This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::S3::Bucket The `AWS::S3::Bucket` resource creates an Amazon S3 bucket in the same AWS Region where you create the AWS CloudFormation stack. To control how AWS CloudFormation handles the bucket when the stack is deleted, you can set a deletion policy for your bucket. You can choose to *retain* the bucket or to *delete* the bucket. For more information, see [DeletionPolicy Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html). **Important** You can only delete empty buckets. Deletion fails for buckets that have contents. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::S3::Bucket", "Properties" : { "[AbacStatus](#cfn-s3-bucket-abacstatus)" : String, "[AccelerateConfiguration](#cfn-s3-bucket-accelerateconfiguration)" : AccelerateConfiguration, "[AccessControl](#cfn-s3-bucket-accesscontrol)" : String, "[AnalyticsConfigurations](#cfn-s3-bucket-analyticsconfigurations)" : [ AnalyticsConfiguration, ... ], "[BucketEncryption](#cfn-s3-bucket-bucketencryption)" : BucketEncryption, "[BucketName](#cfn-s3-bucket-bucketname)" : String, "[BucketNamePrefix](#cfn-s3-bucket-bucketnameprefix)" : String, "[BucketNamespace](#cfn-s3-bucket-bucketnamespace)" : String, "[CorsConfiguration](#cfn-s3-bucket-corsconfiguration)" : CorsConfiguration, "[IntelligentTieringConfigurations](#cfn-s3-bucket-intelligenttieringconfigurations)" : [ IntelligentTieringConfiguration, ... ], "[InventoryConfigurations](#cfn-s3-bucket-inventoryconfigurations)" : [ InventoryConfiguration, ... ], "[LifecycleConfiguration](#cfn-s3-bucket-lifecycleconfiguration)" : LifecycleConfiguration, "[LoggingConfiguration](#cfn-s3-bucket-loggingconfiguration)" : LoggingConfiguration, "[MetadataConfiguration](#cfn-s3-bucket-metadataconfiguration)" : MetadataConfiguration, "[MetadataTableConfiguration](#cfn-s3-bucket-metadatatableconfiguration)" : MetadataTableConfiguration, "[MetricsConfigurations](#cfn-s3-bucket-metricsconfigurations)" : [ MetricsConfiguration, ... ], "[NotificationConfiguration](#cfn-s3-bucket-notificationconfiguration)" : NotificationConfiguration, "[ObjectLockConfiguration](#cfn-s3-bucket-objectlockconfiguration)" : ObjectLockConfiguration, "[ObjectLockEnabled](#cfn-s3-bucket-objectlockenabled)" : Boolean, "[OwnershipControls](#cfn-s3-bucket-ownershipcontrols)" : OwnershipControls, "[PublicAccessBlockConfiguration](#cfn-s3-bucket-publicaccessblockconfiguration)" : PublicAccessBlockConfiguration, "[ReplicationConfiguration](#cfn-s3-bucket-replicationconfiguration)" : ReplicationConfiguration, "[Tags](#cfn-s3-bucket-tags)" : [ Tag, ... ], "[VersioningConfiguration](#cfn-s3-bucket-versioningconfiguration)" : VersioningConfiguration, "[WebsiteConfiguration](#cfn-s3-bucket-websiteconfiguration)" : WebsiteConfiguration } } ``` ### YAML ``` Type: AWS::S3::Bucket Properties: [AbacStatus](#cfn-s3-bucket-abacstatus): String [AccelerateConfiguration](#cfn-s3-bucket-accelerateconfiguration): AccelerateConfiguration [AccessControl](#cfn-s3-bucket-accesscontrol): String [AnalyticsConfigurations](#cfn-s3-bucket-analyticsconfigurations): - AnalyticsConfiguration [BucketEncryption](#cfn-s3-bucket-bucketencryption): BucketEncryption [BucketName](#cfn-s3-bucket-bucketname): String [BucketNamePrefix](#cfn-s3-bucket-bucketnameprefix): String [BucketNamespace](#cfn-s3-bucket-bucketnamespace): String [CorsConfiguration](#cfn-s3-bucket-corsconfiguration): CorsConfiguration [IntelligentTieringConfigurations](#cfn-s3-bucket-intelligenttieringconfigurations): - IntelligentTieringConfiguration [InventoryConfigurations](#cfn-s3-bucket-inventoryconfigurations): - InventoryConfiguration [LifecycleConfiguration](#cfn-s3-bucket-lifecycleconfiguration): LifecycleConfiguration [LoggingConfiguration](#cfn-s3-bucket-loggingconfiguration): LoggingConfiguration [MetadataConfiguration](#cfn-s3-bucket-metadataconfiguration): MetadataConfiguration [MetadataTableConfiguration](#cfn-s3-bucket-metadatatableconfiguration): MetadataTableConfiguration [MetricsConfigurations](#cfn-s3-bucket-metricsconfigurations): - MetricsConfiguration [NotificationConfiguration](#cfn-s3-bucket-notificationconfiguration): NotificationConfiguration [ObjectLockConfiguration](#cfn-s3-bucket-objectlockconfiguration): ObjectLockConfiguration [ObjectLockEnabled](#cfn-s3-bucket-objectlockenabled): Boolean [OwnershipControls](#cfn-s3-bucket-ownershipcontrols): OwnershipControls [PublicAccessBlockConfiguration](#cfn-s3-bucket-publicaccessblockconfiguration): PublicAccessBlockConfiguration [ReplicationConfiguration](#cfn-s3-bucket-replicationconfiguration): ReplicationConfiguration [Tags](#cfn-s3-bucket-tags): - Tag [VersioningConfiguration](#cfn-s3-bucket-versioningconfiguration): VersioningConfiguration [WebsiteConfiguration](#cfn-s3-bucket-websiteconfiguration): WebsiteConfiguration ``` ## Properties `AbacStatus` The ABAC status of the general purpose bucket. When ABAC is enabled for the general purpose bucket, you can use tags to manage access to the general purpose buckets as well as for cost tracking purposes. When ABAC is disabled for the general purpose buckets, you can only use tags for cost tracking purposes. For more information, see [Using tags with S3 general purpose buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/buckets-tagging.html). *Required*: No *Type*: String *Allowed values*: `Enabled | Disabled` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `AccelerateConfiguration` Configures the transfer acceleration state for an Amazon S3 bucket. For more information, see [Amazon S3 Transfer Acceleration](https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html) in the *Amazon S3 User Guide*. *Required*: No *Type*: [AccelerateConfiguration](aws-properties-s3-bucket-accelerateconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `AccessControl` This is a legacy property, and it is not recommended for most use cases. A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see [Controlling object ownership](https://docs.aws.amazon.com//AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon S3 User Guide*. A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide*. S3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the [AWS::S3::OwnershipControls](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html) property to enable ACLs, your resource will fail to deploy with any value other than Private. Use cases requiring ACLs are uncommon. The majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see [AWS::S3::BucketPolicy](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html). For examples of common policy configurations, including S3 Server Access Logs buckets and more, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) in the *Amazon S3 User Guide*. *Required*: No *Type*: String *Allowed values*: `AuthenticatedRead | AwsExecRead | BucketOwnerFullControl | BucketOwnerRead | LogDeliveryWrite | Private | PublicRead | PublicReadWrite` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `AnalyticsConfigurations` Specifies the configuration and any analyses for the analytics filter of an Amazon S3 bucket. *Required*: No *Type*: Array of [AnalyticsConfiguration](aws-properties-s3-bucket-analyticsconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `BucketEncryption` Specifies default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3), AWS KMS-managed keys (SSE-KMS), or dual-layer server-side encryption with KMS-managed keys (DSSE-KMS). For information about the Amazon S3 default encryption feature, see [Amazon S3 Default Encryption for S3 Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html) in the *Amazon S3 User Guide*. *Required*: No *Type*: [BucketEncryption](aws-properties-s3-bucket-bucketencryption.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `BucketName` A name for the bucket. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-) and must follow [Amazon S3 bucket restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html). For more information, see [Rules for naming Amazon S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html) in the *Amazon S3 User Guide*. If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name. *Required*: No *Type*: String *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `BucketNamePrefix` Property description not available. *Required*: No *Type*: String *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `BucketNamespace` Property description not available. *Required*: No *Type*: String *Allowed values*: `global | account-regional` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `CorsConfiguration` Describes the cross-origin access configuration for objects in an Amazon S3 bucket. For more information, see [Enabling Cross-Origin Resource Sharing](https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html) in the *Amazon S3 User Guide*. *Required*: No *Type*: [CorsConfiguration](aws-properties-s3-bucket-corsconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `IntelligentTieringConfigurations` Defines how Amazon S3 handles Intelligent-Tiering storage. *Required*: No *Type*: Array of [IntelligentTieringConfiguration](aws-properties-s3-bucket-intelligenttieringconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `InventoryConfigurations` Specifies the S3 Inventory configuration for an Amazon S3 bucket. For more information, see [GET Bucket inventory](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETInventoryConfig.html) in the *Amazon S3 API Reference*. *Required*: No *Type*: Array of [InventoryConfiguration](aws-properties-s3-bucket-inventoryconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `LifecycleConfiguration` Specifies the lifecycle configuration for objects in an Amazon S3 bucket. For more information, see [Object Lifecycle Management](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html) in the *Amazon S3 User Guide*. *Required*: No *Type*: [LifecycleConfiguration](aws-properties-s3-bucket-lifecycleconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `LoggingConfiguration` Settings that define where logs are stored. *Required*: No *Type*: [LoggingConfiguration](aws-properties-s3-bucket-loggingconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MetadataConfiguration` The S3 Metadata configuration for a general purpose bucket. *Required*: No *Type*: [MetadataConfiguration](aws-properties-s3-bucket-metadataconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MetadataTableConfiguration` The metadata table configuration of an Amazon S3 general purpose bucket. *Required*: No *Type*: [MetadataTableConfiguration](aws-properties-s3-bucket-metadatatableconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MetricsConfigurations` Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket. If you're updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don't include the elements you want to keep, they are erased. For more information, see [PutBucketMetricsConfiguration](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTMetricConfiguration.html). *Required*: No *Type*: Array of [MetricsConfiguration](aws-properties-s3-bucket-metricsconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NotificationConfiguration` Configuration that defines how Amazon S3 handles bucket notifications. *Required*: No *Type*: [NotificationConfiguration](aws-properties-s3-bucket-notificationconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ObjectLockConfiguration` This operation is not supported for directory buckets. Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see [Locking Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html). + The `DefaultRetention` settings require both a mode and a period. + The `DefaultRetention` period can be either `Days` or `Years` but you must select one. You cannot specify `Days` and `Years` at the same time. + You can enable Object Lock for new or existing buckets. For more information, see [Configuring Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html). You must URL encode any signed header values that contain spaces. For example, if your header value is `my file.txt`, containing two spaces after `my`, you must URL encode this value to `my%20%20file.txt`. *Required*: No *Type*: [ObjectLockConfiguration](aws-properties-s3-bucket-objectlockconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ObjectLockEnabled` Indicates whether this bucket has an Object Lock configuration enabled. Enable `ObjectLockEnabled` when you apply `ObjectLockConfiguration` to a bucket. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `OwnershipControls` Configuration that defines how Amazon S3 handles Object Ownership rules. *Required*: No *Type*: [OwnershipControls](aws-properties-s3-bucket-ownershipcontrols.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `PublicAccessBlockConfiguration` Configuration that defines how Amazon S3 handles public access. *Required*: No *Type*: [PublicAccessBlockConfiguration](aws-properties-s3-bucket-publicaccessblockconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ReplicationConfiguration` Configuration for replicating objects in an S3 bucket. To enable replication, you must also enable versioning by using the `VersioningConfiguration` property. Amazon S3 can store replicated objects in a single destination bucket or multiple destination buckets. The destination bucket or buckets must already exist. *Required*: No *Type*: [ReplicationConfiguration](aws-properties-s3-bucket-replicationconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Tags` An arbitrary set of tags (key-value pairs) for this S3 bucket. *Required*: No *Type*: Array of [Tag](aws-properties-s3-bucket-tag.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `VersioningConfiguration` Enables multiple versions of all objects in this bucket. You might enable versioning to prevent objects from being deleted or overwritten by mistake or to archive objects so that you can retrieve previous versions of them. When you enable versioning on a bucket for the first time, it might take a short amount of time for the change to be fully propagated. We recommend that you wait for 15 minutes after enabling versioning before issuing write operations (`PUT` or `DELETE`) on objects in the bucket. *Required*: No *Type*: [VersioningConfiguration](aws-properties-s3-bucket-versioningconfiguration.md) *Update requires*: [Some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) `WebsiteConfiguration` Information used to configure the bucket as a static website. For more information, see [Hosting Websites on Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html). *Required*: No *Type*: [WebsiteConfiguration](aws-properties-s3-bucket-websiteconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the bucket name. Example: ` amzn-s3-demo-bucket ` For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `Arn` Returns the Amazon Resource Name (ARN) of the specified bucket. Example: `arn:aws:s3:::DOC-EXAMPLE-BUCKET` `DomainName` Returns the IPv4 DNS name of the specified bucket. Example: `DOC-EXAMPLE-BUCKET.s3.amazonaws.com` `DualStackDomainName` Returns the IPv6 DNS name of the specified bucket. Example: ` DOC-EXAMPLE-BUCKET.s3.dualstack.us-east-2.amazonaws.com` For more information about dual-stack endpoints, see [Using Amazon S3 Dual-Stack Endpoints](https://docs.aws.amazon.com/AmazonS3/latest/dev/dual-stack-endpoints.html). `MetadataConfiguration.InventoryTableConfiguration.TableArn` Property description not available. `MetadataConfiguration.InventoryTableConfiguration.TableName` Property description not available. `MetadataConfiguration.JournalTableConfiguration.TableArn` Property description not available. `MetadataConfiguration.JournalTableConfiguration.TableName` Property description not available. `MetadataTableConfiguration.S3TablesDestination.TableArn` The Amazon Resource Name (ARN) for the metadata table in the metadata table configuration. The specified metadata table name must be unique within the `aws_s3_metadata` namespace in the destination table bucket. Example: `arn:aws:s3tables:region:account-id:bucket/amzn-s3-demo-bucket/table/1234567890abcdef0` `MetadataTableConfiguration.S3TablesDestination.TableNamespace` The table bucket namespace for the metadata table in the specified bucket's metadata table configuration. This value is always `aws_s3_metadata`. `RegionalDomainName` Returns the regional domain name of the specified bucket. Example: `DOC-EXAMPLE-BUCKET.s3.us-east-2.amazonaws.com` `WebsiteURL` Returns the Amazon S3 website endpoint for the specified bucket. Example (IPv4): `http://DOC-EXAMPLE-BUCKET.s3-website.us-east-2.amazonaws.com` Example (IPv6): `http://DOC-EXAMPLE-BUCKET.s3.dualstack.us-east-2.amazonaws.com` ## Examples **Topics** + [Create an S3 bucket](#aws-resource-s3-bucket--examples--Create_an_S3_bucket) + [Associate a replication configuration IAM role with an S3 bucket](#aws-resource-s3-bucket--examples--Associate_a_replication_configuration_IAM_role_with_an_S3_bucket) + [Granting public access to S3 buckets](#aws-resource-s3-bucket--examples--Granting_public_access_to_S3_buckets) + [Enabling ACLs](#aws-resource-s3-bucket--examples--Enabling_ACLs) + [Configure a static website with a routing rule](#aws-resource-s3-bucket--examples--Configure_a_static_website_with_a_routing_rule) + [Enable cross-origin resource sharing](#aws-resource-s3-bucket--examples--Enable_cross-origin_resource_sharing) + [Manage the lifecycle for S3 objects](#aws-resource-s3-bucket--examples--Manage_the_lifecycle_for_S3_objects) + [Log access requests for a specific S3 bucket](#aws-resource-s3-bucket--examples--Log_access_requests_for_a_specific_S3_bucket) + [Receive S3 bucket notifications to an SNS topic](#aws-resource-s3-bucket--examples--Receive_S3_bucket_notifications_to_an_SNS_topic) + [Enable versioning and replicate objects](#aws-resource-s3-bucket--examples--Enable_versioning_and_replicate_objects) + [Specify analytics and inventory configurations for an S3 bucket](#aws-resource-s3-bucket--examples--Specify_analytics_and_inventory_configurations_for_an_S3_bucket) ### Create an S3 bucket The following example creates an S3 bucket with a `Retain` deletion policy. #### JSON ``` { "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": { "BucketName": "DOC-EXAMPLE-BUCKET" } } } } ``` #### YAML ``` Resources: S3Bucket: Type: 'AWS::S3::Bucket' DeletionPolicy: Retain Properties: BucketName: DOC-EXAMPLE-BUCKET ``` ### Associate a replication configuration IAM role with an S3 bucket The following example creates an S3 bucket and grants it permission to write to a replication bucket by using an AWS Identity and Access Management (IAM) role. To avoid a circular dependency, the role's policy is declared as a separate resource. The bucket depends on the `WorkItemBucketBackupRole` role. If the policy is included in the role, the role also depends on the bucket. #### JSON ``` { "Resources": { "RecordServiceS3Bucket": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": { "ReplicationConfiguration": { "Role": { "Fn::GetAtt": [ "WorkItemBucketBackupRole", "Arn" ] }, "Rules": [ { "Destination": { "Bucket": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Fn::Join": [ "-", [ { "Ref": "AWS::Region" }, { "Ref": "AWS::StackName" }, "replicationbucket" ] ] } ] ] }, "StorageClass": "STANDARD" }, "Id": "Backup", "Prefix": "", "Status": "Enabled" } ] }, "VersioningConfiguration": { "Status": "Enabled" } } }, "WorkItemBucketBackupRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": [ "sts:AssumeRole" ], "Effect": "Allow", "Principal": { "Service": [ "s3.amazonaws.com" ] } } ] } } }, "BucketBackupPolicy": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetReplicationConfiguration", "s3:ListBucket" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "RecordServiceS3Bucket" } ] ] } ] }, { "Action": [ "s3:GetObjectVersion", "s3:GetObjectVersionAcl" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "RecordServiceS3Bucket" }, "/*" ] ] } ] }, { "Action": [ "s3:ReplicateObject", "s3:ReplicateDelete" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Fn::Join": [ "-", [ { "Ref": "AWS::Region" }, { "Ref": "AWS::StackName" }, "replicationbucket" ] ] }, "/*" ] ] } ] } ] }, "PolicyName": "BucketBackupPolicy", "Roles": [ { "Ref": "WorkItemBucketBackupRole" } ] } } } } ``` #### YAML ``` Resources: RecordServiceS3Bucket: Type: 'AWS::S3::Bucket' DeletionPolicy: Retain Properties: ReplicationConfiguration: Role: !GetAtt - WorkItemBucketBackupRole - Arn Rules: - Destination: Bucket: !Join - '' - - 'arn:aws:s3:::' - !Join - '-' - - !Ref 'AWS::Region' - !Ref 'AWS::StackName' - replicationbucket StorageClass: STANDARD Id: Backup Prefix: '' Status: Enabled VersioningConfiguration: Status: Enabled WorkItemBucketBackupRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Statement: - Action: - 'sts:AssumeRole' Effect: Allow Principal: Service: - s3.amazonaws.com BucketBackupPolicy: Type: 'AWS::IAM::Policy' Properties: PolicyDocument: Statement: - Action: - 's3:GetReplicationConfiguration' - 's3:ListBucket' Effect: Allow Resource: - !Join - '' - - 'arn:aws:s3:::' - !Ref RecordServiceS3Bucket - Action: - 's3:GetObjectVersion' - 's3:GetObjectVersionAcl' Effect: Allow Resource: - !Join - '' - - 'arn:aws:s3:::' - !Ref RecordServiceS3Bucket - /* - Action: - 's3:ReplicateObject' - 's3:ReplicateDelete' Effect: Allow Resource: - !Join - '' - - 'arn:aws:s3:::' - !Join - '-' - - !Ref 'AWS::Region' - !Ref 'AWS::StackName' - replicationbucket - /* PolicyName: BucketBackupPolicy Roles: - !Ref WorkItemBucketBackupRole ``` ### Granting public access to S3 buckets When you create a new bucket, all Block Public Access settings are automatically enabled. We recommend that you keep all Block Public Access settings enabled. If you require some level of public access to your buckets, you can disable Block Public Access settings. The following example shows creating a bucket called `my-bucket` and then disabling Block Public Access. A public bucket policy is then added to the bucket. **Note** The following example assumes the `BlockPublicPolicy` and `RestrictPublicBuckets` Block Public Access settings have been disabled at the account level. #### JSON ``` { "Resources": { "MyBucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": "my-bucket", "PublicAccessBlockConfiguration": { "BlockPublicAcls": false, "BlockPublicPolicy": false, "IgnorePublicAcls": false, "RestrictPublicBuckets": false } } }, "MyBucketPolicy": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "MyBucket" }, "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "MyBucket" }, "/*" ] ] } } ] } } } } } ``` #### YAML ``` Resources: MyBucket: Type: 'AWS::S3::Bucket' Properties: BucketName: my-bucket PublicAccessBlockConfiguration: BlockPublicAcls: false BlockPublicPolicy: false IgnorePublicAcls: false RestrictPublicBuckets: false MyBucketPolicy: Type: 'AWS::S3::BucketPolicy' Properties: Bucket: Ref: 'MyBucket' PolicyDocument: Version: '2012-10-17 ' Statement: - Effect: Allow Principal: '*' Action: 's3:GetObject' Resource: Fn::Join: - '' - - 'arn:aws:s3:::' - Ref: 'MyBucket' - '/*' ``` ### Enabling ACLs By default, S3 Object Ownership is set to `BucketOwnerEnforced` and ACLs are disabled. A majority of modern use cases in S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. With ACLs disabled, you can control access to all objects in your bucket, regardless of who uploaded the objects to your bucket. If your specific use case requires enabling ACLs, you can set S3 Object Ownership to `BucketOwnerPreferred` or `ObjectWriter`. For more information, see [Controlling ownership of objects and disabling ACLs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon S3 User Guide*. The following example shows Object Ownership set to `BucketOwnerPreferred`. #### JSON ``` { "Resources": { "MyBucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": "my-bucket", "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerPreferred" } ] }, "AccessControl": "AwsExecRead" } } } } ``` #### YAML ``` Resources: MyBucket: Type: 'AWS::S3::Bucket' Properties: BucketName: my-bucket OwnershipControls: Rules: - ObjectOwnership: BucketOwnerPreferred AccessControl: AwsExecRead ``` ### Configure a static website with a routing rule In this example, `AWS::S3::Bucket's Fn::GetAtt` values are used to provide outputs. If an HTTP 404 error occurs, the routing rule redirects requests to an EC2 instance and inserts the object key prefix `report-404/` in the redirect. For example, if you request a page called `out1/ExamplePage.html` and it results in an HTTP 404 error, the request is routed to a page called `report-404/ExamplePage.html` on the specified instance. For all other HTTP error codes, `error.html` is returned. This example also specifies a metrics configuration called `EntireBucket` that enables CloudWatch request metrics at the bucket level. #### JSON ``` { "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "PublicRead", "BucketName": "public-bucket", "MetricsConfigurations": [ { "Id": "EntireBucket" } ], "WebsiteConfiguration": { "IndexDocument": "index.html", "ErrorDocument": "error.html", "RoutingRules": [ { "RoutingRuleCondition": { "HttpErrorCodeReturnedEquals": "404", "KeyPrefixEquals": "out1/" }, "RedirectRule": { "HostName": "ec2-11-22-333-44.compute-1.amazonaws.com", "ReplaceKeyPrefixWith": "report-404/" } } ] } }, "DeletionPolicy": "Retain" } }, "Outputs": { "WebsiteURL": { "Value": { "Fn::GetAtt": [ "S3Bucket", "WebsiteURL" ] }, "Description": "URL for website hosted on S3" }, "S3BucketSecureURL": { "Value": { "Fn::Join": [ "", [ "https://", { "Fn::GetAtt": [ "S3Bucket", "DomainName" ] } ] ] }, "Description": "Name of S3 bucket to hold website content" } } } ``` #### YAML ``` Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: AccessControl: PublicRead BucketName: public-bucket MetricsConfigurations: - Id: EntireBucket WebsiteConfiguration: IndexDocument: index.html ErrorDocument: error.html RoutingRules: - RoutingRuleCondition: HttpErrorCodeReturnedEquals: '404' KeyPrefixEquals: out1/ RedirectRule: HostName: ec2-11-22-333-44.compute-1.amazonaws.com ReplaceKeyPrefixWith: report-404/ DeletionPolicy: Retain Outputs: WebsiteURL: Value: !GetAtt - S3Bucket - WebsiteURL Description: URL for website hosted on S3 S3BucketSecureURL: Value: !Join - '' - - 'https://' - !GetAtt - S3Bucket - DomainName Description: Name of S3 bucket to hold website content ``` ### Enable cross-origin resource sharing The following example template shows a public S3 bucket with two cross-origin resource sharing rules. