This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::S3Express::AccessPoint Access points simplify managing data access at scale for shared datasets in Amazon S3. Access points are unique hostnames you create to enforce distinct permissions and network controls for all requests made through an access point. You can create hundreds of access points per bucket, each with a distinct name and permissions customized for each application. Each access point works in conjunction with the bucket policy that is attached to the underlying bucket. For more information, see [Managing access to shared datasets in directory buckets with access points](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-directory-buckets.html). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::S3Express::AccessPoint", "Properties" : { "[Bucket](#cfn-s3express-accesspoint-bucket)" : String, "[BucketAccountId](#cfn-s3express-accesspoint-bucketaccountid)" : String, "[Name](#cfn-s3express-accesspoint-name)" : String, "[Policy](#cfn-s3express-accesspoint-policy)" : Json, "[PublicAccessBlockConfiguration](#cfn-s3express-accesspoint-publicaccessblockconfiguration)" : PublicAccessBlockConfiguration, "[Scope](#cfn-s3express-accesspoint-scope)" : Scope, "[Tags](#cfn-s3express-accesspoint-tags)" : [ Tag, ... ], "[VpcConfiguration](#cfn-s3express-accesspoint-vpcconfiguration)" : VpcConfiguration } } ``` ### YAML ``` Type: AWS::S3Express::AccessPoint Properties: [Bucket](#cfn-s3express-accesspoint-bucket): String [BucketAccountId](#cfn-s3express-accesspoint-bucketaccountid): String [Name](#cfn-s3express-accesspoint-name): String [Policy](#cfn-s3express-accesspoint-policy): Json [PublicAccessBlockConfiguration](#cfn-s3express-accesspoint-publicaccessblockconfiguration): PublicAccessBlockConfiguration [Scope](#cfn-s3express-accesspoint-scope): Scope [Tags](#cfn-s3express-accesspoint-tags): - Tag [VpcConfiguration](#cfn-s3express-accesspoint-vpcconfiguration): VpcConfiguration ``` ## Properties `Bucket` The name of the bucket that you want to associate the access point with. *Required*: Yes *Type*: String *Minimum*: `3` *Maximum*: `255` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `BucketAccountId` The AWS account ID that owns the bucket associated with this access point. *Required*: No *Type*: String *Pattern*: `^\d{12}$` *Maximum*: `64` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `Name` An access point name consists of a base name you provide, followed by the zoneID (AWS Local Zone) followed by the prefix `--xa-s3`. For example, accesspointname--zoneID--xa-s3. *Required*: No *Type*: String *Pattern*: `^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$` *Minimum*: `3` *Maximum*: `50` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `Policy` The access point policy associated with the specified access point. *Required*: No *Type*: Json *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `PublicAccessBlockConfiguration` Public access is blocked by default to access points for directory buckets. *Required*: No *Type*: [PublicAccessBlockConfiguration](aws-properties-s3express-accesspoint-publicaccessblockconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Scope` You can use the access point scope to restrict access to specific prefixes, API operations, or a combination of both. For more information, see [Manage the scope of your access points for directory buckets.](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-directory-buckets-manage-scope.html) *Required*: No *Type*: [Scope](aws-properties-s3express-accesspoint-scope.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Tags` An array of tags that you can apply to access points. Tags are key-value pairs of metadata used to categorize your access points and control access. For more information, see [Using tags for attribute-based access control (ABAC)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging.html#using-tags-for-abac). *Required*: No *Type*: Array of [Tag](aws-properties-s3express-accesspoint-tag.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `VpcConfiguration` If you include this field, Amazon S3 restricts access to this access point to requests from the specified virtual private cloud (VPC). *Required*: No *Type*: [VpcConfiguration](aws-properties-s3express-accesspoint-vpcconfiguration.md) *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) ## Return values ### Ref ### Fn::GetAtt #### `Arn` The ARN of the access point. `NetworkOrigin` The network configuration of the access point. # AWS::S3Express::AccessPoint PublicAccessBlockConfiguration Public access is blocked by default to access points for directory buckets. