Deployment Guide

Prerequisites

Before deploying the CloudFormation template, ensure you have:

  • AWS account with permissions to create IAM roles and CloudFormation stacks

  • AWS CLI installed and configured, or access to AWS Console

  • List of S3 bucket names that e6data needs to access

  • Required account IDs and External IDs will be provided by e6data

Note: External ID, e6data AWS Account ID, and VPC Endpoint ID will be provided directly by e6data.

Deployment Parameters

Parameter        Value                            Description
Stack name       <your-chosen-stack-name>         e.g., e6data-s3-access-prod
BucketNames      <comma-separated-bucket-names>   Your buckets, e.g., bucket1,bucket2. A value of * grants the role access to every bucket in the account; prefer an explicit list (see Security Best Practices below)
E6dataAccountId  <E6DATA_ACCOUNT_ID>              e6data AWS Account ID (pre-filled); this account becomes the trusted principal of the role
ExternalId       <EXTERNAL_ID>                    External ID enforced in the role trust policy (sts:ExternalId) so the role cannot be assumed by a confused deputy (pre-filled)
VPCEndpointId    <VPC_ENDPOINT_ID>                Your VPC Endpoint ID for S3 (pre-filled)

Parameter keys are case-sensitive: use E6dataAccountId exactly as spelled here and in the CLI examples.

Deployment Options

Option 1: AWS Console

  1. Access CloudFormation Console

    • Log in → CloudFormation → Create stack → With new resources (standard)

  2. Upload Template

    • Select Upload a template file → Choose your CloudFormation YAML → Next

  3. Configure Parameters

    • Stack name, BucketNames, E6dataAccountId, ExternalId, VPCEndpointId

    • Click Next

  4. Configure Options (Optional)

    • Add tags if needed

    • Leave other settings default → Next

  5. Review & Create

    • Acknowledge IAM resources creation

    • Click Submit

  6. Monitor Deployment

    • Wait for CREATE_COMPLETE status (2–5 minutes)

Option 2: AWS CLI

  1. Create Parameters File (parameters.json)

[
  { "ParameterKey": "BucketNames", "ParameterValue": "bucket1,bucket2,bucket3" },
  { "ParameterKey": "E6dataAccountId", "ParameterValue": "<E6DATA_ACCOUNT_ID>" },
  { "ParameterKey": "ExternalId", "ParameterValue": "<EXTERNAL_ID>" },
  { "ParameterKey": "VPCEndpointId", "ParameterValue": "<VPC_ENDPOINT_ID>" }
]

  2. Deploy Stack

aws cloudformation create-stack \
  --stack-name <stack-name> \
  --template-body file://<template-file>.yaml \
  --parameters file://parameters.json \
  --capabilities CAPABILITY_NAMED_IAM \
  --region <your-region>

  3. Monitor Deployment

aws cloudformation describe-stacks \
  --stack-name <stack-name> \
  --query 'Stacks[0].StackStatus'

Wait until CREATE_COMPLETE.
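The CLI steps above are easy to get subtly wrong: a mistyped E6dataAccountId trusts the wrong AWS account, and a BucketNames value of * grants far more than intended. The script below is an added example (not part of e6data's guide or template) that validates the four parameter values, writes parameters.json with the parameter keys this guide uses, and either prints or runs the create-stack command followed by a CloudFormation wait. The validation rules are AWS's published formats (S3 bucket naming, 12-digit account IDs, the character set IAM accepts for sts:ExternalId, vpce- endpoint IDs); the script name and the --deploy flag are hypothetical.

```python
"""Pre-flight validation and parameters.json generation for the e6data stack.

Added example, not e6data's code. Usage (hypothetical script name):
  python deploy_e6data.py <stack-name> <template.yaml> <region> \
      <bucket-names> <e6data-account-id> <external-id> <vpce-id> [--deploy]
Without --deploy it only writes parameters.json and prints the aws command.
"""
import json
import re
import subprocess
import sys

# S3 bucket names: 3-63 chars, lowercase letters, digits, dots and hyphens, starting and
# ending with a letter or digit, no "..", and not shaped like an IPv4 address.
BUCKET_NAME_RE = re.compile(r"^(?!\d+\.\d+\.\d+\.\d+$)[a-z0-9](?:[a-z0-9.-]{1,61}[a-z0-9])$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
EXTERNAL_ID_RE = re.compile(r"^[\w+=,.@:/-]{2,1224}$")   # character set IAM accepts for sts:ExternalId
VPCE_ID_RE = re.compile(r"^vpce-[0-9a-f]{8,17}$")


def validate_parameters(bucket_names, account_id, external_id, vpce_id):
    """Return (errors, warnings): errors block deployment, warnings need a conscious decision."""
    errors, warnings = [], []
    if bucket_names.strip() == "*":
        warnings.append("BucketNames is '*': the e6data role will be granted access to every bucket in the account")
    else:
        for name in bucket_names.split(","):
            name = name.strip()
            if not BUCKET_NAME_RE.match(name) or ".." in name:
                errors.append(f"invalid S3 bucket name: {name!r}")
    if not ACCOUNT_ID_RE.match(account_id):
        errors.append("E6dataAccountId must be exactly 12 digits; a wrong value trusts the wrong AWS account")
    if not EXTERNAL_ID_RE.match(external_id):
        errors.append("ExternalId is empty or contains characters IAM does not accept")
    if not VPCE_ID_RE.match(vpce_id):
        errors.append(f"VPCEndpointId does not look like a VPC endpoint ID: {vpce_id!r}")
    return errors, warnings


def build_parameters(bucket_names, account_id, external_id, vpce_id):
    """The list CloudFormation expects in parameters.json; keys are the template's parameter names."""
    values = {"BucketNames": bucket_names, "E6dataAccountId": account_id,
              "ExternalId": external_id, "VPCEndpointId": vpce_id}
    return [{"ParameterKey": key, "ParameterValue": value} for key, value in values.items()]


def create_stack_command(stack_name, template_file, region, parameters_file="parameters.json"):
    """argv for `aws cloudformation create-stack`, mirroring the CLI step in this guide."""
    return ["aws", "cloudformation", "create-stack",
            "--stack-name", stack_name,
            "--template-body", f"file://{template_file}",
            "--parameters", f"file://{parameters_file}",
            "--capabilities", "CAPABILITY_NAMED_IAM",
            "--region", region]


if __name__ == "__main__":
    if len(sys.argv) < 8:
        sys.exit(__doc__)
    stack_name, template_file, region, *values = sys.argv[1:8]
    errors, warnings = validate_parameters(*values)
    for warning in warnings:
        print("WARNING:", warning)
    for error in errors:
        print("ERROR:", error)
    if errors:
        sys.exit(1)
    with open("parameters.json", "w") as fh:
        json.dump(build_parameters(*values), fh, indent=2)
    command = create_stack_command(stack_name, template_file, region)
    if "--deploy" in sys.argv:
        subprocess.run(command, check=True)
        # Blocks until CREATE_COMPLETE (or fails on ROLLBACK), replacing manual describe-stacks polling.
        subprocess.run(["aws", "cloudformation", "wait", "stack-create-complete",
                        "--stack-name", stack_name, "--region", region], check=True)
    else:
        print("parameters.json written; run:", " ".join(command))
```

The warning for * is deliberate: the template accepts it, but it widens the grant to every bucket in the account, so the script makes you notice before the stack exists.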

Post-Deployment: Outputs

  • RoleArn: IAM role ARN (e.g., arn:aws:iam::<account-id>:role/...)

  • FailedBuckets: Buckets where policy application failed (should be empty)

Via CLI

aws cloudformation describe-stacks \
  --stack-name <stack-name> \
  --query 'Stacks[0].Outputs'

Info to Send to e6data

  • CloudFormation Stack Name

  • IAM Role ARN

  • AWS Region

Email Template Example:

Subject: e6data CloudFormation Stack Deployment Completed

Hi e6data Team,

We have successfully deployed the cross-account access CloudFormation stack.

Deployment Details:
- Stack Name: <your-stack-name>
- IAM Role ARN: <role-arn-from-outputs>
- AWS Region: <your-region>
- AWS Account ID: <your-account-id>

Please proceed with configuring access on your end.

Best regards,
[Your Name]

Verification

  1. Verify IAM Role

aws iam get-role --role-name e6data-cross-account-role-<stack-name>-<region>

  2. Verify Lambda Function

aws lambda list-functions --query 'Functions[?contains(FunctionName, `ManageBucketPolicies`)]'

  3. Check CloudWatch Logs

aws logs tail /aws/lambda/<lambda-function-name> --follow

  4. Verify S3 Bucket Policies

aws s3api get-bucket-policy --bucket <bucket-name> | jq .Policy | jq fromjson

In the returned policy, confirm that each Allow statement's Principal is the RoleArn from the stack outputs and that no statement uses Principal "*".
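Reading the role and bucket policies by eye is where mistakes slip through, so the following added example (not part of this guide or e6data's template) checks the two documents that matter for cross-account security: the role's trust policy must trust only the e6data account and require the agreed sts:ExternalId, and each bucket policy must grant access only to the deployed role. It assumes the standard AWS shape for those documents; whether the bucket policy carries an aws:sourceVpce condition is not stated in this guide, so that condition is only checked when present. The embedded sample documents are constructed stand-ins for real `aws iam get-role` and `aws s3api get-bucket-policy` output, and the account ID, External ID and role ARN in them are placeholders.

```python
"""Post-deployment checks for the e6data cross-account role trust policy and bucket policies.

Added example, not e6data's code. Usage (hypothetical script name):
  aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument > trust.json
  aws s3api get-bucket-policy --bucket <bucket-name> > bucket.json
  python check_policies.py trust.json bucket.json
With no arguments it runs against the constructed samples below.
"""
import json
import sys


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]


def _aws_principals(statement):
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []


def check_trust_policy(trust_policy, e6data_account_id, external_id):
    """Findings for the role trust policy; an empty list means it matches expectations.

    The role must be assumable only by the e6data account, and only when the caller
    presents the agreed sts:ExternalId (the confused-deputy mitigation)."""
    findings = []
    for statement in _allow_statements(trust_policy):
        actions = _as_list(statement.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for principal in _aws_principals(statement):
            if principal == "*":
                findings.append("AssumeRole is allowed for any AWS principal")
            elif principal != e6data_account_id and f":{e6data_account_id}:" not in principal:
                findings.append(f"unexpected trusted principal: {principal}")
        condition = statement.get("Condition", {}).get("StringEquals", {})
        expected = _as_list(condition.get("sts:ExternalId", []))
        if not expected:
            findings.append("AssumeRole statement has no sts:ExternalId condition")
        elif external_id not in expected:
            findings.append("sts:ExternalId does not match the value e6data provided")
    return findings


def check_bucket_policy(bucket_policy, role_arn, vpce_id):
    """Findings for a bucket policy: every Allow grant must name only the e6data role.

    aws:sourceVpce is an assumption about the template (see lead-in); it is only
    compared against your endpoint ID when a statement actually uses it."""
    findings = []
    for statement in _allow_statements(bucket_policy):
        for principal in _aws_principals(statement):
            if principal == "*":
                findings.append("bucket policy grants access to any principal")
            elif principal != role_arn:
                findings.append(f"bucket policy grants access to {principal}, not the e6data role")
        vpce = statement.get("Condition", {}).get("StringEquals", {}).get("aws:sourceVpce")
        if vpce is not None and vpce_id not in _as_list(vpce):
            findings.append(f"aws:sourceVpce restricts to {vpce}, expected {vpce_id}")
    return findings


def parse_bucket_policy_output(cli_output):
    """get-bucket-policy wraps the policy as a JSON string inside JSON; unwrap both layers."""
    return json.loads(json.loads(cli_output)["Policy"])


# Constructed samples (placeholders, not real e6data values or real CLI output).
E6DATA_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id"
ROLE_ARN = "arn:aws:iam::123456789012:role/e6data-cross-account-role-my-stack-us-east-1"
VPCE_ID = "vpce-0123456789abcdef0"

SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{E6DATA_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

SAMPLE_BUCKET_POLICY_CLI_OUTPUT = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*"],
        "Condition": {"StringEquals": {"aws:sourceVpce": VPCE_ID}},
    }],
})})

if __name__ == "__main__":
    trust = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TRUST_POLICY
    raw_bucket = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_BUCKET_POLICY_CLI_OUTPUT
    problems = (check_trust_policy(trust, E6DATA_ACCOUNT_ID, EXTERNAL_ID)
                + check_bucket_policy(parse_bucket_policy_output(raw_bucket), ROLE_ARN, VPCE_ID))
    print("\n".join(problems) or "OK: trust policy and bucket policy match expectations")
    sys.exit(1 if problems else 0)
```

Replace the placeholder constants with the values e6data gave you and the RoleArn from the stack outputs before running it against real documents; a non-empty finding list is a reason to hold the handover email until the stack is corrected.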

Troubleshooting

  • Insufficient permissions → Check IAM permissions for CloudFormation, Lambda, S3

  • FailedBuckets not empty → An existing bucket policy the Lambda could not merge with, the 20 KB bucket policy size limit, or buckets in a different region than the stack

  • Lambda timeout → Increase timeout or deploy in batches

  • VPC Endpoint issues → Verify endpoint is active

Updating the Stack

  • Via Console: CloudFormation → Select stack → Update → Modify BucketNames → Submit

  • Via CLI:

aws cloudformation update-stack \
  --stack-name <stack-name> \
  --use-previous-template \
  --parameters ParameterKey=BucketNames,ParameterValue="new-bucket1,new-bucket2" \
               ParameterKey=E6dataAccountId,UsePreviousValue=true \
               ParameterKey=ExternalId,UsePreviousValue=true \
               ParameterKey=VPCEndpointId,UsePreviousValue=true \
  --capabilities CAPABILITY_NAMED_IAM

Deleting the Stack

  • Removes IAM role, policies, Lambda, VPC endpoint policies

  • Does not delete your S3 buckets or data

Via Console: CloudFormation → Select stack → Delete

Via CLI:

aws cloudformation delete-stack --stack-name <stack-name>

Security Best Practices

  1. Monitor Role usage (CloudTrail, CloudWatch alarms)

  2. Regular audits of bucket access

  3. Keep the External ID confidential; rotating it means updating the ExternalId parameter on the stack and agreeing the new value with e6data, since their side must present it when assuming the role

  4. Grant access only to necessary buckets

Support

  • Template deployment → Check CloudFormation events & CloudWatch logs

  • e6data platform → Contact support with Stack Name and Role ARN

  • AWS services → Refer to AWS docs or AWS Support
