s3-bucket-archive.yaml
---

S3 Bucket Archive CloudFormation Deployment

This CloudFormation template deploys an S3 bucket together with its own IAM user. Objects placed in the bucket start in the standard storage class, transition to Infrequent Access, then transition to Glacier, and are finally expired (deleted).

AWSTemplateFormatVersion: '2010-09-09'

Parameters

These are the input parameters for this template. All of them must be supplied for the template to deploy. The three day counts are measured from the date each object was created (that is how S3 lifecycle TransitionInDays and ExpirationInDays work), so they must increase: DaysToInfrequentAccess < DaysToGlacier < DaysToDeletion. The defaults of 30, 60 and 150 satisfy this.

Parameters:

Name of the bucket.

  BucketName:
    Type: String
    Description: The name of the S3 Bucket.

The number of days an object stays in the standard storage class before it is moved to Infrequent Access.

  DaysToInfrequentAccess:
    Type: Number
    Description: Migrate to Infrequent Access After This Many Days. (Minimum 30 days)
    Default: 30
    MinValue: 30

The number of days (from object creation) after which an object in Infrequent Access is moved to Glacier.

  DaysToGlacier:
    Type: Number
    Description: Migrate to Glacier After This Many Days. (Minimum 60 days)
    Default: 60
    MinValue: 60

The number of days (from object creation) after which an object in Glacier is deleted completely. Objects must stay in Glacier for a minimum of 150 days.

  DaysToDeletion:
    Type: Number
    Description: Delete From Glacier After This Many Days. (Minimum 150 days)
    Default: 150
    MinValue: 150

Tags

The following tags are applied to all resources created by this template.

  OwnerTag:
    Type: String
    Description: The owner or sponsor of this bucket. All resources will be tagged with this as the owner tag.
  OwnerNetidTag:
    Type: String
    Description: The netid of the technical contact. All resources will be tagged with this as the netid tag.
  ProjectNameTag:
    Type: String
    Description: The project name or JIRA ticket for this. All resources will be tagged with this as the projectname tag.

Metadata

Metadata is mostly for organizing and presenting Parameters in a better way when using CloudFormation in the AWS Web UI.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: S3 Bucket Configuration
        Parameters:
          - BucketName
          - DaysToInfrequentAccess
          - DaysToGlacier
          - DaysToDeletion
      - Label:
          default: Tagging and Cost Management
        Parameters:
          - OwnerTag
          - OwnerNetidTag
          - ProjectNameTag
    ParameterLabels:
      BucketName:
        default: 'Bucket Name:'
      DaysToInfrequentAccess:
        default: 'Days to Infq Access:'
      DaysToGlacier:
        default: 'Days to Glacier:'
      DaysToDeletion:
        default: 'Days to Deletion:'
      OwnerTag:
        default: 'Owner''s Name:'
      OwnerNetidTag:
        default: 'Technical Contact NetID:'
      ProjectNameTag:
        default: 'Project Name:'

Resources

These are all of the resources deployed by this template.

Resources:

S3 Bucket

This deploys the S3 bucket with the lifecycle rule that drives the archive behaviour and applies the tags. The bucket is private; the lifecycle rule transitions objects to STANDARD_IA, then to GLACIER, and expires them after DaysToDeletion days.

  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref "BucketName"
      AccessControl: Private
      LifecycleConfiguration:
        Rules:
          - Id: Archive
            Status: Enabled
            ExpirationInDays: !Ref "DaysToDeletion"
            Transitions:
              - TransitionInDays: !Ref "DaysToInfrequentAccess"
                StorageClass: STANDARD_IA
              - TransitionInDays: !Ref "DaysToGlacier"
                StorageClass: GLACIER
      Tags:
        - Key: projectname
          Value: !Ref "ProjectNameTag"
        - Key: owner
          Value: !Ref "OwnerTag"
        - Key: netid
          Value: !Ref "OwnerNetidTag"
        - Key: blueprint
          Value: s3bucket

S3 Bucket User

Creates an IAM user intended to work only with the bucket created above. Note that as written the first statement grants s3:List* on Resource "*", which also lets the user list every bucket in the account (s3:ListAllMyBuckets) and the contents of any bucket; the second statement grants every object-level action (s3:*) in this bucket. Scoping the list statement to the bucket ARN and the object statement to the actions an archive client needs brings the policy in line with the intent.

  S3BucketUser:
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      Policies:
        - PolicyName: giveaccesstoqueueonly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Account-wide listing: applies to all buckets, not only this one.
              - Effect: Allow
                Action:
                  - s3:List*
                Resource:
                  - "*"
              # Object-level actions restricted to objects in this bucket.
              - Effect: Allow
                Action:
                  - s3:*
                Resource: !Sub "arn:aws:s3:::${S3Bucket}/*"
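A least-privilege version of the same user policy, added here as an example rather than taken from the template: it replaces the account-wide s3:List* grant with s3:ListBucket and s3:GetBucketLocation on this bucket's ARN, and replaces s3:* on objects with the three object actions an archive client needs. The PolicyName and Sid values are assumed; the resource references use the bucket's Arn attribute, which AWS::S3::Bucket exposes.

```yaml
  # Added example: drop-in replacement for the S3BucketUser resource above.
  S3BucketUser:
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      Policies:
        - PolicyName: s3-archive-bucket-only   # assumed name
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Bucket-level actions, scoped to this bucket's ARN only.
              # No s3:ListAllMyBuckets, so other buckets in the account are invisible.
              - Sid: ListOnlyThisBucket
                Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetBucketLocation
                Resource: !GetAtt S3Bucket.Arn
              # Object-level actions, scoped to objects in this bucket only.
              - Sid: ObjectAccessInThisBucket
                Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:DeleteObject
                Resource: !Sub "${S3Bucket.Arn}/*"
```

Drop s3:DeleteObject as well if the user only ever writes into the archive; the lifecycle rule, not the user, is meant to remove objects after DaysToDeletion.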

S3 Bucket User Access Key

The access key pair created for the IAM user above.

  S3BucketUserAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref "S3BucketUser"

Outputs

Output values that can be viewed from the AWS CloudFormation console. Stack outputs are not secret: anyone with cloudformation:DescribeStacks on this stack can read the secret access key through the console or API, so treat access to the stack itself as access to the bucket user.

Outputs:
  BucketName:
    Value: !Ref S3Bucket
  AccessKeyForUser:
    Value: !Ref S3BucketUserAccessKey
  SecretKeyForUser:
    Value: !GetAtt S3BucketUserAccessKey.SecretAccessKey