AWS S3 bucket with encryption and backups.
Install Node.js and npm first!

```shell
npm i @cfn-modules/s3-bucket
```
```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'cfn-modules example'
Resources:
  Bucket:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        KmsKeyModule: !GetAtt 'Key.Outputs.StackName' # optional; Key is a kms-key module stack not shown in this snippet
        BucketName: '' # optional
        Access: Private # optional
        Cors: Disabled # optional
        Versioning: 'true' # optional
        NoncurrentVersionExpirationInDays: '0' # optional
        ExpirationInDays: '0' # optional
        LambdaEventTargetLambdaModule1: '' # optional
        LambdaEventType1: 's3:ObjectCreated:*' # optional
        LambdaEventTargetLambdaModule2: '' # optional
        LambdaEventType2: 's3:ObjectRemoved:*' # optional
        LambdaEventTargetLambdaModule3: '' # optional
        LambdaEventType3: 's3:ReducedRedundancyLostObject' # optional
        BlockPublicAcls: 'false' # optional
        BlockPublicPolicy: 'false' # optional
        IgnorePublicAcls: 'false' # optional
        RestrictPublicBuckets: 'false' # optional
      TemplateURL: './node_modules/@cfn-modules/s3-bucket/module.yml'
```
Name | Description | Default | Required? | Allowed values
---|---|---|---|---
KmsKeyModule | Stack name of kms-key module (only works in combination with Access set to Private or PublicRead) | | no | |
BucketName | Name of the bucket | auto-generated value | no | |
Access | Access policy of the bucket | Private | no | [Private, PublicRead, CloudFrontRead, CloudFrontAccessLogWrite, ElbAccessLogWrite, ConfigWrite, CloudTrailWrite, FlowLogWrite, Custom] |
Cors | CORS policy of the bucket | Disabled | no | [Disabled, AllowAll] |
Versioning | Enable versioning to keep a backup if objects change | true | no | [true, false, 'false-but-was-true'] |
NoncurrentVersionExpirationInDays | Remove noncurrent object versions after this many days (set to 0 to disable) | 0 | no | [0-N] |
ExpirationInDays | Remove objects after this many days (set to 0 to disable) | 0 | no | [0-N] |
LambdaEventTargetLambdaModule1 | Stack name of lambda-function module to receive events from this S3 bucket. Also grants the Lambda function access to this bucket and this bucket access to the Lambda function. | | no | |
LambdaEventType1 | S3 bucket events you want to receive (cannot be the same as LambdaEventType2 or LambdaEventType3) | s3:ObjectCreated:* | no | Supported event types |
LambdaEventTargetLambdaModule2 | Stack name of lambda-function module to receive events from this S3 bucket. Also grants the Lambda function access to this bucket and this bucket access to the Lambda function. | | no | |
LambdaEventType2 | S3 bucket events you want to receive (cannot be the same as LambdaEventType1 or LambdaEventType3) | s3:ObjectRemoved:* | no | Supported event types |
LambdaEventTargetLambdaModule3 | Stack name of lambda-function module to receive events from this S3 bucket. Also grants the Lambda function access to this bucket and this bucket access to the Lambda function. | | no | |
LambdaEventType3 | S3 bucket events you want to receive (cannot be the same as LambdaEventType1 or LambdaEventType2) | s3:ReducedRedundancyLostObject | no | Supported event types |
BlockPublicAcls | Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. | false | no | [true, false] |
BlockPublicPolicy | Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to true causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access. | false | no | [true, false] |
IgnorePublicAcls | Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to true causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket. | false | no | [true, false] |
RestrictPublicBuckets | Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to true restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy. | false | no | [true, false] |
- Secure: Backups are only per object (you cannot easily restore the whole bucket to a specific state).
- Secure: If you connect a Lambda function without setting the `BucketName` parameter, the least privilege principle is softened: invocations of the Lambda function are allowed from all S3 buckets inside your AWS account.
- Secure: All four Block Public Access parameters (`BlockPublicAcls`, `BlockPublicPolicy`, `IgnorePublicAcls`, `RestrictPublicBuckets`) default to `false`; set them to `true` for any bucket that is not meant to be public, so that a later ACL or bucket-policy change cannot expose it.
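The script below is an added example and not part of the cfn-modules project. It reads a CloudFormation template written in JSON syntax (so no custom YAML tags such as `!GetAtt` have to be parsed), finds every nested stack that points at the s3-bucket module, and reports usages that break the constraints stated in the parameter table (KmsKeyModule only with Private or PublicRead, distinct LambdaEventType values) or hit the Lambda limitation above (a Lambda target with no `BucketName`). Two rules are the example's own policy rather than anything the module enforces: a Private bucket should have all four Block Public Access flags set to `true`, and `Versioning` should stay `true`. The two embedded templates are constructed for the example; the stack name `my-lambda-stack`, the bucket name `example-app-data` and the `Key` resource it references are hypothetical.

```python
"""Audit cfn-modules s3-bucket usages in a JSON-syntax CloudFormation template (added example)."""
import json

S3_BUCKET_MODULE = "@cfn-modules/s3-bucket/module.yml"
BLOCK_PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
                             "IgnorePublicAcls", "RestrictPublicBuckets")
# Module defaults from the parameter table, applied when a parameter is omitted.
DEFAULTS = {
    "Access": "Private",
    "BucketName": "",
    "Versioning": "true",
    "LambdaEventType1": "s3:ObjectCreated:*",
    "LambdaEventType2": "s3:ObjectRemoved:*",
    "LambdaEventType3": "s3:ReducedRedundancyLostObject",
    **{flag: "false" for flag in BLOCK_PUBLIC_ACCESS_FLAGS},
}


def _is_true(value):
    """Module parameters are strings; only the literal 'true' enables a flag."""
    return str(value).strip().lower() == "true"


def s3_bucket_modules(template):
    """Yield (logical_id, effective parameters) for each nested stack that uses the module."""
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") != "AWS::CloudFormation::Stack":
            continue
        if not str(props.get("TemplateURL", "")).endswith(S3_BUCKET_MODULE):
            continue
        yield logical_id, {**DEFAULTS, **props.get("Parameters", {})}


def audit_bucket(logical_id, p):
    """Return findings for one module usage; an empty list means it passed."""
    findings = []
    # Parameter table: KmsKeyModule only works with Access set to Private or PublicRead.
    if p.get("KmsKeyModule") and p["Access"] not in ("Private", "PublicRead"):
        findings.append(f"{logical_id}: KmsKeyModule has no effect with Access={p['Access']}")
    # Parameter table: the three event types must not be the same.
    event_types = [p["LambdaEventType1"], p["LambdaEventType2"], p["LambdaEventType3"]]
    if len(set(event_types)) != len(event_types):
        findings.append(f"{logical_id}: LambdaEventType1/2/3 must be distinct")
    # Limitation: a Lambda target without BucketName lets every bucket in the account invoke it.
    has_target = any(p.get(f"LambdaEventTargetLambdaModule{i}") for i in (1, 2, 3))
    if has_target and not p["BucketName"]:
        findings.append(f"{logical_id}: Lambda target without BucketName; invocation is "
                        "allowed from every S3 bucket in the account")
    # Example's own policy: a Private bucket should have Block Public Access fully enabled.
    if p["Access"] == "Private":
        off = [flag for flag in BLOCK_PUBLIC_ACCESS_FLAGS if not _is_true(p[flag])]
        if off:
            findings.append(f"{logical_id}: Access=Private but Block Public Access "
                            f"not fully enabled: {', '.join(off)}")
    # Example's own policy: without versioning there is no per-object backup at all.
    if not _is_true(p["Versioning"]):
        findings.append(f"{logical_id}: Versioning={p['Versioning']} disables per-object backups")
    return findings


def audit_template(template_json):
    """Audit every s3-bucket module usage in a template given as a JSON string."""
    template = json.loads(template_json)
    return [f for lid, params in s3_bucket_modules(template) for f in audit_bucket(lid, params)]


def _module_stack(parameters):
    # Nested-stack resource pointing at the module, mirroring the Usage snippet above.
    return {"Type": "AWS::CloudFormation::Stack",
            "Properties": {"Parameters": parameters,
                           "TemplateURL": "./node_modules/" + S3_BUCKET_MODULE}}


# Constructed template: module defaults plus a hypothetical Lambda target stack.
WEAK_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {"Bucket": _module_stack({
        "LambdaEventTargetLambdaModule1": "my-lambda-stack",  # hypothetical stack name
    })},
})

# Constructed template: same bucket with a fixed name, a KMS key and Block Public Access on.
HARDENED_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {"Bucket": _module_stack({
        "KmsKeyModule": {"Fn::GetAtt": ["Key", "Outputs.StackName"]},  # Key: hypothetical kms-key stack
        "BucketName": "example-app-data",  # hypothetical; a fixed name scopes the Lambda grant
        "Access": "Private",
        "Versioning": "true",
        "NoncurrentVersionExpirationInDays": "30",
        "LambdaEventTargetLambdaModule1": "my-lambda-stack",  # hypothetical stack name
        **{flag: "true" for flag in BLOCK_PUBLIC_ACCESS_FLAGS},
    })},
})

if __name__ == "__main__":
    for name, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(name, audit_template(tpl) or "ok")
```

Run it directly and the weak template produces two findings (the unscoped Lambda grant and the disabled Block Public Access flags) while the hardened one passes. To audit a real template, convert it to JSON first (for example with `cfn-flip`) so that intrinsic functions appear in their `Fn::` long form, as `HARDENED_TEMPLATE` shows for the KMS key reference.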