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[BlockPublicAcls](#cfn-s3express-accesspoint-publicaccessblockconfiguration-blockpublicacls)" : Boolean, "[BlockPublicPolicy](#cfn-s3express-accesspoint-publicaccessblockconfiguration-blockpublicpolicy)" : Boolean, "[IgnorePublicAcls](#cfn-s3express-accesspoint-publicaccessblockconfiguration-ignorepublicacls)" : Boolean, "[RestrictPublicBuckets](#cfn-s3express-accesspoint-publicaccessblockconfiguration-restrictpublicbuckets)" : Boolean } ``` ### YAML ``` [BlockPublicAcls](#cfn-s3express-accesspoint-publicaccessblockconfiguration-blockpublicacls): Boolean [BlockPublicPolicy](#cfn-s3express-accesspoint-publicaccessblockconfiguration-blockpublicpolicy): Boolean [IgnorePublicAcls](#cfn-s3express-accesspoint-publicaccessblockconfiguration-ignorepublicacls): Boolean [RestrictPublicBuckets](#cfn-s3express-accesspoint-publicaccessblockconfiguration-restrictpublicbuckets): Boolean ``` ## Properties `BlockPublicAcls` Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to `TRUE` causes the following behavior: + PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public. + PUT Object calls fail if the request includes a public ACL. + PUT Bucket calls fail if the request includes a public ACL. Enabling this setting doesn't affect existing policies or ACLs. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `BlockPublicPolicy` Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to `TRUE` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access. Enabling this setting doesn't affect existing bucket policies. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `IgnorePublicAcls` Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to `TRUE` causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket. Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RestrictPublicBuckets` Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to `TRUE` restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy. Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3Express::AccessPoint Scope You can use the access point scope to restrict access to specific prefixes, API operations, or a combination of both. For more information, see [Manage the scope of your access points for directory buckets.](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-directory-buckets-manage-scope.html) ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Permissions](#cfn-s3express-accesspoint-scope-permissions)" : [ String, ... ], "[Prefixes](#cfn-s3express-accesspoint-scope-prefixes)" : [ String, ... ] } ``` ### YAML ``` [Permissions](#cfn-s3express-accesspoint-scope-permissions): - String [Prefixes](#cfn-s3express-accesspoint-scope-prefixes): - String ``` ## Properties `Permissions` You can include one or more API operations as permissions. *Required*: No *Type*: Array of String *Allowed values*: `GetObject | GetObjectAttributes | ListMultipartUploadParts | ListBucket | ListBucketMultipartUploads | PutObject | DeleteObject | AbortMultipartUpload` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Prefixes` You can specify any amount of prefixes, but the total length of characters of all prefixes must be less than 256 bytes in size. *Required*: No *Type*: Array of String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3Express::AccessPoint Tag A key-value pair that you use to label your access points. You can add tags to new access points when you create them, or you can add tags to existing access points. Tags can help you organize and control access to access points. For more information, see [Using tags for attribute-based access control (ABAC)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging.html#using-tags-for-abac). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Key](#cfn-s3express-accesspoint-tag-key)" : String, "[Value](#cfn-s3express-accesspoint-tag-value)" : String } ``` ### YAML ``` [Key](#cfn-s3express-accesspoint-tag-key): String [Value](#cfn-s3express-accesspoint-tag-value): String ``` ## Properties `Key` The key of the tag. Tags are key-value pairs that you use to label your access points. Tags can help you organize and control access to access points. For more information, see [Tagging S3 resources for cost allocation or attribute-based access control (ABAC)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging.html). *Required*: Yes *Type*: String *Pattern*: `^(?!aws:.*)([\p{L}\p{Z}\p{N}_.:=+\/\-@%]*)$` *Minimum*: `1` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` The value of the tag. Tags are key-value pairs that you use to label your access points. Tags can help you organize and control access to access points. For more information, see [Tagging S3 resources for cost allocation or attribute-based access control (ABAC)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging.html). *Required*: Yes *Type*: String *Pattern*: `^([\p{L}\p{Z}\p{N}_.:=+\/\-@%]*)$` *Minimum*: `0` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::S3Express::AccessPoint VpcConfiguration The `VpcConfiguration` property type specifies Property description not available. for an [AWS::S3Express::AccessPoint](aws-resource-s3express-accesspoint.md). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[VpcId](#cfn-s3express-accesspoint-vpcconfiguration-vpcid)" : String } ``` ### YAML ``` [VpcId](#cfn-s3express-accesspoint-vpcconfiguration-vpcid): String ``` ## Properties `VpcId` If this field is specified, this access point will only allow connections from the specified VPC ID. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `1024` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)