# Successfully import an S3 bucket as an AWS CloudFormation stack
*Ram Kandaswamy, Amazon Web Services*
## Summary
If you use Amazon Web Services (AWS) resources, such as Amazon Simple Storage Service (Amazon S3) buckets, and want to use an infrastructure as code (IaC) approach, then you can import your resources into AWS CloudFormation and manage them as a stack.
This pattern provides steps to successfully import an S3 bucket as an AWS CloudFormation stack. By using this pattern's approach, you can avoid possible errors that might occur if you import your S3 bucket in a single action.
## Prerequisites and limitations
**Prerequisites **
+ An active AWS account.
+ An existing S3 bucket and S3 bucket policy. For more information about this, see [What S3 bucket policy should I use to comply with the AWS Config rule s3-bucket-ssl-requests-only](https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/) in the AWS Knowledge Center.
+ An existing AWS Key Management Service (AWS KMS) key and its alias. For more information about this, see [Working with aliases](https://docs.aws.amazon.com/kms/latest/developerguide/programming-aliases.html) in the AWS KMS documentation.
+ The sample `CloudFormation-template-S3-bucket` AWS CloudFormation template (attached), downloaded to your local computer.
## Architecture
The diagram shows the following workflow:
1. The user creates a JSON or YAML-formatted AWS CloudFormation template.
1. The template creates an AWS CloudFormation stack to import the S3 bucket.
1. The AWS CloudFormation stack manages the S3 bucket that you specified in the template.
**Technology stack**
+ AWS CloudFormation
+ AWS Identity and Access Management (IAM)
+ AWS KMS
+ Amazon S3
**Tools**
+ [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) – AWS CloudFormation helps you to create and provision AWS infrastructure deployments predictably and repeatedly.
+ [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) – IAM is a web service for securely controlling access to AWS services.
+ [AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) – AWS Key Management Service (AWS KMS) is an encryption and key management service scaled for the cloud.
+ [Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) – Amazon Simple Storage Service (Amazon S3) is storage for the Internet.
## Epics
### Import an S3 bucket with AWS KMS key-based encryption as an AWS CloudFormation stack
| Task | Description | Skills required |
| --- | --- | --- |
| Create a template to import the S3 bucket and KMS key. | On your local computer, create a template to import your S3 bucket and KMS key by using the following sample template:AWSTemplateFormatVersion: 2010-09-09
Parameters:
bucketName:
Type: String
Resources:
S3Bucket:
Type: 'AWS::S3::Bucket'
DeletionPolicy: Retain
Properties:
BucketName: !Ref bucketName
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: 'aws:kms'
KMSMasterKeyID: !GetAtt
- KMSS3Encryption
- Arn
KMSS3Encryption:
Type: 'AWS::KMS::Key'
DeletionPolicy: Retain
Properties:
Enabled: true
KeyPolicy: !Sub |-
{
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam::${AWS::AccountId}:root"]
},
"Action": "kms:*",
"Resource": "*"
}
}
]
}
EnableKeyRotation: true
| AWS DevOps |
| Create the stack. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/successfully-import-an-s3-bucket-as-an-aws-cloudformation-stack.html) | AWS DevOps |
| Create the KMS key alias. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/successfully-import-an-s3-bucket-as-an-aws-cloudformation-stack.html)KMSS3EncryptionAlias:
Type: 'AWS::KMS::Alias'
DeletionPolicy: Retain
Properties:
AliasName: alias/S3BucketKey
TargetKeyId: !Ref KMSS3Encryption
For more information about this, see [AWS CloudFormation stack updates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html) in the AWS CloudFormation documentation. | AWS DevOps |
| Update the stack to include the S3 bucket policy. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/successfully-import-an-s3-bucket-as-an-aws-cloudformation-stack.html)S3BucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref S3Bucket
PolicyDocument: !Sub |-
{
"Version": "2008-10-17",
"Id": "restricthttp",
"Statement": [
{
"Sid": "denyhttp",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": ["arn:aws:s3:::${S3Bucket}","arn:aws:s3:::${S3Bucket}/*"],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
This S3 bucket policy has a deny statement that restricts API calls that are not secure. | AWS DevOps |
| Update the key policy. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/successfully-import-an-s3-bucket-as-an-aws-cloudformation-stack.html)For more information, see [Key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the AWS KMS documentation. | AWS administrator |
| Add resource-level tags. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/successfully-import-an-s3-bucket-as-an-aws-cloudformation-stack.html)Tags:
- Key: createdBy
Value: Cloudformation
| AWS DevOps |
## Related resources
+ [Bringing existing resources into AWS CloudFormation management ](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html)
+ [AWS re:Invent 2017: Deep dive on AWS CloudFormation](https://www.youtube.com/watch?v=01hy48R9Kr8) (video)
## Attachments
To access additional content that is associated with this document, unzip the following file: [attachment.zip](samples/p-attach/aea7f6fe-8e67-46c4-8b90-1ab06b879111/attachments/attachment.zip)