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "PublicRead", "CorsConfiguration": { "CorsRules": [ { "AllowedHeaders": [ "*" ], "AllowedMethods": [ "GET" ], "AllowedOrigins": [ "*" ], "ExposedHeaders": [ "Date" ], "Id": "myCORSRuleId1", "MaxAge": 3600 }, { "AllowedHeaders": [ "x-amz-*" ], "AllowedMethods": [ "DELETE" ], "AllowedOrigins": [ "http://www.example.com", "http://www.example.net" ], "ExposedHeaders": [ "Connection", "Server", "Date" ], "Id": "myCORSRuleId2", "MaxAge": 1800 } ] } } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with CORS enabled." } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: AccessControl: PublicRead CorsConfiguration: CorsRules: - AllowedHeaders: - '*' AllowedMethods: - GET AllowedOrigins: - '*' ExposedHeaders: - Date Id: myCORSRuleId1 MaxAge: 3600 - AllowedHeaders: - x-amz-* AllowedMethods: - DELETE AllowedOrigins: - 'http://www.example.com' - 'http://www.example.net' ExposedHeaders: - Connection - Server - Date Id: myCORSRuleId2 MaxAge: 1800 Outputs: BucketName: Value: !Ref S3Bucket Description: Name of the sample Amazon S3 bucket with CORS enabled. ``` ### Manage the lifecycle for S3 objects The following example template shows an S3 bucket with a lifecycle configuration rule. The rule applies to all objects with the `glacier` key prefix. The objects are transitioned to Glacier after one day, and deleted after one year. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "Private", "LifecycleConfiguration": { "Rules": [ { "Id": "GlacierRule", "Prefix": "glacier", "Status": "Enabled", "ExpirationInDays": 365, "Transitions": [ { "TransitionInDays": 1, "StorageClass": "GLACIER" } ] } ] } } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with a lifecycle configuration." } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: AccessControl: Private LifecycleConfiguration: Rules: - Id: GlacierRule Prefix: glacier Status: Enabled ExpirationInDays: 365 Transitions: - TransitionInDays: 1 StorageClass: GLACIER Outputs: BucketName: Value: !Ref S3Bucket Description: Name of the sample Amazon S3 bucket with a lifecycle configuration. ``` ### Log access requests for a specific S3 bucket The following example template creates two S3 buckets. The `LoggingBucket` bucket store the logs from the `S3Bucket` bucket. To receive logs from the `S3Bucket` bucket, the logging bucket requires log delivery write permissions. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "LoggingConfiguration": { "DestinationBucketName": { "Ref": "LoggingBucket" }, "LogFilePrefix": "testing-logs" } } }, "LoggingBucket": { "Type": "AWS::S3::Bucket" }, "S3BucketPolicy": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "LoggingBucket" }, "PolicyDocument": { "Version": "2012-10-17" , "Statement": [ { "Action": [ "s3:PutObject" ], "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com" }, "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "LoggingBucket" }, "/*" ] ] }, "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "S3Bucket", "Arn" ] } }, "StringEquals": { "aws:SourceAccount": { "Fn::Sub": "${AWS::AccountId}" } } } } ] } } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with a logging configuration." } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: LoggingConfiguration: DestinationBucketName: !Ref LoggingBucket LogFilePrefix: testing-logs LoggingBucket: Type: 'AWS::S3::Bucket' S3BucketPolicy: Type: 'AWS::S3::BucketPolicy' Properties: Bucket: !Ref LoggingBucket PolicyDocument: Version: 2012-10-17 Statement: - Action: - 's3:PutObject' Effect: Allow Principal: Service: logging.s3.amazonaws.com Resource: !Join - '' - - 'arn:aws:s3:::' - !Ref LoggingBucket - /* Condition: ArnLike: 'aws:SourceArn': !GetAtt - S3Bucket - Arn StringEquals: 'aws:SourceAccount': !Sub '${AWS::AccountId}' Outputs: BucketName: Value: !Ref S3Bucket Description: Name of the sample Amazon S3 bucket with a logging configuration. ``` ### Receive S3 bucket notifications to an SNS topic The following example template shows an Amazon S3 bucket with a notification configuration that sends an event to the specified SNS topic when S3 has lost all replicas of an object. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "Private", "NotificationConfiguration": { "TopicConfigurations": [ { "Topic": "arn:aws:sns:us-east-1:123456789012:TestTopic", "Event": "s3:ReducedRedundancyLostObject" } ] } } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with a notification configuration." } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: AccessControl: Private NotificationConfiguration: TopicConfigurations: - Topic: 'arn:aws:sns:us-east-1:123456789012:TestTopic' Event: 's3:ReducedRedundancyLostObject' Outputs: BucketName: Value: !Ref S3Bucket Description: Name of the sample Amazon S3 bucket with a notification configuration. ``` ### Enable versioning and replicate objects The following example enables versioning and two replication rules. The rules copy objects prefixed with either `MyPrefix` and `MyOtherPrefix` and stores the copied objects in a bucket named `my-replication-bucket`. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "VersioningConfiguration": { "Status": "Enabled" }, "ReplicationConfiguration": { "Role": "arn:aws:iam::123456789012:role/replication_role", "Rules": [ { "Id": "MyRule1", "Status": "Enabled", "Prefix": "MyPrefix", "Destination": { "Bucket": "arn:aws:s3:::my-replication-bucket", "StorageClass": "STANDARD" } }, { "Status": "Enabled", "Prefix": "MyOtherPrefix", "Destination": { "Bucket": "arn:aws:s3:::my-replication-bucket" } } ] } } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: VersioningConfiguration: Status: Enabled ReplicationConfiguration: Role: 'arn:aws:iam::123456789012:role/replication_role' Rules: - Id: MyRule1 Status: Enabled Prefix: MyPrefix Destination: Bucket: 'arn:aws:s3:::my-replication-bucket' StorageClass: STANDARD - Status: Enabled Prefix: MyOtherPrefix Destination: Bucket: 'arn:aws:s3:::my-replication-bucket' ``` ### Specify analytics and inventory configurations for an S3 bucket The following example specifies analytics and inventory results to be generated for an S3 bucket, including the format of the results and the destination bucket. The inventory list generates reports weekly and includes the current version of each object. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "S3 Bucket with Inventory and Analytics Configurations", "Resources": { "Helper": { "Type": "AWS::S3::Bucket" }, "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AnalyticsConfigurations": [ { "Id": "AnalyticsConfigurationId", "StorageClassAnalysis": { "DataExport": { "Destination": { "BucketArn": { "Fn::GetAtt": [ "Helper", "Arn" ] }, "Format": "CSV", "Prefix": "AnalyticsDestinationPrefix" }, "OutputSchemaVersion": "V_1" } }, "Prefix": "AnalyticsConfigurationPrefix", "TagFilters": [ { "Key": "AnalyticsTagKey", "Value": "AnalyticsTagValue" } ] } ], "InventoryConfigurations": [ { "Id": "InventoryConfigurationId", "Destination": { "BucketArn": { "Fn::GetAtt": [ "Helper", "Arn" ] }, "Format": "CSV", "Prefix": "InventoryDestinationPrefix" }, "Enabled": true, "IncludedObjectVersions": "Current", "Prefix": "InventoryConfigurationPrefix", "ScheduleFrequency": "Weekly" } ] } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: S3 Bucket with Inventory and Analytics Configurations Resources: Helper: Type: 'AWS::S3::Bucket' S3Bucket: Type: 'AWS::S3::Bucket' Properties: AnalyticsConfigurations: - Id: AnalyticsConfigurationId StorageClassAnalysis: DataExport: Destination: BucketArn: !GetAtt - Helper - Arn Format: CSV Prefix: AnalyticsDestinationPrefix OutputSchemaVersion: V_1 Prefix: AnalyticsConfigurationPrefix TagFilters: - Key: AnalyticsTagKey Value: AnalyticsTagValue InventoryConfigurations: - Id: InventoryConfigurationId Destination: BucketArn: !GetAtt - Helper - Arn Format: CSV Prefix: InventoryDestinationPrefix Enabled: true IncludedObjectVersions: Current Prefix: InventoryConfigurationPrefix ScheduleFrequency: Weekly ``` ## See also + [Amazon S3 Template Snippets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-s3.html) # AWS::S3::Bucket AbortIncompleteMultipartUpload Specifies the days since the initiation of an incomplete multipart upload that Amazon S3 will wait before permanently removing all parts of the upload. For more information, see [ Stopping Incomplete Multipart Uploads Using a Bucket Lifecycle Policy](https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html#mpu-abort-incomplete-mpu-lifecycle-config) in the *Amazon S3 User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[DaysAfterInitiation](#cfn-s3-bucket-abortincompletemultipartupload-daysafterinitiation)" : Integer } ``` ### YAML ``` [DaysAfterInitiation](#cfn-s3-bucket-abortincompletemultipartupload-daysafterinitiation): Integer ``` ## Properties `DaysAfterInitiation` Specifies the number of days after which Amazon S3 stops an incomplete multipart upload. *Required*: Yes *Type*: Integer *Minimum*: `0` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket AccelerateConfiguration Configures the transfer acceleration state for an Amazon S3 bucket. For more information, see [Amazon S3 Transfer Acceleration](https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html) in the *Amazon S3 User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[AccelerationStatus](#cfn-s3-bucket-accelerateconfiguration-accelerationstatus)" : String } ``` ### YAML ``` [AccelerationStatus](#cfn-s3-bucket-accelerateconfiguration-accelerationstatus): String ``` ## Properties `AccelerationStatus` Specifies the transfer acceleration status of the bucket. *Required*: Yes *Type*: String *Allowed values*: `Enabled | Suspended` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## See also + AWS::S3::Bucket [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket--examples) # AWS::S3::Bucket AccessControlTranslation Specify this only in a cross-account scenario (where source and destination bucket owners are not the same), and you want to change replica ownership to the AWS account that owns the destination bucket. If this is not specified in the replication configuration, the replicas are owned by same AWS account that owns the source object. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Owner](#cfn-s3-bucket-accesscontroltranslation-owner)" : String } ``` ### YAML ``` [Owner](#cfn-s3-bucket-accesscontroltranslation-owner): String ``` ## Properties `Owner` Specifies the replica ownership. For default and valid values, see [PUT bucket replication](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTreplication.html) in the *Amazon S3 API Reference*. *Required*: Yes *Type*: String *Allowed values*: `Destination` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket AnalyticsConfiguration Specifies the configuration and any analyses for the analytics filter of an Amazon S3 bucket. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Id](#cfn-s3-bucket-analyticsconfiguration-id)" : String, "[Prefix](#cfn-s3-bucket-analyticsconfiguration-prefix)" : String, "[StorageClassAnalysis](#cfn-s3-bucket-analyticsconfiguration-storageclassanalysis)" : StorageClassAnalysis, "[TagFilters](#cfn-s3-bucket-analyticsconfiguration-tagfilters)" : [ TagFilter, ... ] } ``` ### YAML ``` [Id](#cfn-s3-bucket-analyticsconfiguration-id): String [Prefix](#cfn-s3-bucket-analyticsconfiguration-prefix): String [StorageClassAnalysis](#cfn-s3-bucket-analyticsconfiguration-storageclassanalysis): StorageClassAnalysis [TagFilters](#cfn-s3-bucket-analyticsconfiguration-tagfilters): - TagFilter ``` ## Properties `Id` The ID that identifies the analytics configuration. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Prefix` The prefix that an object must have to be included in the analytics results. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `StorageClassAnalysis` Contains data related to access patterns to be collected and made available to analyze the tradeoffs between different storage classes. *Required*: Yes *Type*: [StorageClassAnalysis](aws-properties-s3-bucket-storageclassanalysis.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TagFilters` The tags to use when evaluating an analytics filter. The analytics only includes objects that meet the filter's criteria. If no filter is specified, all of the contents of the bucket are included in the analysis. *Required*: No *Type*: Array of [TagFilter](aws-properties-s3-bucket-tagfilter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Specify analytics and inventory configurations for an S3 bucket The following example specifies analytics and inventory results to be generated for an S3 bucket, including the format of the results and the destination bucket. The inventory list generates reports weekly and includes the current version of each object. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "S3 Bucket with Inventory and Analytics Configurations", "Resources": { "Helper": { "Type": "AWS::S3::Bucket" }, "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AnalyticsConfigurations": [ { "Id": "AnalyticsConfigurationId", "StorageClassAnalysis": { "DataExport": { "Destination": { "BucketArn": { "Fn::GetAtt": [ "Helper", "Arn" ] }, "Format": "CSV", "Prefix": "AnalyticsDestinationPrefix" }, "OutputSchemaVersion": "V_1" } }, "Prefix": "AnalyticsConfigurationPrefix", "TagFilters": [ { "Key": "AnalyticsTagKey", "Value": "AnalyticsTagValue" } ] } ], "InventoryConfigurations": [ { "Id": "InventoryConfigurationId", "Destination": { "BucketArn": { "Fn::GetAtt": [ "Helper", "Arn" ] }, "Format": "CSV", "Prefix": "InventoryDestinationPrefix" }, "Enabled": true, "IncludedObjectVersions": "Current", "Prefix": "InventoryConfigurationPrefix", "ScheduleFrequency": "Weekly" } ] } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: S3 Bucket with Inventory and Analytics Configurations Resources: Helper: Type: 'AWS::S3::Bucket' S3Bucket: Type: 'AWS::S3::Bucket' Properties: AnalyticsConfigurations: - Id: AnalyticsConfigurationId StorageClassAnalysis: DataExport: Destination: BucketArn: !GetAtt - Helper - Arn Format: CSV Prefix: AnalyticsDestinationPrefix OutputSchemaVersion: V_1 Prefix: AnalyticsConfigurationPrefix TagFilters: - Key: AnalyticsTagKey Value: AnalyticsTagValue InventoryConfigurations: - Id: InventoryConfigurationId Destination: BucketArn: !GetAtt - Helper - Arn Format: CSV Prefix: InventoryDestinationPrefix Enabled: true IncludedObjectVersions: Current Prefix: InventoryConfigurationPrefix ScheduleFrequency: Weekly ``` # AWS::S3::Bucket BlockedEncryptionTypes A bucket-level setting for Amazon S3 general purpose buckets used to prevent the upload of new objects encrypted with the specified server-side encryption type. For example, blocking an encryption type will block `PutObject`, `CopyObject`, `PostObject`, multipart upload, and replication requests to the bucket for objects with the specified encryption type. However, you can continue to read and list any pre-existing objects already encrypted with the specified encryption type. For more information, see [Blocking or unblocking SSE-C for a general purpose bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/blocking-unblocking-s3-c-encryption-gpb.html). This data type is used with the following actions: + [PutBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html) + [GetBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html) + [DeleteBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html) Permissions You must have the `s3:PutEncryptionConfiguration` permission to block or unblock an encryption type for a bucket. You must have the `s3:GetEncryptionConfiguration` permission to view a bucket's encryption type. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[EncryptionType](#cfn-s3-bucket-blockedencryptiontypes-encryptiontype)" : [ String, ... ] } ``` ### YAML ``` [EncryptionType](#cfn-s3-bucket-blockedencryptiontypes-encryptiontype): - String ``` ## Properties `EncryptionType` The object encryption type that you want to block or unblock for an Amazon S3 general purpose bucket. Currently, this parameter only supports blocking or unblocking server side encryption with customer-provided keys (SSE-C). For more information about SSE-C, see [Using server-side encryption with customer-provided keys (SSE-C)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html). *Required*: No *Type*: Array of String *Allowed values*: `NONE | SSE-C` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket BucketEncryption Specifies default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3), AWS KMS-managed keys (SSE-KMS), or dual-layer server-side encryption with KMS-managed keys (DSSE-KMS). For information about the Amazon S3 default encryption feature, see [Amazon S3 Default Encryption for S3 Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html) in the *Amazon S3 User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ServerSideEncryptionConfiguration](#cfn-s3-bucket-bucketencryption-serversideencryptionconfiguration)" : [ ServerSideEncryptionRule, ... ] } ``` ### YAML ``` [ServerSideEncryptionConfiguration](#cfn-s3-bucket-bucketencryption-serversideencryptionconfiguration): - ServerSideEncryptionRule ``` ## Properties `ServerSideEncryptionConfiguration` Specifies the default server-side-encryption configuration. *Required*: Yes *Type*: Array of [ServerSideEncryptionRule](aws-properties-s3-bucket-serversideencryptionrule.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## See also + AWS::S3::Bucket [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket--examples) # AWS::S3::Bucket CorsConfiguration Describes the cross-origin access configuration for objects in an Amazon S3 bucket. For more information, see [Enabling Cross-Origin Resource Sharing](https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html) in the *Amazon S3 User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[CorsRules](#cfn-s3-bucket-corsconfiguration-corsrules)" : [ CorsRule, ... ] } ``` ### YAML ``` [CorsRules](#cfn-s3-bucket-corsconfiguration-corsrules): - CorsRule ``` ## Properties `CorsRules` A set of origins and methods (cross-origin access that you want to allow). You can add up to 100 rules to the configuration. *Required*: Yes *Type*: Array of [CorsRule](aws-properties-s3-bucket-corsrule.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Enable cross-origin resource sharing The following example template shows a public S3 bucket with two cross-origin resource sharing rules. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "PublicRead", "CorsConfiguration": { "CorsRules": [ { "AllowedHeaders": [ "*" ], "AllowedMethods": [ "GET" ], "AllowedOrigins": [ "*" ], "ExposedHeaders": [ "Date" ], "Id": "myCORSRuleId1", "MaxAge": 3600 }, { "AllowedHeaders": [ "x-amz-*" ], "AllowedMethods": [ "DELETE" ], "AllowedOrigins": [ "http://www.example.com", "http://www.example.net" ], "ExposedHeaders": [ "Connection", "Server", "Date" ], "Id": "myCORSRuleId2", "MaxAge": 1800 } ] } } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with CORS enabled." } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: AccessControl: PublicRead CorsConfiguration: CorsRules: - AllowedHeaders: - '*' AllowedMethods: - GET AllowedOrigins: - '*' ExposedHeaders: - Date Id: myCORSRuleId1 MaxAge: 3600 - AllowedHeaders: - x-amz-* AllowedMethods: - DELETE AllowedOrigins: - 'http://www.example.com' - 'http://www.example.net' ExposedHeaders: - Connection - Server - Date Id: myCORSRuleId2 MaxAge: 1800 Outputs: BucketName: Value: !Ref S3Bucket Description: Name of the sample Amazon S3 bucket with CORS enabled. ``` # AWS::S3::Bucket CorsRule Specifies a cross-origin access rule for an Amazon S3 bucket. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[AllowedHeaders](#cfn-s3-bucket-corsrule-allowedheaders)" : [ String, ... ], "[AllowedMethods](#cfn-s3-bucket-corsrule-allowedmethods)" : [ String, ... ], "[AllowedOrigins](#cfn-s3-bucket-corsrule-allowedorigins)" : [ String, ... ], "[ExposedHeaders](#cfn-s3-bucket-corsrule-exposedheaders)" : [ String, ... ], "[Id](#cfn-s3-bucket-corsrule-id)" : String, "[MaxAge](#cfn-s3-bucket-corsrule-maxage)" : Integer } ``` ### YAML ``` [AllowedHeaders](#cfn-s3-bucket-corsrule-allowedheaders): - String [AllowedMethods](#cfn-s3-bucket-corsrule-allowedmethods): - String [AllowedOrigins](#cfn-s3-bucket-corsrule-allowedorigins): - String [ExposedHeaders](#cfn-s3-bucket-corsrule-exposedheaders): - String [Id](#cfn-s3-bucket-corsrule-id): String [MaxAge](#cfn-s3-bucket-corsrule-maxage): Integer ``` ## Properties `AllowedHeaders` Headers that are specified in the `Access-Control-Request-Headers` header. These headers are allowed in a preflight OPTIONS request. In response to any preflight OPTIONS request, Amazon S3 returns any requested headers that are allowed. *Required*: No *Type*: Array of String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `AllowedMethods` An HTTP method that you allow the origin to run. *Allowed values*: `GET` \$1 `PUT` \$1 `HEAD` \$1 `POST` \$1 `DELETE` *Required*: Yes *Type*: Array of String *Allowed values*: `GET | PUT | HEAD | POST | DELETE` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `AllowedOrigins` One or more origins you want customers to be able to access the bucket from. *Required*: Yes *Type*: Array of String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ExposedHeaders` One or more headers in the response that you want customers to be able to access from their applications (for example, from a JavaScript `XMLHttpRequest` object). *Required*: No *Type*: Array of String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Id` A unique identifier for this rule. The value must be no more than 255 characters. *Required*: No *Type*: String *Maximum*: `255` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MaxAge` The time in seconds that your browser is to cache the preflight response for the specified resource. *Required*: No *Type*: Integer *Minimum*: `0` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Enable cross-origin resource sharing The following example template shows a public S3 bucket with two cross-origin resource sharing rules. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "PublicRead", "CorsConfiguration": { "CorsRules": [ { "AllowedHeaders": [ "*" ], "AllowedMethods": [ "GET" ], "AllowedOrigins": [ "*" ], "ExposedHeaders": [ "Date" ], "Id": "myCORSRuleId1", "MaxAge": 3600 }, { "AllowedHeaders": [ "x-amz-*" ], "AllowedMethods": [ "DELETE" ], "AllowedOrigins": [ "http://www.example.com", "http://www.example.net" ], "ExposedHeaders": [ "Connection", "Server", "Date" ], "Id": "myCORSRuleId2", "MaxAge": 1800 } ] } } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with CORS enabled." } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: AccessControl: PublicRead CorsConfiguration: CorsRules: - AllowedHeaders: - '*' AllowedMethods: - GET AllowedOrigins: - '*' ExposedHeaders: - Date Id: myCORSRuleId1 MaxAge: 3600 - AllowedHeaders: - x-amz-* AllowedMethods: - DELETE AllowedOrigins: - 'http://www.example.com' - 'http://www.example.net' ExposedHeaders: - Connection - Server - Date Id: myCORSRuleId2 MaxAge: 1800 Outputs: BucketName: Value: !Ref S3Bucket Description: Name of the sample Amazon S3 bucket with CORS enabled. ``` # AWS::S3::Bucket DataExport Specifies how data related to the storage class analysis for an Amazon S3 bucket should be exported. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Destination](#cfn-s3-bucket-dataexport-destination)" : Destination, "[OutputSchemaVersion](#cfn-s3-bucket-dataexport-outputschemaversion)" : String } ``` ### YAML ``` [Destination](#cfn-s3-bucket-dataexport-destination): Destination [OutputSchemaVersion](#cfn-s3-bucket-dataexport-outputschemaversion): String ``` ## Properties `Destination` The place to store the data for an analysis. *Required*: Yes *Type*: [Destination](aws-properties-s3-bucket-destination.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `OutputSchemaVersion` The version of the output schema to use when exporting data. Must be `V_1`. *Required*: Yes *Type*: String *Allowed values*: `V_1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## See also + AWS::S3::Bucket [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket--examples) # AWS::S3::Bucket DefaultRetention The container element for optionally specifying the default Object Lock retention settings for new objects placed in the specified bucket. **Note** The `DefaultRetention` settings require both a mode and a period. The `DefaultRetention` period can be either `Days` or `Years` but you must select one. You cannot specify `Days` and `Years` at the same time. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Days](#cfn-s3-bucket-defaultretention-days)" : Integer, "[Mode](#cfn-s3-bucket-defaultretention-mode)" : String, "[Years](#cfn-s3-bucket-defaultretention-years)" : Integer } ``` ### YAML ``` [Days](#cfn-s3-bucket-defaultretention-days): Integer [Mode](#cfn-s3-bucket-defaultretention-mode): String [Years](#cfn-s3-bucket-defaultretention-years): Integer ``` ## Properties `Days` The number of days that you want to specify for the default retention period. If Object Lock is turned on, you must specify `Mode` and specify either `Days` or `Years`. *Required*: Conditional *Type*: Integer *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Mode` The default Object Lock retention mode you want to apply to new objects placed in the specified bucket. If Object Lock is turned on, you must specify `Mode` and specify either `Days` or `Years`. *Required*: Conditional *Type*: String *Allowed values*: `COMPLIANCE | GOVERNANCE` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Years` The number of years that you want to specify for the default retention period. If Object Lock is turned on, you must specify `Mode` and specify either `Days` or `Years`. *Required*: Conditional *Type*: Integer *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## See also + AWS::S3::Bucket [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket--examples) # AWS::S3::Bucket DeleteMarkerReplication Specifies whether Amazon S3 replicates delete markers. If you specify a `Filter` in your replication configuration, you must also include a `DeleteMarkerReplication` element. If your `Filter` includes a `Tag` element, the `DeleteMarkerReplication``Status` must be set to Disabled, because Amazon S3 does not support replicating delete markers for tag-based rules. For an example configuration, see [Basic Rule Configuration](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html#replication-config-min-rule-config). For more information about delete marker replication, see [Basic Rule Configuration](https://docs.aws.amazon.com/AmazonS3/latest/dev/delete-marker-replication.html). **Note** If you are using an earlier version of the replication configuration, Amazon S3 handles replication of delete markers differently. For more information, see [Backward Compatibility](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html#replication-backward-compat-considerations). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Status](#cfn-s3-bucket-deletemarkerreplication-status)" : String } ``` ### YAML ``` [Status](#cfn-s3-bucket-deletemarkerreplication-status): String ``` ## Properties `Status` Indicates whether to replicate delete markers. *Required*: No *Type*: String *Allowed values*: `Disabled | Enabled` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket Destination Specifies information about where to publish analysis or configuration results for an Amazon S3 bucket. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[BucketAccountId](#cfn-s3-bucket-destination-bucketaccountid)" : String, "[BucketArn](#cfn-s3-bucket-destination-bucketarn)" : String, "[Format](#cfn-s3-bucket-destination-format)" : String, "[Prefix](#cfn-s3-bucket-destination-prefix)" : String } ``` ### YAML ``` [BucketAccountId](#cfn-s3-bucket-destination-bucketaccountid): String [BucketArn](#cfn-s3-bucket-destination-bucketarn): String [Format](#cfn-s3-bucket-destination-format): String [Prefix](#cfn-s3-bucket-destination-prefix): String ``` ## Properties `BucketAccountId` The account ID that owns the destination S3 bucket. If no account ID is provided, the owner is not validated before exporting data. Although this value is optional, we strongly recommend that you set it to help prevent problems if the destination bucket ownership changes. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `BucketArn` The Amazon Resource Name (ARN) of the bucket to which data is exported. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Format` Specifies the file format used when exporting data to Amazon S3. *Allowed values*: `CSV` \$1 `ORC` \$1 `Parquet` *Required*: Yes *Type*: String *Allowed values*: `CSV | ORC | Parquet` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Prefix` The prefix to use when exporting data. The prefix is prepended to all results. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## See also + AWS::S3::Bucket [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket--examples) # AWS::S3::Bucket EncryptionConfiguration Specifies encryption-related information for an Amazon S3 bucket that is a destination for replicated objects. **Note** If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ReplicaKmsKeyID](#cfn-s3-bucket-encryptionconfiguration-replicakmskeyid)" : String } ``` ### YAML ``` [ReplicaKmsKeyID](#cfn-s3-bucket-encryptionconfiguration-replicakmskeyid): String ``` ## Properties `ReplicaKmsKeyID` Specifies the ID (Key ARN or Alias ARN) of the customer managed AWS KMS key stored in AWS Key Management Service (KMS) for the destination bucket. Amazon S3 uses this key to encrypt replica objects. Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in AWS KMS](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide*. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## See also + AWS::S3::Bucket [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket--examples) # AWS::S3::Bucket EventBridgeConfiguration Amazon S3 can send events to Amazon EventBridge whenever certain events happen in your bucket, see [Using EventBridge](https://docs.aws.amazon.com/AmazonS3/latest/userguide/EventBridge.html) in the *Amazon S3 User Guide*. Unlike other destinations, delivery of events to EventBridge can be either enabled or disabled for a bucket. If enabled, all events will be sent to EventBridge and you can use EventBridge rules to route events to additional targets. For more information, see [What Is Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) in the *Amazon EventBridge User Guide* ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[EventBridgeEnabled](#cfn-s3-bucket-eventbridgeconfiguration-eventbridgeenabled)" : Boolean } ``` ### YAML ``` [EventBridgeEnabled](#cfn-s3-bucket-eventbridgeconfiguration-eventbridgeenabled): Boolean ``` ## Properties `EventBridgeEnabled` Enables delivery of events to Amazon EventBridge. *Required*: Yes *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Enable EventBridgeConfiguration The following example template shows an Amazon S3 bucket with a notification configuration with EventBridge enabled. #### JSON ``` { "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "NotificationConfiguration": { "EventBridgeConfiguration": { "EventBridgeEnabled": true } } } } } } ``` #### YAML ``` Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: NotificationConfiguration: EventBridgeConfiguration: EventBridgeEnabled: true ``` # AWS::S3::Bucket FilterRule Specifies the Amazon S3 object key name to filter on. An object key name is the name assigned to an object in your Amazon S3 bucket. You specify whether to filter on the suffix or prefix of the object key name. A prefix is a specific string of characters at the beginning of an object key name, which you can use to organize objects. For example, you can start the key names of related objects with a prefix, such as `2023-` or `engineering/`. Then, you can use `FilterRule` to find objects in a bucket with key names that have the same prefix. A suffix is similar to a prefix, but it is at the end of the object key name instead of at the beginning. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Name](#cfn-s3-bucket-filterrule-name)" : String, "[Value](#cfn-s3-bucket-filterrule-value)" : String } ``` ### YAML ``` [Name](#cfn-s3-bucket-filterrule-name): String [Value](#cfn-s3-bucket-filterrule-value): String ``` ## Properties `Name` The object key name prefix or suffix identifying one or more objects to which the filtering rule applies. The maximum length is 1,024 characters. Overlapping prefixes and suffixes are not supported. For more information, see [Configuring Event Notifications](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the *Amazon S3 User Guide*. *Required*: Yes *Type*: String *Maximum*: `1024` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` The value that the filter searches for in object key names. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket IntelligentTieringConfiguration Specifies the S3 Intelligent-Tiering configuration for an Amazon S3 bucket. For information about the S3 Intelligent-Tiering storage class, see [Storage class for automatically optimizing frequently and infrequently accessed objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html#sc-dynamic-data-access). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Id](#cfn-s3-bucket-intelligenttieringconfiguration-id)" : String, "[Prefix](#cfn-s3-bucket-intelligenttieringconfiguration-prefix)" : String, "[Status](#cfn-s3-bucket-intelligenttieringconfiguration-status)" : String, "[TagFilters](#cfn-s3-bucket-intelligenttieringconfiguration-tagfilters)" : [ TagFilter, ... ], "[Tierings](#cfn-s3-bucket-intelligenttieringconfiguration-tierings)" : [ Tiering, ... ] } ``` ### YAML ``` [Id](#cfn-s3-bucket-intelligenttieringconfiguration-id): String [Prefix](#cfn-s3-bucket-intelligenttieringconfiguration-prefix): String [Status](#cfn-s3-bucket-intelligenttieringconfiguration-status): String [TagFilters](#cfn-s3-bucket-intelligenttieringconfiguration-tagfilters): - TagFilter [Tierings](#cfn-s3-bucket-intelligenttieringconfiguration-tierings): - Tiering ``` ## Properties `Id` The ID used to identify the S3 Intelligent-Tiering configuration. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Prefix` An object key name prefix that identifies the subset of objects to which the rule applies. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Status` Specifies the status of the configuration. *Required*: Yes *Type*: String *Allowed values*: `Disabled | Enabled` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TagFilters` A container for a key-value pair. *Required*: No *Type*: Array of [TagFilter](aws-properties-s3-bucket-tagfilter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Tierings` Specifies a list of S3 Intelligent-Tiering storage class tiers in the configuration. At least one tier must be defined in the list. At most, you can specify two tiers in the list, one for each available AccessTier: `ARCHIVE_ACCESS` and `DEEP_ARCHIVE_ACCESS`. You only need Intelligent Tiering Configuration enabled on a bucket if you want to automatically move objects stored in the Intelligent-Tiering storage class to Archive Access or Deep Archive Access tiers. *Required*: Yes *Type*: Array of [Tiering](aws-properties-s3-bucket-tiering.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket InventoryConfiguration Specifies the S3 Inventory configuration for an Amazon S3 bucket. For more information, see [GET Bucket inventory](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETInventoryConfig.html) in the *Amazon S3 API Reference*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Destination](#cfn-s3-bucket-inventoryconfiguration-destination)" : Destination, "[Enabled](#cfn-s3-bucket-inventoryconfiguration-enabled)" : Boolean, "[Id](#cfn-s3-bucket-inventoryconfiguration-id)" : String, "[IncludedObjectVersions](#cfn-s3-bucket-inventoryconfiguration-includedobjectversions)" : String, "[OptionalFields](#cfn-s3-bucket-inventoryconfiguration-optionalfields)" : [ String, ... ], "[Prefix](#cfn-s3-bucket-inventoryconfiguration-prefix)" : String, "[ScheduleFrequency](#cfn-s3-bucket-inventoryconfiguration-schedulefrequency)" : String } ``` ### YAML ``` [Destination](#cfn-s3-bucket-inventoryconfiguration-destination): Destination [Enabled](#cfn-s3-bucket-inventoryconfiguration-enabled): Boolean [Id](#cfn-s3-bucket-inventoryconfiguration-id): String [IncludedObjectVersions](#cfn-s3-bucket-inventoryconfiguration-includedobjectversions): String [OptionalFields](#cfn-s3-bucket-inventoryconfiguration-optionalfields): - String [Prefix](#cfn-s3-bucket-inventoryconfiguration-prefix): String [ScheduleFrequency](#cfn-s3-bucket-inventoryconfiguration-schedulefrequency): String ``` ## Properties `Destination` Contains information about where to publish the inventory results. *Required*: Yes *Type*: [Destination](aws-properties-s3-bucket-destination.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Enabled` Specifies whether the inventory is enabled or disabled. If set to `True`, an inventory list is generated. If set to `False`, no inventory list is generated. *Required*: Yes *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Id` The ID used to identify the inventory configuration. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `IncludedObjectVersions` Object versions to include in the inventory list. If set to `All`, the list includes all the object versions, which adds the version-related fields `VersionId`, `IsLatest`, and `DeleteMarker` to the list. If set to `Current`, the list does not contain these version-related fields. *Required*: Yes *Type*: String *Allowed values*: `All | Current` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `OptionalFields` Contains the optional fields that are included in the inventory results. *Required*: No *Type*: Array of String *Allowed values*: `Size | LastModifiedDate | StorageClass | ETag | IsMultipartUploaded | ReplicationStatus | EncryptionStatus | ObjectLockRetainUntilDate | ObjectLockMode | ObjectLockLegalHoldStatus | IntelligentTieringAccessTier | BucketKeyStatus | ChecksumAlgorithm | ObjectAccessControlList | ObjectOwner | LifecycleExpirationDate` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Prefix` Specifies the inventory filter prefix. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ScheduleFrequency` Specifies the schedule for generating inventory results. *Required*: Yes *Type*: String *Allowed values*: `Daily | Weekly` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Specify analytics and inventory configurations for an S3 bucket The following example specifies analytics and inventory results to be generated for an S3 bucket, including the format of the results and the destination bucket. The inventory list generates reports weekly and includes the current version of each object. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "S3 Bucket with Inventory and Analytics Configurations", "Resources": { "Helper": { "Type": "AWS::S3::Bucket" }, "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AnalyticsConfigurations": [ { "Id": "AnalyticsConfigurationId", "StorageClassAnalysis": { "DataExport": { "Destination": { "BucketArn": { "Fn::GetAtt": [ "Helper", "Arn" ] }, "Format": "CSV", "Prefix": "AnalyticsDestinationPrefix" }, "OutputSchemaVersion": "V_1" } }, "Prefix": "AnalyticsConfigurationPrefix", "TagFilters": [ { "Key": "AnalyticsTagKey", "Value": "AnalyticsTagValue" } ] } ], "InventoryConfigurations": [ { "Id": "InventoryConfigurationId", "Destination": { "BucketArn": { "Fn::GetAtt": [ "Helper", "Arn" ] }, "Format": "CSV", "Prefix": "InventoryDestinationPrefix" }, "Enabled": true, "IncludedObjectVersions": "Current", "Prefix": "InventoryConfigurationPrefix", "ScheduleFrequency": "Weekly" } ] } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: S3 Bucket with Inventory and Analytics Configurations Resources: Helper: Type: 'AWS::S3::Bucket' S3Bucket: Type: 'AWS::S3::Bucket' Properties: AnalyticsConfigurations: - Id: AnalyticsConfigurationId StorageClassAnalysis: DataExport: Destination: BucketArn: !GetAtt - Helper - Arn Format: CSV Prefix: AnalyticsDestinationPrefix OutputSchemaVersion: V_1 Prefix: AnalyticsConfigurationPrefix TagFilters: - Key: AnalyticsTagKey Value: AnalyticsTagValue InventoryConfigurations: - Id: InventoryConfigurationId Destination: BucketArn: !GetAtt - Helper - Arn Format: CSV Prefix: InventoryDestinationPrefix Enabled: true IncludedObjectVersions: Current Prefix: InventoryConfigurationPrefix ScheduleFrequency: Weekly ``` # AWS::S3::Bucket InventoryTableConfiguration The inventory table configuration for an S3 Metadata configuration. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ConfigurationState](#cfn-s3-bucket-inventorytableconfiguration-configurationstate)" : String, "[EncryptionConfiguration](#cfn-s3-bucket-inventorytableconfiguration-encryptionconfiguration)" : MetadataTableEncryptionConfiguration, "[TableArn](#cfn-s3-bucket-inventorytableconfiguration-tablearn)" : String, "[TableName](#cfn-s3-bucket-inventorytableconfiguration-tablename)" : String } ``` ### YAML ``` [ConfigurationState](#cfn-s3-bucket-inventorytableconfiguration-configurationstate): String [EncryptionConfiguration](#cfn-s3-bucket-inventorytableconfiguration-encryptionconfiguration): MetadataTableEncryptionConfiguration [TableArn](#cfn-s3-bucket-inventorytableconfiguration-tablearn): String [TableName](#cfn-s3-bucket-inventorytableconfiguration-tablename): String ``` ## Properties `ConfigurationState` The configuration state of the inventory table, indicating whether the inventory table is enabled or disabled. *Required*: Yes *Type*: String *Allowed values*: `ENABLED | DISABLED` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `EncryptionConfiguration` The encryption configuration for the inventory table. *Required*: No *Type*: [MetadataTableEncryptionConfiguration](aws-properties-s3-bucket-metadatatableencryptionconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TableArn` The Amazon Resource Name (ARN) for the inventory table. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TableName` The name of the inventory table. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket JournalTableConfiguration The journal table configuration for an S3 Metadata configuration. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[EncryptionConfiguration](#cfn-s3-bucket-journaltableconfiguration-encryptionconfiguration)" : MetadataTableEncryptionConfiguration, "[RecordExpiration](#cfn-s3-bucket-journaltableconfiguration-recordexpiration)" : RecordExpiration, "[TableArn](#cfn-s3-bucket-journaltableconfiguration-tablearn)" : String, "[TableName](#cfn-s3-bucket-journaltableconfiguration-tablename)" : String } ``` ### YAML ``` [EncryptionConfiguration](#cfn-s3-bucket-journaltableconfiguration-encryptionconfiguration): MetadataTableEncryptionConfiguration [RecordExpiration](#cfn-s3-bucket-journaltableconfiguration-recordexpiration): RecordExpiration [TableArn](#cfn-s3-bucket-journaltableconfiguration-tablearn): String [TableName](#cfn-s3-bucket-journaltableconfiguration-tablename): String ``` ## Properties `EncryptionConfiguration` The encryption configuration for the journal table. *Required*: No *Type*: [MetadataTableEncryptionConfiguration](aws-properties-s3-bucket-metadatatableencryptionconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RecordExpiration` The journal table record expiration settings for the journal table. *Required*: Yes *Type*: [RecordExpiration](aws-properties-s3-bucket-recordexpiration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TableArn` The Amazon Resource Name (ARN) for the journal table. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TableName` The name of the journal table. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket LambdaConfiguration Describes the AWS Lambda functions to invoke and the events for which to invoke them. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Event](#cfn-s3-bucket-lambdaconfiguration-event)" : String, "[Filter](#cfn-s3-bucket-lambdaconfiguration-filter)" : NotificationFilter, "[Function](#cfn-s3-bucket-lambdaconfiguration-function)" : String } ``` ### YAML ``` [Event](#cfn-s3-bucket-lambdaconfiguration-event): String [Filter](#cfn-s3-bucket-lambdaconfiguration-filter): NotificationFilter [Function](#cfn-s3-bucket-lambdaconfiguration-function): String ``` ## Properties `Event` The Amazon S3 bucket event for which to invoke the AWS Lambda function. For more information, see [Supported Event Types](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the *Amazon S3 User Guide*. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Filter` The filtering rules that determine which objects invoke the AWS Lambda function. For example, you can create a filter so that only image files with a `.jpg` extension invoke the function when they are added to the Amazon S3 bucket. *Required*: No *Type*: [NotificationFilter](aws-properties-s3-bucket-notificationfilter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Function` The Amazon Resource Name (ARN) of the AWS Lambda function that Amazon S3 invokes when the specified event type occurs. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket LifecycleConfiguration Specifies the lifecycle configuration for objects in an Amazon S3 bucket. For more information, see [Object Lifecycle Management](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html) in the *Amazon S3 User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Rules](#cfn-s3-bucket-lifecycleconfiguration-rules)" : [ Rule, ... ], "[TransitionDefaultMinimumObjectSize](#cfn-s3-bucket-lifecycleconfiguration-transitiondefaultminimumobjectsize)" : String } ``` ### YAML ``` [Rules](#cfn-s3-bucket-lifecycleconfiguration-rules): - Rule [TransitionDefaultMinimumObjectSize](#cfn-s3-bucket-lifecycleconfiguration-transitiondefaultminimumobjectsize): String ``` ## Properties `Rules` A lifecycle rule for individual objects in an Amazon S3 bucket. *Required*: Yes *Type*: Array of [Rule](aws-properties-s3-bucket-rule.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TransitionDefaultMinimumObjectSize` Indicates which default minimum object size behavior is applied to the lifecycle configuration. This parameter applies to general purpose buckets only. It isn't supported for directory bucket lifecycle configurations. + `all_storage_classes_128K` - Objects smaller than 128 KB will not transition to any storage class by default. + `varies_by_storage_class` - Objects smaller than 128 KB will transition to Glacier Flexible Retrieval or Glacier Deep Archive storage classes. By default, all other storage classes will prevent transitions smaller than 128 KB. To customize the minimum object size for any transition you can add a filter that specifies a custom `ObjectSizeGreaterThan` or `ObjectSizeLessThan` in the body of your transition rule. Custom filters always take precedence over the default transition behavior. *Required*: No *Type*: String *Allowed values*: `varies_by_storage_class | all_storage_classes_128K` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Manage the lifecycle for S3 objects The following example template shows an S3 bucket with a lifecycle configuration rule. The rule applies to all objects with the `glacier` key prefix. The objects are transitioned to Glacier after one day, and deleted after one year. