
In Cloudformation, a nested template must supply an https:// URL to an S3 object. It appears s3:// URLs are not supported.

Stack Template Parameter

Is there any way for a nested stack to work with an S3 object that does not have a public read ACL, other than by using a pre-signed URL?

Note it also appears from this related question that pre-signed URLs were not a working option either at one point, but that problem has been fixed. However, the maximum 1-week expiration for pre-signed URLs remains objectionable as the nested stack's URL will likely need to be regenerated for future updates.

How can I specify a signed S3 URL as template in CloudFormation?

kbluck

1 Answer

The short answer is that a policy or ACL must be specified that allows "anonymous" web requests to GET the templates defining the nested stack.

However, I figured out a little hack that can prevent truly "public" access. It appears CloudFormation makes its HTTP GET from an IP address somewhere within 10.0.0.0/8. (At least in my case, I suppose YMMV since AWS doesn't actually guarantee this anywhere I've found.)

So, you can add a condition to your policy limiting access to that private range, which effectively blocks the Internet at large from reading your templates.

A suitable bucket policy looks like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::your-cloudformation-bucket-name/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "10.0.0.0/8"
                }
            }
        }
    ]
}
kbluck
  • This is an interesting answer. AWS does publish a list of IP addresses (CIDR) for AWS services. 10.0.0.0/8 is not on the list. You specified a private network CIDR. You must have something else set up that is allowing this access. https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html – John Hanley Jul 26 '18 at 04:15
  • > You must have something else set up that is allowing this access. No, I don't, no VPC endpoints or anything like that. This is a vanilla new account with no special setup. CloudFormation is not intended to reach out to the world at large and nested stacks won't cross regions, so I don't find it all that surprising that it would be a private CIDR; it has no reason to egress an internet gateway and therefore no reason to have a publicly routable source IP. – kbluck Jul 26 '18 at 22:08
  • You have me thinking on this one and I don't know the answer. Thank you for replying. – John Hanley Jul 26 '18 at 22:26
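The following is an added example, not code from the answer above or from AWS. It is a small offline evaluator for the subset of the bucket-policy language the posted policy uses (Allow statements, Principal "*", s3:GetObject, an IpAddress or NotIpAddress condition on aws:SourceIp), so you can check before deploying which source addresses a policy like this actually admits for anonymous GETs. The policy evaluation is deliberately simplified (no explicit Deny, NotAction, NotResource or other condition operators), the object key "nested/child.yaml" and the two request IPs are constructed sample values, and the bucket name is the placeholder from the answer.

```python
"""Offline check of which anonymous GetObject requests a bucket policy admits.

Added example, not from the original answer. Assumption: only the Allow /
Principal "*" / s3:GetObject / IpAddress subset of IAM is modelled; a real
policy evaluation has more rules (explicit Deny, NotAction, NotResource, ...).
"""
import fnmatch
import ipaddress
import json

# The bucket policy from the answer, with its placeholder bucket name kept.
BUCKET_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::your-cloudformation-bucket-name/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "10.0.0.0/8"
                }
            }
        }
    ]
}
""")

# Constructed object ARN for a nested-stack template inside that bucket.
TEMPLATE_ARN = "arn:aws:s3:::your-cloudformation-bucket-name/nested/child.yaml"


def as_list(value):
    """IAM accepts a single string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def ip_condition_matches(condition, source_ip):
    """True if the statement's IpAddress / NotIpAddress conditions admit source_ip.

    A statement with no IP condition matches every source address. Other
    condition operators are ignored here (assumption of this example).
    """
    addr = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            continue
        cidrs = [ipaddress.ip_network(c, strict=False)
                 for c in as_list(keys.get("aws:SourceIp", []))]
        in_any = any(addr in net for net in cidrs)
        if operator == "IpAddress" and not in_any:
            return False
        if operator == "NotIpAddress" and in_any:
            return False
    return True


def anonymous_get_allowed(policy, object_arn, source_ip):
    """True if an unauthenticated s3:GetObject on object_arn from source_ip is allowed."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Principal") != "*":
            continue
        # IAM Action and Resource patterns use '*' and '?' wildcards, as fnmatch does.
        if not any(fnmatch.fnmatchcase("s3:GetObject", a) for a in as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(object_arn, r) for r in as_list(stmt.get("Resource", []))):
            continue
        if ip_condition_matches(stmt.get("Condition", {}), source_ip):
            return True
    return False


if __name__ == "__main__":
    # Constructed requests: one from the private range the answer observed CloudFormation
    # using, one from a TEST-NET-3 documentation address standing in for the public Internet.
    for ip in ("10.12.34.56", "203.0.113.7"):
        verdict = "allowed" if anonymous_get_allowed(BUCKET_POLICY, TEMPLATE_ARN, ip) else "denied"
        print(f"{ip} -> {verdict}")
```

Running it shows the private-range request allowed and the public one denied, which is exactly the narrowing the answer describes. It also makes the caveat from the comments concrete: the only thing standing between the templates and the Internet at large is the assumption that CloudFormation's GET originates inside 10.0.0.0/8, which AWS does not document, so a change on AWS's side would silently turn "allowed from 10/8" into "nested stack creation fails" rather than into an exposure.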