cross-account-bucket.yml
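AWSTemplateFormatVersion: '2010-09-09-OC'

# Include file that contains Organization Section.
# The Organization Section describes Accounts, Organizational Units, etc.
Organization: !Include ../organization.yml

# Any Binding that does not explicitly specify a region will default to this.
# Value can be either string or list
DefaultOrganizationBindingRegion: eu-central-1

Parameters:
  resourcePrefix:
    Type: String
    Default: my
  bucketName:
    Type: String

# Section contains a named set of Bindings.
# Bindings determine what resources are deployed where
# These bindings can be !Ref'd from the Resources in the resource section
OrganizationBindings:
  # Binding for: Bucket, BucketPolicy
  BucketAccountBinding:
    Account: !Ref SharedServicesAccount

  # Binding for: S3BucketReadAccessPolicy
  ReadAccessAccountBinding: # null = empty binding

  # Binding for: S3BucketWriteAccessPolicy
  WriteAccessAccountBinding: # null = empty binding

  # Binding for: S3BucketFullAccessPolicy
  FullAccessAccountBinding: # null = empty binding

# Each bucket policy / managed policy pair is only created when its binding
# has at least one target account, so an empty binding grants nothing.
Conditions:
  CreateReadBucketPolicy: !Not [ !Equals [ Fn::TargetCount ReadAccessAccountBinding, 0 ] ]
  CreateWriteBucketPolicy: !Not [ !Equals [ Fn::TargetCount WriteAccessAccountBinding, 0 ] ]
  CreateFullAccessBucketPolicy: !Not [ !Equals [ Fn::TargetCount FullAccessAccountBinding, 0 ] ]

Resources:
  # The bucket lives in the SharedServicesAccount; cross-account access is
  # granted by the resource (bucket) policies below and must additionally be
  # allowed on the identity side by the managed policies deployed into the
  # accessing accounts.
  Bucket:
    Type: AWS::S3::Bucket
    OrganizationBinding: !Ref BucketAccountBinding
    DeletionPolicy: Retain
    Properties:
      BucketName: !Sub '${bucketName}'
      AccessControl: Private
      # Block every form of public access; cross-account access is explicit
      # by account id via the bucket policies, never public.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  # Principal `arn:aws:iam::<account>:root` delegates to the IAM of the bound
  # account: any identity in that account that is itself allowed the action
  # may use this grant.
  BucketReadPolicy:
    Type: AWS::S3::BucketPolicy
    OrganizationBinding: !Ref BucketAccountBinding
    Condition: CreateReadBucketPolicy
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        # Quoted so YAML parsers do not turn the date into a timestamp.
        Version: '2012-10-17'
        Statement:
          - Sid: 'Read operations on bucket'
            Action:
              - s3:Get*
              - s3:List*
            Effect: Allow
            Resource:
              - !Sub '${Bucket.Arn}'
              - !Sub '${Bucket.Arn}/*'
            Principal:
              AWS: Fn::EnumTargetAccounts ReadAccessAccountBinding arn:aws:iam::${account}:root

  BucketWritePolicy:
    Type: AWS::S3::BucketPolicy
    OrganizationBinding: !Ref BucketAccountBinding
    Condition: CreateWriteBucketPolicy
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: 'Write operations on bucket'
            Action:
              - s3:Put*
            Effect: Allow
            Resource:
              - !Sub '${Bucket.Arn}'
              - !Sub '${Bucket.Arn}/*'
            Principal:
              AWS: Fn::EnumTargetAccounts WriteAccessAccountBinding arn:aws:iam::${account}:root

  # `s3:*` on the bucket ARN includes bucket-management actions (policy,
  # lifecycle, deletion), not just object access. Keep
  # FullAccessAccountBinding to accounts that genuinely need to administer
  # the bucket.
  BucketFullAccessPolicy:
    Type: AWS::S3::BucketPolicy
    OrganizationBinding: !Ref BucketAccountBinding
    Condition: CreateFullAccessBucketPolicy
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: 'Any operation on bucket'
            Action:
              - s3:*
            Effect: Allow
            Resource:
              - !Sub '${Bucket.Arn}'
              - !Sub '${Bucket.Arn}/*'
            Principal:
              AWS: Fn::EnumTargetAccounts FullAccessAccountBinding arn:aws:iam::${account}:root

  # Identity-side half of the grant, deployed into each accessing account.
  # Its actions mirror the matching bucket policy so neither side is wider
  # than the other.
  S3BucketReadAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    OrganizationBinding: !Ref ReadAccessAccountBinding
    Condition: CreateReadBucketPolicy
    Properties:
      ManagedPolicyName: !Sub '${resourcePrefix}-${bucketName}-read-policy'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:Get*
              - s3:List*
            Resource:
              - !Sub '${Bucket.Arn}'
              - !Sub '${Bucket.Arn}/*'

  S3BucketWriteAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    OrganizationBinding: !Ref WriteAccessAccountBinding
    Condition: CreateWriteBucketPolicy
    Properties:
      ManagedPolicyName: !Sub '${resourcePrefix}-${bucketName}-write-policy'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:Put*
            Resource:
              - !Sub '${Bucket.Arn}'
              - !Sub '${Bucket.Arn}/*'

  S3BucketFullAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    OrganizationBinding: !Ref FullAccessAccountBinding
    Condition: CreateFullAccessBucketPolicy
    Properties:
      ManagedPolicyName: !Sub '${resourcePrefix}-${bucketName}-fullaccess-policy'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:*
            Resource:
              - !Sub '${Bucket.Arn}'
              - !Sub '${Bucket.Arn}/*'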