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "Private", "LifecycleConfiguration": { "Rules": [ { "Id": "GlacierRule", "Prefix": "glacier", "Status": "Enabled", "ExpirationInDays": 365, "Transitions": [ { "TransitionInDays": 1, "StorageClass": "GLACIER" } ] } ] } } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with a lifecycle configuration." } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: AccessControl: Private LifecycleConfiguration: Rules: - Id: GlacierRule Prefix: glacier Status: Enabled ExpirationInDays: 365 Transitions: - TransitionInDays: 1 StorageClass: GLACIER Outputs: BucketName: Value: !Ref S3Bucket Description: Name of the sample Amazon S3 bucket with a lifecycle configuration. ``` # AWS::S3::Bucket LoggingConfiguration Describes where logs are stored and the prefix that Amazon S3 assigns to all log object keys for a bucket. For examples and more information, see [PUT Bucket logging](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTlogging.html) in the *Amazon S3 API Reference*. **Note** To successfully complete the `AWS::S3::Bucket LoggingConfiguration` request, you must have `s3:PutObject` and `s3:PutObjectAcl` in your IAM permissions. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[DestinationBucketName](#cfn-s3-bucket-loggingconfiguration-destinationbucketname)" : String, "[LogFilePrefix](#cfn-s3-bucket-loggingconfiguration-logfileprefix)" : String, "[TargetObjectKeyFormat](#cfn-s3-bucket-loggingconfiguration-targetobjectkeyformat)" : TargetObjectKeyFormat } ``` ### YAML ``` [DestinationBucketName](#cfn-s3-bucket-loggingconfiguration-destinationbucketname): String [LogFilePrefix](#cfn-s3-bucket-loggingconfiguration-logfileprefix): String [TargetObjectKeyFormat](#cfn-s3-bucket-loggingconfiguration-targetobjectkeyformat): TargetObjectKeyFormat ``` ## Properties `DestinationBucketName` The name of the bucket where Amazon S3 should store server access log files. You can store log files in any bucket that you own. By default, logs are stored in the bucket where the `LoggingConfiguration` property is defined. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `LogFilePrefix` A prefix for all log object keys. If you store log files from multiple Amazon S3 buckets in a single bucket, you can use a prefix to distinguish which log files came from which bucket. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TargetObjectKeyFormat` Amazon S3 key format for log objects. Only one format, either PartitionedPrefix or SimplePrefix, is allowed. *Required*: No *Type*: [TargetObjectKeyFormat](aws-properties-s3-bucket-targetobjectkeyformat.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples **Topics** + [Log access requests for a specific S3 bucket](#aws-properties-s3-bucket-loggingconfiguration--examples--Log_access_requests_for_a_specific_S3_bucket) + [Setting up logging configurations with log prefixes based on event time](#aws-properties-s3-bucket-loggingconfiguration--examples--Setting_up_logging_configurations_with_log_prefixes_based_on_event_time) + [Setting up logging configurations with log prefixes based on delivery time](#aws-properties-s3-bucket-loggingconfiguration--examples--Setting_up_logging_configurations_with_log_prefixes_based_on_delivery_time) + [Setting up logging configurations with a simple prefix](#aws-properties-s3-bucket-loggingconfiguration--examples--Setting_up_logging_configurations_with_a_simple_prefix) ### Log access requests for a specific S3 bucket The following example template creates two S3 buckets. The `LoggingBucket` bucket store the logs from the `S3Bucket` bucket. To receive logs from the `S3Bucket` bucket, the logging bucket requires log delivery write permissions. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "LoggingConfiguration": { "DestinationBucketName": { "Ref": "LoggingBucket" }, "LogFilePrefix": "testing-logs" } } }, "LoggingBucket": { "Type": "AWS::S3::Bucket" }, "S3BucketPolicy": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "LoggingBucket" }, "PolicyDocument": { "Version": "2012-10-17" , "Statement": [ { "Action": [ "s3:PutObject" ], "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com" }, "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "LoggingBucket" }, "/*" ] ] }, "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "S3Bucket", "Arn" ] } }, "StringEquals": { "aws:SourceAccount": { "Fn::Sub": "${AWS::AccountId}" } } } } ] } } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with a logging configuration." } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: LoggingConfiguration: DestinationBucketName: !Ref LoggingBucket LogFilePrefix: testing-logs LoggingBucket: Type: 'AWS::S3::Bucket' S3BucketPolicy: Type: 'AWS::S3::BucketPolicy' Properties: Bucket: !Ref LoggingBucket PolicyDocument: Version: 2012-10-17 Statement: - Action: - 's3:PutObject' Effect: Allow Principal: Service: logging.s3.amazonaws.com Resource: !Join - '' - - 'arn:aws:s3:::' - !Ref LoggingBucket - /* Condition: ArnLike: 'aws:SourceArn': !GetAtt - S3Bucket - Arn StringEquals: 'aws:SourceAccount': !Sub '${AWS::AccountId}' Outputs: BucketName: Value: !Ref S3Bucket Description: Name of the sample Amazon S3 bucket with a logging configuration. ``` ### Setting up logging configurations with log prefixes based on event time The following example template configures the `DOC-EXAMPLE-BUCKET` destination bucket with a `logs/` prefix and event time log delivery. #### JSON ``` "LoggingConfiguration": { "DestinationBucketName": "DOC-EXAMPLE-BUCKET", "LogFilePrefix": "logs/", "TargetObjectKeyFormat": { "PartitionedPrefix": { "PartitionDateSource": "EventTime" } } } ``` #### YAML ``` LoggingConfiguration: DestinationBucketName: "DOC-EXAMPLE-BUCKET" LogFilePrefix: logs/ TargetObjectKeyFormat: PartitionedPrefix: PartitionDateSource: EventTime ``` ### Setting up logging configurations with log prefixes based on delivery time The following example template configures the `DOC-EXAMPLE-BUCKET` destination bucket with a `logs/` prefix and delivery time log delivery. #### JSON ``` "LoggingConfiguration": { "DestinationBucketName": "DOC-EXAMPLE-BUCKET", "LogFilePrefix": "logs/", "TargetObjectKeyFormat": { "PartitionedPrefix": { "PartitionDateSource": "DeliveryTime" } } } ``` #### YAML ``` LoggingConfiguration: DestinationBucketName: "DOC-EXAMPLE-BUCKET" LogFilePrefix: logs/ TargetObjectKeyFormat: PartitionedPrefix: PartitionDateSource: DeliveryTime ``` ### Setting up logging configurations with a simple prefix The following example template configures the `DOC-EXAMPLE-BUCKET` destination bucket with a `logs/` prefix and simple prefix delivery. #### JSON ``` "LoggingConfiguration": { "DestinationBucketName": "DOC-EXAMPLE-BUCKET", "LogFilePrefix": "logs/", "TargetObjectKeyFormat": { "SimplePrefix": {} } } ``` #### YAML ``` LoggingConfiguration: DestinationBucketName: "DOC-EXAMPLE-BUCKET" LogFilePrefix: logs/ TargetObjectKeyFormat: SimplePrefix: {} ``` # AWS::S3::Bucket MetadataConfiguration Creates a V2 Amazon S3 Metadata configuration of a general purpose bucket. For more information, see [ Accelerating data discovery with S3 Metadata](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-overview.html) in the *Amazon S3 User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Destination](#cfn-s3-bucket-metadataconfiguration-destination)" : MetadataDestination, "[InventoryTableConfiguration](#cfn-s3-bucket-metadataconfiguration-inventorytableconfiguration)" : InventoryTableConfiguration, "[JournalTableConfiguration](#cfn-s3-bucket-metadataconfiguration-journaltableconfiguration)" : JournalTableConfiguration } ``` ### YAML ``` [Destination](#cfn-s3-bucket-metadataconfiguration-destination): MetadataDestination [InventoryTableConfiguration](#cfn-s3-bucket-metadataconfiguration-inventorytableconfiguration): InventoryTableConfiguration [JournalTableConfiguration](#cfn-s3-bucket-metadataconfiguration-journaltableconfiguration): JournalTableConfiguration ``` ## Properties `Destination` The destination information for the S3 Metadata configuration. *Required*: No *Type*: [MetadataDestination](aws-properties-s3-bucket-metadatadestination.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `InventoryTableConfiguration` The inventory table configuration for a metadata configuration. *Required*: No *Type*: [InventoryTableConfiguration](aws-properties-s3-bucket-inventorytableconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `JournalTableConfiguration` The journal table configuration for a metadata configuration. *Required*: Yes *Type*: [JournalTableConfiguration](aws-properties-s3-bucket-journaltableconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Create a metadata configuration The following example creates an S3 Metadata configuration for the specified general purpose bucket. To use this example, replace ` amzn-s3-demo-bucket ` with the name of your general purpose bucket. Also make sure to update the AWS Identity and Access Management (IAM) Amazon Resource Name (ARN) with the name of the IAM role that you want to use. #### JSON ``` { "Resources": { "S3MetadataKMSKey": { "Type": "AWS::KMS::Key", "Properties": { "Description": "KMS key for S3 metadata encryption", "EnableKeyRotation": true, "KeyPolicy": { "Version": "2012-10-17", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/SpecificRoleName" } }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Allow S3 Metadata Service", "Effect": "Allow", "Principal": { "Service": [ "maintenance.s3tables.amazonaws.com", "metadata.s3.amazonaws.com" ] }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*" } ] } } }, "S3MetadataKMSKeyAlias": { "Type": "AWS::KMS::Alias", "Properties": { "AliasName": "alias/s3-metadata-key", "TargetKeyId": { "Ref": "S3MetadataKMSKey" } } }, "TestMetadataBucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": "amzn-s3-demo-bucket", "MetadataConfiguration": { "JournalTableConfiguration": { "RecordExpiration": { "Expiration": "ENABLED", "Days": 10 }, "EncryptionConfiguration": { "SseAlgorithm": "aws:kms", "KmsKeyArn": { "Fn::GetAtt": [ "S3MetadataKMSKey", "Arn" ] } } }, "InventoryTableConfiguration": { "ConfigurationState": "ENABLED", "EncryptionConfiguration": { "SseAlgorithm": "aws:kms", "KmsKeyArn": { "Fn::GetAtt": [ "S3MetadataKMSKey", "Arn" ] } } } } } } } } ``` #### YAML ``` Resources: S3MetadataKMSKey: Type: 'AWS::KMS::Key' Properties: Description: 'KMS key for S3 metadata encryption' EnableKeyRotation: true KeyPolicy: Version: '2012-10-17 ' Statement: - Sid: 'Enable IAM User Permissions' Effect: Allow Principal: AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:role/SpecificRoleName' Action: 'kms:*' Resource: '*' - Sid: 'Allow S3 Metadata Service' Effect: Allow Principal: Service: - 'maintenance.s3tables.amazonaws.com' - 'metadata.s3.amazonaws.com' Action: - 'kms:Decrypt' - 'kms:GenerateDataKey' Resource: '*' S3MetadataKMSKeyAlias: Type: 'AWS::KMS::Alias' Properties: AliasName: 'alias/s3-metadata-key' TargetKeyId: !Ref S3MetadataKMSKey TestMetadataBucket: Type: 'AWS::S3::Bucket' Properties: BucketName: amzn-s3-demo-bucket MetadataConfiguration: JournalTableConfiguration: RecordExpiration: Expiration: ENABLED Days: 10 EncryptionConfiguration: SseAlgorithm: aws:kms KmsKeyArn: !GetAtt S3MetadataKMSKey.Arn InventoryTableConfiguration: ConfigurationState: ENABLED EncryptionConfiguration: SseAlgorithm: aws:kms KmsKeyArn: !GetAtt S3MetadataKMSKey.Arn ``` # AWS::S3::Bucket MetadataDestination The destination information for the S3 Metadata configuration. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[TableBucketArn](#cfn-s3-bucket-metadatadestination-tablebucketarn)" : String, "[TableBucketType](#cfn-s3-bucket-metadatadestination-tablebuckettype)" : String, "[TableNamespace](#cfn-s3-bucket-metadatadestination-tablenamespace)" : String } ``` ### YAML ``` [TableBucketArn](#cfn-s3-bucket-metadatadestination-tablebucketarn): String [TableBucketType](#cfn-s3-bucket-metadatadestination-tablebuckettype): String [TableNamespace](#cfn-s3-bucket-metadatadestination-tablenamespace): String ``` ## Properties `TableBucketArn` The Amazon Resource Name (ARN) of the table bucket where the metadata configuration is stored. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TableBucketType` The type of the table bucket where the metadata configuration is stored. The `aws` value indicates an AWS managed table bucket, and the `customer` value indicates a customer-managed table bucket. V2 metadata configurations are stored in AWS managed table buckets, and V1 metadata configurations are stored in customer-managed table buckets. *Required*: Yes *Type*: String *Allowed values*: `aws | customer` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TableNamespace` The namespace in the table bucket where the metadata tables for a metadata configuration are stored. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket MetadataTableConfiguration **Important** We recommend that you create your S3 Metadata configurations by using the V2 [ MetadataConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-metadataconfiguration.html) resource type. We no longer recommend using the V1 `MetadataTableConfiguration` resource type. If you created your S3 Metadata configuration before July 15, 2025, we recommend that you delete and re-create your configuration by using the [ MetadataConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-metadataconfiguration.html) resource type so that you can expire journal table records and create a live inventory table. Creates a V1 S3 Metadata configuration for a general purpose bucket. For more information, see [Accelerating data discovery with S3 Metadata](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-overview.html) in the *Amazon S3 User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[S3TablesDestination](#cfn-s3-bucket-metadatatableconfiguration-s3tablesdestination)" : S3TablesDestination } ``` ### YAML ``` [S3TablesDestination](#cfn-s3-bucket-metadatatableconfiguration-s3tablesdestination): S3TablesDestination ``` ## Properties `S3TablesDestination` The destination information for the metadata table configuration. The destination table bucket must be in the same Region and AWS account as the general purpose bucket. The specified metadata table name must be unique within the `aws_s3_metadata` namespace in the destination table bucket. *Required*: Yes *Type*: [S3TablesDestination](aws-properties-s3-bucket-s3tablesdestination.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Create metadata table configuration The following example creates an S3 Metadata configuration for the specified general purpose bucket. To use this example, replace ` amzn-s3-demo-table-bucket ` with the name of the table bucket where you want to store your metadata table, replace ` amzn-s3-demo-bucket1 ` with the name of your general purpose bucket, and replace `my_metadata_table_name` with the name that you want to use for your metadata table. #### JSON ``` { "Resources": { "S3TableBucket": { "Type": "AWS::S3Tables::TableBucket", "Properties": { "TableBucketName": "amzn-s3-demo-table-bucket" } }, "S3Bucket": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": { "BucketName": "amzn-s3-demo-bucket1", "MetadataTableConfiguration": { "S3TablesDestination": { "TableBucketArn": { "Fn::GetAtt": [ "S3TableBucket", "TableBucketARN" ] }, "TableName": "my_metadata_table_name", "TableNamespace": "aws_s3_metadata" } } } } } } ``` #### YAML ``` Resources: S3TableBucket: Type: AWS::S3Tables::TableBucket Properties: TableBucketName: amzn-s3-demo-table-bucket S3Bucket: Type: AWS::S3::Bucket DeletionPolicy: Retain Properties: BucketName: amzn-s3-demo-bucket1 MetadataTableConfiguration: S3TablesDestination: TableBucketArn: !GetAtt S3TableBucket.TableBucketARN TableName: my_metadata_table_name TableNamespace: aws_s3_metadata ``` # AWS::S3::Bucket MetadataTableEncryptionConfiguration The encryption settings for an S3 Metadata journal table or inventory table configuration. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[KmsKeyArn](#cfn-s3-bucket-metadatatableencryptionconfiguration-kmskeyarn)" : String, "[SseAlgorithm](#cfn-s3-bucket-metadatatableencryptionconfiguration-ssealgorithm)" : String } ``` ### YAML ``` [KmsKeyArn](#cfn-s3-bucket-metadatatableencryptionconfiguration-kmskeyarn): String [SseAlgorithm](#cfn-s3-bucket-metadatatableencryptionconfiguration-ssealgorithm): String ``` ## Properties `KmsKeyArn` If server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) is specified, you must also specify the KMS key Amazon Resource Name (ARN). You must specify a customer-managed KMS key that's located in the same Region as the general purpose bucket that corresponds to the metadata table configuration. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SseAlgorithm` The encryption type specified for a metadata table. To specify server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS), use the `aws:kms` value. To specify server-side encryption with Amazon S3 managed keys (SSE-S3), use the `AES256` value. *Required*: Yes *Type*: String *Allowed values*: `aws:kms | AES256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket Metrics A container specifying replication metrics-related settings enabling replication metrics and events. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[EventThreshold](#cfn-s3-bucket-metrics-eventthreshold)" : ReplicationTimeValue, "[Status](#cfn-s3-bucket-metrics-status)" : String } ``` ### YAML ``` [EventThreshold](#cfn-s3-bucket-metrics-eventthreshold): ReplicationTimeValue [Status](#cfn-s3-bucket-metrics-status): String ``` ## Properties `EventThreshold` A container specifying the time threshold for emitting the `s3:Replication:OperationMissedThreshold` event. *Required*: No *Type*: [ReplicationTimeValue](aws-properties-s3-bucket-replicationtimevalue.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Status` Specifies whether the replication metrics are enabled. *Required*: Yes *Type*: String *Allowed values*: `Disabled | Enabled` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## See also + AWS::S3::Bucket [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket--examples) # AWS::S3::Bucket MetricsConfiguration Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket. If you're updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don't include the elements you want to keep, they are erased. For examples, see [AWS::S3::Bucket](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket--examples). For more information, see [ PUT Bucket metrics](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTMetricConfiguration.html) in the *Amazon S3 API Reference*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[AccessPointArn](#cfn-s3-bucket-metricsconfiguration-accesspointarn)" : String, "[Id](#cfn-s3-bucket-metricsconfiguration-id)" : String, "[Prefix](#cfn-s3-bucket-metricsconfiguration-prefix)" : String, "[TagFilters](#cfn-s3-bucket-metricsconfiguration-tagfilters)" : [ TagFilter, ... ] } ``` ### YAML ``` [AccessPointArn](#cfn-s3-bucket-metricsconfiguration-accesspointarn): String [Id](#cfn-s3-bucket-metricsconfiguration-id): String [Prefix](#cfn-s3-bucket-metricsconfiguration-prefix): String [TagFilters](#cfn-s3-bucket-metricsconfiguration-tagfilters): - TagFilter ``` ## Properties `AccessPointArn` The access point that was used while performing operations on the object. The metrics configuration only includes objects that meet the filter's criteria. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Id` The ID used to identify the metrics configuration. This can be any value you choose that helps you identify your metrics configuration. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Prefix` The prefix that an object must have to be included in the metrics results. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TagFilters` Specifies a list of tag filters to use as a metrics configuration filter. The metrics configuration includes only objects that meet the filter's criteria. *Required*: No *Type*: Array of [TagFilter](aws-properties-s3-bucket-tagfilter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## See also + AWS::S3::Bucket [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket--examples) # AWS::S3::Bucket NoncurrentVersionExpiration Specifies when noncurrent object versions expire. Upon expiration, Amazon S3 permanently deletes the noncurrent object versions. You set this lifecycle configuration action on a bucket that has versioning enabled (or suspended) to request that Amazon S3 delete noncurrent object versions at a specific period in the object's lifetime. For more information about setting a lifecycle rule configuration, see [AWS::S3::Bucket Rule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-lifecycleconfig-rule.html). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[NewerNoncurrentVersions](#cfn-s3-bucket-noncurrentversionexpiration-newernoncurrentversions)" : Integer, "[NoncurrentDays](#cfn-s3-bucket-noncurrentversionexpiration-noncurrentdays)" : Integer } ``` ### YAML ``` [NewerNoncurrentVersions](#cfn-s3-bucket-noncurrentversionexpiration-newernoncurrentversions): Integer [NoncurrentDays](#cfn-s3-bucket-noncurrentversionexpiration-noncurrentdays): Integer ``` ## Properties `NewerNoncurrentVersions` Specifies how many noncurrent versions Amazon S3 will retain. If there are this many more recent noncurrent versions, Amazon S3 will take the associated action. For more information about noncurrent versions, see [Lifecycle configuration elements](https://docs.aws.amazon.com/AmazonS3/latest/userguide/intro-lifecycle-rules.html) in the *Amazon S3 User Guide*. *Required*: No *Type*: Integer *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NoncurrentDays` Specifies the number of days an object is noncurrent before Amazon S3 can perform the associated action. For information about the noncurrent days calculations, see [How Amazon S3 Calculates When an Object Became Noncurrent](https://docs.aws.amazon.com/AmazonS3/latest/dev/intro-lifecycle-rules.html#non-current-days-calculations) in the *Amazon S3 User Guide*. *Required*: Yes *Type*: Integer *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket NoncurrentVersionTransition Container for the transition rule that describes when noncurrent objects transition to the `STANDARD_IA`, `ONEZONE_IA`, `INTELLIGENT_TIERING`, `GLACIER_IR`, `GLACIER`, or `DEEP_ARCHIVE` storage class. If your bucket is versioning-enabled (or versioning is suspended), you can set this action to request that Amazon S3 transition noncurrent object versions to the `STANDARD_IA`, `ONEZONE_IA`, `INTELLIGENT_TIERING`, `GLACIER_IR`, `GLACIER`, or `DEEP_ARCHIVE` storage class at a specific period in the object's lifetime. If you specify this property, don't specify the `NoncurrentVersionTransitions` property. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[NewerNoncurrentVersions](#cfn-s3-bucket-noncurrentversiontransition-newernoncurrentversions)" : Integer, "[StorageClass](#cfn-s3-bucket-noncurrentversiontransition-storageclass)" : String, "[TransitionInDays](#cfn-s3-bucket-noncurrentversiontransition-transitionindays)" : Integer } ``` ### YAML ``` [NewerNoncurrentVersions](#cfn-s3-bucket-noncurrentversiontransition-newernoncurrentversions): Integer [StorageClass](#cfn-s3-bucket-noncurrentversiontransition-storageclass): String [TransitionInDays](#cfn-s3-bucket-noncurrentversiontransition-transitionindays): Integer ``` ## Properties `NewerNoncurrentVersions` Specifies how many noncurrent versions Amazon S3 will retain. If there are this many more recent noncurrent versions, Amazon S3 will take the associated action. For more information about noncurrent versions, see [Lifecycle configuration elements](https://docs.aws.amazon.com/AmazonS3/latest/userguide/intro-lifecycle-rules.html) in the *Amazon S3 User Guide*. *Required*: No *Type*: Integer *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `StorageClass` The class of storage used to store the object. *Required*: Yes *Type*: String *Allowed values*: `DEEP_ARCHIVE | GLACIER | Glacier | GLACIER_IR | INTELLIGENT_TIERING | ONEZONE_IA | STANDARD_IA` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TransitionInDays` Specifies the number of days an object is noncurrent before Amazon S3 can perform the associated action. For information about the noncurrent days calculations, see [How Amazon S3 Calculates How Long an Object Has Been Noncurrent](https://docs.aws.amazon.com/AmazonS3/latest/dev/intro-lifecycle-rules.html#non-current-days-calculations) in the *Amazon S3 User Guide*. *Required*: Yes *Type*: Integer *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket NotificationConfiguration Describes the notification configuration for an Amazon S3 bucket. **Note** If you create the target resource and related permissions in the same template, you might have a circular dependency. For example, you might use the `AWS::Lambda::Permission` resource to grant the bucket permission to invoke an AWS Lambda function. However, AWS CloudFormation can't create the bucket until the bucket has permission to invoke the function (AWS CloudFormation checks whether the bucket can invoke the function). If you're using Refs to pass the bucket name, this leads to a circular dependency. To avoid this dependency, you can create all resources without specifying the notification configuration. Then, update the stack with a notification configuration. For more information on permissions, see [AWS::Lambda::Permission](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html) and [Granting Permissions to Publish Event Notification Messages to a Destination](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html#grant-destinations-permissions-to-s3). