templates/s3-bucket.yaml

AWSTemplateFormatVersion: 2010-09-09

Description: >-
  This S3 bucket will be used for development and production,
  and for storing partly or fully processed data

Parameters:

  BucketName:
    Type: String
    Description: Name of the bucket.
    Default: ''

  ConnectToSynapse:
    Type: String
    Description: Whether to grant Synapse read/write permissions on the bucket.
    AllowedValues:
      - "true"
      - "false"
    Default: "false"

Conditions:
  HasBucketName: !Not [!Equals [!Ref BucketName, ""]]
  ConnectToSynapse:
    !Equals [!Ref ConnectToSynapse, "true"]

Resources:
  Bucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Delete
    Properties:
      BucketName: !If [HasBucketName, !Ref BucketName, !Ref 'AWS::NoValue']
      AccessControl: Private
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      BucketEncryption:
        ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls : true
        BlockPublicPolicy : true
        IgnorePublicAcls : true
        RestrictPublicBuckets : true

  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AccountRead
            Effect: Allow
            Principal:
              AWS:
                - !Sub '${AWS::AccountId}'
                - 'arn:aws:sts::526515999252:assumed-role/AWSReservedSSO_S3ExternalCollab_40c062f682e7f3f5/phil.snyder@sagebase.org'
                - 'arn:aws:sts::526515999252:assumed-role/AWSReservedSSO_S3ExternalCollab_40c062f682e7f3f5/rixing.xu@sagebase.org'
            Action:
              - 's3:Get*'
              - 's3:List*'
            Resource:
              - !Sub 'arn:aws:s3:::${Bucket}'
              - !Sub 'arn:aws:s3:::${Bucket}/*'
          - !If
            - ConnectToSynapse
            - Sid: SynapseBucketAccess
              Effect: Allow
              Principal:
                AWS: '325565585839'
              Action:
                - 's3:ListBucket*'
                - 's3:GetBucketLocation'
              Resource: !Sub ${Bucket.Arn}
            - !Ref AWS::NoValue
          - !If
            - ConnectToSynapse
            - Sid: SynapseObjectAccess
              Effect: Allow
              Principal:
                AWS: '325565585839'
              Action:
                - 's3:*Object*'
                - 's3:*MultipartUpload*'
              Resource: !Sub ${Bucket.Arn}/*
            - !Ref AWS::NoValue
          - !If
            - ConnectToSynapse
            - Sid: RestrictAccessByRegion
              Effect: Deny
              NotAction:
                - 'iam:*'
                - 'support:*'
              Principal: '*'
              Resource: !Sub ${Bucket.Arn}/*
              Condition:
                StringNotEquals:
                  aws:RequestedRegion: 'us-east-1'
            - !Ref AWS::NoValue

Outputs:

  BucketName:
    Value: !Ref Bucket
    Export:
      Name: !Sub '${AWS::Region}-${AWS::StackName}-BucketName'

  BucketArn:
    Value: !GetAtt Bucket.Arn
    Export:
      Name: !Sub '${AWS::Region}-${AWS::StackName}-BucketArn'