How to Create an S3 Bucket using CloudFormation with JSON and YAML Example
In one of my posts, you have seen how to create an S3 bucket using the AWS console. Today, I’ll cover how to create an S3 bucket using CloudFormation.
Related: How to Create an S3 Bucket using Terraform
Looking for the best course to master AWS CloudFormation? Here is what I used to get myself kickstarted: AWS CloudFormation Master Class
After completing this tutorial you should be able to-
- Know what is CloudFormation
- Create a CloudFormation template to create an s3 bucket
- Create a simple S3 bucket using the AWS management console
- Update the stack to enable some of the frequently used features like
- Versioning
- Encryption
- Preventing objects from becoming public
- Delete the stack to delete the S3 bucket
Prerequisite:
- An AWS Account: How to Setup Free Tier AWS Account in Right Way
- Basic S3 Knowledge
- Basic YAML/JSON knowledge
Let’s start with understanding CloudFormation.
Don’t want to miss any posts from us? join us on our Facebook group, and follow us on Facebook, Twitter, LinkedIn, and Instagram. You can also subscribe to our newsletter below to not miss any updates from us.
What is CloudFormation?
- CloudFormation is an amazing tool/service provided by AWS that allows us to create and manage our entire infrastructure as a code.
- CloudFormation helps you replicate your application environment easily within a few clicks.
- You simply declare your resources in a template and CloudFormation creates them in the right order. That’s awesome 🙂
Now, it’s time to create our first S3 bucket using CloudFormation.
Please be assured that we will create the stack with a very simple bucket and will update our stack gradually to enable some of the frequently used features as mentioned above.
Steps to Create an S3 Bucket using CloudFormation
- Step 1: Prepare the template
- Step 2: Create the CloudFormation stack
- Step 3: Enable Versioning on a Bucket
- Step 4: Enable Encryption on Bucket
- Step 5: Prevent objects from becoming public
- Step 6: Delete the CloudFormation Stack(Optional)
Step 1: Prepare the template
Let’s create a simple template for creating an S3 bucket. To create an s3 bucket we need a resource of the type AWS::S3::Bucket.
And trust me this one single line is sufficient to create a bucket.
We will need the template ready in a file. So-
- Open an editor like Notepad or Nodepad++
- Copy the content of the below code snippet into it. Save the file as firstbucket.yaml or anything of your choice ending with .yaml
- Jump to step 2.
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Step 2: Create the CloudFormation stack
In this section, we are creating the stack using the AWS console. However, there is a better way to do it. And it is by leveraging AWS CLI. See how to deploy a CloudFormation Template using AWS CLI.
Login to AWS management console —> Go to CloudFormation console —> Click Create Stack
You will see something like this.
Click on Upload a template file. Upload your template and click next.
You will be asked for a Stack name. Provide a stack name here. Leave all the configurations as default and click next. After reviewing everything, click on Create Stack.
In a matter of seconds(maybe a minute) your stack will be created and you can verify your S3 bucket in the S3 console.
It was as simple as that. We are done with the creation of a simple S3 bucket 🙂
Happy now? 😛 😛
Advanced
Well, let’s be happier by implementing some of the advanced things.
Before that, Hey -did you notice that we didn’t even provide the name of the bucket?
To be precise, If you don’t provide the name, CloudFormation will generate a unique ID and use that for naming the bucket.
In general, it is a good practice to not name your bucket. Otherwise, CloudFormation can’t perform updates that require the replacement of this resource.
As per AWS documentation, If you specify a name, you can’t perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.
However, sometimes we want to control the way we name our bucket. So I will show you how to do that below template using the BucketName property.
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFormation template for s3 bucket
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Description: Creating Amazon S3 bucket from CloudFormation
Properties:
BucketName: i-named-this-bucket
Outputs:
S3Bucket:
Description: Bucket Created using this template.
Value: !Ref S3Bucket
Note: S3 bucket name is unique globally across all accounts. So be mindful while choosing a name for your bucket. Meanwhile, check This is Why S3 Bucket Names are Unique Globally
I have also included an output section. It will simply give the bucket name which can be used by other stacks or places.
Well, It’s time to deep dive into some of the features using CloudFormation. Let’s start with versioning.
Step 3: Enable Versioning on a Bucket
Enabling versioning enables multiple versions of all the objects in the bucket. You should consider enabling versioning-
- To prevent an object from being deleted or overwritten by mistake.
- To archive all versions so that you can retrieve any version you want at any time
We need to use property VersioningConfiguration to enable versioning on a bucket like –
VersioningConfiguration:
Status: Enabled
Our overall template will look like the one below. Save the template and let’s update our CloudFormation stack.
CloudFormation Template to Enable Versioning on a Bucket
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFormation template for s3 bucket
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Description: Creating Amazon S3 bucket from CloudFormation
Properties:
BucketName: i-named-this-bucket
VersioningConfiguration:
Status: Enabled
Outputs:
S3Bucket:
Description: Bucket Created using this template.
Value: !Ref S3Bucket
Click on update, Then select Replace current template.
Upload the newly saved template. Click Next, Next. Leave the Configure stack option to default and click next.