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[EventBridgeConfiguration](#cfn-s3-bucket-notificationconfiguration-eventbridgeconfiguration)" : EventBridgeConfiguration, "[LambdaConfigurations](#cfn-s3-bucket-notificationconfiguration-lambdaconfigurations)" : [ LambdaConfiguration, ... ], "[QueueConfigurations](#cfn-s3-bucket-notificationconfiguration-queueconfigurations)" : [ QueueConfiguration, ... ], "[TopicConfigurations](#cfn-s3-bucket-notificationconfiguration-topicconfigurations)" : [ TopicConfiguration, ... ] } ``` ### YAML ``` [EventBridgeConfiguration](#cfn-s3-bucket-notificationconfiguration-eventbridgeconfiguration): EventBridgeConfiguration [LambdaConfigurations](#cfn-s3-bucket-notificationconfiguration-lambdaconfigurations): - LambdaConfiguration [QueueConfigurations](#cfn-s3-bucket-notificationconfiguration-queueconfigurations): - QueueConfiguration [TopicConfigurations](#cfn-s3-bucket-notificationconfiguration-topicconfigurations): - TopicConfiguration ``` ## Properties `EventBridgeConfiguration` Enables delivery of events to Amazon EventBridge. *Required*: No *Type*: [EventBridgeConfiguration](aws-properties-s3-bucket-eventbridgeconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `LambdaConfigurations` Describes the AWS Lambda functions to invoke and the events for which to invoke them. *Required*: No *Type*: Array of [LambdaConfiguration](aws-properties-s3-bucket-lambdaconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `QueueConfigurations` The Amazon Simple Queue Service queues to publish messages to and the events for which to publish messages. *Required*: No *Type*: Array of [QueueConfiguration](aws-properties-s3-bucket-queueconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TopicConfigurations` The topic to which notifications are sent and the events for which notifications are generated. *Required*: No *Type*: Array of [TopicConfiguration](aws-properties-s3-bucket-topicconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Receive S3 bucket notifications to an SNS topic The following example template shows an Amazon S3 bucket with a notification configuration that sends an event to the specified SNS topic when S3 has lost all replicas of an object. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "Private", "NotificationConfiguration": { "TopicConfigurations": [ { "Topic": "arn:aws:sns:us-east-1:123456789012:TestTopic", "Event": "s3:ReducedRedundancyLostObject" } ] } } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with a notification configuration." } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: AccessControl: Private NotificationConfiguration: TopicConfigurations: - Topic: 'arn:aws:sns:us-east-1:123456789012:TestTopic' Event: 's3:ReducedRedundancyLostObject' Outputs: BucketName: Value: !Ref S3Bucket Description: Name of the sample Amazon S3 bucket with a notification configuration. ``` # AWS::S3::Bucket NotificationFilter Specifies object key name filtering rules. For information about key name filtering, see [Configuring event notifications using object key name filtering](https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-how-to-filtering.html) in the *Amazon S3 User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[S3Key](#cfn-s3-bucket-notificationfilter-s3key)" : S3KeyFilter } ``` ### YAML ``` [S3Key](#cfn-s3-bucket-notificationfilter-s3key): S3KeyFilter ``` ## Properties `S3Key` A container for object key name prefix and suffix filtering rules. *Required*: Yes *Type*: [S3KeyFilter](aws-properties-s3-bucket-s3keyfilter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket ObjectLockConfiguration Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see [Locking Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ObjectLockEnabled](#cfn-s3-bucket-objectlockconfiguration-objectlockenabled)" : String, "[Rule](#cfn-s3-bucket-objectlockconfiguration-rule)" : ObjectLockRule } ``` ### YAML ``` [ObjectLockEnabled](#cfn-s3-bucket-objectlockconfiguration-objectlockenabled): String [Rule](#cfn-s3-bucket-objectlockconfiguration-rule): ObjectLockRule ``` ## Properties `ObjectLockEnabled` Indicates whether this bucket has an Object Lock configuration enabled. Enable `ObjectLockEnabled` when you apply `ObjectLockConfiguration` to a bucket. *Required*: No *Type*: String *Allowed values*: `Enabled` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Rule` Specifies the Object Lock rule for the specified object. Enable this rule when you apply `ObjectLockConfiguration` to a bucket. If Object Lock is turned on, bucket settings require both `Mode` and a period of either `Days` or `Years`. You cannot specify `Days` and `Years` at the same time. For more information, see [ObjectLockRule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-objectlockrule.html) and [DefaultRetention](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-defaultretention.html). *Required*: Conditional *Type*: [ObjectLockRule](aws-properties-s3-bucket-objectlockrule.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## See also + AWS::S3::Bucket [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket--examples) # AWS::S3::Bucket ObjectLockRule Specifies the Object Lock rule for the specified object. Enable the this rule when you apply `ObjectLockConfiguration` to a bucket. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[DefaultRetention](#cfn-s3-bucket-objectlockrule-defaultretention)" : DefaultRetention } ``` ### YAML ``` [DefaultRetention](#cfn-s3-bucket-objectlockrule-defaultretention): DefaultRetention ``` ## Properties `DefaultRetention` The default Object Lock retention mode and period that you want to apply to new objects placed in the specified bucket. If Object Lock is turned on, bucket settings require both `Mode` and a period of either `Days` or `Years`. You cannot specify `Days` and `Years` at the same time. For more information about allowable values for mode and period, see [DefaultRetention](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-defaultretention.html). *Required*: Conditional *Type*: [DefaultRetention](aws-properties-s3-bucket-defaultretention.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket OwnershipControls Specifies the container element for Object Ownership rules. S3 Object Ownership is an Amazon S3 bucket-level setting that you can use to disable access control lists (ACLs) and take ownership of every object in your bucket, simplifying access management for data stored in Amazon S3. For more information, see [Controlling ownership of objects and disabling ACLs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon S3 User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Rules](#cfn-s3-bucket-ownershipcontrols-rules)" : [ OwnershipControlsRule, ... ] } ``` ### YAML ``` [Rules](#cfn-s3-bucket-ownershipcontrols-rules): - OwnershipControlsRule ``` ## Properties `Rules` Specifies the container element for Object Ownership rules. *Required*: Yes *Type*: Array of [OwnershipControlsRule](aws-properties-s3-bucket-ownershipcontrolsrule.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples **Topics** + [Object ownership - BucketOwnerEnforced](#aws-properties-s3-bucket-ownershipcontrols--examples--Object_ownership_-_BucketOwnerEnforced) + [Object Ownership - BucketOwnerPreferred](#aws-properties-s3-bucket-ownershipcontrols--examples--Object_Ownership_-_BucketOwnerPreferred) ### Object ownership - BucketOwnerEnforced The following examples show Object Ownership set to `BucketOwnerEnforced`. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced" } ] } } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: OwnershipControls: Rules: - ObjectOwnership: BucketOwnerEnforced ``` ### Object Ownership - BucketOwnerPreferred The following examples show Object Ownership set to `BucketOwnerPreferred`. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerPreferred" } ] } } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: OwnershipControls: Rules: - ObjectOwnership: BucketOwnerPreferred ``` # AWS::S3::Bucket OwnershipControlsRule Specifies an Object Ownership rule. S3 Object Ownership is an Amazon S3 bucket-level setting that you can use to disable access control lists (ACLs) and take ownership of every object in your bucket, simplifying access management for data stored in Amazon S3. For more information, see [Controlling ownership of objects and disabling ACLs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon S3 User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ObjectOwnership](#cfn-s3-bucket-ownershipcontrolsrule-objectownership)" : String } ``` ### YAML ``` [ObjectOwnership](#cfn-s3-bucket-ownershipcontrolsrule-objectownership): String ``` ## Properties `ObjectOwnership` Specifies an object ownership rule. *Required*: No *Type*: String *Allowed values*: `ObjectWriter | BucketOwnerPreferred | BucketOwnerEnforced` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples **Topics** + [Object Ownership - BucketOwnerEnforced](#aws-properties-s3-bucket-ownershipcontrolsrule--examples--Object_Ownership_-_BucketOwnerEnforced) + [Object Ownership - BucketOwnerPreferred](#aws-properties-s3-bucket-ownershipcontrolsrule--examples--Object_Ownership_-_BucketOwnerPreferred) ### Object Ownership - BucketOwnerEnforced The following examples show Object Ownership set to `BucketOwnerEnforced`. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced" } ] } } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: OwnershipControls: Rules: - ObjectOwnership: BucketOwnerEnforced ``` ### Object Ownership - BucketOwnerPreferred The following examples show Object Ownership set to `BucketOwnerPreferred`. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerPreferred" } ] } } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: OwnershipControls: Rules: - ObjectOwnership: BucketOwnerPreferred ``` # AWS::S3::Bucket PartitionedPrefix Amazon S3 keys for log objects are partitioned in the following format: `[DestinationPrefix][SourceAccountId]/[SourceRegion]/[SourceBucket]/[YYYY]/[MM]/[DD]/[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]` PartitionedPrefix defaults to EventTime delivery when server access logs are delivered. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[PartitionDateSource](#cfn-s3-bucket-partitionedprefix-partitiondatesource)" : String } ``` ### YAML ``` [PartitionDateSource](#cfn-s3-bucket-partitionedprefix-partitiondatesource): String ``` ## Properties `PartitionDateSource` Specifies the partition date source for the partitioned prefix. `PartitionDateSource` can be `EventTime` or `DeliveryTime`. For `DeliveryTime`, the time in the log file names corresponds to the delivery time for the log files. For `EventTime`, The logs delivered are for a specific day only. The year, month, and day correspond to the day on which the event occurred, and the hour, minutes and seconds are set to 00 in the key. *Required*: No *Type*: String *Allowed values*: `EventTime | DeliveryTime` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket PublicAccessBlockConfiguration The PublicAccessBlock configuration that you want to apply to this Amazon S3 bucket. You can enable the configuration options in any combination. Bucket-level settings work alongside account-level settings (which may inherit from organization-level policies). For more information about when Amazon S3 considers a bucket or object public, see [The Meaning of "Public"](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-policy-status) in the *Amazon S3 User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[BlockPublicAcls](#cfn-s3-bucket-publicaccessblockconfiguration-blockpublicacls)" : Boolean, "[BlockPublicPolicy](#cfn-s3-bucket-publicaccessblockconfiguration-blockpublicpolicy)" : Boolean, "[IgnorePublicAcls](#cfn-s3-bucket-publicaccessblockconfiguration-ignorepublicacls)" : Boolean, "[RestrictPublicBuckets](#cfn-s3-bucket-publicaccessblockconfiguration-restrictpublicbuckets)" : Boolean } ``` ### YAML ``` [BlockPublicAcls](#cfn-s3-bucket-publicaccessblockconfiguration-blockpublicacls): Boolean [BlockPublicPolicy](#cfn-s3-bucket-publicaccessblockconfiguration-blockpublicpolicy): Boolean [IgnorePublicAcls](#cfn-s3-bucket-publicaccessblockconfiguration-ignorepublicacls): Boolean [RestrictPublicBuckets](#cfn-s3-bucket-publicaccessblockconfiguration-restrictpublicbuckets): Boolean ``` ## Properties `BlockPublicAcls` Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to `TRUE` causes the following behavior: + PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public. + PUT Object calls fail if the request includes a public ACL. + PUT Bucket calls fail if the request includes a public ACL. Enabling this setting doesn't affect existing policies or ACLs. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `BlockPublicPolicy` Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to `TRUE` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access. Enabling this setting doesn't affect existing bucket policies. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `IgnorePublicAcls` Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to `TRUE` causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket. Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RestrictPublicBuckets` Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to `TRUE` restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy. Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## See also + AWS::S3::Bucket [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket--examples) # AWS::S3::Bucket QueueConfiguration Specifies the configuration for publishing messages to an Amazon Simple Queue Service (Amazon SQS) queue when Amazon S3 detects specified events. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Event](#cfn-s3-bucket-queueconfiguration-event)" : String, "[Filter](#cfn-s3-bucket-queueconfiguration-filter)" : NotificationFilter, "[Queue](#cfn-s3-bucket-queueconfiguration-queue)" : String } ``` ### YAML ``` [Event](#cfn-s3-bucket-queueconfiguration-event): String [Filter](#cfn-s3-bucket-queueconfiguration-filter): NotificationFilter [Queue](#cfn-s3-bucket-queueconfiguration-queue): String ``` ## Properties `Event` The Amazon S3 bucket event about which you want to publish messages to Amazon SQS. For more information, see [Supported Event Types](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the *Amazon S3 User Guide*. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Filter` The filtering rules that determine which objects trigger notifications. For example, you can create a filter so that Amazon S3 sends notifications only when image files with a `.jpg` extension are added to the bucket. For more information, see [Configuring event notifications using object key name filtering](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/notification-how-to-filtering.html) in the *Amazon S3 User Guide*. *Required*: No *Type*: [NotificationFilter](aws-properties-s3-bucket-notificationfilter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Queue` The Amazon Resource Name (ARN) of the Amazon SQS queue to which Amazon S3 publishes a message when it detects events of the specified type. FIFO queues are not allowed when enabling an SQS queue as the event notification destination. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket RecordExpiration The journal table record expiration settings for a journal table in an S3 Metadata configuration. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Days](#cfn-s3-bucket-recordexpiration-days)" : Integer, "[Expiration](#cfn-s3-bucket-recordexpiration-expiration)" : String } ``` ### YAML ``` [Days](#cfn-s3-bucket-recordexpiration-days): Integer [Expiration](#cfn-s3-bucket-recordexpiration-expiration): String ``` ## Properties `Days` If you enable journal table record expiration, you can set the number of days to retain your journal table records. Journal table records must be retained for a minimum of 7 days. To set this value, specify any whole number from `7` to `2147483647`. For example, to retain your journal table records for one year, set this value to `365`. *Required*: No *Type*: Integer *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Expiration` Specifies whether journal table record expiration is enabled or disabled. *Required*: Yes *Type*: String *Allowed values*: `ENABLED | DISABLED` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket RedirectAllRequestsTo Specifies the redirect behavior of all requests to a website endpoint of an Amazon S3 bucket. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[HostName](#cfn-s3-bucket-redirectallrequeststo-hostname)" : String, "[Protocol](#cfn-s3-bucket-redirectallrequeststo-protocol)" : String } ``` ### YAML ``` [HostName](#cfn-s3-bucket-redirectallrequeststo-hostname): String [Protocol](#cfn-s3-bucket-redirectallrequeststo-protocol): String ``` ## Properties `HostName` Name of the host where requests are redirected. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Protocol` Protocol to use when redirecting requests. The default is the protocol that is used in the original request. *Required*: No *Type*: String *Allowed values*: `http | https` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket RedirectRule Specifies how requests are redirected. In the event of an error, you can specify a different error code to return. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[HostName](#cfn-s3-bucket-redirectrule-hostname)" : String, "[HttpRedirectCode](#cfn-s3-bucket-redirectrule-httpredirectcode)" : String, "[Protocol](#cfn-s3-bucket-redirectrule-protocol)" : String, "[ReplaceKeyPrefixWith](#cfn-s3-bucket-redirectrule-replacekeyprefixwith)" : String, "[ReplaceKeyWith](#cfn-s3-bucket-redirectrule-replacekeywith)" : String } ``` ### YAML ``` [HostName](#cfn-s3-bucket-redirectrule-hostname): String [HttpRedirectCode](#cfn-s3-bucket-redirectrule-httpredirectcode): String [Protocol](#cfn-s3-bucket-redirectrule-protocol): String [ReplaceKeyPrefixWith](#cfn-s3-bucket-redirectrule-replacekeyprefixwith): String [ReplaceKeyWith](#cfn-s3-bucket-redirectrule-replacekeywith): String ``` ## Properties `HostName` The host name to use in the redirect request. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `HttpRedirectCode` The HTTP redirect code to use on the response. Not required if one of the siblings is present. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Protocol` Protocol to use when redirecting requests. The default is the protocol that is used in the original request. *Required*: No *Type*: String *Allowed values*: `http | https` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ReplaceKeyPrefixWith` The object key prefix to use in the redirect request. For example, to redirect requests for all pages with prefix `docs/` (objects in the `docs/` folder) to `documents/`, you can set a condition block with `KeyPrefixEquals` set to `docs/` and in the Redirect set `ReplaceKeyPrefixWith` to `/documents`. Not required if one of the siblings is present. Can be present only if `ReplaceKeyWith` is not provided. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [ XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints). *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ReplaceKeyWith` The specific object key to use in the redirect request. For example, redirect request to `error.html`. Not required if one of the siblings is present. Can be present only if `ReplaceKeyPrefixWith` is not provided. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [ XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints). *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Configure a static website with a routing rule In this example, `AWS::S3::Bucket's Fn::GetAtt` values are used to provide outputs. If an HTTP 404 error occurs, the routing rule redirects requests to an EC2 instance and inserts the object key prefix `report-404/` in the redirect. For example, if you request a page called `out1/ExamplePage.html` and it results in an HTTP 404 error, the request is routed to a page called `report-404/ExamplePage.html` on the specified instance. For all other HTTP error codes, `error.html` is returned. This example also specifies a metrics configuration called `EntireBucket` that enables CloudWatch request metrics at the bucket level. #### JSON ``` { "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "PublicRead", "BucketName": "public-bucket", "MetricsConfigurations": [ { "Id": "EntireBucket" } ], "WebsiteConfiguration": { "IndexDocument": "index.html", "ErrorDocument": "error.html", "RoutingRules": [ { "RoutingRuleCondition": { "HttpErrorCodeReturnedEquals": "404", "KeyPrefixEquals": "out1/" }, "RedirectRule": { "HostName": "ec2-11-22-333-44.compute-1.amazonaws.com", "ReplaceKeyPrefixWith": "report-404/" } } ] } }, "DeletionPolicy": "Retain" } }, "Outputs": { "WebsiteURL": { "Value": { "Fn::GetAtt": [ "S3Bucket", "WebsiteURL" ] }, "Description": "URL for website hosted on S3" }, "S3BucketSecureURL": { "Value": { "Fn::Join": [ "", [ "https://", { "Fn::GetAtt": [ "S3Bucket", "DomainName" ] } ] ] }, "Description": "Name of S3 bucket to hold website content" } } } ``` #### YAML ``` Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: AccessControl: PublicRead BucketName: public-bucket MetricsConfigurations: - Id: EntireBucket WebsiteConfiguration: IndexDocument: index.html ErrorDocument: error.html RoutingRules: - RoutingRuleCondition: HttpErrorCodeReturnedEquals: '404' KeyPrefixEquals: out1/ RedirectRule: HostName: ec2-11-22-333-44.compute-1.amazonaws.com ReplaceKeyPrefixWith: report-404/ DeletionPolicy: Retain Outputs: WebsiteURL: Value: !GetAtt - S3Bucket - WebsiteURL Description: URL for website hosted on S3 S3BucketSecureURL: Value: !Join - '' - - 'https://' - !GetAtt - S3Bucket - DomainName Description: Name of S3 bucket to hold website content ``` # AWS::S3::Bucket ReplicaModifications A filter that you can specify for selection for modifications on replicas. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Status](#cfn-s3-bucket-replicamodifications-status)" : String } ``` ### YAML ``` [Status](#cfn-s3-bucket-replicamodifications-status): String ``` ## Properties `Status` Specifies whether Amazon S3 replicates modifications on replicas. *Allowed values*: `Enabled` \$1 `Disabled` *Required*: Yes *Type*: String *Allowed values*: `Enabled | Disabled` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket ReplicationConfiguration A container for replication rules. You can add up to 1,000 rules. The maximum size of a replication configuration is 2 MB. The latest version of the replication configuration XML is V2. For more information about XML V2 replication configurations, see [Replication configuration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-add-config.html) in the *Amazon S3 User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Role](#cfn-s3-bucket-replicationconfiguration-role)" : String, "[Rules](#cfn-s3-bucket-replicationconfiguration-rules)" : [ ReplicationRule, ... ] } ``` ### YAML ``` [Role](#cfn-s3-bucket-replicationconfiguration-role): String [Rules](#cfn-s3-bucket-replicationconfiguration-rules): - ReplicationRule ``` ## Properties `Role` The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that Amazon S3 assumes when replicating objects. For more information, see [How to Set Up Replication](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-how-setup.html) in the *Amazon S3 User Guide*. