koladilip · May 11, 2022 04:22
diff --git a/aws-s3-cfn.yaml b/aws-s3-cfn.yaml
 AWSTemplateFormatVersion: 2010-09-09
 Description: S3 Bucket
 Parameters: 
  BucketName:
    Description: Name of the Bucket
    Type: String
  StorageClass:
    Description: Storage class of the Bucket
    Type: String
    Default: Standard
    AllowedValues:
      - Standard
      - Standard-Infrequent-Access
      - One-Zone-Infrequent-Access
      - Intelligent-Tiering
      - Glacier-Instant-Retrieval
      - Glacier-Flexible-Retrieval
      - Glacier-Deep-Archive 
  Versioning:
    Description: "Should we enable versioning on the Bucket"
    Type: String
    Default: No
    AllowedValues:
      - Yes
      - No
  EncryptAtRest:
    Type: String
    Description: "Should we enable encryption at rest for the Bucket"
    Default: Yes
    AllowedValues:
      - Yes
      - No
  PreventDeletion:
    Type: String
    Description: "Should we prevent deletion of the Bucket"
    Default: Yes
    AllowedValues:
      - Yes
      - No
  EncryptInTransit:
    Type: String
    Description: "Should we enable encryption during the transit"
    Default: Yes
    AllowedValues:
      - Yes
      - No

 Mappings:
  StorageClassMap: 
      Standard:
        Name: STANDARD
        TransitionInDays: 1
      "Standard-Infrequent-Access":
        Name: STANDARD_IA
        TransitionInDays: 30
      "One-Zone-Infrequent-Access":
        Name: ONEZONE_IA
        TransitionInDays: 30
      "Intelligent-Tiering":
        Name: INTELLIGENT_TIERING
        TransitionInDays: 1
      "Glacier-Instant-Retrieval":
        Name: GLACIER_IR
        TransitionInDays: 1
      "Glacier-Flexible-Retrieval":
        Name: GLACIER
        TransitionInDays: 1
      "Glacier-Deep-Archive":
        Name: DEEP_ARCHIVE
        TransitionInDays: 1

 Conditions:
  UseBucketEncryption: !Equals [!Ref EncryptAtRest, Yes]
  UseBucketVersioning: !Equals [!Ref Versioning, Yes]
  UseBucketPreventDeletion: !Equals [!Ref PreventDeletion, Yes]
  UseEncryptInTransit: !Equals [!Ref EncryptInTransit, Yes]
  CreateBucketPolicy: !Or [Condition: UseBucketPreventDeletion, Condition: UseEncryptInTransit]
  UseLifeCyclePolicy: !Not [!Equals [!Ref StorageClass, Standard]] 

 Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties: 
      BucketName: !Ref BucketName
      VersioningConfiguration: 
        !If
        - UseBucketVersioning
        - 
          Status: Enabled
        - !Ref "AWS::NoValue"
      BucketEncryption: 
        !If
        - UseBucketEncryption
        -
          ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
        - !Ref "AWS::NoValue"
      LifecycleConfiguration:
        !If
        - UseLifeCyclePolicy
        -
          Rules:
          - Status: Enabled
            Transitions:
              - TransitionInDays: !FindInMap
                  - StorageClassMap
                  - !Ref StorageClass
                  - TransitionInDays
                StorageClass: !FindInMap
                  - StorageClassMap
                  - !Ref StorageClass
                  - Name
        - !Ref "AWS::NoValue"
        

  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Condition: CreateBucketPolicy
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - !If
            - UseBucketPreventDeletion
            - Action:
                - 's3:DeleteBucket'
              Effect: Deny
              Resource: !Join
                - ''
                - - 'arn:aws:s3:::'
                  - !Ref S3Bucket
              Principal: '*'
            - !Ref "AWS::NoValue"
          - !If
            - UseEncryptInTransit
            - Action:
                - 's3:GetObject'
              Effect: Deny
              Resource: !Join
                - ''
                - - 'arn:aws:s3:::'
                  - !Ref S3Bucket
                  - /*
              Condition:
                Bool:
                  'aws:SecureTransport': false
              Principal: '*'
            - !Ref "AWS::NoValue"

