applied.
Examples
version: "3.8"
x-s3:
  bucket-01:
    Properties:
      BucketName: bucket-01
      AccessControl: BucketOwnerFullControl
      ObjectLockEnabled: True
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        BlockPublicPolicy: True
        IgnorePublicAcls: True
        RestrictPublicBuckets: False
      AccelerateConfiguration:
        AccelerationStatus: Suspended
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: "aws:kms"
              KMSMasterKeyID: "aws/s3"
      VersioningConfiguration:
        Status: "Enabled"
    Settings:
      ExpandRegionToBucket: True
      ExpandAccountIdToBucket: True
      EnvNames:
        - bucket01
        - BUCKET_ABCD-01
    Services:
      - name: app03
        access: RWObjects
  bucket-03:
    Properties:
      BucketName: bucket-03
      AccessControl: BucketOwnerFullControl
      ObjectLockEnabled: True
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        BlockPublicPolicy: True
        IgnorePublicAcls: True
        RestrictPublicBuckets: False
      AccelerateConfiguration:
        AccelerationStatus: Suspended
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: "Enabled"
    Settings:
      ExpandRegionToBucket: True
      ExpandAccountIdToBucket: False
      EnvNames:
        - bucket01
        - BUCKET_ABCD-01
    Services:
      - name: app03
        access: RWObjects
  bucket-02:
    Properties: {}
    Settings:
      ExpandRegionToBucket: False
      ExpandAccountIdToBucket: False
      EnableEncryption: AES256
      EnableAcceleration: True
      EnvNames:
        - bucket01
        - BUCKET_ABCD-01
    Services:
      - name: app03
        access:
          bucket: ListOnly
          objects: RW
  bucket-04:
    Properties:
      BucketName: bucket-04
    Settings:
      NameSeparator: "."
      ExpandRegionToBucket: False
      ExpandAccountIdToBucket: False
      EnableEncryption: AES256
      EnableAcceleration: True
      EnvNames:
        - bucket01
        - BUCKET_ABCD-01
    Services:
      - name: app03
        access:
          bucket: ListOnly
          objects: RW
version: "3.8"
x-s3:
  bucket-07:
    Lookup:
      Tags:
        - aws:cloudformation:logical-id: ArtifactsBucket
        - aws:cloudformation:stack-name: pipeline-shared-buckets
    Services:
      - name: app03
        access:
          bucket: PowerUser
          objects: RW
  bucket-08:
    Settings:
      EnvNames:
        - BUCKET03
    Lookup:
      Name: sacrificial-lamb
      Tags:
        - composex: "True"
    Services:
      - name: app03
        access:
          bucket: PowerUser
          objects: RW