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Rules` A container for one or more replication rules. A replication configuration must have at least one rule and can contain a maximum of 1,000 rules. *Required*: Yes *Type*: Array of [ReplicationRule](aws-properties-s3-bucket-replicationrule.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples **Topics** + [Associate a replication configuration IAM role with an S3 bucket](#aws-properties-s3-bucket-replicationconfiguration--examples--Associate_a_replication_configuration_IAM_role_with_an_S3_bucket) + [Enable versioning and replicate objects](#aws-properties-s3-bucket-replicationconfiguration--examples--Enable_versioning_and_replicate_objects) ### Associate a replication configuration IAM role with an S3 bucket The following example creates an S3 bucket and grants it permission to write to a replication bucket by using an AWS Identity and Access Management (IAM) role. To avoid a circular dependency, the role's policy is declared as a separate resource. The bucket depends on the `WorkItemBucketBackupRole` role. If the policy is included in the role, the role also depends on the bucket. #### JSON ``` { "Resources": { "RecordServiceS3Bucket": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": { "ReplicationConfiguration": { "Role": { "Fn::GetAtt": [ "WorkItemBucketBackupRole", "Arn" ] }, "Rules": [ { "Destination": { "Bucket": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Fn::Join": [ "-", [ { "Ref": "AWS::Region" }, { "Ref": "AWS::StackName" }, "replicationbucket" ] ] } ] ] }, "StorageClass": "STANDARD" }, "Id": "Backup", "Prefix": "", "Status": "Enabled" } ] }, "VersioningConfiguration": { "Status": "Enabled" } } }, "WorkItemBucketBackupRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": [ "sts:AssumeRole" ], "Effect": "Allow", "Principal": { "Service": [ "s3.amazonaws.com" ] } } ] } } }, "BucketBackupPolicy": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetReplicationConfiguration", "s3:ListBucket" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "RecordServiceS3Bucket" } ] ] } ] }, { "Action": [ "s3:GetObjectVersion", "s3:GetObjectVersionAcl" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "RecordServiceS3Bucket" }, "/*" ] ] } ] }, { "Action": [ "s3:ReplicateObject", "s3:ReplicateDelete" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Fn::Join": [ "-", [ { "Ref": "AWS::Region" }, { "Ref": "AWS::StackName" }, "replicationbucket" ] ] }, "/*" ] ] } ] } ] }, "PolicyName": "BucketBackupPolicy", "Roles": [ { "Ref": "WorkItemBucketBackupRole" } ] } } } } ``` #### YAML ``` Resources: RecordServiceS3Bucket: Type: 'AWS::S3::Bucket' DeletionPolicy: Retain Properties: ReplicationConfiguration: Role: !GetAtt - WorkItemBucketBackupRole - Arn Rules: - Destination: Bucket: !Join - '' - - 'arn:aws:s3:::' - !Join - '-' - - !Ref 'AWS::Region' - !Ref 'AWS::StackName' - replicationbucket StorageClass: STANDARD Id: Backup Prefix: '' Status: Enabled VersioningConfiguration: Status: Enabled WorkItemBucketBackupRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Statement: - Action: - 'sts:AssumeRole' Effect: Allow Principal: Service: - s3.amazonaws.com BucketBackupPolicy: Type: 'AWS::IAM::Policy' Properties: PolicyDocument: Statement: - Action: - 's3:GetReplicationConfiguration' - 's3:ListBucket' Effect: Allow Resource: - !Join - '' - - 'arn:aws:s3:::' - !Ref RecordServiceS3Bucket - Action: - 's3:GetObjectVersion' - 's3:GetObjectVersionAcl' Effect: Allow Resource: - !Join - '' - - 'arn:aws:s3:::' - !Ref RecordServiceS3Bucket - /* - Action: - 's3:ReplicateObject' - 's3:ReplicateDelete' Effect: Allow Resource: - !Join - '' - - 'arn:aws:s3:::' - !Join - '-' - - !Ref 'AWS::Region' - !Ref 'AWS::StackName' - replicationbucket - /* PolicyName: BucketBackupPolicy Roles: - !Ref WorkItemBucketBackupRole ``` ### Enable versioning and replicate objects The following example enables versioning and two replication rules. The rules copy objects prefixed with either `MyPrefix` and `MyOtherPrefix` and stores the copied objects in a bucket named `my-replication-bucket`. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "VersioningConfiguration": { "Status": "Enabled" }, "ReplicationConfiguration": { "Role": "arn:aws:iam::123456789012:role/replication_role", "Rules": [ { "Id": "MyRule1", "Status": "Enabled", "Prefix": "MyPrefix", "Destination": { "Bucket": "arn:aws:s3:::my-replication-bucket", "StorageClass": "STANDARD" } }, { "Status": "Enabled", "Prefix": "MyOtherPrefix", "Destination": { "Bucket": "arn:aws:s3:::my-replication-bucket" } } ] } } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: VersioningConfiguration: Status: Enabled ReplicationConfiguration: Role: 'arn:aws:iam::123456789012:role/replication_role' Rules: - Id: MyRule1 Status: Enabled Prefix: MyPrefix Destination: Bucket: 'arn:aws:s3:::my-replication-bucket' StorageClass: STANDARD - Status: Enabled Prefix: MyOtherPrefix Destination: Bucket: 'arn:aws:s3:::my-replication-bucket' ``` # AWS::S3::Bucket ReplicationDestination A container for information about the replication destination and its configurations including enabling the S3 Replication Time Control (S3 RTC). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[AccessControlTranslation](#cfn-s3-bucket-replicationdestination-accesscontroltranslation)" : AccessControlTranslation, "[Account](#cfn-s3-bucket-replicationdestination-account)" : String, "[Bucket](#cfn-s3-bucket-replicationdestination-bucket)" : String, "[EncryptionConfiguration](#cfn-s3-bucket-replicationdestination-encryptionconfiguration)" : EncryptionConfiguration, "[Metrics](#cfn-s3-bucket-replicationdestination-metrics)" : Metrics, "[ReplicationTime](#cfn-s3-bucket-replicationdestination-replicationtime)" : ReplicationTime, "[StorageClass](#cfn-s3-bucket-replicationdestination-storageclass)" : String } ``` ### YAML ``` [AccessControlTranslation](#cfn-s3-bucket-replicationdestination-accesscontroltranslation): AccessControlTranslation [Account](#cfn-s3-bucket-replicationdestination-account): String [Bucket](#cfn-s3-bucket-replicationdestination-bucket): String [EncryptionConfiguration](#cfn-s3-bucket-replicationdestination-encryptionconfiguration): EncryptionConfiguration [Metrics](#cfn-s3-bucket-replicationdestination-metrics): Metrics [ReplicationTime](#cfn-s3-bucket-replicationdestination-replicationtime): ReplicationTime [StorageClass](#cfn-s3-bucket-replicationdestination-storageclass): String ``` ## Properties `AccessControlTranslation` Specify this only in a cross-account scenario (where source and destination bucket owners are not the same), and you want to change replica ownership to the AWS account that owns the destination bucket. If this is not specified in the replication configuration, the replicas are owned by same AWS account that owns the source object. *Required*: No *Type*: [AccessControlTranslation](aws-properties-s3-bucket-accesscontroltranslation.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Account` Destination bucket owner account ID. In a cross-account scenario, if you direct Amazon S3 to change replica ownership to the AWS account that owns the destination bucket by specifying the `AccessControlTranslation` property, this is the account ID of the destination bucket owner. For more information, see [Cross-Region Replication Additional Configuration: Change Replica Owner](https://docs.aws.amazon.com/AmazonS3/latest/dev/crr-change-owner.html) in the *Amazon S3 User Guide*. If you specify the `AccessControlTranslation` property, the `Account` property is required. *Required*: Conditional *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Bucket` The Amazon Resource Name (ARN) of the bucket where you want Amazon S3 to store the results. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `EncryptionConfiguration` Specifies encryption-related information. *Required*: No *Type*: [EncryptionConfiguration](aws-properties-s3-bucket-encryptionconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Metrics` A container specifying replication metrics-related settings enabling replication metrics and events. *Required*: No *Type*: [Metrics](aws-properties-s3-bucket-metrics.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ReplicationTime` A container specifying S3 Replication Time Control (S3 RTC), including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated. Must be specified together with a `Metrics` block. *Required*: No *Type*: [ReplicationTime](aws-properties-s3-bucket-replicationtime.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `StorageClass` The storage class to use when replicating objects, such as S3 Standard or reduced redundancy. By default, Amazon S3 uses the storage class of the source object to create the object replica. For valid values, see the `StorageClass` element of the [PUT Bucket replication](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTreplication.html) action in the *Amazon S3 API Reference*. `FSX_OPENZFS` is not an accepted value when replicating objects. *Required*: No *Type*: String *Allowed values*: `DEEP_ARCHIVE | GLACIER | GLACIER_IR | INTELLIGENT_TIERING | ONEZONE_IA | REDUCED_REDUNDANCY | STANDARD | STANDARD_IA` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket ReplicationRule Specifies which Amazon S3 objects to replicate and where to store the replicas. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[DeleteMarkerReplication](#cfn-s3-bucket-replicationrule-deletemarkerreplication)" : DeleteMarkerReplication, "[Destination](#cfn-s3-bucket-replicationrule-destination)" : ReplicationDestination, "[Filter](#cfn-s3-bucket-replicationrule-filter)" : ReplicationRuleFilter, "[Id](#cfn-s3-bucket-replicationrule-id)" : String, "[Prefix](#cfn-s3-bucket-replicationrule-prefix)" : String, "[Priority](#cfn-s3-bucket-replicationrule-priority)" : Integer, "[SourceSelectionCriteria](#cfn-s3-bucket-replicationrule-sourceselectioncriteria)" : SourceSelectionCriteria, "[Status](#cfn-s3-bucket-replicationrule-status)" : String } ``` ### YAML ``` [DeleteMarkerReplication](#cfn-s3-bucket-replicationrule-deletemarkerreplication): DeleteMarkerReplication [Destination](#cfn-s3-bucket-replicationrule-destination): ReplicationDestination [Filter](#cfn-s3-bucket-replicationrule-filter): ReplicationRuleFilter [Id](#cfn-s3-bucket-replicationrule-id): String [Prefix](#cfn-s3-bucket-replicationrule-prefix): String [Priority](#cfn-s3-bucket-replicationrule-priority): Integer [SourceSelectionCriteria](#cfn-s3-bucket-replicationrule-sourceselectioncriteria): SourceSelectionCriteria [Status](#cfn-s3-bucket-replicationrule-status): String ``` ## Properties `DeleteMarkerReplication` Specifies whether Amazon S3 replicates delete markers. If you specify a `Filter` in your replication configuration, you must also include a `DeleteMarkerReplication` element. If your `Filter` includes a `Tag` element, the `DeleteMarkerReplication``Status` must be set to Disabled, because Amazon S3 does not support replicating delete markers for tag-based rules. For an example configuration, see [Basic Rule Configuration](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html#replication-config-min-rule-config). For more information about delete marker replication, see [Basic Rule Configuration](https://docs.aws.amazon.com/AmazonS3/latest/dev/delete-marker-replication.html). If you are using an earlier version of the replication configuration, Amazon S3 handles replication of delete markers differently. For more information, see [Backward Compatibility](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html#replication-backward-compat-considerations). *Required*: No *Type*: [DeleteMarkerReplication](aws-properties-s3-bucket-deletemarkerreplication.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Destination` A container for information about the replication destination and its configurations including enabling the S3 Replication Time Control (S3 RTC). *Required*: Yes *Type*: [ReplicationDestination](aws-properties-s3-bucket-replicationdestination.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Filter` A filter that identifies the subset of objects to which the replication rule applies. A `Filter` must specify exactly one `Prefix`, `TagFilter`, or an `And` child element. The use of the filter field indicates that this is a V2 replication configuration. This field isn't supported in a V1 replication configuration. V1 replication configuration only supports filtering by key prefix. To filter using a V1 replication configuration, add the `Prefix` directly as a child element of the `Rule` element. *Required*: No *Type*: [ReplicationRuleFilter](aws-properties-s3-bucket-replicationrulefilter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Id` A unique identifier for the rule. The maximum value is 255 characters. If you don't specify a value, AWS CloudFormation generates a random ID. When using a V2 replication configuration this property is capitalized as "ID". *Required*: No *Type*: String *Maximum*: `255` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Prefix` An object key name prefix that identifies the object or objects to which the rule applies. The maximum prefix length is 1,024 characters. To include all objects in a bucket, specify an empty string. To filter using a V1 replication configuration, add the `Prefix` directly as a child element of the `Rule` element. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [ XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints). *Required*: No *Type*: String *Maximum*: `1024` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Priority` The priority indicates which rule has precedence whenever two or more replication rules conflict. Amazon S3 will attempt to replicate objects according to all replication rules. However, if there are two or more rules with the same destination bucket, then objects will be replicated according to the rule with the highest priority. The higher the number, the higher the priority. For more information, see [Replication](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication.html) in the *Amazon S3 User Guide*. *Required*: No *Type*: Integer *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SourceSelectionCriteria` A container that describes additional filters for identifying the source objects that you want to replicate. You can choose to enable or disable the replication of these objects. *Required*: No *Type*: [SourceSelectionCriteria](aws-properties-s3-bucket-sourceselectioncriteria.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Status` Specifies whether the rule is enabled. *Required*: Yes *Type*: String *Allowed values*: `Disabled | Enabled` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples **Topics** + [Associate a replication configuration IAM role with an S3 bucket](#aws-properties-s3-bucket-replicationrule--examples--Associate_a_replication_configuration_IAM_role_with_an_S3_bucket) + [Enable versioning and replicate objects](#aws-properties-s3-bucket-replicationrule--examples--Enable_versioning_and_replicate_objects) ### Associate a replication configuration IAM role with an S3 bucket The following example creates an S3 bucket and grants it permission to write to a replication bucket by using an AWS Identity and Access Management (IAM) role. To avoid a circular dependency, the role's policy is declared as a separate resource. The bucket depends on the `WorkItemBucketBackupRole` role. If the policy is included in the role, the role also depends on the bucket. #### JSON ``` { "Resources": { "RecordServiceS3Bucket": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": { "ReplicationConfiguration": { "Role": { "Fn::GetAtt": [ "WorkItemBucketBackupRole", "Arn" ] }, "Rules": [ { "Destination": { "Bucket": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Fn::Join": [ "-", [ { "Ref": "AWS::Region" }, { "Ref": "AWS::StackName" }, "replicationbucket" ] ] } ] ] }, "StorageClass": "STANDARD" }, "Id": "Backup", "Prefix": "", "Status": "Enabled" } ] }, "VersioningConfiguration": { "Status": "Enabled" } } }, "WorkItemBucketBackupRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": [ "sts:AssumeRole" ], "Effect": "Allow", "Principal": { "Service": [ "s3.amazonaws.com" ] } } ] } } }, "BucketBackupPolicy": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetReplicationConfiguration", "s3:ListBucket" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "RecordServiceS3Bucket" } ] ] } ] }, { "Action": [ "s3:GetObjectVersion", "s3:GetObjectVersionAcl" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "RecordServiceS3Bucket" }, "/*" ] ] } ] }, { "Action": [ "s3:ReplicateObject", "s3:ReplicateDelete" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Fn::Join": [ "-", [ { "Ref": "AWS::Region" }, { "Ref": "AWS::StackName" }, "replicationbucket" ] ] }, "/*" ] ] } ] } ] }, "PolicyName": "BucketBackupPolicy", "Roles": [ { "Ref": "WorkItemBucketBackupRole" } ] } } } } ``` #### YAML ``` Resources: RecordServiceS3Bucket: Type: 'AWS::S3::Bucket' DeletionPolicy: Retain Properties: ReplicationConfiguration: Role: !GetAtt - WorkItemBucketBackupRole - Arn Rules: - Destination: Bucket: !Join - '' - - 'arn:aws:s3:::' - !Join - '-' - - !Ref 'AWS::Region' - !Ref 'AWS::StackName' - replicationbucket StorageClass: STANDARD Id: Backup Prefix: '' Status: Enabled VersioningConfiguration: Status: Enabled WorkItemBucketBackupRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Statement: - Action: - 'sts:AssumeRole' Effect: Allow Principal: Service: - s3.amazonaws.com BucketBackupPolicy: Type: 'AWS::IAM::Policy' Properties: PolicyDocument: Statement: - Action: - 's3:GetReplicationConfiguration' - 's3:ListBucket' Effect: Allow Resource: - !Join - '' - - 'arn:aws:s3:::' - !Ref RecordServiceS3Bucket - Action: - 's3:GetObjectVersion' - 's3:GetObjectVersionAcl' Effect: Allow Resource: - !Join - '' - - 'arn:aws:s3:::' - !Ref RecordServiceS3Bucket - /* - Action: - 's3:ReplicateObject' - 's3:ReplicateDelete' Effect: Allow Resource: - !Join - '' - - 'arn:aws:s3:::' - !Join - '-' - - !Ref 'AWS::Region' - !Ref 'AWS::StackName' - replicationbucket - /* PolicyName: BucketBackupPolicy Roles: - !Ref WorkItemBucketBackupRole ``` ### Enable versioning and replicate objects The following example enables versioning and two replication rules. The rules copy objects prefixed with either `MyPrefix` and `MyOtherPrefix` and stores the copied objects in a bucket named `my-replication-bucket`. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "VersioningConfiguration": { "Status": "Enabled" }, "ReplicationConfiguration": { "Role": "arn:aws:iam::123456789012:role/replication_role", "Rules": [ { "Id": "MyRule1", "Status": "Enabled", "Prefix": "MyPrefix", "Destination": { "Bucket": "arn:aws:s3:::my-replication-bucket", "StorageClass": "STANDARD" } }, { "Status": "Enabled", "Prefix": "MyOtherPrefix", "Destination": { "Bucket": "arn:aws:s3:::my-replication-bucket" } } ] } } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: VersioningConfiguration: Status: Enabled ReplicationConfiguration: Role: 'arn:aws:iam::123456789012:role/replication_role' Rules: - Id: MyRule1 Status: Enabled Prefix: MyPrefix Destination: Bucket: 'arn:aws:s3:::my-replication-bucket' StorageClass: STANDARD - Status: Enabled Prefix: MyOtherPrefix Destination: Bucket: 'arn:aws:s3:::my-replication-bucket' ``` # AWS::S3::Bucket ReplicationRuleAndOperator A container for specifying rule filters. The filters determine the subset of objects to which the rule applies. This element is required only if you specify more than one filter. For example: + If you specify both a `Prefix` and a `TagFilter`, wrap these filters in an `And` tag. + If you specify a filter based on multiple tags, wrap the `TagFilter` elements in an `And` tag ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Prefix](#cfn-s3-bucket-replicationruleandoperator-prefix)" : String, "[TagFilters](#cfn-s3-bucket-replicationruleandoperator-tagfilters)" : [ TagFilter, ... ] } ``` ### YAML ``` [Prefix](#cfn-s3-bucket-replicationruleandoperator-prefix): String [TagFilters](#cfn-s3-bucket-replicationruleandoperator-tagfilters): - TagFilter ``` ## Properties `Prefix` An object key name prefix that identifies the subset of objects to which the rule applies. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TagFilters` An array of tags containing key and value pairs. *Required*: No *Type*: Array of [TagFilter](aws-properties-s3-bucket-tagfilter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket ReplicationRuleFilter A filter that identifies the subset of objects to which the replication rule applies. A `Filter` must specify exactly one `Prefix`, `TagFilter`, or an `And` child element. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[And](#cfn-s3-bucket-replicationrulefilter-and)" : ReplicationRuleAndOperator, "[Prefix](#cfn-s3-bucket-replicationrulefilter-prefix)" : String, "[TagFilter](#cfn-s3-bucket-replicationrulefilter-tagfilter)" : TagFilter } ``` ### YAML ``` [And](#cfn-s3-bucket-replicationrulefilter-and): ReplicationRuleAndOperator [Prefix](#cfn-s3-bucket-replicationrulefilter-prefix): String [TagFilter](#cfn-s3-bucket-replicationrulefilter-tagfilter): TagFilter ``` ## Properties `And` A container for specifying rule filters. The filters determine the subset of objects to which the rule applies. This element is required only if you specify more than one filter. For example: + If you specify both a `Prefix` and a `TagFilter`, wrap these filters in an `And` tag. + If you specify a filter based on multiple tags, wrap the `TagFilter` elements in an `And` tag. *Required*: No *Type*: [ReplicationRuleAndOperator](aws-properties-s3-bucket-replicationruleandoperator.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Prefix` An object key name prefix that identifies the subset of objects to which the rule applies. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [ XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints). *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TagFilter` A container for specifying a tag key and value. The rule applies only to objects that have the tag in their tag set. *Required*: No *Type*: [TagFilter](aws-properties-s3-bucket-tagfilter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket ReplicationTime A container specifying S3 Replication Time Control (S3 RTC) related information, including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated. Must be specified together with a `Metrics` block. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Status](#cfn-s3-bucket-replicationtime-status)" : String, "[Time](#cfn-s3-bucket-replicationtime-time)" : ReplicationTimeValue } ``` ### YAML ``` [Status](#cfn-s3-bucket-replicationtime-status): String [Time](#cfn-s3-bucket-replicationtime-time): ReplicationTimeValue ``` ## Properties `Status` Specifies whether the replication time is enabled. *Required*: Yes *Type*: String *Allowed values*: `Disabled | Enabled` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Time` A container specifying the time by which replication should be complete for all objects and operations on objects. *Required*: Yes *Type*: [ReplicationTimeValue](aws-properties-s3-bucket-replicationtimevalue.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Enable S3 Replication Time Control The following example creates a replication configuration with S3 Replication Time Control (S3 RTC) enabled. To use this example, replace *amzn-s3-demo-source-bucket* with the name of your source bucket and replace *amzn-s3-demo-destination-bucket* with the name of your destination bucket. Make sure to update the AWS Identity and Access Management (IAM) role and the replication rule as needed. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "AWS CloudFormation Template for S3 Bucket Replication", "Resources": { "MyS3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": "amzn-s3-demo-source-bucket", "VersioningConfiguration": { "Status": "Enabled" }, "ReplicationConfiguration": { "Role": "arn:aws:iam::account:role/s3-replication-role", "Rules": [ { "Id": "ReplicationRule1", "Status": "Enabled", "Filter": { "Prefix": "" }, "Destination": { "Bucket": "arn:aws:s3:::amzn-s3-demo-destination-bucket", "ReplicationTime": { "Status": "Enabled", "Time": { "Minutes": 15 } }, "Metrics": { "Status": "Enabled", "EventThreshold": { "Minutes": 15 } } }, "Priority": 1, "DeleteMarkerReplication": { "Status": "Enabled" }, "SourceSelectionCriteria": { "ReplicaModifications": { "Status": "Disabled" } } } ] } } } } } ``` #### YAML ``` AWSTemplateFormatVersion: '2010-09-09' Description: 'AWS CloudFormation Template for S3 Bucket Replication' Resources: MyS3Bucket: Type: 'AWS::S3::Bucket' Properties: BucketName: 'amzn-s3-demo-source-bucket' VersioningConfiguration: Status: 'Enabled' ReplicationConfiguration: Role: 'arn:aws:iam::account:role/s3-replication-role' Rules: - Id: 'ReplicationRule1' Status: 'Enabled' Filter: Prefix: "" Destination: Bucket: 'arn:aws:s3:::amzn-s3-demo-destination-bucket' ReplicationTime: Status: Enabled Time: Minutes: 15 Metrics: Status: Enabled EventThreshold: Minutes: 15 Priority: 1 DeleteMarkerReplication: Status: Enabled SourceSelectionCriteria: ReplicaModifications: Status: Disabled ``` # AWS::S3::Bucket ReplicationTimeValue A container specifying the time value for S3 Replication Time Control (S3 RTC) and replication metrics `EventThreshold`. