AWS::S3Express::BucketPolicy - Amazon CloudFormation
SyntaxProperties
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::S3Express::BucketPolicy

Applies an Amazon S3 bucket policy to an Amazon S3 directory bucket.

Permissions

If you are using an identity other than the root user of the Amazon Web Services account that owns the bucket, the calling identity must both have the required permissions on the specified bucket and belong to the bucket owner's account in order to use this operation. For more information about directory bucket policies and permissions, see Amazon Identity and Access Management (IAM) for S3 Express One Zone in the Amazon S3 User Guide.

Important

To ensure that bucket owners don't inadvertently lock themselves out of their own buckets, the root principal in a bucket owner's Amazon Web Services account can perform the GetBucketPolicy, PutBucketPolicy, and DeleteBucketPolicy API actions, even if their bucket policy explicitly denies the root principal's access. Bucket owner root principals can only be blocked from performing these API actions by VPC endpoint policies and Amazon Organizations policies.

The required permissions for CloudFormation to use are based on the operations that are performed on the stack.

  • Create

    • s3express:GetBucketPolicy

    • s3express:PutBucketPolicy

  • Read

    • s3express:GetBucketPolicy

  • Update

    • s3express:GetBucketPolicy

    • s3express:PutBucketPolicy

  • Delete

    • s3express:GetBucketPolicy

    • s3express:DeleteBucketPolicy

  • List

    • s3express:GetBucketPolicy

    • s3express:ListAllMyDirectoryBuckets

For more information about example bucket policies, see Example bucket policies for S3 Express One Zone in the Amazon S3 User Guide.

The following operations are related to AWS::S3Express::BucketPolicy:

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::S3Express::BucketPolicy",
  "Properties" : {
      "Bucket" : String,
      "PolicyDocument" : Json
    }
}

YAML

Type: AWS::S3Express::BucketPolicy
Properties:
  Bucket: String
  PolicyDocument: Json

Properties

Bucket

The name of the S3 directory bucket to which the policy applies.

Required: Yes

Type: String

Update requires: Replacement

PolicyDocument

A policy document containing permissions to add to the specified bucket. In IAM, you must provide policy documents in JSON format. However, in CloudFormation you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to IAM. For more information, see the AWS::IAM::Policy PolicyDocument resource description in this guide and Policies and Permissions in Amazon S3 in the Amazon S3 User Guide.

Required: Yes

Type: Json

Update requires: No interruption