AWS::S3::MultiRegionAccessPointPolicy - Amazon CloudFormation


Applies an Amazon S3 access policy to an Amazon S3 Multi-Region Access Point.

It is not possible to delete an access policy for a Multi-Region Access Point from the CloudFormation template. When you attempt to delete the policy, CloudFormation updates the policy using DeletionPolicy:Retain and UpdateReplacePolicy:Retain. CloudFormation updates the policy to only allow access to the account that created the bucket.


To declare this entity in your Amazon CloudFormation template, use the following syntax:


JSON

{
  "Type" : "AWS::S3::MultiRegionAccessPointPolicy",
  "Properties" : {
    "MrapName" : String,
    "Policy" : Json
  }
}


YAML

Type: AWS::S3::MultiRegionAccessPointPolicy
Properties:
  MrapName: String
  Policy: Json



MrapName

The name of the Multi-Region Access Point.

Required: Yes

Type: String

Pattern: ^[a-z0-9][-a-z0-9]{1,48}[a-z0-9]$

Minimum: 3

Maximum: 50

Update requires: Replacement


Policy

The access policy associated with the Multi-Region Access Point.

Required: Yes

Type: Json

Update requires: No interruption

Return values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the name of the Multi-Region Access Point.

For more information about using the Ref function, see Ref.


Simple Multi-Region Access Point Policy

The following example grants access permissions to CloudWatch.

It is very important to note where you need to use the name versus the alias for the Multi-Region Access Point. In the following example, the name is DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT, the alias of the Multi-Region Access Point is mfzwi23gnjvgw.mrap, and the Amazon account is 123456789012. For more information about how ARNs for Multi-Region Access Points work, see Making requests using a Multi-Region Access Point in the Amazon S3 User Guide.


JSON

{
  "SampleMultiRegionAccessPointPolicy": {
    "Type": "AWS::S3::MultiRegionAccessPointPolicy",
    "DeletionPolicy": "Retain",
    "UpdateReplacePolicy": "Retain",
    "Properties": {
      "MrapName": {
        "Ref": "DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT"
      },
      "Policy": {
        "Statement": [
          {
            "Action": [
              "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": {
              "Fn::Sub": [
                "arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/*",
                {
                  "mrapalias": {
                    "Fn::GetAtt": [
                      "mfzwi23gnjvgw.mrap",
                      "Alias"
                    ]
                  }
                }
              ]
            },
            "Principal": {
              "Service": ""
            }
          }
        ]
      }
    }
  }
}


YAML

SampleMultiRegionAccessPointPolicy:
  Type: 'AWS::S3::MultiRegionAccessPointPolicy'
  DeletionPolicy: Retain
  UpdateReplacePolicy: Retain
  Properties:
    MrapName:
      Ref: DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT
    Policy:
      Statement:
        - Action:
            - 's3:GetObject'
          Effect: Allow
          Resource:
            'Fn::Sub':
              - 'arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/*'
              - mrapalias:
                  'Fn::GetAtt':
                    - mfzwi23gnjvgw.mrap
                    - Alias
          Principal:
            Service:
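A pre-deployment lint for the constraints described on this page, as an added example that is not part of the AWS documentation: it checks literal MrapName values against the documented pattern, flags Resource ARNs that carry the access point name instead of the .mrap alias, and flags Allow statements whose principal is empty or a wildcard. The function names, finding messages and the SAMPLE template are assumptions made for illustration.

```python
import re

# Pattern (3-50 characters) is the one this page documents for MrapName.
MRAP_NAME_RE = re.compile(r"^[a-z0-9][-a-z0-9]{1,48}[a-z0-9]$")
# MRAP ARN: empty Region field, account ID, then the alias (ends in ".mrap").
MRAP_ARN_RE = re.compile(r"^arn:aws[a-z-]*:s3::(\d{12}):accesspoint/([^/]+)(/.*)?$")
RTYPE = "AWS::S3::MultiRegionAccessPointPolicy"

def as_list(value):
    """IAM policy fields accept a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def arn_text(resource):
    """Return the ARN string from a literal or from either Fn::Sub form."""
    if isinstance(resource, dict) and "Fn::Sub" in resource:
        sub = resource["Fn::Sub"]
        return sub[0] if isinstance(sub, list) else sub
    return resource if isinstance(resource, str) else ""

def lint_template(template):
    """Return (logical_id, message) findings for every MRAP policy resource."""
    findings = []
    for lid, res in template.get("Resources", {}).items():
        if res.get("Type") != RTYPE:
            continue
        props = res.get("Properties", {})
        name = props.get("MrapName")
        # Intrinsics such as Ref resolve at deploy time; only literals are checkable.
        if isinstance(name, str) and not MRAP_NAME_RE.match(name):
            findings.append((lid, f"MrapName {name!r} does not match the required pattern"))
        for stmt in as_list(props.get("Policy", {}).get("Statement", [])):
            for resource in as_list(stmt.get("Resource", [])):
                m = MRAP_ARN_RE.match(arn_text(resource))
                if m and not m.group(2).endswith(".mrap"):
                    findings.append((lid, f"Resource uses {m.group(2)!r}; expected the .mrap alias"))
            principal = stmt.get("Principal")
            values = as_list(principal) if not isinstance(principal, dict) else [
                v for vals in principal.values() for v in as_list(vals)]
            if stmt.get("Effect") == "Allow" and any(v in ("", "*") for v in values):
                findings.append((lid, "Allow statement has an empty or wildcard principal"))
    return findings

# Constructed sample: a literal name that violates the pattern, the name (not the
# alias) in the ARN, and a wildcard principal.
SAMPLE = {"Resources": {"BadPolicy": {"Type": RTYPE, "Properties": {
    "MrapName": "My_MRAP",
    "Policy": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Principal": "*",
        "Resource": "arn:aws:s3::123456789012:accesspoint/my-mrap/object/*"}]}}}}}
```

Calling lint_template(SAMPLE) returns three findings for BadPolicy, one per check; a template whose statements use the alias ARN and a named principal returns an empty list.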