{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Content Sentinel: Creates a private S3 bucket and an IAM user whose policy grants read-only access to that bucket (s3:GetObject on its objects; s3:ListBucket and s3:GetBucketLocation on the bucket).",
  "Parameters": {
    "BucketName": {
      "Type": "String",
      "Description": "A globally unique name for your private S3 bucket (e.g., 'my-company-sentinel-files'). All lowercase, no spaces.",
      "MinLength": "3"
    }
  },
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": {
          "Ref": "BucketName"
        },
        "AccessControl": "Private",
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true
        },
        "CorsConfiguration": {
          "CorsRules": [
            {
              "AllowedHeaders": ["*"],
              "AllowedMethods": ["GET", "HEAD"],
              "AllowedOrigins": ["*"],
              "MaxAge": 3000
            }
          ]
        }
      }
    },
    "S3User": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "UserName": {
          "Fn::Sub": "ContentSentinelUser-${BucketName}"
        }
      }
    },
    "S3UserPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "ContentSentinelPolicy",
        "Users": [
          {
            "Ref": "S3User"
          }
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "s3:GetObject"
              ],
              "Resource": {
                "Fn::Sub": "arn:aws:s3:::${BucketName}/*"
              }
            },
            {
              "Effect": "Allow",
              "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
              ],
              "Resource": {
                "Fn::Sub": "arn:aws:s3:::${BucketName}"
              }
            }
          ]
        }
      }
    },
    "S3UserKeys": {
      "Type": "AWS::IAM::AccessKey",
      "Properties": {
        "UserName": {
          "Ref": "S3User"
        }
      }
    }
  },
  "Outputs": {
    "BucketName": {
      "Description": "S3 Bucket Name",
      "Value": {
        "Ref": "BucketName"
      }
    },
    "AccessKeyId": {
      "Description": "Access Key ID for the Content Sentinel user",
      "Value": {
        "Ref": "S3UserKeys"
      }
    },
    "SecretAccessKey": {
      "Description": "Secret Access Key for the Content Sentinel user. Because it is a stack output, it is readable by any principal allowed to describe this stack (cloudformation:DescribeStacks); copy it once into the plugin settings and rotate the access key if the output is ever exposed.",
      "Value": {
        "Fn::GetAtt": [
          "S3UserKeys",
          "SecretAccessKey"
        ]
      }
    },
    "Region": {
      "Description": "The AWS Region this stack was deployed in. Enter this in the plugin settings.",
      "Value": {
        "Ref": "AWS::Region"
      }
    }
  }
}

