---
# CloudFormation template: one S3 bucket with Object Lock enabled plus one
# dedicated IAM user and access key, intended as an immutable Veeam Capacity
# Tier repository. Read the OutputCredentialLocation parameter before deploying:
# by default the secret access key is written to the stack outputs.
AWSTemplateFormatVersion: "2010-09-09"
Description: Creates an S3 bucket and IAM user to be used with Veeam Capacity Tier. Object Lock is enabled on the S3 bucket - Immutability Enabled.
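Parameters:
  BucketName:
    Description: Bucket name. Bucket names must be globally unique.
    Type: String
    MinLength: 3
    MaxLength: 63
    # Lowercase letters, digits and hyphens; must start AND end with a letter or
    # digit (the previous pattern accepted a trailing hyphen, which S3 rejects
    # only at bucket creation, i.e. after the stack has started rolling out).
    # Dots are deliberately excluded so virtual-hosted-style HTTPS access works
    # without certificate-name problems. CloudFormation matches the whole value.
    AllowedPattern: '^[a-z0-9][a-z0-9\-]*[a-z0-9]$'
    ConstraintDescription: Refer to AWS S3 documentation for name requirements and character limits. https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html
  Username:
    Default: veeam-s3-user
    Description: IAM user name.
    Type: String
    MinLength: 1
    MaxLength: 64
    # Stricter than IAM's own rules (which also allow + = , . @ _); kept simple
    # so the name is safe to embed unquoted in ARNs and CLI commands.
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9\-]*'
    ConstraintDescription: Refer to AWS IAM documentation for name requirements and character limits. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
  # Where the generated secret access key ends up. "CloudFormation" puts it in
  # the stack outputs, which any principal with cloudformation:DescribeStacks can
  # read; "SecretsManager" stores it in a Secrets Manager secret (billed per
  # secret) and the outputs then carry only the secret's ARN.
  OutputCredentialLocation:
    Default: "CloudFormation"
    Description: "Location to output the IAM user credentials. Options: CloudFormation, SecretsManager. Additional costs associated with SecretsManager"
    Type: String
    AllowedValues:
      - CloudFormation
      - SecretsManager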
Conditions:
  # True when the operator chose Secrets Manager for the credential output;
  # gates the IAMSecretAccessKey resource and the two credential outputs.
  UseSecretsManager:
    Fn::Equals:
      - Ref: OutputCredentialLocation
      - SecretsManager
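Resources:
  # Backup repository bucket. Object Lock is set at creation time (changing it
  # later replaces the bucket) and implies S3 Versioning. No default retention
  # rule is configured on purpose: the IAM policy below grants
  # s3:PutObjectRetention, so the backup application is expected to set
  # retention per object — confirm this matches the intended Veeam immutability
  # settings before relying on it. Consider additionally attaching a bucket
  # policy that denies requests with aws:SecureTransport=false.
  VeeamS3Bucket:
    Type: AWS::S3::Bucket
    # A backup repository must outlive the stack: a DeleteStack or a replacement
    # caused by a property change must not remove it. Object-locked versions
    # could not be deleted anyway (the stack would end in DELETE_FAILED);
    # Retain makes the outcome explicit and leaves the data in place.
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BucketName: !Ref BucketName
      ObjectLockEnabled: true
      # Required by Object Lock and enabled implicitly with it; stated
      # explicitly so the requirement is visible and covered by drift detection.
      VersioningConfiguration:
        Status: Enabled
      # Server-side encryption with S3-managed keys. Switching to SSE-KMS would
      # also require kms:GenerateDataKey / kms:Decrypt on that key for IAMUser.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  # Dedicated, single-purpose IAM user whose key is stored on the backup server.
  # The grant is limited to this bucket so a leaked key exposes only this
  # repository. DeleteObject / DeleteObjectVersion are intentionally allowed so
  # the application can expire data once retention lapses; it is Object Lock,
  # not this policy, that stops a holder of the key from destroying retained
  # versions.
  IAMUser:
    Type: AWS::IAM::User
    DependsOn:
      - VeeamS3Bucket
    Properties:
      Path: /
      UserName: !Ref Username
      Policies:
        - PolicyName: veeam-s3-immutability-policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Bucket- and object-level operations, scoped to this bucket only.
              # s3:ListBucket is a bucket-level action and belongs here, not on
              # Resource "*" where it would allow listing any bucket in the
              # account that the bucket policy does not forbid.
              - Sid: RepositoryBucketAccess
                Effect: Allow
                Action:
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                  - s3:GetBucketLocation
                  - s3:GetBucketObjectLockConfiguration
                  - s3:GetBucketVersioning
                  - s3:GetObject
                  - s3:GetObjectLegalHold
                  - s3:GetObjectRetention
                  - s3:GetObjectVersion
                  - s3:ListBucket
                  - s3:ListBucketVersions
                  - s3:PutObject
                  - s3:PutObjectLegalHold
                  - s3:PutObjectRetention
                Resource:
                  - !Sub "arn:${AWS::Partition}:s3:::${BucketName}"
                  - !Sub "arn:${AWS::Partition}:s3:::${BucketName}/*"
              # s3:ListAllMyBuckets is account-level and only works with "*";
              # presumably needed so the bucket can be selected from a list when
              # the repository is registered. Nothing else is granted on "*".
              - Sid: EnumerateBuckets
                Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: "*"
  # Long-lived access key for IAMUser. To rotate it, replace this resource
  # (e.g. by adding/changing the Serial property); note that adding Serial to
  # an already-deployed stack replaces the key on the next update.
  IAMAccessKey:
    Type: AWS::IAM::AccessKey
    DependsOn:
      - IAMUser
    Properties:
      UserName: !Ref Username
  # Optional Secrets Manager copy of the credentials, created only when
  # OutputCredentialLocation is "SecretsManager" (Secrets Manager bills per
  # secret per month, hence opt-in). With this selected the stack outputs carry
  # only the secret's ARN rather than the key material.
  IAMSecretAccessKey:
    Type: AWS::SecretsManager::Secret
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Condition: UseSecretsManager
    Properties:
      # Fixed name: a second deployment of this template in the same account
      # and region with SecretsManager selected will collide on it.
      Name: VeeamS3AccessKey
      Description: Access key used by Veeam to access S3.
      SecretString: !Sub '{"AccessKey":"${IAMAccessKey}","SecretAccessKey":"${IAMAccessKey.SecretAccessKey}"}'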
Outputs:
  Region:
    Value: !Ref AWS::Region
    Description: AWS Region
  User:
    Value: !Ref IAMUser
    Description: Veeam S3 IAM user
  # Access key ID (not secret on its own). With SecretsManager selected this
  # output carries the secret's ARN instead.
  AccessKey:
    Value: !If
      - UseSecretsManager
      - !Sub "SecretKey stored in AWS Secrets Manager ${IAMSecretAccessKey}"
      - !Ref IAMAccessKey
    Description: Access key ID of new user
  # WARNING: with OutputCredentialLocation = CloudFormation the secret access
  # key itself is written here. Outputs cannot be marked NoEcho and are readable
  # by any principal with cloudformation:DescribeStacks on this stack, so treat
  # the stack as containing a secret — or select SecretsManager.
  SecretKey:
    Value: !If
      - UseSecretsManager
      - "SecretKey stored in AWS Secrets Manager"
      - !GetAtt IAMAccessKey.SecretAccessKey
    Description: Secret access key of new user
  VeeamS3Bucket:
    Value: !Ref VeeamS3Bucket
    Description: Veeam S3 bucket (object lock / immutability is enabled)