AWS::S3::Bucket MetadataConfiguration - AWS CloudFormation


AWS::S3::Bucket MetadataConfiguration

Creates a V2 Amazon S3 Metadata configuration of a general purpose bucket. For more information, see Accelerating data discovery with S3 Metadata in the Amazon S3 User Guide.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

Properties

Destination

The destination information for the S3 Metadata configuration.

Required: No

Type: MetadataDestination

Update requires: No interruption

InventoryTableConfiguration

The inventory table configuration for a metadata configuration.

Required: No

Type: InventoryTableConfiguration

Update requires: No interruption

JournalTableConfiguration

The journal table configuration for a metadata configuration.

Required: Yes

Type: JournalTableConfiguration

Update requires: No interruption

Examples

Create a metadata configuration

The following example creates an S3 Metadata configuration for the specified general purpose bucket. To use this example, replace amzn-s3-demo-bucket with the name of your general purpose bucket. Also make sure to update the AWS Identity and Access Management (IAM) Amazon Resource Name (ARN) with the name of the IAM role that you want to use.

JSON

{
  "Resources": {
    "S3MetadataKMSKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "KMS key for S3 metadata encryption",
        "EnableKeyRotation": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/SpecificRoleName"
                }
              },
              "Action": "kms:*",
              "Resource": "*"
            },
            {
              "Sid": "Allow S3 Metadata Service",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "maintenance.s3tables.amazonaws.com",
                  "metadata.s3.amazonaws.com"
                ]
              },
              "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    },
    "S3MetadataKMSKeyAlias": {
      "Type": "AWS::KMS::Alias",
      "Properties": {
        "AliasName": "alias/s3-metadata-key",
        "TargetKeyId": {
          "Ref": "S3MetadataKMSKey"
        }
      }
    },
    "TestMetadataBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "amzn-s3-demo-bucket",
        "MetadataConfiguration": {
          "JournalTableConfiguration": {
            "RecordExpiration": {
              "Expiration": "ENABLED",
              "Days": 10
            },
            "EncryptionConfiguration": {
              "SseAlgorithm": "aws:kms",
              "KmsKeyArn": {
                "Fn::GetAtt": [
                  "S3MetadataKMSKey",
                  "Arn"
                ]
              }
            }
          },
          "InventoryTableConfiguration": {
            "ConfigurationState": "ENABLED",
            "EncryptionConfiguration": {
              "SseAlgorithm": "aws:kms",
              "KmsKeyArn": {
                "Fn::GetAtt": [
                  "S3MetadataKMSKey",
                  "Arn"
                ]
              }
            }
          }
        }
      }
    }
  }
}

YAML

Resources:
  S3MetadataKMSKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: 'KMS key for S3 metadata encryption'
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: 'Enable IAM User Permissions'
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:role/SpecificRoleName'
            Action: 'kms:*'
            Resource: '*'
          - Sid: 'Allow S3 Metadata Service'
            Effect: Allow
            Principal:
              Service:
                - 'maintenance.s3tables.amazonaws.com'
                - 'metadata.s3.amazonaws.com'
            Action:
              - 'kms:Decrypt'
              - 'kms:GenerateDataKey'
            Resource: '*'
  S3MetadataKMSKeyAlias:
    Type: 'AWS::KMS::Alias'
    Properties:
      AliasName: 'alias/s3-metadata-key'
      TargetKeyId: !Ref S3MetadataKMSKey
  TestMetadataBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: amzn-s3-demo-bucket
      MetadataConfiguration:
        JournalTableConfiguration:
          RecordExpiration:
            Expiration: ENABLED
            Days: 10
          EncryptionConfiguration:
            SseAlgorithm: aws:kms
            KmsKeyArn: !GetAtt S3MetadataKMSKey.Arn
        InventoryTableConfiguration:
          ConfigurationState: ENABLED
          EncryptionConfiguration:
            SseAlgorithm: aws:kms
            KmsKeyArn: !GetAtt S3MetadataKMSKey.Arn
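
A pre-deployment check for templates shaped like the example above, added here as an illustration and not part of the AWS documentation. It takes a JSON-form template already parsed into a dict and reports a missing JournalTableConfiguration, metadata tables without a KMS key, and a template-local key whose policy does not grant the two service principals the two actions shown in the example. Treating an unencrypted table as a finding is an assumed local policy; `check_template`, `SAMPLE` and `ENC` are hypothetical names.

```python
# Service principals and KMS actions as they appear in the page's example key policy.
SERVICES = ("maintenance.s3tables.amazonaws.com", "metadata.s3.amazonaws.com")
ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}
TABLES = ("JournalTableConfiguration", "InventoryTableConfiguration")

def _as_set(value):  # IAM policy fields hold a single string or a list of strings
    return set(value) if isinstance(value, list) else {value}

def _missing_services(key):
    """Services in SERVICES that the key policy does not allow every action in ACTIONS."""
    grants = {}
    for stmt in key["Properties"]["KeyPolicy"]["Statement"]:
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict):
            for svc in _as_set(principal.get("Service", [])):
                grants.setdefault(svc, set()).update(_as_set(stmt.get("Action", [])))
    # Exact action names only; wildcard grants such as kms:* are not expanded.
    return [s for s in SERVICES if not ACTIONS <= grants.get(s, set())]

def check_template(template):
    """Return findings for each AWS::S3::Bucket that sets MetadataConfiguration."""
    findings, resources = [], template.get("Resources", {})
    for name, res in resources.items():
        cfg = res.get("Properties", {}).get("MetadataConfiguration")
        if res.get("Type") != "AWS::S3::Bucket" or cfg is None:
            continue
        if "JournalTableConfiguration" not in cfg:  # "Required: Yes" on the page
            findings.append(f"{name}: JournalTableConfiguration is required")
        for table in (t for t in TABLES if t in cfg):
            enc = cfg[table].get("EncryptionConfiguration", {})
            arn = enc.get("KmsKeyArn")
            if enc.get("SseAlgorithm") != "aws:kms" or not arn:
                # Assumed local policy, not a CloudFormation requirement.
                findings.append(f"{name}.{table}: no KMS key configured")
                continue
            # Only a key declared in this template (Fn::GetAtt list form) is inspected.
            ref = arn.get("Fn::GetAtt") if isinstance(arn, dict) else None
            key = resources.get(ref[0]) if isinstance(ref, list) else None
            for svc in (_missing_services(key) if key else []):
                findings.append(f"{name}.{table}: key policy lacks {svc}")
    return findings

# Constructed sample: the key policy omits maintenance.s3tables.amazonaws.com and
# the inventory table has no EncryptionConfiguration.
ENC = {"SseAlgorithm": "aws:kms", "KmsKeyArn": {"Fn::GetAtt": ["Key", "Arn"]}}
SAMPLE = {"Resources": {
    "Key": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {"Statement": [
        {"Effect": "Allow", "Principal": {"Service": "metadata.s3.amazonaws.com"},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}]}}},
    "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {"MetadataConfiguration": {
        "JournalTableConfiguration": {"EncryptionConfiguration": ENC},
        "InventoryTableConfiguration": {"ConfigurationState": "ENABLED"}}}}}}
```

Load a real template with `json.load` and pass the result to `check_template`; the YAML short forms (`!GetAtt`, `!Sub`) need converting to JSON form first.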