How to Create an S3 Bucket using CloudFormation


In this post we will see how to create an S3 bucket using a CloudFormation template. We will use the AWS CloudFormation console to do this.

After completing this tutorial you should be able to:

  • Explain what CloudFormation is
  • Write a CloudFormation template that creates an S3 bucket
  • Create a simple S3 bucket using the AWS Management Console
  • Update the stack to enable some of the frequently used bucket features:
    • Versioning
    • Encryption
    • Preventing objects from becoming public
  • Delete the stack to delete the S3 bucket

Prerequisites:

  • An AWS Account
  • Stable internet connection
  • Basic YAML/JSON knowledge

Let’s start with understanding CloudFormation.

What is CloudFormation?

  • CloudFormation is a service provided by AWS which allows us to create and manage our entire infrastructure as code.
  • CloudFormation helps you replicate your application environment easily within a few clicks.
  • You simply declare your resources in a template and CloudFormation creates them in the right order. That’s awesome 🙂

Now it’s time to create our first S3 bucket using CloudFormation.

We will create the stack with a very simple bucket first and then update the stack gradually to enable the frequently used features mentioned above.

Step 1: Prepare template

Let’s create a simple template for creating an S3 bucket. To create an S3 bucket we need a resource of type AWS::S3::Bucket.

That one resource declaration, with no properties at all, is sufficient to create a bucket.

We will need the template ready in a file. So:

  • Open an editor like Notepad or Notepad++
  • Copy the content of the code snippet below into it. Save the file as firstbucket.yaml or any name of your choice ending with .yaml
  • Jump to step 2.

AWSTemplateFormatVersion: 2010-09-09

Resources:
  S3Bucket:
    Type: AWS::S3::Bucket

Step 2: Create the CloudFormation stack

Log in to the AWS Management Console -> go to the CloudFormation console -> click Create stack.

You will see the Create stack page.

Click Upload a template file, upload your template and click Next.

You will be asked for a stack name; provide one. Leave all the other configuration at its defaults and click Next on the remaining pages. After reviewing everything, click Create stack.

In a matter of seconds (maybe a minute) your stack will be created and you can verify your S3 bucket in the S3 console.

It was as simple as that. We are done with the creation of a simple S3 bucket 🙂


Happy now? 😛 😛

Well, let’s be even happier by implementing some of the more advanced settings.

Before that, did you notice that we didn’t even provide a name for the bucket?

To be precise, if you don’t provide a name, CloudFormation generates a unique ID and uses it to name the bucket.

In general it is good practice not to name your bucket. Otherwise CloudFormation can’t perform updates that require replacement of this resource.

As per the AWS documentation: if you specify a name, you can’t perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.

However, sometimes we want to control the way our bucket is named, so the template below shows how to do that using the BucketName property. Keep in mind that bucket names are global across all AWS accounts: if the name you hardcode is already taken by anyone, stack creation fails.

AWSTemplateFormatVersion: 2010-09-09
Description: CloudFormation template for s3 bucket

Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Description: Creating Amazon S3 bucket from CloudFormation
    Properties:
      BucketName: i-named-this-bucket
Outputs:
  S3Bucket:
    Description: Bucket Created using this template.
    Value: !Ref S3Bucket

I have also included an Outputs section. It simply returns the bucket name, which can then be used by other stacks or elsewhere.

Well, it’s time to dive into some bucket features using CloudFormation. Let’s start with versioning.

Enable Versioning on a Bucket

Enabling versioning keeps multiple versions of every object in the bucket. You should consider enabling versioning:

  • To prevent an object from being lost when it is deleted or overwritten by mistake (a delete only adds a delete marker; the previous version stays retrievable).
  • To archive all versions so that you can retrieve any version you want at any time.

We need to use the VersioningConfiguration property to enable versioning on a bucket, like this:

VersioningConfiguration:
  Status: Enabled

Our overall template will look like below. Save the template and let’s update our CloudFormation stack.

AWSTemplateFormatVersion: 2010-09-09
Description: CloudFormation template for s3 bucket

Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Description: Creating Amazon S3 bucket from CloudFormation
    Properties:
      BucketName: i-named-this-bucket
      VersioningConfiguration:
        Status: Enabled
Outputs:
  S3Bucket:
    Description: Bucket Created using this template.
    Value: !Ref S3Bucket

Click Update, then select Replace current template.

Upload the newly saved template and click Next. Leave the Configure stack options at their defaults and click Next again, then Update stack.

Once the stack is updated, go to the S3 console and check your bucket properties. You will see that versioning is now enabled on the bucket.

That’s good progress !!! 🙂

Let’s add another feather to our cap by enabling encryption.

Enable Encryption on Bucket

Enabling default encryption on a bucket sets the bucket’s default encryption behavior. Once set, all new objects are encrypted when you store them in the bucket (objects that were already in the bucket are not re-encrypted retroactively).

In other words, S3 encrypts an object before saving it to disk and decrypts it when you download the object.

There are two key options when using server-side encryption:

  • S3-managed keys (SSE-S3)
  • Customer master keys (CMKs) stored in AWS KMS (SSE-KMS)

In this example we will use S3-managed keys only. For that we need the property below.

BucketEncryption:
  ServerSideEncryptionConfiguration:
    - ServerSideEncryptionByDefault:
        SSEAlgorithm: AES256

Once you have updated your template with this configuration, update the stack again and you will see that default encryption is now enabled.

By now we have enabled versioning and encryption. You can validate this in the bucket’s Properties tab, as shown in the screenshot: versioning and encryption are both ticked 🙂

[Screenshot: bucket Properties tab with Versioning and Default encryption enabled]

Please note that we used an S3-managed key here. If you need a KMS-managed key instead, use the set of properties below. You will need to create a key in KMS first and then provide its ARN as shown. With SSE-KMS, anyone reading or writing objects also needs permission on the KMS key itself, so access is governed by the key policy as well as by the bucket permissions.

BucketEncryption:
  ServerSideEncryptionConfiguration:
    - ServerSideEncryptionByDefault:
        SSEAlgorithm: aws:kms
        KMSMasterKeyID: "YOUR KMS KEY ARN"

Lastly, let’s configure our bucket in a way that prevents any public access to our objects.

Prevent objects from becoming public

If you look at the access column of the created bucket in the S3 console, you will see something like “Objects can be public”. What does that mean?

It means that although the bucket is not public by default, it can be made public: anyone with the proper permissions can make objects public through an ACL or a bucket policy.

Let’s make the bucket completely private.

We will use the AccessControl property (canned ACL) as well as PublicAccessBlockConfiguration, as shown in the template below. Of the two, PublicAccessBlockConfiguration does the real work: it rejects new public ACLs and public bucket policies and ignores any that already exist, whereas AccessControl: Private only sets the bucket’s initial ACL.

AccessControl: Private
PublicAccessBlockConfiguration:
  BlockPublicAcls: true
  BlockPublicPolicy: true
  IgnorePublicAcls: true
  RestrictPublicBuckets: true

Add these properties to the template, save it and update your stack again. After the successful update you will see that the bucket access no longer reads “Objects can be public”.

Delete the CloudFormation Stack

At last, if you are doing this exercise for learning, you can clean up by deleting the stack, which deletes the bucket. Note that CloudFormation cannot delete a bucket that still contains objects (or object versions, once versioning is enabled); empty the bucket first or the stack deletion fails.

Please note that there are times when we want the bucket to be retained even if someone deletes the stack. In such cases you can use the resource attribute DeletionPolicy: Retain.

However, if you need the bucket to be deleted when the stack is deleted, remove the DeletionPolicy: Retain attribute from the template.

For your convenience I have added that as well in the final template.

Final Template to Create an S3 Bucket using CloudFormation in YAML.

AWSTemplateFormatVersion: 2010-09-09
Description: CloudFormation template for s3 bucket
Resources:
  S3Bucket:
    DeletionPolicy: Retain
    Type: 'AWS::S3::Bucket'
    Description: Creating Amazon S3 bucket from CloudFormation
    Properties:
      BucketName: i-named-this-bucket
      AccessControl: Private
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
Outputs:
  S3Bucket:
    Description: Bucket Created using this template.
    Value: !Ref S3Bucket

Final Template to Create an S3 Bucket using CloudFormation in JSON.

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "CloudFormation template for s3 bucket",
    "Resources": {
        "S3Bucket": {
            "DeletionPolicy": "Retain",
            "Type": "AWS::S3::Bucket",
            "Description": "S3 bucket creation",
            "Properties": {
                "BucketName": "i-named-this-bucket",
                "AccessControl": "Private",
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": true,
                    "BlockPublicPolicy": true,
                    "IgnorePublicAcls": true,
                    "RestrictPublicBuckets": true
                },
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {
                            "ServerSideEncryptionByDefault": {
                                "SSEAlgorithm": "AES256"
                            }
                        }
                    ]
                },
                "VersioningConfiguration": {
                    "Status": "Enabled"
                }
            }
        }
    },
    "Outputs": {
        "S3Bucket": {
            "Description": "Bucket Created using this template.",
            "Value": {
                "Ref": "S3Bucket"
            }
        }
    }
}
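As an added check, not part of the original post: a short Python script (standard library only) that walks a parsed template, as json.load() would return the JSON version above, and reports which of the three settings enabled in this post (versioning, default encryption, all four public-access-block flags) each AWS::S3::Bucket resource is missing. The template dict is a constructed copy of the post’s final template; weakened_copy() is a constructed variant used to show what findings look like.

```python
import copy

# Constructed sample input: this post's final template as json.load() would return it.
FINAL_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {"S3Bucket": {
        "DeletionPolicy": "Retain",
        "Type": "AWS::S3::Bucket",
        "Properties": {
            "BucketName": "i-named-this-bucket",
            "AccessControl": "Private",
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "BlockPublicPolicy": True,
                "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
            "VersioningConfiguration": {"Status": "Enabled"}}}},
}
PAB_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
             "IgnorePublicAcls", "RestrictPublicBuckets")


def bucket_findings(template):
    """Map each AWS::S3::Bucket logical id to the post's settings it lacks ([] = all present)."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props, issues = res.get("Properties", {}), []
        if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
            issues.append("versioning not enabled")
        rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
        algos = {r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
        if not algos & {"AES256", "aws:kms"}:
            issues.append("no default encryption configured")
        pab = props.get("PublicAccessBlockConfiguration", {})
        issues += [f"{flag} is not true" for flag in PAB_FLAGS if pab.get(flag) is not True]
        findings[logical_id] = issues
    return findings


def weakened_copy(template):
    """Constructed variant: one public-access flag switched off and the encryption block removed."""
    weak = copy.deepcopy(template)
    props = weak["Resources"]["S3Bucket"]["Properties"]
    props["PublicAccessBlockConfiguration"]["BlockPublicPolicy"] = False
    del props["BucketEncryption"]
    return weak
```

bucket_findings(FINAL_TEMPLATE) returns an empty finding list for S3Bucket, while bucket_findings(weakened_copy(FINAL_TEMPLATE)) reports the missing encryption and the disabled flag; to check a real file, pass it json.load(open(path)).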

Conclusion

In this article we created an S3 bucket using a CloudFormation template. We created the basic stack and then updated it gradually to enable some of the commonly used features:

  • Versioning
  • Encryption
  • Preventing public access to the bucket

I know there are many other things, like CORS configuration, that we can set up on a bucket.

But I wanted to keep it simple and limited to the most common requirements. You can ask me in the comments if you want me to cover other features as well.

I hope you were able to work through this with me and create the S3 bucket. If you get stuck at any point, feel free to add a comment. I will reply to your query as soon as possible.

Well, that was my take on “How to Create an S3 Bucket using CloudFormation”. Please feel free to share your feedback.


4 thoughts on “How to Create an S3 Bucket using CloudFormation”

    1. Hi Rajeev, thank you for your comment. The YAML script is there in the post as well. However, for your convenience I am providing it here as well. Hope you find it useful.

      AWSTemplateFormatVersion: 2010-09-09
      Description: CloudFormation template for s3 bucket
      Resources:
        S3Bucket:
          DeletionPolicy: Retain
          Type: 'AWS::S3::Bucket'
          Description: Creating Amazon S3 bucket from CloudFormation
          Properties:
            BucketName: i-named-this-bucket
            AccessControl: Private
            PublicAccessBlockConfiguration:
              BlockPublicAcls: true
              BlockPublicPolicy: true
              IgnorePublicAcls: true
              RestrictPublicBuckets: true
            BucketEncryption:
              ServerSideEncryptionConfiguration:
                - ServerSideEncryptionByDefault:
                    SSEAlgorithm: AES256
            VersioningConfiguration:
              Status: Enabled
      Outputs:
        S3Bucket:
          Description: Bucket Created using this template.
          Value: !Ref S3Bucket

  1. Hi, thanks for sharing. I just want to know how we provide access to a specific IAM user group only, please?

    1. Thank you Karikalan. You can go to the IAM dashboard, navigate to the group you want to give permission to and attach a policy to the group. That’s it. 🙂
