S3 CloudFormation Template

This CloudFormation template creates the necessary IAM resources for managing S3 event notifications with SNS topics.

Overview

The template provisions:

IAM User with programmatic access
IAM Policy with S3 and SNS permissions
Access Key for the IAM user
AWS Secrets Manager secret to store credentials securely

Resources Created

IAM Policy (`S3EventSubscriptionPolicy`)

Grants permissions for:

S3 Operations: GetBucketNotification, PutBucketNotification, ListAllMyBuckets, GetBucketLocation
SNS Operations: CreateTopic, DeleteTopic, Subscribe, Unsubscribe, ListSubscriptions, ListSubscriptionsByTopic, ListTopics, GetTopicAttributes, SetTopicAttributes, Publish

IAM User (`EventSubscriptionUser`)

Programmatic access user with the above policy attached
Tagged for identification and management

Access Key (`EventSubscriptionUserAccessKey`)

Active access key for the IAM user
Stored securely in AWS Secrets Manager

Secrets Manager Secret (`EventSubscriptionCredentials`)

Stores:

Access Key ID
Secret Access Key
AWS Region

Parameters

Parameter

Description

Default Value

IAMUserName

Name for the IAM user

event-subscription-service-user

PolicyName

Name for the IAM policy

S3EventSubscriptionPolicy

Deployment Instructions

Prerequisites

AWS CLI configured with appropriate permissions
Access to AWS CloudFormation console or CLI

Console Deployment

Navigate to CloudFormation
Create Stack
- Click "Create stack" button
- Select "With new resources (standard)"
Specify Template
- Choose "Upload a template file"
- Upload the s3-event-notifications_CF.yaml file
- Click "Next"
Specify Stack Details
- Enter stack name: s3-event-notifications-cf-test-v1 (or your preferred name)
- Configure parameters:
  - IAMUserName: event-subscription-service-user-v1
  - PolicyName: S3EventSubscriptionPolicy-v1
- Click "Next"
Configure Stack Options
- Add tags (optional)
- Configure additional options as needed
- Click "Next"
Review and Create
- Review all configurations
- Acknowledge IAM resource creation
- Click "Submit"
Monitor Stack Creation
- Wait for stack status to show CREATE_COMPLETE

CLI Deployment

aws cloudformation create-stack \
  --stack-name s3-event-notifications-cf-test \
  --template-body file://s3-event-notifications_CF.yaml \
  --parameters \
    ParameterKey=IAMUserName,ParameterValue=event-subscription-service-user \
    ParameterKey=PolicyName,ParameterValue=S3EventSubscriptionPolicy \
  --capabilities CAPABILITY_NAMED_IAM

Outputs

After successful deployment, the stack provides the following outputs:

Output

Description

IAMUserName

Name of the created IAM user

IAMUserArn

ARN of the IAM user

SecretsManagerSecretName

Name of the Secrets Manager secret containing credentials

Region

AWS Region where resources were created

RetrieveCredentialsCommand

AWS CLI command to retrieve credentials

Retrieving Credentials

From Secrets Manager Console

Navigate to AWS Secrets Manager
Find the secret: event-subscription-service-user-v1-credentials
Click "Retrieve secret value"

Using AWS CLI

Use the command provided in the stack outputs:

aws secretsmanager get-secret-value \
  --secret-id <secret-name> \
  --query SecretString \
  --output text

The secret contains:

{
  "accessKeyId": "AKIA...",
  "secretAccessKey": "...",
  "region": "us-east-1"
}

Stack Management

Updating the Stack

Deleting the Stack

Warning: Deleting the stack will remove all resources including the IAM user, policy, access keys, and the Secrets Manager secret.

Security Considerations

Credential Rotation: Regularly rotate the access keys stored in Secrets Manager
Least Privilege: Review and adjust IAM permissions based on your specific requirements
Secret Access: Restrict access to the Secrets Manager secret using resource policies
Monitoring: Enable CloudTrail logging to monitor API calls made by the IAM user

Troubleshooting

Stack Creation Fails

Ensure you have iam:CreateUser, iam:CreateAccessKey, and secretsmanager:CreateSecret permissions
Check that the IAM user name doesn't already exist
Verify CloudFormation has the CAPABILITY_NAMED_IAM capability

Cannot Retrieve Credentials

Verify you have secretsmanager:GetSecretValue permission
Ensure the secret name matches the stack output
Check the secret hasn't been deleted

Template Structure

Resources:
├── S3EventSubscriptionPolicy (IAM::ManagedPolicy)
├── EventSubscriptionUser (IAM::User)
├── EventSubscriptionUserAccessKey (IAM::AccessKey)
└── EventSubscriptionCredentials (SecretsManager::Secret)

Support

For issues or questions:

Review CloudFormation stack events for error messages
Check CloudWatch Logs for detailed error information
Verify IAM permissions are correctly configured

License

This template is provided as-is for use in your AWS environment.

AWSTemplateFormatVersion: '2010-09-09'
Description: 'CloudFormation template for S3 Event Notifications - Creates IAM user with S3 and SNS permissions'

Parameters:
  IAMUserName:
    Type: String
    Description: Name for the IAM user
    Default: event-subscription-service-user

  PolicyName:
    Type: String
    Description: Name for the IAM policy
    Default: S3EventSubscriptionPolicy

Resources:
  # IAM Policy for S3 and SNS operations
  S3EventSubscriptionPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Ref PolicyName
      Description: Allows S3 event notification configuration and SNS topic management
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: S3NotificationPermissions
            Effect: Allow
            Action:
              - s3:GetBucketNotification
              - s3:PutBucketNotification
              - s3:ListAllMyBuckets
              - s3:GetBucketLocation
            Resource: '*'
          - Sid: SNSPermissions
            Effect: Allow
            Action:
              - sns:CreateTopic
              - sns:DeleteTopic
              - sns:Subscribe
              - sns:Unsubscribe
              - sns:ListSubscriptions
              - sns:ListSubscriptionsByTopic
              - sns:ListTopics
              - sns:GetTopicAttributes
              - sns:SetTopicAttributes
              - sns:Publish
            Resource: '*'

  # IAM User
  EventSubscriptionUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref IAMUserName
      ManagedPolicyArns:
        - !Ref S3EventSubscriptionPolicy
      Tags:
        - Key: Purpose
          Value: S3EventSubscription
        - Key: ManagedBy
          Value: CloudFormation

  # Access Key for the IAM User
  EventSubscriptionUserAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref EventSubscriptionUser
      Status: Active

  # Secret to store credentials securely
  EventSubscriptionCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub '${IAMUserName}-credentials'
      Description: Credentials for S3 Event Subscription Service
      SecretString: !Sub |
        {
          "accessKeyId": "${EventSubscriptionUserAccessKey}",
          "secretAccessKey": "${EventSubscriptionUserAccessKey.SecretAccessKey}",
          "region": "${AWS::Region}"
        }
      Tags:
        - Key: Purpose
          Value: S3EventSubscription
        - Key: ManagedBy
          Value: CloudFormation

Outputs:
  IAMUserName:
    Description: Name of the IAM user
    Value: !Ref EventSubscriptionUser
    Export:
      Name: !Sub '${AWS::StackName}-IAMUserName'

  IAMUserArn:
    Description: ARN of the IAM user
    Value: !GetAtt EventSubscriptionUser.Arn
    Export:
      Name: !Sub '${AWS::StackName}-IAMUserArn'

  SecretsManagerSecretName:
    Description: Name of the Secrets Manager secret containing credentials
    Value: !Ref EventSubscriptionCredentials
    Export:
      Name: !Sub '${AWS::StackName}-SecretName'

  Region:
    Description: AWS Region where resources were created
    Value: !Ref AWS::Region

  RetrieveCredentialsCommand:
    Description: AWS CLI command to retrieve credentials from Secrets Manager
    Value: !Sub |
      aws secretsmanager get-secret-value --secret-id ${EventSubscriptionCredentials} --query SecretString --output text

PreviousConfiguring Event Notifiers NextAzure Event Grid Setup Guide

Last updated 2 months ago

Was this helpful?

hashtagOverview

hashtagResources Created

hashtagIAM Policy (S3EventSubscriptionPolicy)

hashtagIAM User (EventSubscriptionUser)

hashtagAccess Key (EventSubscriptionUserAccessKey)

hashtagSecrets Manager Secret (EventSubscriptionCredentials)

hashtagParameters

hashtagDeployment Instructions

hashtagPrerequisites

hashtagConsole Deployment

hashtagCLI Deployment

hashtagOutputs

hashtagRetrieving Credentials

hashtagFrom Secrets Manager Console

hashtagUsing AWS CLI

hashtagStack Management

hashtagUpdating the Stack

hashtagDeleting the Stack

hashtagSecurity Considerations

hashtagTroubleshooting

hashtagStack Creation Fails

hashtagCannot Retrieve Credentials

hashtagTemplate Structure

hashtagSupport

hashtagLicense