AWS::S3::MultiRegionAccessPointPolicy
Applies an Amazon S3 access policy to an Amazon S3 Multi-Region Access Point.
It is not possible to delete an access policy for a Multi-Region Access Point from the CloudFormation template. When you attempt to delete the policy, CloudFormation updates the policy using DeletionPolicy:Retain and UpdateReplacePolicy:Retain. CloudFormation updates the policy to only allow access to the account that created the bucket.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::S3::MultiRegionAccessPointPolicy",
  "Properties" : {
      "MrapName" : String,
      "Policy" : Json
    }
}
Properties
- MrapName
  The name of the Multi-Region Access Point.
  Required: Yes
  Type: String
  Pattern: ^[a-z0-9][-a-z0-9]{1,48}[a-z0-9]$
  Minimum: 3
  Maximum: 50
  Update requires: Replacement
- Policy
  The access policy associated with the Multi-Region Access Point.
  Required: Yes
  Type: Json
  Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the name of the Multi-Region Access Point.
For more information about using the Ref function, see Ref.
Examples
Simple Multi-Region Access Point Policy
The following example grants access permissions to CloudWatch.
It is very important to note where you need to use the name versus the alias for the Multi-Region Access Point. In the following example, the name is DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT, the alias of the Multi-Region Access Point is mfzwi23gnjvgw.mrap, and the Amazon account is 123456789012. For more information about how ARNs for Multi-Region Access Points work, see Making requests using a Multi-Region Access Point in the Amazon S3 User Guide.
JSON
{
    "SampleMultiRegionAccessPointPolicy": {
        "Type": "AWS::S3::MultiRegionAccessPointPolicy",
        "DeletionPolicy": "Retain",
        "UpdateReplacePolicy": "Retain",
        "Properties": {
            "MrapName": {
                "Ref": "DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT"
            },
            "Policy": {
                "Statement": [
                    {
                        "Action": [
                            "s3:GetObject"
                        ],
                        "Effect": "Allow",
                        "Resource": {
                            "Fn::Sub": [
                                "arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/*",
                                {
                                    "mrapalias": {
                                        "Fn::GetAtt": [
                                            "mfzwi23gnjvgw.mrap",
                                            "Alias"
                                        ]
                                    }
                                }
                            ]
                        },
                        "Principal": {
                            "Service": "cloudwatch.amazonaws.com"
                        }
                    }
                ]
            }
        }
    }
}
YAML
SampleMultiRegionAccessPointPolicy:
  Type: 'AWS::S3::MultiRegionAccessPointPolicy'
  DeletionPolicy: Retain
  UpdateReplacePolicy: Retain
  Properties:
    MrapName:
      Ref: DOC-EXAMPLE-MULTI-REGION-ACCESS-POINT
    Policy:
      Statement:
        - Action:
            - 's3:GetObject'
          Effect: Allow
          Resource:
            'Fn::Sub':
              - 'arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/*'
              - mrapalias:
                  'Fn::GetAtt':
                    - mfzwi23gnjvgw.mrap
                    - Alias
          Principal:
            Service: cloudwatch.amazonaws.com
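Pre-deployment check (added example, not part of the original reference page and not AWS tooling): a small Python linter that applies this page's constraints to a template, namely the MrapName pattern, the Retain attributes used in the example above, and use of the Multi-Region Access Point alias rather than its name in policy Resource ARNs. The function lint_template, the sample template and the name example-mrap are assumptions constructed for illustration; the linter expects a full template with a top-level Resources section.

```python
import json
import re

MRAP_POLICY = "AWS::S3::MultiRegionAccessPointPolicy"
NAME_RE = re.compile(r"^[a-z0-9][-a-z0-9]{1,48}[a-z0-9]$")  # MrapName pattern from this page
ARN_RE = re.compile(r"^arn:[^:]+:s3::\d{12}:accesspoint/([^/]+)")  # captures name-or-alias

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_template(template):
    """Hypothetical helper: return sorted (logical_id, finding) pairs for MRAP policies."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != MRAP_POLICY:
            continue
        props = res.get("Properties", {})
        name = props.get("MrapName")
        if isinstance(name, str) and not NAME_RE.match(name):  # dicts are intrinsics (Ref)
            findings.append((logical_id, "MrapName violates the documented pattern"))
        for attr in ("DeletionPolicy", "UpdateReplacePolicy"):
            if res.get(attr) != "Retain":
                findings.append((logical_id, f"{attr} is not Retain"))
        for stmt in as_list(props.get("Policy", {}).get("Statement", [])):
            for arn in as_list(stmt.get("Resource", [])):
                m = ARN_RE.match(arn) if isinstance(arn, str) else None
                if m and not m.group(1).endswith(".mrap"):
                    findings.append((logical_id, f"Resource uses name '{m.group(1)}', not the alias"))
    return sorted(findings)

# Constructed sample template (not from the page): one clean resource, one with four findings.
SAMPLE = json.loads("""
{"Resources": {
  "GoodPolicy": {"Type": "AWS::S3::MultiRegionAccessPointPolicy",
    "DeletionPolicy": "Retain", "UpdateReplacePolicy": "Retain",
    "Properties": {"MrapName": "example-mrap", "Policy": {"Statement": [
      {"Effect": "Allow", "Action": ["s3:GetObject"],
       "Principal": {"Service": "cloudwatch.amazonaws.com"},
       "Resource": "arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/*"}]}}},
  "BadPolicy": {"Type": "AWS::S3::MultiRegionAccessPointPolicy",
    "Properties": {"MrapName": "Example_MRAP", "Policy": {"Statement": [
      {"Effect": "Allow", "Action": ["s3:GetObject"],
       "Principal": {"Service": "cloudwatch.amazonaws.com"},
       "Resource": "arn:aws:s3::123456789012:accesspoint/example-mrap/object/*"}]}}}
}}
""")

for logical_id, finding in lint_template(SAMPLE):
    print(f"{logical_id}: {finding}")
```

Resource values built with intrinsic functions such as Fn::Sub are skipped, because their final ARN is only known at deployment time.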