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Minutes](#cfn-s3-bucket-replicationtimevalue-minutes)" : Integer } ``` ### YAML ``` [Minutes](#cfn-s3-bucket-replicationtimevalue-minutes): Integer ``` ## Properties `Minutes` Contains an integer specifying time in minutes. Valid value: 15 *Required*: Yes *Type*: Integer *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket RoutingRule Specifies the redirect behavior and when a redirect is applied. For more information about routing rules, see [Configuring advanced conditional redirects](https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-page-redirect.html#advanced-conditional-redirects) in the *Amazon S3 User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[RedirectRule](#cfn-s3-bucket-routingrule-redirectrule)" : RedirectRule, "[RoutingRuleCondition](#cfn-s3-bucket-routingrule-routingrulecondition)" : RoutingRuleCondition } ``` ### YAML ``` [RedirectRule](#cfn-s3-bucket-routingrule-redirectrule): RedirectRule [RoutingRuleCondition](#cfn-s3-bucket-routingrule-routingrulecondition): RoutingRuleCondition ``` ## Properties `RedirectRule` Container for redirect information. You can redirect requests to another host, to another page, or with another protocol. In the event of an error, you can specify a different error code to return. *Required*: Yes *Type*: [RedirectRule](aws-properties-s3-bucket-redirectrule.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RoutingRuleCondition` A container for describing a condition that must be met for the specified redirect to apply. For example, 1. If request is for pages in the `/docs` folder, redirect to the `/documents` folder. 2. If request results in HTTP error 4xx, redirect request to another host where you might process the error. *Required*: No *Type*: [RoutingRuleCondition](aws-properties-s3-bucket-routingrulecondition.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Configure a static website with a routing rule In this example, `AWS::S3::Bucket's Fn::GetAtt` values are used to provide outputs. If an HTTP 404 error occurs, the routing rule redirects requests to an EC2 instance and inserts the object key prefix `report-404/` in the redirect. For example, if you request a page called `out1/ExamplePage.html` and it results in an HTTP 404 error, the request is routed to a page called `report-404/ExamplePage.html` on the specified instance. For all other HTTP error codes, `error.html` is returned. This example also specifies a metrics configuration called `EntireBucket` that enables CloudWatch request metrics at the bucket level. #### JSON ``` { "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "PublicRead", "BucketName": "public-bucket", "MetricsConfigurations": [ { "Id": "EntireBucket" } ], "WebsiteConfiguration": { "IndexDocument": "index.html", "ErrorDocument": "error.html", "RoutingRules": [ { "RoutingRuleCondition": { "HttpErrorCodeReturnedEquals": "404", "KeyPrefixEquals": "out1/" }, "RedirectRule": { "HostName": "ec2-11-22-333-44.compute-1.amazonaws.com", "ReplaceKeyPrefixWith": "report-404/" } } ] } }, "DeletionPolicy": "Retain" } }, "Outputs": { "WebsiteURL": { "Value": { "Fn::GetAtt": [ "S3Bucket", "WebsiteURL" ] }, "Description": "URL for website hosted on S3" }, "S3BucketSecureURL": { "Value": { "Fn::Join": [ "", [ "https://", { "Fn::GetAtt": [ "S3Bucket", "DomainName" ] } ] ] }, "Description": "Name of S3 bucket to hold website content" } } } ``` #### YAML ``` Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: AccessControl: PublicRead BucketName: public-bucket MetricsConfigurations: - Id: EntireBucket WebsiteConfiguration: IndexDocument: index.html ErrorDocument: error.html RoutingRules: - RoutingRuleCondition: HttpErrorCodeReturnedEquals: '404' KeyPrefixEquals: out1/ RedirectRule: HostName: ec2-11-22-333-44.compute-1.amazonaws.com ReplaceKeyPrefixWith: report-404/ DeletionPolicy: Retain Outputs: WebsiteURL: Value: !GetAtt - S3Bucket - WebsiteURL Description: URL for website hosted on S3 S3BucketSecureURL: Value: !Join - '' - - 'https://' - !GetAtt - S3Bucket - DomainName Description: Name of S3 bucket to hold website content ``` # AWS::S3::Bucket RoutingRuleCondition A container for describing a condition that must be met for the specified redirect to apply. For example, 1. If request is for pages in the `/docs` folder, redirect to the `/documents` folder. 2. If request results in HTTP error 4xx, redirect request to another host where you might process the error. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[HttpErrorCodeReturnedEquals](#cfn-s3-bucket-routingrulecondition-httperrorcodereturnedequals)" : String, "[KeyPrefixEquals](#cfn-s3-bucket-routingrulecondition-keyprefixequals)" : String } ``` ### YAML ``` [HttpErrorCodeReturnedEquals](#cfn-s3-bucket-routingrulecondition-httperrorcodereturnedequals): String [KeyPrefixEquals](#cfn-s3-bucket-routingrulecondition-keyprefixequals): String ``` ## Properties `HttpErrorCodeReturnedEquals` The HTTP error code when the redirect is applied. In the event of an error, if the error code equals this value, then the specified redirect is applied. Required when parent element `Condition` is specified and sibling `KeyPrefixEquals` is not specified. If both are specified, then both must be true for the redirect to be applied. *Required*: Conditional *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `KeyPrefixEquals` The object key name prefix when the redirect is applied. For example, to redirect requests for `ExamplePage.html`, the key prefix will be `ExamplePage.html`. To redirect request for all pages with the prefix `docs/`, the key prefix will be `docs/`, which identifies all objects in the docs/ folder. Required when the parent element `Condition` is specified and sibling `HttpErrorCodeReturnedEquals` is not specified. If both conditions are specified, both must be true for the redirect to be applied. *Required*: Conditional *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Configure a static website with a routing rule In this example, `AWS::S3::Bucket's Fn::GetAtt` values are used to provide outputs. If an HTTP 404 error occurs, the routing rule redirects requests to an EC2 instance and inserts the object key prefix `report-404/` in the redirect. For example, if you request a page called `out1/ExamplePage.html` and it results in an HTTP 404 error, the request is routed to a page called `report-404/ExamplePage.html` on the specified instance. For all other HTTP error codes, `error.html` is returned. This example also specifies a metrics configuration called `EntireBucket` that enables CloudWatch request metrics at the bucket level. #### JSON ``` { "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "PublicRead", "BucketName": "public-bucket", "MetricsConfigurations": [ { "Id": "EntireBucket" } ], "WebsiteConfiguration": { "IndexDocument": "index.html", "ErrorDocument": "error.html", "RoutingRules": [ { "RoutingRuleCondition": { "HttpErrorCodeReturnedEquals": "404", "KeyPrefixEquals": "out1/" }, "RedirectRule": { "HostName": "ec2-11-22-333-44.compute-1.amazonaws.com", "ReplaceKeyPrefixWith": "report-404/" } } ] } }, "DeletionPolicy": "Retain" } }, "Outputs": { "WebsiteURL": { "Value": { "Fn::GetAtt": [ "S3Bucket", "WebsiteURL" ] }, "Description": "URL for website hosted on S3" }, "S3BucketSecureURL": { "Value": { "Fn::Join": [ "", [ "https://", { "Fn::GetAtt": [ "S3Bucket", "DomainName" ] } ] ] }, "Description": "Name of S3 bucket to hold website content" } } } ``` #### YAML ``` Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: AccessControl: PublicRead BucketName: public-bucket MetricsConfigurations: - Id: EntireBucket WebsiteConfiguration: IndexDocument: index.html ErrorDocument: error.html RoutingRules: - RoutingRuleCondition: HttpErrorCodeReturnedEquals: '404' KeyPrefixEquals: out1/ RedirectRule: HostName: ec2-11-22-333-44.compute-1.amazonaws.com ReplaceKeyPrefixWith: report-404/ DeletionPolicy: Retain Outputs: WebsiteURL: Value: !GetAtt - S3Bucket - WebsiteURL Description: URL for website hosted on S3 S3BucketSecureURL: Value: !Join - '' - - 'https://' - !GetAtt - S3Bucket - DomainName Description: Name of S3 bucket to hold website content ``` # AWS::S3::Bucket Rule Specifies lifecycle rules for an Amazon S3 bucket. For more information, see [Put Bucket Lifecycle Configuration](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTlifecycle.html) in the *Amazon S3 API Reference*. You must specify at least one of the following properties: `AbortIncompleteMultipartUpload`, `ExpirationDate`, `ExpirationInDays`, `NoncurrentVersionExpirationInDays`, `NoncurrentVersionTransition`, `NoncurrentVersionTransitions`, `Transition`, or `Transitions`. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[AbortIncompleteMultipartUpload](#cfn-s3-bucket-rule-abortincompletemultipartupload)" : AbortIncompleteMultipartUpload, "[ExpirationDate](#cfn-s3-bucket-rule-expirationdate)" : String, "[ExpirationInDays](#cfn-s3-bucket-rule-expirationindays)" : Integer, "[ExpiredObjectDeleteMarker](#cfn-s3-bucket-rule-expiredobjectdeletemarker)" : Boolean, "[Id](#cfn-s3-bucket-rule-id)" : String, "[NoncurrentVersionExpiration](#cfn-s3-bucket-rule-noncurrentversionexpiration)" : NoncurrentVersionExpiration, "[NoncurrentVersionExpirationInDays](#cfn-s3-bucket-rule-noncurrentversionexpirationindays)" : Integer, "[NoncurrentVersionTransition](#cfn-s3-bucket-rule-noncurrentversiontransition)" : NoncurrentVersionTransition, "[NoncurrentVersionTransitions](#cfn-s3-bucket-rule-noncurrentversiontransitions)" : [ NoncurrentVersionTransition, ... ], "[ObjectSizeGreaterThan](#cfn-s3-bucket-rule-objectsizegreaterthan)" : String, "[ObjectSizeLessThan](#cfn-s3-bucket-rule-objectsizelessthan)" : String, "[Prefix](#cfn-s3-bucket-rule-prefix)" : String, "[Status](#cfn-s3-bucket-rule-status)" : String, "[TagFilters](#cfn-s3-bucket-rule-tagfilters)" : [ TagFilter, ... ], "[Transition](#cfn-s3-bucket-rule-transition)" : Transition, "[Transitions](#cfn-s3-bucket-rule-transitions)" : [ Transition, ... ] } ``` ### YAML ``` [AbortIncompleteMultipartUpload](#cfn-s3-bucket-rule-abortincompletemultipartupload): AbortIncompleteMultipartUpload [ExpirationDate](#cfn-s3-bucket-rule-expirationdate): String [ExpirationInDays](#cfn-s3-bucket-rule-expirationindays): Integer [ExpiredObjectDeleteMarker](#cfn-s3-bucket-rule-expiredobjectdeletemarker): Boolean [Id](#cfn-s3-bucket-rule-id): String [NoncurrentVersionExpiration](#cfn-s3-bucket-rule-noncurrentversionexpiration): NoncurrentVersionExpiration [NoncurrentVersionExpirationInDays](#cfn-s3-bucket-rule-noncurrentversionexpirationindays): Integer [NoncurrentVersionTransition](#cfn-s3-bucket-rule-noncurrentversiontransition): NoncurrentVersionTransition [NoncurrentVersionTransitions](#cfn-s3-bucket-rule-noncurrentversiontransitions): - NoncurrentVersionTransition [ObjectSizeGreaterThan](#cfn-s3-bucket-rule-objectsizegreaterthan): String [ObjectSizeLessThan](#cfn-s3-bucket-rule-objectsizelessthan): String [Prefix](#cfn-s3-bucket-rule-prefix): String [Status](#cfn-s3-bucket-rule-status): String [TagFilters](#cfn-s3-bucket-rule-tagfilters): - TagFilter [Transition](#cfn-s3-bucket-rule-transition): Transition [Transitions](#cfn-s3-bucket-rule-transitions): - Transition ``` ## Properties `AbortIncompleteMultipartUpload` Specifies a lifecycle rule that stops incomplete multipart uploads to an Amazon S3 bucket. *Required*: Conditional *Type*: [AbortIncompleteMultipartUpload](aws-properties-s3-bucket-abortincompletemultipartupload.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ExpirationDate` Indicates when objects are deleted from Amazon S3 and Amazon S3 Glacier. The date value must be in ISO 8601 format. The time is always midnight UTC. If you specify an expiration and transition time, you must use the same time unit for both properties (either in days or by date). The expiration time must also be later than the transition time. *Required*: Conditional *Type*: String *Pattern*: `^(\d{4})-(0[0-9]|1[0-2])-([0-2]\d|3[01])T([01]\d|2[0-4]):([0-5]\d):([0-6]\d)((\.\d{3})?)Z$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ExpirationInDays` Indicates the number of days after creation when objects are deleted from Amazon S3 and Amazon S3 Glacier. If you specify an expiration and transition time, you must use the same time unit for both properties (either in days or by date). The expiration time must also be later than the transition time. *Required*: Conditional *Type*: Integer *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ExpiredObjectDeleteMarker` Indicates whether Amazon S3 will remove a delete marker without any noncurrent versions. If set to true, the delete marker will be removed if there are no noncurrent versions. This cannot be specified with `ExpirationInDays`, `ExpirationDate`, or `TagFilters`. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Id` Unique identifier for the rule. The value can't be longer than 255 characters. *Required*: No *Type*: String *Maximum*: `255` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NoncurrentVersionExpiration` Specifies when noncurrent object versions expire. Upon expiration, Amazon S3 permanently deletes the noncurrent object versions. You set this lifecycle configuration action on a bucket that has versioning enabled (or suspended) to request that Amazon S3 delete noncurrent object versions at a specific period in the object's lifetime. *Required*: No *Type*: [NoncurrentVersionExpiration](aws-properties-s3-bucket-noncurrentversionexpiration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NoncurrentVersionExpirationInDays` (Deprecated.) For buckets with versioning enabled (or suspended), specifies the time, in days, between when a new version of the object is uploaded to the bucket and when old versions of the object expire. When object versions expire, Amazon S3 permanently deletes them. If you specify a transition and expiration time, the expiration time must be later than the transition time. *Required*: Conditional *Type*: Integer *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NoncurrentVersionTransition` (Deprecated.) For buckets with versioning enabled (or suspended), specifies when non-current objects transition to a specified storage class. If you specify a transition and expiration time, the expiration time must be later than the transition time. If you specify this property, don't specify the `NoncurrentVersionTransitions` property. *Required*: Conditional *Type*: [NoncurrentVersionTransition](aws-properties-s3-bucket-noncurrentversiontransition.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NoncurrentVersionTransitions` For buckets with versioning enabled (or suspended), one or more transition rules that specify when non-current objects transition to a specified storage class. If you specify a transition and expiration time, the expiration time must be later than the transition time. If you specify this property, don't specify the `NoncurrentVersionTransition` property. *Required*: Conditional *Type*: Array of [NoncurrentVersionTransition](aws-properties-s3-bucket-noncurrentversiontransition.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ObjectSizeGreaterThan` Specifies the minimum object size in bytes for this rule to apply to. Objects must be larger than this value in bytes. For more information about size based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide*. *Required*: No *Type*: String *Pattern*: `[0-9]+` *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ObjectSizeLessThan` Specifies the maximum object size in bytes for this rule to apply to. Objects must be smaller than this value in bytes. For more information about sized based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide*. *Required*: No *Type*: String *Pattern*: `[0-9]+` *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Prefix` Object key prefix that identifies one or more objects to which this rule applies. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [ XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints). *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Status` If `Enabled`, the rule is currently being applied. If `Disabled`, the rule is not currently being applied. *Required*: Yes *Type*: String *Allowed values*: `Enabled | Disabled` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TagFilters` Tags to use to identify a subset of objects to which the lifecycle rule applies. *Required*: No *Type*: Array of [TagFilter](aws-properties-s3-bucket-tagfilter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Transition` (Deprecated.) Specifies when an object transitions to a specified storage class. If you specify an expiration and transition time, you must use the same time unit for both properties (either in days or by date). The expiration time must also be later than the transition time. If you specify this property, don't specify the `Transitions` property. *Required*: Conditional *Type*: [Transition](aws-properties-s3-bucket-transition.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Transitions` One or more transition rules that specify when an object transitions to a specified storage class. If you specify an expiration and transition time, you must use the same time unit for both properties (either in days or by date). The expiration time must also be later than the transition time. If you specify this property, don't specify the `Transition` property. *Required*: Conditional *Type*: Array of [Transition](aws-properties-s3-bucket-transition.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Manage the lifecycle for S3 objects The following example template shows an S3 bucket with a lifecycle configuration rule. The rule applies to all objects with the `glacier` key prefix. The objects are transitioned to Glacier after one day, and deleted after one year. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "Private", "LifecycleConfiguration": { "Rules": [ { "Id": "GlacierRule", "Prefix": "glacier", "Status": "Enabled", "ExpirationInDays": 365, "Transitions": [ { "TransitionInDays": 1, "StorageClass": "GLACIER" } ] } ] } } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with a lifecycle configuration." } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: AccessControl: Private LifecycleConfiguration: Rules: - Id: GlacierRule Prefix: glacier Status: Enabled ExpirationInDays: 365 Transitions: - TransitionInDays: 1 StorageClass: GLACIER Outputs: BucketName: Value: !Ref S3Bucket Description: Name of the sample Amazon S3 bucket with a lifecycle configuration. ``` ## See also + AWS::S3::Bucket [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket--examples) # AWS::S3::Bucket S3KeyFilter A container for object key name prefix and suffix filtering rules. For more information about object key name filtering, see [Configuring event notifications using object key name filtering](https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-how-to-filtering.html) in the *Amazon S3 User Guide*. **Note** The same type of filter rule cannot be used more than once. For example, you cannot specify two prefix rules. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Rules](#cfn-s3-bucket-s3keyfilter-rules)" : [ FilterRule, ... ] } ``` ### YAML ``` [Rules](#cfn-s3-bucket-s3keyfilter-rules): - FilterRule ``` ## Properties `Rules` A list of containers for the key-value pair that defines the criteria for the filter rule. *Required*: Yes *Type*: Array of [FilterRule](aws-properties-s3-bucket-filterrule.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket S3TablesDestination The destination information for a V1 S3 Metadata configuration. The destination table bucket must be in the same Region and AWS account as the general purpose bucket. The specified metadata table name must be unique within the `aws_s3_metadata` namespace in the destination table bucket. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[TableArn](#cfn-s3-bucket-s3tablesdestination-tablearn)" : String, "[TableBucketArn](#cfn-s3-bucket-s3tablesdestination-tablebucketarn)" : String, "[TableName](#cfn-s3-bucket-s3tablesdestination-tablename)" : String, "[TableNamespace](#cfn-s3-bucket-s3tablesdestination-tablenamespace)" : String } ``` ### YAML ``` [TableArn](#cfn-s3-bucket-s3tablesdestination-tablearn): String [TableBucketArn](#cfn-s3-bucket-s3tablesdestination-tablebucketarn): String [TableName](#cfn-s3-bucket-s3tablesdestination-tablename): String [TableNamespace](#cfn-s3-bucket-s3tablesdestination-tablenamespace): String ``` ## Properties `TableArn` The Amazon Resource Name (ARN) for the metadata table in the metadata table configuration. The specified metadata table name must be unique within the `aws_s3_metadata` namespace in the destination table bucket. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TableBucketArn` The Amazon Resource Name (ARN) for the table bucket that's specified as the destination in the metadata table configuration. The destination table bucket must be in the same Region and AWS account as the general purpose bucket. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TableName` The name for the metadata table in your metadata table configuration. The specified metadata table name must be unique within the `aws_s3_metadata` namespace in the destination table bucket. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TableNamespace` The table bucket namespace for the metadata table in your metadata table configuration. This value is always `aws_s3_metadata`. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket ServerSideEncryptionByDefault Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. For more information, see [PutBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html). **Note** **General purpose buckets** - If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key (`aws/s3`) in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS. **Directory buckets** - Your SSE-KMS configuration can only support 1 [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) per directory bucket's lifetime. The [AWS managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) (`aws/s3`) isn't supported. **Directory buckets** - For directory buckets, there are only two supported options for server-side encryption: SSE-S3 and SSE-KMS. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[KMSMasterKeyID](#cfn-s3-bucket-serversideencryptionbydefault-kmsmasterkeyid)" : String, "[SSEAlgorithm](#cfn-s3-bucket-serversideencryptionbydefault-ssealgorithm)" : String } ``` ### YAML ``` [KMSMasterKeyID](#cfn-s3-bucket-serversideencryptionbydefault-kmsmasterkeyid): String [SSEAlgorithm](#cfn-s3-bucket-serversideencryptionbydefault-ssealgorithm): String ``` ## Properties `KMSMasterKeyID` AWS Key Management Service (KMS) customer managed key ID to use for the default encryption. + **General purpose buckets** - This parameter is allowed if and only if `SSEAlgorithm` is set to `aws:kms` or `aws:kms:dsse`. + **Directory buckets** - This parameter is allowed if and only if `SSEAlgorithm` is set to `aws:kms`. You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key. + Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab` + Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab` + Key Alias: `alias/alias-name` If you are using encryption with cross-account or AWS service operations, you must use a fully qualified KMS key ARN. For more information, see [Using encryption for cross-account operations](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy). + **General purpose buckets** - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner. Also, if you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log. + **Directory buckets** - When you specify an [AWS KMS customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported. Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in AWS KMS](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide*. