Parameters: App: Type: String Description: Your application's name. Env: Type: String Description: The environment name your service, job, or workflow is being deployed to. Name: Type: String Description: Your workload's name. Resources: cqlreplicatorBucket: Metadata: 'aws:copilot:description': 'An Amazon S3 bucket to store and retrieve objects for cqlreplicator' Type: AWS::S3::Bucket Properties: AccessControl: Private BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true OwnershipControls: Rules: - ObjectOwnership: BucketOwnerEnforced cqlreplicatorBucketPolicy: Metadata: 'aws:copilot:description': 'A bucket policy to deny unencrypted access to the bucket and its contents' Type: AWS::S3::BucketPolicy DeletionPolicy: Retain Properties: PolicyDocument: Version: '2012-10-17' Statement: - Sid: ForceHTTPS Effect: Deny Principal: '*' Action: 's3:*' Resource: - !Sub ${ cqlreplicatorBucket.Arn}/* - !Sub ${ cqlreplicatorBucket.Arn} Condition: Bool: "aws:SecureTransport": false Bucket: !Ref cqlreplicatorBucket cqlreplicatorAccessPolicy: Metadata: 'aws:copilot:description': 'An IAM ManagedPolicy for your service to access the cqlreplicator bucket' Type: AWS::IAM::ManagedPolicy Properties: Description: !Sub - Grants CRUD access to the S3 bucket ${Bucket} - { Bucket: !Ref cqlreplicatorBucket } PolicyDocument: Version: '2012-10-17' Statement: - Sid: S3ObjectActions Effect: Allow Action: - s3:GetObject - s3:PutObject - s3:PutObjectACL - s3:PutObjectTagging - s3:DeleteObject - s3:RestoreObject Resource: !Sub ${ cqlreplicatorBucket.Arn}/* - Sid: S3ListAction Effect: Allow Action: s3:ListBucket Resource: !Sub ${ cqlreplicatorBucket.Arn} Outputs: cqlreplicatorName: Description: "The name of a user-defined bucket." Value: !Ref cqlreplicatorBucket cqlreplicatorAccessPolicy: Description: "The IAM::ManagedPolicy to attach to the task role" Value: !Ref cqlreplicatorAccessPolicy