s3-bucket-glacier.yaml
---

S3 Bucket Glacier CloudFormation Deployment

This CloudFormation template deploys an S3 bucket together with its own IAM user. Objects in the bucket are transitioned to Glacier after the indicated number of days and deleted after a second, longer period.

AWSTemplateFormatVersion: '2010-09-09'

Parameters

These are the input parameters for this template. All of them must be supplied (or left at their defaults, where one exists) for this template to be deployed.

Parameters:

Name of the bucket.

  BucketName:
    Type: String
    Description: The name of the S3 Bucket.

Indicates the number of days after creation that objects stay in the Standard storage class before they are transitioned to Glacier.

  DaysToGlacier:
    Type: Number
    Description: Migrate to Glacier After This Many Days. (Minimum 7 days)
    Default: 30
    MinValue: 7

Indicates the number of days after creation that objects are kept before they are permanently deleted (minimum 120 days). Both lifecycle counters start at object creation, so this value must be greater than DaysToGlacier, and the difference between the two is the time an object actually spends in Glacier.

  DaysToDeletion:
    Type: Number
    Description: Delete From Glacier After This Many Days. (Minimum 120 days)
    Default: 120
    MinValue: 120

Tags

The following tags are applied to all resources created by this template.

  OwnerTag:
    Type: String
    Description: The owner or sponsor of this bucket. All resources will be tagged with this as the owner tag.
  OwnerNetidTag:
    Type: String
    Description: The netid of the technical contact. All resources will be tagged with this as the netid tag.
  ProjectNameTag:
    Type: String
    Description: The project name or JIRA ticket for this. All resources will be tagged with this as the projectname tag.

Metadata

Metadata is mostly for organizing and presenting the Parameters in a better way when deploying this template through the AWS Management Console.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: S3 Bucket Configuration
        Parameters:
          # Only parameters declared above may be listed here; stale entries
          # for parameters this template does not define have been removed.
          - BucketName
          - DaysToGlacier
          - DaysToDeletion
      - Label:
          default: Tagging and Cost Management
        Parameters:
          - OwnerTag
          - OwnerNetidTag
          - ProjectNameTag
    ParameterLabels:
      BucketName:
        default: 'Bucket Name:'
      DaysToGlacier:
        default: 'Days to Glacier:'
      DaysToDeletion:
        default: 'Days to Deletion:'
      OwnerTag:
        default: 'Owner''s Name:'
      OwnerNetidTag:
        default: 'Technical Contact NetID:'
      ProjectNameTag:
        default: 'Project Name:'

Resources

These are all of the resources deployed by this template.

Resources:

S3 Bucket

This deploys the S3 bucket with a private ACL, the lifecycle rule, and the tags. Note that AccessControl only sets the bucket ACL; this template does not enable Block Public Access or default encryption on the bucket.

  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref "BucketName"
      AccessControl: Private
      LifecycleConfiguration:
        Rules:
          - Id: Archive
            Status: Enabled
            ExpirationInDays: !Ref "DaysToDeletion"
            Transitions:
              - TransitionInDays: !Ref "DaysToGlacier"
                StorageClass: GLACIER
      Tags:
        - Key: projectname
          Value: !Ref "ProjectNameTag"
        - Key: owner
          Value: !Ref "OwnerTag"
        - Key: netid
          Value: !Ref "OwnerNetidTag"
        - Key: blueprint
          Value: s3bucket

S3 Bucket User

Creates an IAM user whose permissions are limited to the S3 bucket created above.

  S3BucketUser:
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      Policies:
        - PolicyName: giveaccesstoqueueonly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # These two actions are only evaluated against a "*" resource; they
              # reveal bucket names and regions, not bucket contents.
              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                  - s3:GetBucketLocation
                Resource:
                  - "*"
              # Listing objects is a bucket-level action, so it is granted on the
              # bucket ARN itself rather than on "*" (which would allow listing
              # every bucket in the account).
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource: !Sub "arn:aws:s3:::${S3Bucket}"
              # Object-level access stays limited to objects in this bucket.
              - Effect: Allow
                Action:
                  - s3:*
                Resource: !Sub "arn:aws:s3:::${S3Bucket}/*"
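The two checks a practitioner would want to run before deploying this template, as an added example that is not part of the template: a consistency check on the DaysToGlacier / DaysToDeletion pair described in the Parameters section, and a scan of the IAM user's policy statements for grants that reach beyond the named bucket. The function names, the S3_ACTIONS subset and the example-glacier-bucket ARN are assumptions of this example, and Python's fnmatch is used only as an approximation of IAM's wildcard matching.

```python
"""Guardrail checks for the lifecycle parameters and the IAM user policy of
the s3-bucket-glacier template. Added example; not part of the template."""
from fnmatch import fnmatchcase

# Constructed subset of S3 actions, used only to expand wildcards such as
# "s3:List*". It is not an exhaustive list of the real S3 action namespace.
S3_ACTIONS = [
    "s3:ListAllMyBuckets", "s3:ListBucket", "s3:ListBucketVersions",
    "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts",
    "s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:PutBucketPolicy",
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
]

# Actions IAM only evaluates against Resource "*"; granting them on "*" is
# unavoidable and does not expose bucket contents.
ACCOUNT_LEVEL_ACTIONS = {"s3:ListAllMyBuckets", "s3:GetBucketLocation"}

# Minimum storage duration of S3 Glacier Flexible Retrieval; objects expired
# earlier are still billed for the remainder of this period.
GLACIER_MIN_STORAGE_DAYS = 90


def check_lifecycle(days_to_glacier, days_to_deletion):
    """Return a list of problems with a DaysToGlacier / DaysToDeletion pair.

    Both lifecycle counters start at object creation, so the time an object
    spends in GLACIER is the difference between them, not DaysToDeletion."""
    problems = []
    if days_to_deletion <= days_to_glacier:
        problems.append("ExpirationInDays must be greater than TransitionInDays, "
                        "otherwise CloudFormation rejects the lifecycle rule")
    else:
        in_glacier = days_to_deletion - days_to_glacier
        if in_glacier < GLACIER_MIN_STORAGE_DAYS:
            problems.append(f"objects spend only {in_glacier} days in GLACIER, "
                            f"below the {GLACIER_MIN_STORAGE_DAYS}-day minimum "
                            "storage duration")
    return problems


def _as_list(value):
    """IAM allows Action and Resource to be a string or a list."""
    return [value] if isinstance(value, str) else list(value)


def expand_actions(patterns):
    """Expand IAM action wildcards against the known S3 action list."""
    return sorted({a for p in _as_list(patterns)
                   for a in S3_ACTIONS if fnmatchcase(a, p)})


def out_of_scope_grants(statements, bucket_arn):
    """Return (action, resource) pairs from Allow statements that grant S3
    actions on resources other than the intended bucket or its objects."""
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for resource in _as_list(stmt["Resource"]):
            if resource in (bucket_arn, bucket_arn + "/*"):
                continue  # scoped to the intended bucket
            for action in expand_actions(stmt["Action"]):
                if action not in ACCOUNT_LEVEL_ACTIONS:
                    findings.append((action, resource))
    return findings


# The policy as written in the template, with ${S3Bucket} resolved to a
# constructed bucket name.
BUCKET_ARN = "arn:aws:s3:::example-glacier-bucket"
TEMPLATE_POLICY = [
    {"Effect": "Allow", "Action": ["s3:List*"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": BUCKET_ARN + "/*"},
]

# A scoped alternative: account-level calls on "*", listing on the bucket ARN,
# object access only on the bucket's objects.
SCOPED_POLICY = [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": BUCKET_ARN},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": BUCKET_ARN + "/*"},
]

if __name__ == "__main__":
    print("lifecycle (defaults 30/120):", check_lifecycle(30, 120))
    print("lifecycle (60/120):", check_lifecycle(60, 120))
    for finding in out_of_scope_grants(TEMPLATE_POLICY, BUCKET_ARN):
        print("template policy, out of scope:", finding)
    print("scoped policy findings:", out_of_scope_grants(SCOPED_POLICY, BUCKET_ARN))
```

With the template defaults (30 and 120) the lifecycle check passes, because the object spends exactly 90 days in Glacier; raising DaysToGlacier without raising DaysToDeletion shortens that window. Against the template's policy the scan reports `s3:ListBucket` (and the other listing actions) on `*`, which is the grant that lets the user enumerate every bucket in the account; the scoped policy produces no findings.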

S3 Bucket User Access Key

The access key pair created for the IAM user above.

  S3BucketUserAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref "S3BucketUser"

Outputs

Output values that can be viewed from the AWS CloudFormation console. Note that stack outputs are readable by anyone allowed to call cloudformation:DescribeStacks on this stack, so the secret access key exposed below is not confidential; distributing it through Secrets Manager or an SSM SecureString parameter instead keeps it out of the stack description.

Outputs:
  BucketName:
    Value: !Ref S3Bucket
  AccessKeyForUser:
    Value: !Ref S3BucketUserAccessKey
  SecretKeyForUser:
    Value: !GetAtt S3BucketUserAccessKey.SecretAccessKey