vvondra/backup.json

## backup.json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "BackupBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "LifecycleConfiguration": {
          "Rules": [
            {
              "Id": "Move to Glacier",
              "Status": "Enabled",
              "ExpirationInDays": "160",
              "Transition": {
                "TransitionInDays": "3",
                "StorageClass": "Glacier"
              }
            }
          ]
        }
      }
    },
    "BackupBucketPolicy" : {
      "Type" : "AWS::S3::BucketPolicy",
      "Properties" : {
        "Bucket" : { "Ref" : "BackupBucket" },
        "PolicyDocument" : {
          "Version" : "2012-10-17",
          "Statement" : [ {
            "Sid" : "AllowUploadBackups",
            "Effect" : "Allow",
            "Principal" : { "AWS" : [ { "Fn::GetAtt" : [ "BackupUser", "Arn" ] } ] },
            "Action" : [
              "s3:AbortMultipartUpload",
              "s3:GetObjectAcl",
              "s3:GetObject",
              "s3:PutObjectAcl",
              "s3:PutObject"
            ],
            "Resource" : { "Fn::Join" : [ "", [
              "arn:aws:s3:::",
              { "Ref" : "BackupBucket" },
              "/*"
            ] ] }
          } ]
        }
      }
    },

    "BackupUser" : {
      "Type" : "AWS::IAM::User",
      "Properties" : {
        "Path" : "/"
      }
    },

    "BackupUserKey" : {
      "Type" : "AWS::IAM::AccessKey",
       "Properties": {
         "Status": "Active",
         "UserName": { "Ref" : "BackupUser" }
      }
    }
  },
  "Outputs": {
    "BucketName": {
      "Value": {
        "Ref": "BackupBucket"
      },
      "Description": "Name of the sample Amazon S3 bucket with a lifecycle configuration."
    },
    "BackupUserUserAccessKeyID" : {
      "Description" : "Backup user access key ID",
      "Value" : { "Ref" : "BackupUserKey" }
    },

    "BackupUserUserSecretAccessKey" : {
      "Description" : "Backup user secret access key",
      "Value" : {
        "Fn::GetAtt" : ["BackupUserKey", "SecretAccessKey"]
      }
    }
  }
}
	{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
	"BackupBucket": {
	"Type": "AWS::S3::Bucket",
	"Properties": {
	"LifecycleConfiguration": {
	"Rules": [
	{
	"Id": "Move to Glacier",
	"Status": "Enabled",
	"ExpirationInDays": "160",
	"Transition": {
	"TransitionInDays": "3",
	"StorageClass": "Glacier"
	}
	}
	]
	}
	}
	},
	"BackupBucketPolicy" : {
	"Type" : "AWS::S3::BucketPolicy",
	"Properties" : {
	"Bucket" : { "Ref" : "BackupBucket" },
	"PolicyDocument" : {
	"Version" : "2012-10-17",
	"Statement" : [ {
	"Sid" : "AllowUploadBackups",
	"Effect" : "Allow",
	"Principal" : { "AWS" : [ { "Fn::GetAtt" : [ "BackupUser", "Arn" ] } ] },
	"Action" : [
	"s3:AbortMultipartUpload",
	"s3:GetObjectAcl",
	"s3:GetObject",
	"s3:PutObjectAcl",
	"s3:PutObject"
	],
	"Resource" : { "Fn::Join" : [ "", [
	"arn:aws:s3:::",
	{ "Ref" : "BackupBucket" },
	"/*"
	] ] }
	} ]
	}
	}
	},

	"BackupUser" : {
	"Type" : "AWS::IAM::User",
	"Properties" : {
	"Path" : "/"
	}
	},

	"BackupUserKey" : {
	"Type" : "AWS::IAM::AccessKey",
	"Properties": {
	"Status": "Active",
	"UserName": { "Ref" : "BackupUser" }
	}
	}
	},
	"Outputs": {
	"BucketName": {
	"Value": {
	"Ref": "BackupBucket"
	},
	"Description": "Name of the sample Amazon S3 bucket with a lifecycle configuration."
	},
	"BackupUserUserAccessKeyID" : {
	"Description" : "Backup user access key ID",
	"Value" : { "Ref" : "BackupUserKey" }
	},

	"BackupUserUserSecretAccessKey" : {
	"Description" : "Backup user secret access key",
	"Value" : {
	"Fn::GetAtt" : ["BackupUserKey", "SecretAccessKey"]
	}
	}
	}
	}