Last active
March 31, 2025 16:39
-
-
Save pmarques/d7778e9fe0622067ffa716a7dd3254ea to your computer and use it in GitHub Desktop.
AWS CloudFormation files with S3 buckets and resources needed for Cross-Account / Region replication with Owner[ship] override
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| Description: > | |
| Create a simple encrypted S3 bucket | |
| Parameters: | |
| BucketName: | |
| Type: String | |
| Default: pmarques1234567890-x-account-replication | |
| SourceAccount: | |
| Type: String | |
| Resources: | |
| S3Bucket: | |
| Type: AWS::S3::Bucket | |
| Properties: | |
| BucketName: !Ref BucketName | |
| BucketEncryption: | |
| ServerSideEncryptionConfiguration: | |
| - ServerSideEncryptionByDefault: | |
| SSEAlgorithm: AES256 | |
| VersioningConfiguration: | |
| Status: Enabled | |
| S3BucketPolicy: | |
| Type: AWS::S3::BucketPolicy | |
| Properties: | |
| Bucket: !Ref S3Bucket | |
| PolicyDocument: | |
| Statement: | |
| - Effect: Allow | |
| Principal: | |
| AWS: !Sub arn:aws:iam::${SourceAccount}:root | |
| Action: | |
| - s3:ReplicateObject | |
| - s3:ReplicateDelete | |
| - s3:ObjectOwnerOverrideToBucketOwner | |
| Resource: !Sub arn:aws:s3:::${S3Bucket}/* |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| Description: > | |
| s3 crr testing | |
| Parameters: | |
| DestinationBucket: | |
| Type: String | |
| Default: pmarques1234567890-x-account-replication | |
| DestinationAccount: | |
| Type: String | |
| Resources: | |
| ReplicaRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| AssumeRolePolicyDocument: | |
| Statement: | |
| - Action: sts:AssumeRole | |
| Effect: Allow | |
| Principal: | |
| Service: s3.amazonaws.com | |
| ReplicaPolicy: | |
| Type: AWS::IAM::Policy | |
| Properties: | |
| PolicyDocument: | |
| Statement: | |
| - Action: | |
| - s3:Get* | |
| - s3:ListBucket | |
| Resource: | |
| - !Sub arn:aws:s3:::pmarques1234567890-x-account-replication-source | |
| - !Sub arn:aws:s3:::pmarques1234567890-x-account-replication-source/* | |
| Effect: Allow | |
| - Action: | |
| - s3:ReplicateObject | |
| - s3:ReplicateDelete | |
| - s3:ReplicateTags | |
| - s3:GetObjectVersionTagging | |
| - s3:ObjectOwnerOverrideToBucketOwner | |
| Effect: Allow | |
| Resource: !Sub arn:aws:s3:::${DestinationBucket}/* | |
| PolicyName: ReplicaPolicy | |
| Roles: | |
| - !Ref ReplicaRole | |
| S3Bucket: | |
| Type: AWS::S3::Bucket | |
| DeletionPolicy: Delete | |
| Properties: | |
| BucketEncryption: | |
| ServerSideEncryptionConfiguration: | |
| - ServerSideEncryptionByDefault: | |
| SSEAlgorithm: AES256 | |
| BucketName: pmarques1234567890-x-account-replication-source | |
| ReplicationConfiguration: | |
| Role: !GetAtt [ReplicaRole, Arn] | |
| Rules: | |
| - Destination: | |
| AccessControlTranslation: | |
| Owner: Destination | |
| Account: !Ref DestinationAccount | |
| Bucket: !Sub arn:aws:s3:::${DestinationBucket} | |
| StorageClass: STANDARD | |
| Id: Backup | |
| Prefix: '' | |
| Status: Enabled | |
| VersioningConfiguration: | |
| Status: Enabled |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment