# S3 CloudFormation Template

This CloudFormation template creates the IAM resources needed for managing S3 event notifications with SNS topics.
## Overview

The template provisions:

- An IAM user with programmatic access
- An IAM policy with S3 and SNS permissions
- An access key for the IAM user
- An AWS Secrets Manager secret to store the credentials securely
## Resources Created

### IAM Policy (`S3EventSubscriptionPolicy`)

Grants permissions for:

- S3 operations: `GetBucketNotification`, `PutBucketNotification`, `ListAllMyBuckets`, `GetBucketLocation`
- SNS operations: `CreateTopic`, `DeleteTopic`, `Subscribe`, `Unsubscribe`, `ListSubscriptions`, `ListSubscriptionsByTopic`, `ListTopics`, `GetTopicAttributes`, `SetTopicAttributes`, `Publish`

### IAM User (`EventSubscriptionUser`)

- Programmatic access user with the above policy attached
- Tagged for identification and management

### Access Key (`EventSubscriptionUserAccessKey`)

- Active access key for the IAM user
- Stored securely in AWS Secrets Manager

### Secrets Manager Secret (`EventSubscriptionCredentials`)

Stores:

- Access key ID
- Secret access key
- AWS region
## Parameters

| Parameter | Description | Default |
|---|---|---|
| `IAMUserName` | Name for the IAM user | `event-subscription-service-user` |
| `PolicyName` | Name for the IAM policy | `S3EventSubscriptionPolicy` |
## Deployment Instructions

### Prerequisites

- AWS CLI configured with appropriate permissions
- Access to the AWS CloudFormation console or CLI

### Console Deployment

1. Navigate to CloudFormation
2. Create Stack
   - Click the "Create stack" button
   - Select "With new resources (standard)"
3. Specify Template
   - Choose "Upload a template file"
   - Upload the `s3-event-notifications_CF.yaml` file
   - Click "Next"
4. Specify Stack Details
   - Enter the stack name: `s3-event-notifications-cf-test-v1` (or your preferred name)
   - Configure the parameters:
     - IAMUserName: `event-subscription-service-user-v1`
     - PolicyName: `S3EventSubscriptionPolicy-v1`
   - Click "Next"
5. Configure Stack Options
   - Add tags (optional)
   - Configure additional options as needed
   - Click "Next"
6. Review and Create
   - Review all configurations
   - Acknowledge IAM resource creation
   - Click "Submit"
7. Monitor Stack Creation
   - Wait for the stack status to show `CREATE_COMPLETE`
### CLI Deployment

```bash
aws cloudformation create-stack \
  --stack-name s3-event-notifications-cf-test \
  --template-body file://s3-event-notifications_CF.yaml \
  --parameters \
    ParameterKey=IAMUserName,ParameterValue=event-subscription-service-user \
    ParameterKey=PolicyName,ParameterValue=S3EventSubscriptionPolicy \
  --capabilities CAPABILITY_NAMED_IAM
```

## Outputs

After successful deployment, the stack provides the following outputs:

| Output | Description |
|---|---|
| `IAMUserName` | Name of the created IAM user |
| `IAMUserArn` | ARN of the IAM user |
| `SecretsManagerSecretName` | Name of the Secrets Manager secret containing the credentials |
| `Region` | AWS Region where the resources were created |
| `RetrieveCredentialsCommand` | AWS CLI command to retrieve the credentials |
## Retrieving Credentials

### From the Secrets Manager Console

1. Navigate to AWS Secrets Manager
2. Find the secret: `event-subscription-service-user-v1-credentials`
3. Click "Retrieve secret value"

### Using the AWS CLI

Use the command provided in the stack outputs:

```bash
aws secretsmanager get-secret-value \
  --secret-id <secret-name> \
  --query SecretString \
  --output text
```

The secret contains:

```json
{
  "accessKeyId": "AKIA...",
  "secretAccessKey": "...",
  "region": "us-east-1"
}
```

## Stack Management

### Updating the Stack

### Deleting the Stack

Warning: Deleting the stack will remove all resources, including the IAM user, policy, access keys, and the Secrets Manager secret.
## Security Considerations

- Credential Rotation: Regularly rotate the access keys stored in Secrets Manager
- Least Privilege: Review and adjust the IAM permissions based on your specific requirements
- Secret Access: Restrict access to the Secrets Manager secret using resource policies
- Monitoring: Enable CloudTrail logging to monitor API calls made by the IAM user
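How a service that holds the stored secret actually uses it, as an added example that is not part of the template or of this page: it maps the secret JSON shown above onto a boto3 session, builds the SNS topic access policy that S3 requires before `PutBucketNotification` will accept the topic as a destination (scoped with `aws:SourceArn` and `aws:SourceAccount` so that only the named bucket in your own account can publish to it), and builds the bucket notification configuration. The secret values, bucket name, topic ARN and account ID are constructed placeholders, and `boto3` is assumed to be installed only for the final function, which makes the two live API calls.

```python
import json

# Constructed sample of the SecretString the stack writes (values are fake).
SAMPLE_SECRET = json.dumps({"accessKeyId": "AKIAEXAMPLEKEYID0000",
                            "secretAccessKey": "example/secret/key/not/real",
                            "region": "us-east-1"})

def session_kwargs(secret_string):
    """Map the secret's fields onto boto3.Session keyword names."""
    s = json.loads(secret_string)
    return {"aws_access_key_id": s["accessKeyId"],
            "aws_secret_access_key": s["secretAccessKey"],
            "region_name": s["region"]}

def topic_policy(topic_arn, bucket_name, account_id):
    """Access policy the SNS topic needs before S3 may publish to it. The
    SourceArn/SourceAccount conditions stop buckets in other accounts from
    using this topic as a destination (confused-deputy protection)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowS3Publish",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "sns:Publish",
        "Resource": topic_arn,
        "Condition": {
            "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{bucket_name}"},
            "StringEquals": {"aws:SourceAccount": account_id}}}]}

def notification_config(topic_arn, events, prefix=None):
    """Body for PutBucketNotificationConfiguration; optional key-prefix filter."""
    cfg = {"TopicArn": topic_arn, "Events": list(events)}
    if prefix:
        cfg["Filter"] = {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}}
    return {"TopicConfigurations": [cfg]}

def subscribe_bucket(secret_string, bucket_name, topic_arn, account_id, events):
    """The two calls the template's policy grants (needs boto3 and network)."""
    import boto3  # imported here so the pure helpers above work offline
    session = boto3.Session(**session_kwargs(secret_string))
    session.client("sns").set_topic_attributes(
        TopicArn=topic_arn, AttributeName="Policy",
        AttributeValue=json.dumps(topic_policy(topic_arn, bucket_name, account_id)))
    session.client("s3").put_bucket_notification_configuration(
        Bucket=bucket_name,
        NotificationConfiguration=notification_config(topic_arn, events))
```

Because the template's policy grants `sns:SetTopicAttributes` and `s3:PutBucketNotification` on `Resource: '*'`, the same credentials could rewrite any topic policy or bucket notification in the account, which is the scope worth narrowing under the least-privilege item above.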
## Troubleshooting

### Stack Creation Fails

- Ensure you have the `iam:CreateUser`, `iam:CreateAccessKey`, and `secretsmanager:CreateSecret` permissions
- Check that the IAM user name doesn't already exist
- Verify that CloudFormation was given the `CAPABILITY_NAMED_IAM` capability

### Cannot Retrieve Credentials

- Verify you have the `secretsmanager:GetSecretValue` permission
- Ensure the secret name matches the stack output
- Check that the secret hasn't been deleted
## Template Structure

```
Resources:
├── S3EventSubscriptionPolicy (IAM::ManagedPolicy)
├── EventSubscriptionUser (IAM::User)
├── EventSubscriptionUserAccessKey (IAM::AccessKey)
└── EventSubscriptionCredentials (SecretsManager::Secret)
```

## Support

For issues or questions:

- Review the CloudFormation stack events for error messages
- Check CloudWatch Logs for detailed error information
- Verify that IAM permissions are correctly configured

## License

This template is provided as-is for use in your AWS environment.
## Template Source (`s3-event-notifications_CF.yaml`)

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'CloudFormation template for S3 Event Notifications - Creates IAM user with S3 and SNS permissions'

Parameters:
  IAMUserName:
    Type: String
    Description: Name for the IAM user
    Default: event-subscription-service-user
  PolicyName:
    Type: String
    Description: Name for the IAM policy
    Default: S3EventSubscriptionPolicy

Resources:
  # IAM Policy for S3 and SNS operations
  S3EventSubscriptionPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Ref PolicyName
      Description: Allows S3 event notification configuration and SNS topic management
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: S3NotificationPermissions
            Effect: Allow
            Action:
              - s3:GetBucketNotification
              - s3:PutBucketNotification
              - s3:ListAllMyBuckets
              - s3:GetBucketLocation
            Resource: '*'
          - Sid: SNSPermissions
            Effect: Allow
            Action:
              - sns:CreateTopic
              - sns:DeleteTopic
              - sns:Subscribe
              - sns:Unsubscribe
              - sns:ListSubscriptions
              - sns:ListSubscriptionsByTopic
              - sns:ListTopics
              - sns:GetTopicAttributes
              - sns:SetTopicAttributes
              - sns:Publish
            Resource: '*'

  # IAM User
  EventSubscriptionUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref IAMUserName
      ManagedPolicyArns:
        - !Ref S3EventSubscriptionPolicy
      Tags:
        - Key: Purpose
          Value: S3EventSubscription
        - Key: ManagedBy
          Value: CloudFormation

  # Access Key for the IAM User
  EventSubscriptionUserAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref EventSubscriptionUser
      Status: Active

  # Secret to store credentials securely
  EventSubscriptionCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub '${IAMUserName}-credentials'
      Description: Credentials for S3 Event Subscription Service
      SecretString: !Sub |
        {
          "accessKeyId": "${EventSubscriptionUserAccessKey}",
          "secretAccessKey": "${EventSubscriptionUserAccessKey.SecretAccessKey}",
          "region": "${AWS::Region}"
        }
      Tags:
        - Key: Purpose
          Value: S3EventSubscription
        - Key: ManagedBy
          Value: CloudFormation

Outputs:
  IAMUserName:
    Description: Name of the IAM user
    Value: !Ref EventSubscriptionUser
    Export:
      Name: !Sub '${AWS::StackName}-IAMUserName'
  IAMUserArn:
    Description: ARN of the IAM user
    Value: !GetAtt EventSubscriptionUser.Arn
    Export:
      Name: !Sub '${AWS::StackName}-IAMUserArn'
  SecretsManagerSecretName:
    Description: Name of the Secrets Manager secret containing credentials
    Value: !Ref EventSubscriptionCredentials
    Export:
      Name: !Sub '${AWS::StackName}-SecretName'
  Region:
    Description: AWS Region where resources were created
    Value: !Ref AWS::Region
  RetrieveCredentialsCommand:
    Description: AWS CLI command to retrieve credentials from Secrets Manager
    Value: !Sub |
      aws secretsmanager get-secret-value --secret-id ${EventSubscriptionCredentials} --query SecretString --output text
```