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SSEAlgorithm` Server-side encryption algorithm to use for the default encryption. For directory buckets, there are only two supported values for server-side encryption: `AES256` and `aws:kms`. *Required*: Yes *Type*: String *Allowed values*: `aws:kms | AES256 | aws:kms:dsse` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Create a bucket with default encryption The following example creates a bucket with server-side bucket encryption configured. This example uses encryption with AWS KMS keys (SSE-KMS). You can use dual-layer server-side encryption with AWS KMS keys (DSSE-KMS) by specifying `aws:kms:dsse` for `SSEAlgorithm`. You can also use server-side encryption with S3-managed keys (SSE-S3) by modifying the [Amazon S3 Bucket ServerSideEncryptionByDefault](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html) property to specify `AES256` for `SSEAlgorithm`. For more information, see [Using SSE-S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html) in the *Amazon S3 User Guide*. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "S3 bucket with default encryption", "Resources": { "EncryptedS3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": { "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}" }, "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "KMS-KEY-ARN" } } ] } }, "DeletionPolicy": "Delete" } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: S3 bucket with default encryption Resources: EncryptedS3Bucket: Type: 'AWS::S3::Bucket' Properties: BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}' BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: 'aws:kms' KMSMasterKeyID: KMS-KEY-ARN DeletionPolicy: Delete ``` # AWS::S3::Bucket ServerSideEncryptionRule Specifies the default server-side encryption configuration. **Note** **General purpose buckets** - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner. **Directory buckets** - When you specify an [AWS KMS customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[BlockedEncryptionTypes](#cfn-s3-bucket-serversideencryptionrule-blockedencryptiontypes)" : BlockedEncryptionTypes, "[BucketKeyEnabled](#cfn-s3-bucket-serversideencryptionrule-bucketkeyenabled)" : Boolean, "[ServerSideEncryptionByDefault](#cfn-s3-bucket-serversideencryptionrule-serversideencryptionbydefault)" : ServerSideEncryptionByDefault } ``` ### YAML ``` [BlockedEncryptionTypes](#cfn-s3-bucket-serversideencryptionrule-blockedencryptiontypes): BlockedEncryptionTypes [BucketKeyEnabled](#cfn-s3-bucket-serversideencryptionrule-bucketkeyenabled): Boolean [ServerSideEncryptionByDefault](#cfn-s3-bucket-serversideencryptionrule-serversideencryptionbydefault): ServerSideEncryptionByDefault ``` ## Properties `BlockedEncryptionTypes` A bucket-level setting for Amazon S3 general purpose buckets used to prevent the upload of new objects encrypted with the specified server-side encryption type. For example, blocking an encryption type will block `PutObject`, `CopyObject`, `PostObject`, multipart upload, and replication requests to the bucket for objects with the specified encryption type. However, you can continue to read and list any pre-existing objects already encrypted with the specified encryption type. For more information, see [Blocking or unblocking SSE-C for a general purpose bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/blocking-unblocking-s3-c-encryption-gpb.html). Currently, this parameter only supports blocking or unblocking server-side encryption with customer-provided keys (SSE-C). For more information about SSE-C, see [Using server-side encryption with customer-provided keys (SSE-C)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html). *Required*: No *Type*: [BlockedEncryptionTypes](aws-properties-s3-bucket-blockedencryptiontypes.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `BucketKeyEnabled` Specifies whether Amazon S3 should use an S3 Bucket Key with server-side encryption using KMS (SSE-KMS) for new objects in the bucket. Existing objects are not affected. Setting the `BucketKeyEnabled` element to `true` causes Amazon S3 to use an S3 Bucket Key. By default, S3 Bucket Key is not enabled. For more information, see [Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html) in the *Amazon S3 User Guide*. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ServerSideEncryptionByDefault` Specifies the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. *Required*: No *Type*: [ServerSideEncryptionByDefault](aws-properties-s3-bucket-serversideencryptionbydefault.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples **Topics** + [Create a bucket with default encryption](#aws-properties-s3-bucket-serversideencryptionrule--examples--Create_a_bucket_with_default_encryption) + [Create a bucket using KMS server-side encryption with an S3 Bucket Key](#aws-properties-s3-bucket-serversideencryptionrule--examples--Create_a_bucket_using_KMS_server-side_encryption_with_an_S3_Bucket_Key) ### Create a bucket with default encryption The following example creates a bucket with server-side bucket encryption configured. This example uses encryption with KMS keys (SSE-KMS). You can use dual-layer server-side encryption with AWS KMS keys (DSSE-KMS) by specifying `aws:kms:dsse` for `SSEAlgorithm`. You can also use server-side encryption with S3-managed keys (SSE-S3) by modifying the [Amazon S3 Bucket ServerSideEncryptionByDefault](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html) property to specify `AES256` for `SSEAlgorithm`. For more information, see [Using SSE-S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html) in the *Amazon S3 User Guide*. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "S3 bucket with default encryption", "Resources": { "EncryptedS3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": { "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}" }, "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "KMS-KEY-ARN" } } ] } }, "DeletionPolicy": "Delete" } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: S3 bucket with default encryption Resources: EncryptedS3Bucket: Type: 'AWS::S3::Bucket' Properties: BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}' BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: 'aws:kms' KMSMasterKeyID: KMS-KEY-ARN DeletionPolicy: Delete ``` ### Create a bucket using KMS server-side encryption with an S3 Bucket Key The following example creates a bucket that specifies default encryption using AWS KMS server-side encryption with an S3 Bucket Key. The example uses a customer managed AWS KMS key. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "S3 bucket with default encryption using SSE-KMS with an S3 Bucket Key", "Resources": { "EncryptedS3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": { "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}" }, "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "KMS-KEY-ARN" }, "BucketKeyEnabled": true } ] } }, "DeletionPolicy": "Delete" } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: S3 bucket with default encryption using SSE-KMS with an S3 Bucket Key Resources: EncryptedS3Bucket: Type: 'AWS::S3::Bucket' Properties: BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}' BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: 'aws:kms' KMSMasterKeyID: KMS-KEY-ARN BucketKeyEnabled: true DeletionPolicy: Delete ``` # AWS::S3::Bucket SourceSelectionCriteria A container that describes additional filters for identifying the source objects that you want to replicate. You can choose to enable or disable the replication of these objects. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ReplicaModifications](#cfn-s3-bucket-sourceselectioncriteria-replicamodifications)" : ReplicaModifications, "[SseKmsEncryptedObjects](#cfn-s3-bucket-sourceselectioncriteria-ssekmsencryptedobjects)" : SseKmsEncryptedObjects } ``` ### YAML ``` [ReplicaModifications](#cfn-s3-bucket-sourceselectioncriteria-replicamodifications): ReplicaModifications [SseKmsEncryptedObjects](#cfn-s3-bucket-sourceselectioncriteria-ssekmsencryptedobjects): SseKmsEncryptedObjects ``` ## Properties `ReplicaModifications` A filter that you can specify for selection for modifications on replicas. *Required*: No *Type*: [ReplicaModifications](aws-properties-s3-bucket-replicamodifications.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SseKmsEncryptedObjects` A container for filter information for the selection of Amazon S3 objects encrypted with AWS KMS. *Required*: No *Type*: [SseKmsEncryptedObjects](aws-properties-s3-bucket-ssekmsencryptedobjects.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket SseKmsEncryptedObjects A container for filter information for the selection of S3 objects encrypted with AWS KMS. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Status](#cfn-s3-bucket-ssekmsencryptedobjects-status)" : String } ``` ### YAML ``` [Status](#cfn-s3-bucket-ssekmsencryptedobjects-status): String ``` ## Properties `Status` Specifies whether Amazon S3 replicates objects created with server-side encryption using an AWS KMS key stored in AWS Key Management Service. *Required*: Yes *Type*: String *Allowed values*: `Disabled | Enabled` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket StorageClassAnalysis Specifies data related to access patterns to be collected and made available to analyze the tradeoffs between different storage classes for an Amazon S3 bucket. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[DataExport](#cfn-s3-bucket-storageclassanalysis-dataexport)" : DataExport } ``` ### YAML ``` [DataExport](#cfn-s3-bucket-storageclassanalysis-dataexport): DataExport ``` ## Properties `DataExport` Specifies how data related to the storage class analysis for an Amazon S3 bucket should be exported. *Required*: No *Type*: [DataExport](aws-properties-s3-bucket-dataexport.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## See also + AWS::S3::Bucket [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket--examples) # AWS::S3::Bucket Tag A container of a key value name pair. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Key](#cfn-s3-bucket-tag-key)" : String, "[Value](#cfn-s3-bucket-tag-value)" : String } ``` ### YAML ``` [Key](#cfn-s3-bucket-tag-key): String [Value](#cfn-s3-bucket-tag-value): String ``` ## Properties `Key` Name of the object key. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` Value of the tag. *Required*: Yes *Type*: String *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket TagFilter Specifies tags to use to identify a subset of objects for an Amazon S3 bucket. For more information, see [Categorizing your storage using tags](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html) in the *Amazon Simple Storage Service User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Key](#cfn-s3-bucket-tagfilter-key)" : String, "[Value](#cfn-s3-bucket-tagfilter-value)" : String } ``` ### YAML ``` [Key](#cfn-s3-bucket-tagfilter-key): String [Value](#cfn-s3-bucket-tagfilter-value): String ``` ## Properties `Key` The tag key. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` The tag value. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## See also + AWS::S3::Bucket [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket--examples) # AWS::S3::Bucket TargetObjectKeyFormat Amazon S3 key format for log objects. Only one format, PartitionedPrefix or SimplePrefix, is allowed. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[PartitionedPrefix](#cfn-s3-bucket-targetobjectkeyformat-partitionedprefix)" : PartitionedPrefix, "[SimplePrefix](#cfn-s3-bucket-targetobjectkeyformat-simpleprefix)" : Json } ``` ### YAML ``` [PartitionedPrefix](#cfn-s3-bucket-targetobjectkeyformat-partitionedprefix): PartitionedPrefix [SimplePrefix](#cfn-s3-bucket-targetobjectkeyformat-simpleprefix): Json ``` ## Properties `PartitionedPrefix` Partitioned S3 key for log objects. *Required*: No *Type*: [PartitionedPrefix](aws-properties-s3-bucket-partitionedprefix.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SimplePrefix` To use the simple format for S3 keys for log objects. To specify SimplePrefix format, set SimplePrefix to \$1\$1. *Required*: No *Type*: Json *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket Tiering The S3 Intelligent-Tiering storage class is designed to optimize storage costs by automatically moving data to the most cost-effective storage access tier, without additional operational overhead. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[AccessTier](#cfn-s3-bucket-tiering-accesstier)" : String, "[Days](#cfn-s3-bucket-tiering-days)" : Integer } ``` ### YAML ``` [AccessTier](#cfn-s3-bucket-tiering-accesstier): String [Days](#cfn-s3-bucket-tiering-days): Integer ``` ## Properties `AccessTier` S3 Intelligent-Tiering access tier. See [Storage class for automatically optimizing frequently and infrequently accessed objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html#sc-dynamic-data-access) for a list of access tiers in the S3 Intelligent-Tiering storage class. *Required*: Yes *Type*: String *Allowed values*: `ARCHIVE_ACCESS | DEEP_ARCHIVE_ACCESS` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Days` The number of consecutive days of no access after which an object will be eligible to be transitioned to the corresponding tier. The minimum number of days specified for Archive Access tier must be at least 90 days and Deep Archive Access tier must be at least 180 days. The maximum can be up to 2 years (730 days). *Required*: Yes *Type*: Integer *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3::Bucket TopicConfiguration A container for specifying the configuration for publication of messages to an Amazon Simple Notification Service (Amazon SNS) topic when Amazon S3 detects specified events. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Event](#cfn-s3-bucket-topicconfiguration-event)" : String, "[Filter](#cfn-s3-bucket-topicconfiguration-filter)" : NotificationFilter, "[Topic](#cfn-s3-bucket-topicconfiguration-topic)" : String } ``` ### YAML ``` [Event](#cfn-s3-bucket-topicconfiguration-event): String [Filter](#cfn-s3-bucket-topicconfiguration-filter): NotificationFilter [Topic](#cfn-s3-bucket-topicconfiguration-topic): String ``` ## Properties `Event` The Amazon S3 bucket event about which to send notifications. For more information, see [Supported Event Types](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the *Amazon S3 User Guide*. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Filter` The filtering rules that determine for which objects to send notifications. For example, you can create a filter so that Amazon S3 sends notifications only when image files with a `.jpg` extension are added to the bucket. *Required*: No *Type*: [NotificationFilter](aws-properties-s3-bucket-notificationfilter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Topic` The Amazon Resource Name (ARN) of the Amazon SNS topic to which Amazon S3 publishes a message when it detects events of the specified type. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Receive S3 bucket notifications to an SNS topic The following example template shows an Amazon S3 bucket with a notification configuration that sends an event to the specified SNS topic when S3 has lost all replicas of an object. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "Private", "NotificationConfiguration": { "TopicConfigurations": [ { "Topic": "arn:aws:sns:us-east-1:123456789012:TestTopic", "Event": "s3:ReducedRedundancyLostObject" } ] } } } }, "Outputs": { "BucketName": { "Value": { "Ref": "S3Bucket" }, "Description": "Name of the sample Amazon S3 bucket with a notification configuration." } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: AccessControl: Private NotificationConfiguration: TopicConfigurations: - Topic: 'arn:aws:sns:us-east-1:123456789012:TestTopic' Event: 's3:ReducedRedundancyLostObject' Outputs: BucketName: Value: !Ref S3Bucket Description: Name of the sample Amazon S3 bucket with a notification configuration. ``` # AWS::S3::Bucket Transition Specifies when an object transitions to a specified storage class. For more information about Amazon S3 lifecycle configuration rules, see [Transitioning Objects Using Amazon S3 Lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/dev/lifecycle-transition-general-considerations.html) in the *Amazon S3 User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[StorageClass](#cfn-s3-bucket-transition-storageclass)" : String, "[TransitionDate](#cfn-s3-bucket-transition-transitiondate)" : String, "[TransitionInDays](#cfn-s3-bucket-transition-transitionindays)" : Integer } ``` ### YAML ``` [StorageClass](#cfn-s3-bucket-transition-storageclass): String [TransitionDate](#cfn-s3-bucket-transition-transitiondate): String [TransitionInDays](#cfn-s3-bucket-transition-transitionindays): Integer ``` ## Properties `StorageClass` The storage class to which you want the object to transition. *Required*: Yes *Type*: String *Allowed values*: `DEEP_ARCHIVE | GLACIER | Glacier | GLACIER_IR | INTELLIGENT_TIERING | ONEZONE_IA | STANDARD_IA` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TransitionDate` Indicates when objects are transitioned to the specified storage class. The date value must be in ISO 8601 format. The time is always midnight UTC. *Required*: Conditional *Type*: String *Pattern*: `^(\d{4})-(0[0-9]|1[0-2])-([0-2]\d|3[01])T([01]\d|2[0-4]):([0-5]\d):([0-6]\d)((\.\d{3})?)Z$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TransitionInDays` Indicates the number of days after creation when objects are transitioned to the specified storage class. If the specified storage class is `INTELLIGENT_TIERING`, `GLACIER_IR`, `GLACIER`, or `DEEP_ARCHIVE`, valid values are `0` or positive integers. If the specified storage class is `STANDARD_IA` or `ONEZONE_IA`, valid values are positive integers greater than `30`. Be aware that some storage classes have a minimum storage duration and that you're charged for transitioning objects before their minimum storage duration. For more information, see [ Constraints and considerations for transitions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-transition-general-considerations.html#lifecycle-configuration-constraints) in the *Amazon S3 User Guide*. *Required*: Conditional *Type*: Integer *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## See also + AWS::S3::Bucket [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket--examples) # AWS::S3::Bucket VersioningConfiguration Describes the versioning state of an Amazon S3 bucket. For more information, see [PUT Bucket versioning](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTVersioningStatus.html) in the *Amazon S3 API Reference*. Keep the following timing in mind when enabling, suspending, or transitioning between versioning states: + **Enabling versioning** - Changes may take up to 15 minutes to propagate across all AWS regions for full consistency. + **Suspending versioning** - Takes effect immediately with no propagation delay. + **Transitioning between states** - Any change from Suspended to Enabled has a 15-minute delay. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Status](#cfn-s3-bucket-versioningconfiguration-status)" : String } ``` ### YAML ``` [Status](#cfn-s3-bucket-versioningconfiguration-status): String ``` ## Properties `Status` The versioning state of the bucket. *Required*: Yes *Type*: String *Allowed values*: `Enabled | Suspended` *Update requires*: [Some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) ## Examples ### Enable versioning and replicate objects The following example enables versioning and two replication rules. The rules copy objects prefixed with either `MyPrefix` and `MyOtherPrefix` and stores the copied objects in a bucket named `my-replication-bucket`. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "VersioningConfiguration": { "Status": "Enabled" }, "ReplicationConfiguration": { "Role": "arn:aws:iam::123456789012:role/replication_role", "Rules": [ { "Id": "MyRule1", "Status": "Enabled", "Prefix": "MyPrefix", "Destination": { "Bucket": "arn:aws:s3:::my-replication-bucket", "StorageClass": "STANDARD" } }, { "Status": "Enabled", "Prefix": "MyOtherPrefix", "Destination": { "Bucket": "arn:aws:s3:::my-replication-bucket" } } ] } } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: VersioningConfiguration: Status: Enabled ReplicationConfiguration: Role: 'arn:aws:iam::123456789012:role/replication_role' Rules: - Id: MyRule1 Status: Enabled Prefix: MyPrefix Destination: Bucket: 'arn:aws:s3:::my-replication-bucket' StorageClass: STANDARD - Status: Enabled Prefix: MyOtherPrefix Destination: Bucket: 'arn:aws:s3:::my-replication-bucket' ``` # AWS::S3::Bucket WebsiteConfiguration Specifies website configuration parameters for an Amazon S3 bucket. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ErrorDocument](#cfn-s3-bucket-websiteconfiguration-errordocument)" : String, "[IndexDocument](#cfn-s3-bucket-websiteconfiguration-indexdocument)" : String, "[RedirectAllRequestsTo](#cfn-s3-bucket-websiteconfiguration-redirectallrequeststo)" : RedirectAllRequestsTo, "[RoutingRules](#cfn-s3-bucket-websiteconfiguration-routingrules)" : [ RoutingRule, ... ] } ``` ### YAML ``` [ErrorDocument](#cfn-s3-bucket-websiteconfiguration-errordocument): String [IndexDocument](#cfn-s3-bucket-websiteconfiguration-indexdocument): String [RedirectAllRequestsTo](#cfn-s3-bucket-websiteconfiguration-redirectallrequeststo): RedirectAllRequestsTo [RoutingRules](#cfn-s3-bucket-websiteconfiguration-routingrules): - RoutingRule ``` ## Properties `ErrorDocument` The name of the error document for the website. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `IndexDocument` The name of the index document for the website. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RedirectAllRequestsTo` The redirect behavior for every request to this bucket's website endpoint. If you specify this property, you can't specify any other property. *Required*: No *Type*: [RedirectAllRequestsTo](aws-properties-s3-bucket-redirectallrequeststo.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RoutingRules` Rules that define when a redirect is applied and the redirect behavior. *Required*: No *Type*: Array of [RoutingRule](aws-properties-s3-bucket-routingrule.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Configure a static website with a routing rule In this example, `AWS::S3::Bucket's Fn::GetAtt` values are used to provide outputs. If an HTTP 404 error occurs, the routing rule redirects requests to an EC2 instance and inserts the object key prefix `report-404/` in the redirect. For example, if you request a page called `out1/ExamplePage.html` and it results in an HTTP 404 error, the request is routed to a page called `report-404/ExamplePage.html` on the specified instance. For all other HTTP error codes, `error.html` is returned. This example also specifies a metrics configuration called `EntireBucket` that enables CloudWatch request metrics at the bucket level. #### JSON ``` { "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "PublicRead", "BucketName": "public-bucket", "MetricsConfigurations": [ { "Id": "EntireBucket" } ], "WebsiteConfiguration": { "IndexDocument": "index.html", "ErrorDocument": "error.html", "RoutingRules": [ { "RoutingRuleCondition": { "HttpErrorCodeReturnedEquals": "404", "KeyPrefixEquals": "out1/" }, "RedirectRule": { "HostName": "ec2-11-22-333-44.compute-1.amazonaws.com", "ReplaceKeyPrefixWith": "report-404/" } } ] } }, "DeletionPolicy": "Retain" } }, "Outputs": { "WebsiteURL": { "Value": { "Fn::GetAtt": [ "S3Bucket", "WebsiteURL" ] }, "Description": "URL for website hosted on S3" }, "S3BucketSecureURL": { "Value": { "Fn::Join": [ "", [ "https://", { "Fn::GetAtt": [ "S3Bucket", "DomainName" ] } ] ] }, "Description": "Name of S3 bucket to hold website content" } } } ``` #### YAML ``` Resources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: AccessControl: PublicRead BucketName: public-bucket MetricsConfigurations: - Id: EntireBucket WebsiteConfiguration: IndexDocument: index.html ErrorDocument: error.html RoutingRules: - RoutingRuleCondition: HttpErrorCodeReturnedEquals: '404' KeyPrefixEquals: out1/ RedirectRule: HostName: ec2-11-22-333-44.compute-1.amazonaws.com ReplaceKeyPrefixWith: report-404/ DeletionPolicy: Retain Outputs: WebsiteURL: Value: !GetAtt - S3Bucket - WebsiteURL Description: URL for website hosted on S3 S3BucketSecureURL: Value: !Join - '' - - 'https://' - !GetAtt - S3Bucket - DomainName Description: Name of S3 bucket to hold website content ```