Successfully import an S3 bucket as an AWS CloudFormation stack - AWS Prescriptive Guidance


Created by Ram Kandaswamy (AWS)

Summary

If you use Amazon Web Services (AWS) resources, such as Amazon Simple Storage Service (Amazon S3) buckets, and want to use an infrastructure as code (IaC) approach, then you can import your resources into AWS CloudFormation and manage them as a stack.

This pattern provides steps to successfully import an S3 bucket as an AWS CloudFormation stack. By using this pattern's approach, you can avoid possible errors that might occur if you import your S3 bucket in a single action.

Prerequisites and limitations

Prerequisites 

Architecture

Figure: Workflow for using a CloudFormation template to create a CloudFormation stack that imports an S3 bucket.

The diagram shows the following workflow:

  1. The user creates a JSON or YAML-formatted AWS CloudFormation template.

  2. The template creates an AWS CloudFormation stack to import the S3 bucket.

  3. The AWS CloudFormation stack manages the S3 bucket that you specified in the template.

Technology stack

  • AWS CloudFormation

  • AWS Identity and Access Management (IAM)

  • AWS KMS

  • Amazon S3

Tools

  • AWS CloudFormation – AWS CloudFormation helps you to create and provision AWS infrastructure deployments predictably and repeatedly.

  • AWS Identity and Access Management (IAM) – IAM is a web service for securely controlling access to AWS services.

  • AWS KMS – AWS Key Management Service (AWS KMS) is an encryption and key management service scaled for the cloud.

  • Amazon S3 – Amazon Simple Storage Service (Amazon S3) is storage for the Internet.

Epics

Task / Description / Skills required

Create a template to import the S3 bucket and KMS key.

On your local computer, create a template to import your S3 bucket and KMS key by using the following sample template:

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  bucketName:
    Type: String
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    Properties:
      BucketName: !Ref bucketName
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: !GetAtt
                - KMSS3Encryption
                - Arn
  KMSS3Encryption:
    Type: 'AWS::KMS::Key'
    DeletionPolicy: Retain
    Properties:
      Enabled: true
      # Key policy rendered with !Sub so that the account ID is filled in at deploy time
      KeyPolicy: !Sub |-
        {
          "Id": "key-consolepolicy-3",
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": ["arn:aws:iam::${AWS::AccountId}:root"]
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        }
      EnableKeyRotation: true

AWS DevOps

Create the stack.

  1. Sign in to the AWS Management Console, open the AWS CloudFormation console, choose View stack, choose Create stack, and then choose With existing resources (import resources).

  2. Choose Upload a template file and then upload the template file that you created earlier.

  3. Enter a name for your stack and configure the remaining options according to your requirements.

  4. Choose Create stack and wait for the stack’s status to change to IMPORT_COMPLETE.

AWS DevOps
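The same import driven through the CloudFormation API instead of the console, as an added example that is not part of the AWS pattern. It builds the ResourcesToImport mapping CloudFormation needs for an IMPORT change set and checks up front for the two template mistakes that make an import fail (a resource without a DeletionPolicy, or no identifier for the existing resource). The logical IDs come from the page's template; TEMPLATE_RESOURCES, the sample physical IDs and run_import (which needs boto3 and credentials) are assumptions.

```python
# Property that identifies an existing resource of each type in an IMPORT change set
IMPORT_IDENTIFIER = {
    "AWS::S3::Bucket": "BucketName",
    "AWS::KMS::Key": "KeyId",
}

# Constructed mirror of the Resources section of the page's template (properties omitted)
TEMPLATE_RESOURCES = {
    "S3Bucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain"},
    "KMSS3Encryption": {"Type": "AWS::KMS::Key", "DeletionPolicy": "Retain"},
}


def preflight_errors(resources, physical_ids):
    """Report the mistakes that make CloudFormation reject an import, before any API call."""
    errors = []
    for logical_id, res in resources.items():
        if "DeletionPolicy" not in res:
            errors.append(f"{logical_id}: imported resources must declare a DeletionPolicy")
        if res.get("Type") not in IMPORT_IDENTIFIER:
            errors.append(f"{logical_id}: no import identifier known for {res.get('Type')}")
        if logical_id not in physical_ids:
            errors.append(f"{logical_id}: missing the existing resource's identifier")
    return errors


def build_resources_to_import(resources, physical_ids):
    """Map each logical ID in the template to the existing resource it should adopt."""
    errors = preflight_errors(resources, physical_ids)
    if errors:
        raise ValueError("; ".join(errors))
    return [{"ResourceType": res["Type"], "LogicalResourceId": logical_id,
             "ResourceIdentifier": {IMPORT_IDENTIFIER[res["Type"]]: physical_ids[logical_id]}}
            for logical_id, res in resources.items()]


def run_import(stack_name, template_body, physical_ids, region="us-east-1"):
    """Create and execute the IMPORT change set with boto3 (needs credentials; not run offline)."""
    import boto3  # imported here so the pure helpers above work without boto3 installed
    cfn = boto3.client("cloudformation", region_name=region)
    change_set = f"{stack_name}-import"
    cfn.create_change_set(
        StackName=stack_name, ChangeSetName=change_set, ChangeSetType="IMPORT",
        TemplateBody=template_body,
        Parameters=[{"ParameterKey": "bucketName", "ParameterValue": physical_ids["S3Bucket"]}],
        ResourcesToImport=build_resources_to_import(TEMPLATE_RESOURCES, physical_ids),
    )
    cfn.get_waiter("change_set_create_complete").wait(StackName=stack_name, ChangeSetName=change_set)
    cfn.execute_change_set(StackName=stack_name, ChangeSetName=change_set)
    cfn.get_waiter("stack_import_complete").wait(StackName=stack_name)  # ends at IMPORT_COMPLETE
```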

Create the KMS key alias.

  1. On the AWS CloudFormation console, choose Stacks, choose the name of the stack that you created earlier, choose the Template pane, and then choose View in Designer.

  2. Add the following snippet to the Resources section of your template, and then choose Create stack and complete the wizard:

  KMSS3EncryptionAlias:
    Type: 'AWS::KMS::Alias'
    DeletionPolicy: Retain
    Properties:
      AliasName: alias/S3BucketKey
      TargetKeyId: !Ref KMSS3Encryption

For more information about this, see AWS CloudFormation stack updates in the AWS CloudFormation documentation. 

AWS DevOps

Update the stack to include the S3 bucket policy.

  1. On the AWS CloudFormation console, choose Stacks, choose the name of the stack that you created earlier, choose the Template pane, and then choose View in Designer.

  2. Add the following snippet to the Resources section of the template, and then choose Create stack and complete the wizard:

  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument: !Sub |-
        {
          "Version": "2008-10-17",
          "Id": "restricthttp",
          "Statement": [
            {
              "Sid": "denyhttp",
              "Effect": "Deny",
              "Principal": { "AWS": "*" },
              "Action": "s3:*",
              "Resource": ["arn:aws:s3:::${S3Bucket}", "arn:aws:s3:::${S3Bucket}/*"],
              "Condition": { "Bool": { "aws:SecureTransport": "false" } }
            }
          ]
        }

Note

This S3 bucket policy contains a Deny statement that rejects any S3 API call made without TLS (that is, when aws:SecureTransport is false), for both the bucket itself and the objects in it.

AWS DevOps
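An added audit check, not part of the AWS pattern: it parses the TLS-only bucket policy above (copied here with a constructed bucket name in place of ${S3Bucket}) and reports whether a Deny statement really covers both the bucket ARN and its objects, since a policy that lists only the bucket ARN still lets object reads and writes through over HTTP. The weakened variant is constructed for comparison.

```python
import json

# Constructed sample bucket name; CloudFormation substitutes the real name for ${S3Bucket}
BUCKET = "example-imported-bucket"

# The page's bucket policy after !Sub substitution (constructed copy, not fetched from AWS)
TLS_ONLY_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Id": "restricthttp",
  "Statement": [{
    "Sid": "denyhttp",
    "Effect": "Deny",
    "Principal": {"AWS": "*"},
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::${S3Bucket}", "arn:aws:s3:::${S3Bucket}/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""".replace("${S3Bucket}", BUCKET))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anyone(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def enforces_tls(policy, bucket):
    """True when some Deny statement rejects non-TLS requests for the bucket AND its objects."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    wanted = {bucket_arn, bucket_arn + "/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or not _is_anyone(stmt.get("Principal")):
            continue
        if not any(a in ("s3:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        secure = _as_list(stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", []))
        if "false" not in [str(v).lower() for v in secure]:
            continue
        covered = set(_as_list(stmt.get("Resource", [])))
        if "*" in covered or wanted <= covered:
            return True
    return False


def weakened_copy(policy):
    """Constructed variant that keeps only the bucket ARN, so object requests over HTTP still pass."""
    weak = json.loads(json.dumps(policy))
    weak["Statement"][0]["Resource"] = [weak["Statement"][0]["Resource"][0]]
    return weak
```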

Update the key policy.

  1. On the AWS CloudFormation console, choose Stacks, choose the name of the stack that you created earlier, choose the Template pane, and then choose View in Designer.

  2. Modify the template’s KMS resource to include the key policy that allows administrators to administer the KMS key.

  3. Choose Create stack, choose Next, and then complete the wizard according to your requirements.

For more information, see Key policies in AWS KMS in the AWS KMS documentation.

AWS administrator

Add resource-level tags.

  1. On the AWS CloudFormation console, choose Stacks, choose the name of the stack that you created earlier, choose the Template pane, and then choose View in Designer.

  2. Add the following snippet to the Amazon S3 resource Properties section of the template, and then choose Create stack and complete the wizard:

      Tags:
        - Key: createdBy
          Value: Cloudformation

AWS DevOps

Related resources

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip