AWS::S3::Bucket MetadataConfiguration
Creates a V2 Amazon S3 Metadata configuration of a general purpose bucket. For more information, see Accelerating data discovery with S3 Metadata in the Amazon S3 User Guide.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Destination" : MetadataDestination,
  "InventoryTableConfiguration" : InventoryTableConfiguration,
  "JournalTableConfiguration" : JournalTableConfiguration
}
YAML
Destination:
  MetadataDestination
InventoryTableConfiguration:
  InventoryTableConfiguration
JournalTableConfiguration:
  JournalTableConfiguration
Properties
Destination
The destination information for the S3 Metadata configuration.
Required: No
Type: MetadataDestination
Update requires: No interruption
InventoryTableConfiguration
The inventory table configuration for a metadata configuration.
Required: No
Type: InventoryTableConfiguration
Update requires: No interruption
JournalTableConfiguration
The journal table configuration for a metadata configuration.
Required: Yes
Type: JournalTableConfiguration
Update requires: No interruption
Examples
Create a metadata configuration
The following example creates an S3 Metadata configuration for the specified general
purpose bucket. To use this example, replace amzn-s3-demo-bucket
with the name of your general purpose bucket. Also make sure to update the
AWS Identity and Access Management (IAM) Amazon Resource Name (ARN) with the name
of the IAM role that you want to use.
JSON
{
  "Resources": {
    "S3MetadataKMSKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "KMS key for S3 metadata encryption",
        "EnableKeyRotation": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/SpecificRoleName"
                }
              },
              "Action": "kms:*",
              "Resource": "*"
            },
            {
              "Sid": "Allow S3 Metadata Service",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "maintenance.s3tables.amazonaws.com",
                  "metadata.s3.amazonaws.com"
                ]
              },
              "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    },
    "S3MetadataKMSKeyAlias": {
      "Type": "AWS::KMS::Alias",
      "Properties": {
        "AliasName": "alias/s3-metadata-key",
        "TargetKeyId": {
          "Ref": "S3MetadataKMSKey"
        }
      }
    },
    "TestMetadataBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "amzn-s3-demo-bucket",
        "MetadataConfiguration": {
          "JournalTableConfiguration": {
            "RecordExpiration": {
              "Expiration": "ENABLED",
              "Days": 10
            },
            "EncryptionConfiguration": {
              "SseAlgorithm": "aws:kms",
              "KmsKeyArn": {
                "Fn::GetAtt": [
                  "S3MetadataKMSKey",
                  "Arn"
                ]
              }
            }
          },
          "InventoryTableConfiguration": {
            "ConfigurationState": "ENABLED",
            "EncryptionConfiguration": {
              "SseAlgorithm": "aws:kms",
              "KmsKeyArn": {
                "Fn::GetAtt": [
                  "S3MetadataKMSKey",
                  "Arn"
                ]
              }
            }
          }
        }
      }
    }
  }
}
YAML
Resources:
  S3MetadataKMSKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: 'KMS key for S3 metadata encryption'
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          # Replace SpecificRoleName with the name of the IAM role that you want to use.
          - Sid: 'Enable IAM User Permissions'
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:role/SpecificRoleName'
            Action: 'kms:*'
            Resource: '*'
          # Service principals that are allowed to decrypt and generate data keys with this key.
          - Sid: 'Allow S3 Metadata Service'
            Effect: Allow
            Principal:
              Service:
                - 'maintenance.s3tables.amazonaws.com'
                - 'metadata.s3.amazonaws.com'
            Action:
              - 'kms:Decrypt'
              - 'kms:GenerateDataKey'
            Resource: '*'
  S3MetadataKMSKeyAlias:
    Type: 'AWS::KMS::Alias'
    Properties:
      AliasName: 'alias/s3-metadata-key'
      TargetKeyId: !Ref S3MetadataKMSKey
  TestMetadataBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      # Replace with the name of your general purpose bucket.
      BucketName: amzn-s3-demo-bucket
      MetadataConfiguration:
        # Both metadata tables are encrypted with the KMS key defined above.
        JournalTableConfiguration:
          RecordExpiration:
            Expiration: ENABLED
            Days: 10
          EncryptionConfiguration:
            SseAlgorithm: aws:kms
            KmsKeyArn: !GetAtt S3MetadataKMSKey.Arn
        InventoryTableConfiguration:
          ConfigurationState: ENABLED
          EncryptionConfiguration:
            SseAlgorithm: aws:kms
            KmsKeyArn: !GetAtt S3MetadataKMSKey.Arn
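A pre-deployment check for the properties described above, as an added example that is not part of the AWS documentation: it walks a JSON template and reports buckets whose MetadataConfiguration lacks the required JournalTableConfiguration or whose metadata tables are not encrypted with a KMS key. The function name, the sample template and the rule that every table must use aws:kms are assumptions of this example.

```python
import json

# Constructed sample: one bucket shaped like the page's example, one misconfigured.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "GoodBucket": {"Type": "AWS::S3::Bucket", "Properties": {"MetadataConfiguration": {
    "JournalTableConfiguration": {
      "RecordExpiration": {"Expiration": "ENABLED", "Days": 10},
      "EncryptionConfiguration": {"SseAlgorithm": "aws:kms",
        "KmsKeyArn": {"Fn::GetAtt": ["S3MetadataKMSKey", "Arn"]}}}}}},
  "BadBucket": {"Type": "AWS::S3::Bucket", "Properties": {"MetadataConfiguration": {
    "InventoryTableConfiguration": {"ConfigurationState": "ENABLED",
      "EncryptionConfiguration": {"SseAlgorithm": "aws:kms"}}}}},
  "PlainBucket": {"Type": "AWS::S3::Bucket", "Properties": {}}
}}
""")

TABLES = ("JournalTableConfiguration", "InventoryTableConfiguration")


def lint_metadata_configuration(template):
    """Return sorted (logical_id, finding) pairs for S3 Metadata configurations."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        config = resource.get("Properties", {}).get("MetadataConfiguration")
        if config is None:
            continue  # bucket does not use S3 Metadata
        # The property reference marks JournalTableConfiguration as required.
        if "JournalTableConfiguration" not in config:
            findings.append((logical_id, "JournalTableConfiguration is missing"))
        for table in TABLES:
            if table not in config:
                continue
            enc = config[table].get("EncryptionConfiguration")
            if not enc:
                findings.append((logical_id, f"{table}: no EncryptionConfiguration"))
            elif enc.get("SseAlgorithm") != "aws:kms":
                # Assumed local policy of this example, not a CloudFormation rule.
                findings.append((logical_id, f"{table}: SseAlgorithm is not aws:kms"))
            elif not enc.get("KmsKeyArn"):
                findings.append((logical_id, f"{table}: aws:kms without KmsKeyArn"))
    return sorted(findings)


if __name__ == "__main__":
    for logical_id, finding in lint_metadata_configuration(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {finding}")
```

The check reads the JSON form of a template; the YAML form uses short-form intrinsic tags such as !GetAtt that a plain YAML parser rejects, so convert it to JSON first.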