This is the new AWS CloudFormation Template Reference Guide. Please update your bookmarks and links. For help getting started with CloudFormation, see the AWS CloudFormation User Guide.
AWS::S3Outposts::BucketPolicy
This resource applies a bucket policy to an Amazon S3 on Outposts bucket.
If you are using an identity other than the root user of the AWS account 
      that owns the S3 on Outposts bucket, the calling identity must have 
      the s3-outposts:PutBucketPolicy permissions on the specified 
      Outposts bucket and belong to the bucket owner's account in order to use 
      this resource. 
If you don't have s3-outposts:PutBucketPolicy permissions, 
      S3 on Outposts returns a 403 Access Denied error. 
Important
The root user of the AWS account that owns an Outposts bucket can always use this resource, even if the policy explicitly denies the root user the ability to perform actions on this resource.
For more information, see the AWS::IAM::Policy PolicyDocument resource description in this guide and Access Policy Language Overview.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::S3Outposts::BucketPolicy", "Properties" : { "Bucket" :String, "PolicyDocument" :Json} }
YAML
Type: AWS::S3Outposts::BucketPolicy Properties: Bucket:StringPolicyDocument:Json
Properties
- Bucket
- 
                    The name of the Amazon S3 Outposts bucket to which the policy applies. Required: Yes Type: String Pattern: ^arn:[^:]+:s3-outposts:[a-zA-Z0-9\-]+:\d{12}:outpost\/[^:]+\/bucket\/[^:]+$Minimum: 20Maximum: 2048Update requires: Replacement 
- PolicyDocument
- 
                    A policy document containing permissions to add to the specified bucket. In IAM, you must provide policy documents in JSON format. However, in CloudFormation, you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to IAM. For more information, see the AWS::IAM::Policy PolicyDocument resource description in this guide and Access Policy Language Overview. Required: Yes Type: Json Update requires: No interruption 
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the S3 on Outposts bucket Amazon Resource Name (ARN).
For more information about using the Ref function, see Ref.
Examples
Create an Amazon S3 on Outposts bucket with a bucket policy
The following example creates an Amazon S3 on Outposts bucket and adds a bucket policy to that bucket.
Note
To add a bucket policy to a bucket, you must create your Outposts bucket before or at the same time as you add your bucket policy.
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Bucket with no tags + Bucket Policy", "Resources": { "ExampleS3OutpostsBucket": { "Type": "AWS::S3Outposts::Bucket", "Properties": { "BucketName": "DOC-EXAMPLE-BUCKET", "OutpostId": "op-01ac5d28a6a232904" } }, "ExampleS3OutpostsBucketPolicy": { "Type": "AWS::S3Outposts::BucketPolicy", "Properties": { "Bucket": { "Ref": "ExampleS3OutpostsBucket" }, "PolicyDocument": { "Version": "2012-10-17", "ID": "BucketPolicy", "Statement": [ { "Sid": "st1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, "Action": "s3-outposts:*", "Resource": "arn:aws:s3-outposts:us-east-1:123456789012:outpost/op-01ac5d28a6a232904/bucket/DOC-EXAMPLE-BUCKET" } ] } } } }, "Outputs": { "ExampleS3OutpostsBucketARN": { "Description": "The ARN of ExampleS3OutpostsBucket", "Value": { "Ref": "ExampleS3OutpostsBucket" } }, "ExampleS3OutpostsBucketPolicyARN": { "Description": "The ARN of the BucketPolicy", "Value": { "Ref": "ExampleS3OutpostsBucketPolicy" } }, "ExampleS3OutpostsStackID": { "Description": "The stack ID", "Value": { "Ref": "AWS::StackID" }, "Export": { "Name": { "Fn::Sub": "${AWS::StackName}-StackID" } } } } }
YAML
AWSTemplateFormatVersion: 2010-09-09 Description: Bucket with no tags + Bucket Policy Resources: ExampleS3OutpostsBucket: Type: 'AWS::S3Outposts::Bucket' Properties: BucketName: DOC-EXAMPLE-BUCKET OutpostId: op-01ac5d28a6a232904 ExampleS3OutpostsBucketPolicy: Type: 'AWS::S3Outposts::BucketPolicy' Properties: Bucket: !Ref ExampleS3OutpostsBucket PolicyDocument: Version: 2012-10-17 ID: BucketPolicy Statement: - Sid: st1 Effect: Allow Principal: AWS: 'arn:aws:iam::123456789012:root' Action: 's3-outposts:*' Resource: >- arn:aws:s3-outposts:us-east-1:123456789012:outpost/op-01ac5d28a6a232904/bucket/DOC-EXAMPLE-BUCKET Outputs: ExampleS3OutpostsBucketARN: Description: The ARN of ExampleS3OutpostsBucket Value: !Ref ExampleS3OutpostsBucket ExampleS3OutpostsBucketPolicyARN: Description: The ARN of the BucketPolicy Value: !Ref ExampleS3OutpostsBucketPolicy ExampleS3OutpostsStackID: Description: The stack ID Value: !Ref 'AWS::StackID' Export: Name: !Sub '${AWS::StackName}-StackID'