The stack is updated and if you go to the S3 console and check your bucket properties. You can see that versioning is enabled on the bucket now.
Related: How to Check If Versioning is Enabled on an S3 Bucket
That’s good progress !!! 🙂
Let’s add another feature to our cap by enabling encryption
Step 4: Enable Encryption on Bucket
Enabling default encryption on a bucket will set the default encryption behaviour on a bucket. once set, all new objects are encrypted when you store them in the bucket.
In other terms, S3 encrypts an object before saving it to disk and decrypts it when you download the objects.
Related: Amazon S3 Encryption: All You Need to Know
Encryption on S3
Well, there are two options for keys when using server-side encryption.
- S3-managed keys (SSE-S3)
- Customer master keys (CMKs) are stored in AWS KMS.
In this example we will use s3 managed key only. for that we will need the parameter setting as below.
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
Once you have updated your template with this configuration. Update the stack again and you will see default encryption is enabled now.
By now we have enabled versioning and encryption. You can check your bucket property(In the properties tab) to validate that as mentioned in the screenshot. Versioning and encryption are ticked here 🙂
Please note that we used S3 managed key here, however, if you need to have a KMS-managed key, you can have the below set of parameters. You will need to create a key in KMS first and then you need to provide the ARN as mentioned below.
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: aws:kms
KMSMasterKeyID: "YOUR KMS KEY ARN"
Lastly, let’s try to configure our bucket in a way that will prevent any public access to our objects.
Step 5: Prevent objects from becoming public
If you notice the created S3 bucket access, you will see something like “Objects can be public“. What does that mean?
Well, it means that, by default, the bucket is not public but can be public. Anyone with the proper permissions can make objects public.
Let’s make the bucket completely private.
We will use the property AccessControl(Canned ACL) as well as PublicAccessBlockConfiguration as mentioned in the template below.
AccessControl: Private
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
Add these properties to the template, save it and update your stack again. After the successful update, you will see now bucket access is not public.
Step 6: Delete the CloudFormation Stack(Optional)
At last, if you are doing this exercise for learning. you can clean up by deleting the stack to delete the bucket.
Please note that there are times when we want the bucket to be retained even if someone deletes the stack. In such cases, you can use the parameter DeletionPolicy: Retain.
However, If you need the bucket to be deleted when the stack is deleted, remove the DeletionPolicy: Retain parameter from the template.
For your convenience, I have also added that in the final template.
Final Template to Create an S3 Bucket using CloudFormation in YAML.
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFormation template for s3 bucket
Resources:
S3Bucket:
DeletionPolicy: Retain
Type: 'AWS::S3::Bucket'
Description: Creating Amazon S3 bucket from CloudFormation
Properties:
BucketName: i-named-this-bucket
AccessControl: Private
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
VersioningConfiguration:
Status: Enabled
Outputs:
S3Bucket:
Description: Bucket Created using this template.
Value: !Ref S3Bucket
Final Template to Create an S3 Bucket using CloudFormation in JSON.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "CloudFormation template for s3 bucket",
"Resources": {
"S3Bucket": {
"DeletionPolicy": "Retain",
"Type": "AWS::S3::Bucket",
"Description": "S3 bucket creation",
"Properties": {
"BucketName": "i-named-this-bucket",
"AccessControl": "Private",
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
},
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
},
"VersioningConfiguration": {
"Status": "Enabled"
}
}
}
},
"Outputs": {
"S3Bucket": {
"Description": "Bucket Created using this template.",
"Value": {
"Ref": "S3Bucket"
}
}
}
}
Related: How to Convert a CloudFormation Template From JSON to YAML and Vice Versa
Conclusion
In this article, we created an S3 bucket using the CloudFormation template. We created the basic stack and then updated the stack gradually to enable some of the features like
- Versioning
- Encryption
- Preventing public access to the bucket
I know there are many other things like cors configuration and others that we can do in a bucket.
But I wanted to keep it simple and limited to the most common requirements. You can read those features here.
- How to Create S3 Bucket Policy using CloudFormation
- Create S3 Bucket Policy using Terraform
- Setup CORS Configuration of an S3 Bucket using CloudFormation
- S3 Lifecycle Management using CloudFormation
I hope you were able to work with me and able to create the S3 bucket. Do let me know in the comment section.
That was my take on “How to Create an S3 Bucket using CloudFormation“. Please feel free to share your feedback.
Enjoyed the content?
Subscribe to our newsletter below to get awesome AWS learning materials delivered straight to your inbox.
If you liked reading my post, you can motivate me by-
- Follow us on
- Subscribe to our newsletter to get notified each time we post new content.
- Share this post with your friends and colleagues.
Also Read:
6 thoughts on “How to Create an S3 Bucket using CloudFormation”
That was very helpful thank you.
You are welcome – Glad that it was helpful
Can we get this Script in YAML format?
Hi Rajeev, Thank you for your comment. YAML script is there in the post as well. However for your convenience I am providing it here as well. Hope you find it useful
Hi, Thanks for sharing. Just want to know how we provide the access to specific IAM user group only, please?
Thank you Karikalan. You can go to IAM dashboard, navigate to the group you want to give permission to and attach a policy to the group. That’s it. 🙂