# * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. # * # * Permission is hereby granted, free of charge, to any person obtaining a copy of this # * software and associated documentation files (the "Software"), to deal in the Software # * without restriction, including without limitation the rights to use, copy, modify, # * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to # * permit persons to whom the Software is furnished to do so. # * # * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, # * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A # * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT # * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION # * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE # * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. AWSTemplateFormatVersion: 2010-09-09 Description: Service Catalog S3 Product Parameters: BucketName: Type: String Description: Bucket name, must be globaly unique. If not provided CFT will make a unique name. Commented for testing Default: '' KMSId: Description: KMS Encryption Key Id Type: String Default: '' #BlockPublicParam: # Description: Used to enable the Block Public Configuration # Type: String # AllowedValues: [True, False, true, false] # Default: True Tags: Description: The tags to be applied to the resource. Type: String Default: '' #TopicParam: # Description: SNS Topic to send notifications to # Type: String VersioningParam: Description: Determine if versioning is enabled for the bucket Type: String AllowedValues: [Enabled, Suspended] Default: "Enabled" Conditions: HasTags: !Not [!Equals [!Ref Tags, '']] HasBucketName: !Not [!Equals [!Ref BucketName, '']] UseKMSEncryption: !Not [!Equals [!Ref KMSId, '']] Resources: GetTags: Type: "Custom::ResourceCompliance" Condition: HasTags Version: "1.0" Properties: ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:sc-resource-compliance'# Action: Name: json Parameters: JSON: !Ref Tags Type: Tags S3Bucket: Type: AWS::S3::Bucket Properties: # Not implemented; AWS recommends Bucket Policies / IAM Policies to grant access # More info: https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/ # AccessControl: String # Not in scope for this soluton AccelerateConfiguration: AccelerationStatus: Enabled # AccelerationStatus: Suspended # Not in scope for this soluton #AnalyticsConfigurations: # - Id: AnalyticsConfigurationId # StorageClassAnalysis: # DataExport: # Destination: # BucketArn: !GetAtt # - Helper # - Arn # Format: CSV # Prefix: AnalyticsDestinationPrefix # OutputSchemaVersion: V_1 # Prefix: AnalyticsConfigurationPrefix # TagFilters: # - Key: AnalyticsTagKey # Value: AnalyticsTagValue BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: !If [UseKMSEncryption, "aws:kms", "AES256"] KMSMasterKeyID: !If [UseKMSEncryption, !Ref KMSId, !Ref "AWS::NoValue"] # If BucketName is not supplied it will be randomly generated BucketName: !If [HasBucketName, !Ref BucketName, !Ref "AWS::NoValue"] # Out of scope for this solution # CorsConfiguration: # Out of scope for this solution #InventoryConfigurations: # - Id: InventoryConfigurationId # Destination: # BucketArn: !GetAtt # - Helper # - Arn # Format: CSV # Prefix: InventoryDestinationPrefix # Enabled: 'true' # IncludedObjectVersions: Current # Prefix: InventoryConfigurationPrefix # ScheduleFrequency: Weekly # Out of scope for this solution #LifecycleConfiguration: # Rules: # - Id: GlacierRule # Prefix: glacier # Status: Enabled # ExpirationInDays: '365' # Transitions: # - TransitionInDays: '1' # StorageClass: Glacier # Out of scope for this solution # LoggingConfiguration: # DestinationBucketName: !Ref 'LoggingBucket' # LogFilePrefix: testing-logs MetricsConfigurations: - Id: EntireBucket # Omit prefix assumes the whole bucket # Prefix: String # TagFilters: # - TagFilter # Out of scope for this solution # NotificationConfiguration: # TopicConfigurations: # - Event: "s3:ReducedRedundancyLostObject" # Topic: !Ref TopicParam PublicAccessBlockConfiguration: # Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to TRUE causes the following behavior: # PUT Bucket acl and PUT Object acl calls fail if the specified ACL is public. # PUT Object calls fail if the request includes a public ACL. # BlockPublicAcls: !Ref BlockPublicParam BlockPublicAcls: True # Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to TRUE causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access. # BlockPublicPolicy: !Ref BlockPublicParam BlockPublicPolicy: True # Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to TRUE causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket. # IgnorePublicAcls: !Ref BlockPublicParam IgnorePublicAcls: True # Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to TRUE restricts access to this bucket to only AWS services and authorized users within this account if the bucket has a public policy. # RestrictPublicBuckets: !Ref BlockPublicParam RestrictPublicBuckets: True # Out of scope for this solution # ReplicationConfiguration: # ReplicationConfiguration Tags: !If [HasTags, !GetAtt GetTags.Json, !Ref "AWS::NoValue"] # Out of scope for this solution VersioningConfiguration: Status: !Ref VersioningParam # Status: Suspended # Out of scope for this solution # WebsiteConfiguration: # WebsiteConfiguration Outputs: S3BucketName: Value: !Ref S3Bucket Export: Name: !Sub ${AWS::StackName}-S3BucketName S3BucketArn: Value: !GetAtt S3Bucket.Arn Export: Name: !Sub ${AWS::StackName}-S3BucketArn S3BucketDomainName: Value: !GetAtt S3Bucket.DomainName Export: Name: !Sub ${AWS::StackName}-S3BucketDomainName