AWS::S3::MultiRegionAccessPointPolicy
Applies an Amazon S3 access policy to an Amazon S3 Multi-Region Access Point.
It is not possible to delete an access policy for a Multi-Region Access Point from the CloudFormation template. When you attempt to delete the policy, CloudFormation updates the policy using DeletionPolicy:Retain and UpdateReplacePolicy:Retain. CloudFormation updates the policy to only allow access to the account that created the bucket.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::S3::MultiRegionAccessPointPolicy",
  "Properties" : {
    "MrapName" : String,
    "Policy" : Json
  }
}
Properties
MrapName
The name of the Multi-Region Access Point.
Required: Yes
Type: String
Pattern: ^[a-z0-9][-a-z0-9]{1,48}[a-z0-9]$
Minimum: 3
Maximum: 50
Update requires: Replacement
Policy
The access policy associated with the Multi-Region Access Point.
Required: Yes
Type: Json
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the name of the Multi-Region Access Point.
For more information about using the Ref function, see Ref.
Examples
Simple Multi-Region Access Point Policy
The following example grants access permissions to CloudWatch.
It is very important to note where you need to use the name versus the alias for the Multi-Region Access Point. In the following example, the name is DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT, the alias of the Multi-Region Access Point is mfzwi23gnjvgw.mrap, and the AWS account is 123456789012. For more information about how ARNs for Multi-Region Access Points work, see Making requests using a Multi-Region Access Point in the Amazon S3 User Guide.
JSON
{
  "SampleMultiRegionAccessPointPolicy": {
    "Type": "AWS::S3::MultiRegionAccessPointPolicy",
    "DeletionPolicy": "Retain",
    "UpdateReplacePolicy": "Retain",
    "Properties": {
      "MrapName": {
        "Ref": "DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT"
      },
      "Policy": {
        "Statement": [
          {
            "Action": [
              "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": {
              "Fn::Sub": [
                "arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/*",
                {
                  "mrapalias": {
                    "Fn::GetAtt": [
                      "mfzwi23gnjvgw.mrap",
                      "Alias"
                    ]
                  }
                }
              ]
            },
            "Principal": {
              "Service": "cloudwatch.amazonaws.com"
            }
          }
        ]
      }
    }
  }
}
YAML
SampleMultiRegionAccessPointPolicy:
  Type: 'AWS::S3::MultiRegionAccessPointPolicy'
  DeletionPolicy: Retain
  UpdateReplacePolicy: Retain
  Properties:
    MrapName:
      Ref: DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT
    Policy:
      Statement:
        - Action:
            - 's3:GetObject'
          Effect: Allow
          Resource:
            'Fn::Sub':
              - 'arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/*'
              - mrapalias:
                  'Fn::GetAtt':
                    - mfzwi23gnjvgw.mrap
                    - Alias
          Principal:
            Service: cloudwatch.amazonaws.com
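Pre-deployment check for the name-versus-alias point above
The following Python lint is an added example, not part of the AWS documentation. It checks a parsed template for literal MrapName values that break the documented pattern and for policy Resource ARNs that do not address the Multi-Region Access Point by alias with an empty Region field. The function names, the constructed sample template and the alias character set are assumptions made for illustration.

```python
import re

# Documented MrapName pattern; it also enforces the 3-50 character bounds.
MRAP_NAME_RE = re.compile(r"^[a-z0-9][-a-z0-9]{1,48}[a-z0-9]$")
# Multi-Region Access Point ARN: empty Region field, addressed by alias.
# Assumption: aliases are lowercase alphanumerics followed by ".mrap".
MRAP_ARN_RE = re.compile(r"^arn:aws:s3::\d{12}:accesspoint/[a-z0-9]+\.mrap(/object/.*)?$")
RESOURCE_TYPE = "AWS::S3::MultiRegionAccessPointPolicy"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _literal_arn(resource):
    """Return the ARN text from a plain string or either Fn::Sub form."""
    if isinstance(resource, dict) and "Fn::Sub" in resource:
        sub = resource["Fn::Sub"]
        return sub[0] if isinstance(sub, list) else sub
    return resource if isinstance(resource, str) else None

def lint_mrap_policies(template):
    """Return (logical_id, message) findings for a parsed template dict."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != RESOURCE_TYPE:
            continue
        props = res.get("Properties", {})
        name = props.get("MrapName")
        # Ref/GetAtt values resolve at deploy time; only literals are checked.
        if isinstance(name, str) and not MRAP_NAME_RE.match(name):
            findings.append((logical_id, f"MrapName {name!r} violates the documented pattern"))
        for stmt in _as_list(props.get("Policy", {}).get("Statement", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                arn = _literal_arn(resource)
                if arn is None or "${" in arn:
                    continue  # unresolved intrinsic, cannot judge offline
                if not MRAP_ARN_RE.match(arn):
                    findings.append((logical_id, f"Resource {arn!r} is not an alias-based ARN"))
    return findings

# Constructed sample: invalid name, and the name used where the alias belongs.
SAMPLE = {"Resources": {"BadPolicy": {
    "Type": RESOURCE_TYPE,
    "Properties": {
        "MrapName": "Example_MRAP",
        "Policy": {"Statement": [{
            "Effect": "Allow", "Action": ["s3:GetObject"],
            "Principal": {"Service": "cloudwatch.amazonaws.com"},
            "Resource": "arn:aws:s3::123456789012:accesspoint/example-mrap/object/*"}]}}}}}

if __name__ == "__main__":
    for logical_id, message in lint_mrap_policies(SAMPLE):
        print(f"{logical_id}: {message}")
```

Load a JSON template with json.load and pass the resulting dict to lint_mrap_policies; an empty list means no findings.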