AWS Amazon S3 Access Point
This page shows how to write Terraform and CloudFormation for Amazon S3 Access Point and write them securely.
aws_s3_access_point (Terraform)
The Access Point in Amazon S3 can be configured in Terraform with the resource name aws_s3_access_point. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_s3_access_point" "devops_demo_bucket_access" {
bucket = aws_s3_bucket.devops_demo_bucket.id
name = "devopsbucketnepal"
}
resource "aws_s3_access_point" "s3-ap-obl" {
bucket = aws_s3_bucket.s3-obl.id
name = "obl-s3-ap"
vpc_configuration {
vpc_id = aws_vpc.vpc-obl.id
resource "aws_s3_access_point" "this" {
account_id = var.account_id
bucket = var.bucket
name = var.name
policy = var.policy
Parameters
-
account_idoptional computed - string -
arnoptional computed - string -
bucketrequired - string -
domain_nameoptional computed - string -
has_public_access_policyoptional computed - bool -
idoptional computed - string -
namerequired - string -
network_originoptional computed - string -
policyoptional - string -
public_access_block_configurationlist block-
block_public_aclsoptional - bool -
block_public_policyoptional - bool -
ignore_public_aclsoptional - bool -
restrict_public_bucketsoptional - bool
-
-
vpc_configurationlist block-
vpc_idrequired - string
-
Explanation in Terraform Registry
Provides a resource to manage an S3 Access Point. -> Advanced usage: To use a custom API endpoint for this Terraform resource, use the
s3controlendpoint provider configuration, not thes3endpoint provider configuration.
Tips: Best Practices for The Other AWS Amazon S3 Resources
In addition to the aws_s3_bucket_public_access_block, AWS Amazon S3 has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_s3_bucket_public_access_block
Ensure S3 bucket-level Public Access Block restricts public bucket policies
It is better to enable S3 bucket-level Public Access Block if you don't need public buckets.
aws_s3_bucket
Ensure S3 bucket access policy is well configured
It is better to configure the S3 bucket access policy properly to limit it unless explicitly required.
AWS::S3::AccessPoint (CloudFormation)
The AccessPoint in S3 can be configured in CloudFormation with the resource name AWS::S3::AccessPoint. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: 'AWS::S3::AccessPoint'
Properties: {}
IAMR3EAWS:
Type: 'AWS::IAM::Role'
Properties: {}
DependsOn:
Type: AWS::S3::AccessPoint
Properties:
Bucket: !Ref bucket
Name: ${self:service}-${self:provider.stage}-ap
lambdaAccessPoint:
Type: AWS::S3::AccessPoint
Properties:
Bucket: !Ref bucket
Name: ${self:service}-${self:provider.stage}-ap
lambdaAccessPoint:
Type: AWS::S3::AccessPoint
Properties:
Bucket: !Ref S3BucketWithPii
Name: bucket-with-pii-access-point
S3LambdaAccessPoint:
Type: AWS::S3::AccessPoint
Properties:
Bucket: !Ref transcriptBucket
Name: !Ref pAdminAccessPointName
NetworkOrigin: Internet
"AWS::S3::AccessPoint.VpcConfiguration": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-accesspoint-vpcconfiguration.html",
"Properties": {
"VpcId": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-accesspoint-vpcconfiguration.html#cfn-s3-accesspoint-vpcconfiguration-vpcid",
"UpdateType": "Immutable",
"Type" : "AWS::S3::AccessPoint",
"Properties" : {
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": false,
"BlockPublicPolicy": false,
"IgnorePublicAcls": false,
"Type" : "AWS::S3::AccessPoint",
"Properties" : {
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": false,
"BlockPublicPolicy": false,
"IgnorePublicAcls": false,
"Type": "AWS::S3::AccessPoint",
"Properties": {
"Bucket": {
"Ref": "bucketLandingPage"
},
"Name": "access-point-landing-page",
"Type": "AWS::S3::AccessPoint",
"Properties": {
"Bucket": {
"Ref": "S3SrcStorage"
},
"Name": "stack-srcstorage-ap",
Parameters
-
Nameoptional - String -
Bucketrequired - String -
VpcConfigurationoptional - VpcConfiguration -
PublicAccessBlockConfigurationoptional - PublicAccessBlockConfiguration -
Policyoptional - Json -
PolicyStatusoptional - Json
Explanation in CloudFormation Registry
The AWS::S3::AccessPoint resource is an Amazon S3 resource type that you can use to access buckets.
Frequently asked questions
What is AWS Amazon S3 Access Point?
AWS Amazon S3 Access Point is a resource for Amazon S3 of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon S3 Access Point?
For Terraform, the gtimalsena/DevOps, Franco-Simone/Obligatorio-ISC and niveklabs/aws source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the TheNewThinkTank/AWS-recipes, eoinsha/object-lambda-transform and micheleriso/serverless-aws-s3-object-lambda-image-resize source code examples are useful. See the CloudFormation Example section for further details.