 Outputs:
  S3Bucket: 
    Description: S3 Bucket
    Value: !Ref S3Bucket
	AWSTemplateFormatVersion: 2010-09-09
	Description: S3 Bucket
	Parameters:
	BucketName:
	Description: Name of the Bucket
	Type: String
	StorageClass:
	Description: Storage class of the Bucket
	Type: String
	Default: Standard
	AllowedValues:
	- Standard
	- Standard-Infrequent-Access
	- One-Zone-Infrequent-Access
	- Intelligent-Tiering
	- Glacier-Instant-Retrieval
	- Glacier-Flexible-Retrieval
	- Glacier-Deep-Archive
	Versioning:
	Description: "Should we enable versioning on the Bucket"
	Type: String
	Default: No
	AllowedValues:
	- Yes
	- No
	EncryptAtRest:
	Type: String
	Description: "Should we enable encryption at rest for the Bucket"
	Default: Yes
	AllowedValues:
	- Yes
	- No
	PreventDeletion:
	Type: String
	Description: "Should we prevent deletion of the Bucket"
	Default: Yes
	AllowedValues:
	- Yes
	- No
	EncryptInTransit:
	Type: String
	Description: "Should we enable encryption during the transit"
	Default: Yes
	AllowedValues:
	- Yes
	- No

	Mappings:
	StorageClassMap:
	Standard:
	Name: STANDARD
	TransitionInDays: 1
	"Standard-Infrequent-Access":
	Name: STANDARD_IA
	TransitionInDays: 30
	"One-Zone-Infrequent-Access":
	Name: ONEZONE_IA
	TransitionInDays: 30
	"Intelligent-Tiering":
	Name: INTELLIGENT_TIERING
	TransitionInDays: 1
	"Glacier-Instant-Retrieval":
	Name: GLACIER_IR
	TransitionInDays: 1
	"Glacier-Flexible-Retrieval":
	Name: GLACIER
	TransitionInDays: 1
	"Glacier-Deep-Archive":
	Name: DEEP_ARCHIVE
	TransitionInDays: 1

	Conditions:
	UseBucketEncryption: !Equals [!Ref EncryptAtRest, Yes]
	UseBucketVersioning: !Equals [!Ref Versioning, Yes]
	UseBucketPreventDeletion: !Equals [!Ref PreventDeletion, Yes]
	UseEncryptInTransit: !Equals [!Ref EncryptInTransit, Yes]
	CreateBucketPolicy: !Or [Condition: UseBucketPreventDeletion, Condition: UseEncryptInTransit]
	UseLifeCyclePolicy: !Not [!Equals [!Ref StorageClass, Standard]]

	Resources:
	S3Bucket:
	Type: AWS::S3::Bucket
	Properties:
	BucketName: !Ref BucketName
	VersioningConfiguration:
	!If
	- UseBucketVersioning
	-
	Status: Enabled
	- !Ref "AWS::NoValue"
	BucketEncryption:
	!If
	- UseBucketEncryption
	-
	ServerSideEncryptionConfiguration:
	- ServerSideEncryptionByDefault:
	SSEAlgorithm: AES256
	- !Ref "AWS::NoValue"
	LifecycleConfiguration:
	!If
	- UseLifeCyclePolicy
	-
	Rules:
	- Status: Enabled
	Transitions:
	- TransitionInDays: !FindInMap
	- StorageClassMap
	- !Ref StorageClass
	- TransitionInDays
	StorageClass: !FindInMap
	- StorageClassMap
	- !Ref StorageClass
	- Name
	- !Ref "AWS::NoValue"


	S3BucketPolicy:
	Type: AWS::S3::BucketPolicy
	Condition: CreateBucketPolicy
	Properties:
	Bucket: !Ref S3Bucket
	PolicyDocument:
	Version: 2012-10-17
	Statement:
	- !If
	- UseBucketPreventDeletion
	- Action:
	- 's3:DeleteBucket'
	Effect: Deny
	Resource: !Join
	- ''
	- - 'arn:aws:s3:::'
	- !Ref S3Bucket
	Principal: '*'
	- !Ref "AWS::NoValue"
	- !If
	- UseEncryptInTransit
	- Action:
	- 's3:GetObject'
	Effect: Deny
	Resource: !Join
	- ''
	- - 'arn:aws:s3:::'
	- !Ref S3Bucket
	- /*
	Condition:
	Bool:
	'aws:SecureTransport': false
	Principal: '*'
	- !Ref "AWS::NoValue"

	Outputs:
	S3Bucket:
	Description: S3 Bucket
	Value: !Ref S3Bucket