Deployment Guide

Prerequisites

Before deploying the CloudFormation template, ensure you have:

  • AWS account with permissions to create IAM roles and CloudFormation stacks

  • AWS CLI installed and configured, or access to AWS Console

  • List of S3 bucket names that e6data needs to access

  • Required account IDs and External IDs, which e6data provides

Note: External ID, e6data AWS Account ID, and VPC Endpoint ID will be provided directly by e6data.

Deployment Parameters

| Parameter | Value | Description |
|---|---|---|
| Stack name | <your-chosen-stack-name> | e.g., e6data-s3-access-prod |
| BucketNames | <comma-separated-bucket-names> | List your buckets, e.g., bucket1,bucket2 or * for all buckets |
| e6dataAccountId | <E6DATA_ACCOUNT_ID> | e6data AWS Account ID (pre-filled) |
| ExternalId | <EXTERNAL_ID> | Security token for cross-account access (pre-filled) |
| VPCEndpointId | <VPC_ENDPOINT_ID> | Your VPC Endpoint ID for S3 (pre-filled) |

Deployment Options

Option 1: AWS Console

  1. Access CloudFormation Console

    • Log in → CloudFormation → Create stack → With new resources (standard)

  2. Upload Template

    • Select Upload a template file → Choose your CloudFormation YAML → Next

  3. Configure Parameters

    • Stack name, BucketNames, E6dataAccountId, ExternalId, VPCEndpointId

    • Click Next

  4. Configure Options (Optional)

    • Add tags if needed

    • Leave other settings default → Next

  5. Review & Create

    • Acknowledge IAM resources creation

    • Click Submit

  6. Monitor Deployment

    • Wait for CREATE_COMPLETE status (2–5 minutes)

Option 2: AWS CLI

  1. Create Parameters File (parameters.json)

  2. Deploy Stack

  3. Monitor Deployment

Wait until CREATE_COMPLETE.

Post-Deployment: Outputs

  • RoleArn: IAM role ARN (e.g., arn:aws:iam::<account-id>:role/...)

  • FailedBuckets: Buckets where policy application failed (should be empty)

Via CLI

Info to Send to e6data

  • CloudFormation Stack Name

  • IAM Role ARN

  • AWS Region

Email Template Example:

Verification

  1. Verify IAM Role

  2. Verify Lambda Function

  3. Check CloudWatch Logs

  4. Verify S3 Bucket Policies
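
A check to pair with the "Verify IAM Role" step, as an added example that is not e6data's own tooling: it audits the role's trust policy for the expected principal and External ID condition. It assumes the template creates a role assumed by the e6data account under an `sts:ExternalId` condition (the template is not shown on this page); the sample role, account ID and External ID are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws iam get-role` output. The account ID,
# role name and External ID are placeholders, not values issued by e6data.
SAMPLE_ROLE = json.loads("""
{"Role": {"RoleName": "example-e6data-role",
  "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}
  ]}}}
""")


def _as_list(value):
    """IAM JSON allows a single value or a list in most fields; normalise."""
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Return the account ID of an AWS principal (bare ID or IAM ARN), else None."""
    if len(principal) == 12 and principal.isdigit():
        return principal
    parts = principal.split(":")
    is_iam_arn = len(parts) >= 6 and parts[0] == "arn" and parts[2] == "iam"
    return parts[4] if is_iam_arn else None


def audit_trust_policy(role, expected_account, expected_external_id):
    """Return a list of findings; an empty list means the trust policy passed."""
    findings = []
    statements = _as_list(role["Role"]["AssumeRolePolicyDocument"]["Statement"])
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # "Principal": "*" trusts everyone
            principal = {"AWS": principal}
        for kind, values in principal.items():
            for p in _as_list(values):
                if kind != "AWS" or _account_of(p) != expected_account:
                    findings.append(f"statement {i}: unexpected principal {kind}={p}")
        # Condition keys are case-insensitive; only an exact-match operator counts.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, vs in equals.items() if k.lower() == "sts:externalid"
               for v in _as_list(vs)]
        if not ids:
            findings.append(f"statement {i}: no StringEquals sts:ExternalId condition")
        elif ids != [expected_external_id]:
            findings.append(f"statement {i}: ExternalId is not the issued value")
    return findings
```

Findings never echo the External ID itself, so the output is safe to paste into a ticket or the email to e6data.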

Troubleshooting

  • Insufficient permissions → Check IAM permissions for CloudFormation, Lambda, S3

  • FailedBuckets not empty → Bucket policy conflicts, size limits, or cross-region issues

  • Lambda timeout → Increase timeout or deploy in batches

  • VPC Endpoint issues → Verify endpoint is active

Updating the Stack

  • Via Console: CloudFormation → Select stack → Update → Modify BucketNames → Submit

  • Via CLI:

Deleting the Stack

  • Removes IAM role, policies, Lambda, VPC endpoint policies

  • Does not delete your S3 buckets or data

Via Console: CloudFormation → Select stack → Delete

Via CLI:

Security Best Practices

  1. Monitor Role usage (CloudTrail, CloudWatch alarms)

  2. Regular audits of bucket access

  3. Keep External ID secure; rotate periodically

  4. Grant access only to necessary buckets

Support

  • Template deployment → Check CloudFormation events & CloudWatch logs

  • e6data platform → Contact support with Stack Name and Role ARN

  • AWS services → Refer to AWS docs or AWS Support
