AWS::S3::Bucket MetadataConfiguration - AWS CloudFormation
SyntaxPropertiesExamples

This is the new AWS CloudFormation Template Reference Guide. Please update your bookmarks and links. For help getting started with CloudFormation, see the AWS CloudFormation User Guide.

AWS::S3::Bucket MetadataConfiguration

Creates a V2 Amazon S3 Metadata configuration of a general purpose bucket. For more information, see Accelerating data discovery with S3 Metadata in the Amazon S3 User Guide.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

Properties

Destination

The destination information for the S3 Metadata configuration.

Required: No

Type: MetadataDestination

Update requires: No interruption

InventoryTableConfiguration

The inventory table configuration for a metadata configuration.

Required: No

Type: InventoryTableConfiguration

Update requires: No interruption

JournalTableConfiguration

The journal table configuration for a metadata configuration.

Required: Yes

Type: JournalTableConfiguration

Update requires: No interruption

Examples

Create a metadata configuration

The following example creates an S3 Metadata configuration for the specified general purpose bucket. To use this example, replace amzn-s3-demo-bucket with the name of your general purpose bucket. Also make sure to update the AWS Identity and Access Management (IAM) Amazon Resource Name (ARN) with the name of the IAM role that you want to use.

JSON


{
  "Resources": {
    "S3MetadataKMSKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "KMS key for S3 metadata encryption",
        "EnableKeyRotation": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/SpecificRoleName"
                }
              },
              "Action": "kms:*",
              "Resource": "*"
            },
            {
              "Sid": "Allow S3 Metadata Service",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "maintenance.s3tables.amazonaws.com",
                  "metadata.s3.amazonaws.com"
                ]
              },
              "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    },
    "S3MetadataKMSKeyAlias": {
      "Type": "AWS::KMS::Alias",
      "Properties": {
        "AliasName": "alias/s3-metadata-key",
        "TargetKeyId": {
          "Ref": "S3MetadataKMSKey"
        }
      }
    },
    "TestMetadataBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "amzn-s3-demo-bucket",
        "MetadataConfiguration": {
          "JournalTableConfiguration": {
            "RecordExpiration": {
              "Expiration": "ENABLED",
              "Days": 10
            },
            "EncryptionConfiguration": {
              "SseAlgorithm": "aws:kms",
              "KmsKeyArn": {
                "Fn::GetAtt": [
                  "S3MetadataKMSKey",
                  "Arn"
                ]
              }
            }
          },
          "InventoryTableConfiguration": {
            "ConfigurationState": "ENABLED",
            "EncryptionConfiguration": {
              "SseAlgorithm": "aws:kms",
              "KmsKeyArn": {
                "Fn::GetAtt": [
                  "S3MetadataKMSKey",
                  "Arn"
                ]
              }
            }
          }
        }
      }
    }
  }
}

YAML


Resources:
  S3MetadataKMSKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: 'KMS key for S3 metadata encryption'
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: 'Enable IAM User Permissions'
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:role/SpecificRoleName'
            Action: 'kms:*'
            Resource: '*'
          - Sid: 'Allow S3 Metadata Service'
            Effect: Allow
            Principal:
              Service: 
                - 'maintenance.s3tables.amazonaws.com'
                - 'metadata.s3.amazonaws.com'
            Action:
              - 'kms:Decrypt'
              - 'kms:GenerateDataKey'
            Resource: '*'

  S3MetadataKMSKeyAlias:
    Type: 'AWS::KMS::Alias'
    Properties:
      AliasName: 'alias/s3-metadata-key'
      TargetKeyId: !Ref S3MetadataKMSKey

  TestMetadataBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: amzn-s3-demo-bucket
      MetadataConfiguration:
        JournalTableConfiguration:
          RecordExpiration:
            Expiration: ENABLED
            Days: 10
          EncryptionConfiguration:
            SseAlgorithm: aws:kms
            KmsKeyArn: !GetAtt S3MetadataKMSKey.Arn
        InventoryTableConfiguration:
          ConfigurationState: ENABLED
          EncryptionConfiguration:
            SseAlgorithm: aws:kms
            KmsKeyArn: !GetAtt S3MetadataKMSKey.Arn