1 namespaces · 73 types
Define an S3 bucket.
bucket = AWSCDK::S3::Bucket.new(self, "MyFirstBucket")
Bucket constructs expose the following deploy-time attributes:
bucket_arn - the ARN of the bucket (i.e. arn:aws:s3:::amzn-s3-demo-bucket)bucket_name - the name of the bucket (i.e. amzn-s3-demo-bucket)bucket_website_url - the Website URL of the bucket (i.e.
http://amzn-s3-demo-bucket.s3-website-us-west-1.amazonaws.com)bucket_domain_name - the URL of the bucket (i.e. amzn-s3-demo-bucket.s3.amazonaws.com)bucket_dual_stack_domain_name - the dual-stack URL of the bucket (i.e.
amzn-s3-demo-bucket.s3.dualstack.eu-west-1.amazonaws.com)bucket_regional_domain_name - the regional URL of the bucket (i.e.
amzn-s3-demo-bucket.s3.eu-west-1.amazonaws.com)arn_for_objects(pattern) - the ARN of an object or objects within the bucket (i.e.
arn:aws:s3:::amzn-s3-demo-bucket/exampleobject.png or
arn:aws:s3:::amzn-s3-demo-bucket/Development/*)url_for_object(key) - the HTTP URL of an object within the bucket (i.e.
https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey)virtual_hosted_url_for_object(key) - the virtual-hosted style HTTP URL of an object
within the bucket (i.e. https://china-bucket-s3.cn-north-1.amazonaws.com.cn/mykey)s3_url_for_object(key) - the S3 URL of an object within the bucket (i.e.
s3://bucket/mykey)Define a KMS-encrypted bucket:
bucket = AWSCDK::S3::Bucket.new(self, "MyEncryptedBucket", {
encryption: AWSCDK::S3::BucketEncryption::KMS,
})
# you can access the encryption key:
assert(bucket.encryption_key.is_a?(AWSCDK::KMS::Key))
You can also supply your own key:
my_kms_key = AWSCDK::KMS::Key.new(self, "MyKey")
bucket = AWSCDK::S3::Bucket.new(self, "MyEncryptedBucket", {
encryption: AWSCDK::S3::BucketEncryption::KMS,
encryption_key: my_kms_key,
})
assert(bucket.encryption_key == my_kms_key)
Enable KMS-SSE encryption via S3 Bucket Keys:
bucket = AWSCDK::S3::Bucket.new(self, "MyEncryptedBucket", {
encryption: AWSCDK::S3::BucketEncryption::KMS,
bucket_key_enabled: true,
})
Use BucketEncryption.ManagedKms to use the S3 master KMS key:
bucket = AWSCDK::S3::Bucket.new(self, "Buck", {
encryption: AWSCDK::S3::BucketEncryption::KMS_MANAGED,
})
assert(bucket.encryption_key == nil)
Enable DSSE encryption:
const bucket = new s3.Bucket(stack, 'MyDSSEBucket', {
encryption: s3.BucketEncryption.DSSE_MANAGED,
bucketKeyEnabled: true,
});
Explicitly block uploads encrypted with SSE-C:
bucket = AWSCDK::S3::Bucket.new(self, "MySsecBlockedBucket", {
blocked_encryption_types: [AWSCDK::S3::BlockedEncryptionType.SSE_C],
})
Allow uploads with all encryption types:
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket", {
blocked_encryption_types: [AWSCDK::S3::BlockedEncryptionType.NONE],
})
A bucket policy will be automatically created for the bucket upon the first call to
add_to_resource_policy(statement):
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket")
result = bucket.add_to_resource_policy(
AWSCDK::IAM::PolicyStatement.new({
actions: ["s3:GetObject"],
resources: [bucket.arn_for_objects("file.txt")],
principals: [AWSCDK::IAM::AccountRootPrincipal.new],
}))
If you try to add a policy statement to an existing bucket, this method will not do anything:
bucket = AWSCDK::S3::Bucket.from_bucket_name(self, "existingBucket", "amzn-s3-demo-bucket")
# No policy statement will be added to the resource
result = bucket.add_to_resource_policy(
AWSCDK::IAM::PolicyStatement.new({
actions: ["s3:GetObject"],
resources: [bucket.arn_for_objects("file.txt")],
principals: [AWSCDK::IAM::AccountRootPrincipal.new],
}))
That's because it's not possible to tell whether the bucket already has a policy attached, let alone to re-use that policy to add more statements to it. We recommend that you always check the result of the call:
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket")
result = bucket.add_to_resource_policy(
AWSCDK::IAM::PolicyStatement.new({
actions: ["s3:GetObject"],
resources: [bucket.arn_for_objects("file.txt")],
principals: [AWSCDK::IAM::AccountRootPrincipal.new],
}))
if !result[:statement_added]
end
The bucket policy can be directly accessed after creation to add statements or adjust the removal policy.
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket")
bucket.policy&.apply_removal_policy(AWSCDK::RemovalPolicy::RETAIN)
Most of the time, you won't have to manipulate the bucket policy directly. Instead, buckets have "grant" methods called to give prepackaged sets of permissions to other resources. For example:
my_lambda = nil # AWSCDK::Lambda::Function
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket")
bucket.grant_read_write(my_lambda)
Will give the Lambda's execution role permissions to read and write from the bucket.
The S3 construct library provides several grant methods for IBucketRef instances, which can
be accessed via the BucketGrants class:
principal = nil # AWSCDK::IAM::IPrincipal
bucket = nil # AWSCDK::Interfaces::AWSS3::IBucketRef
AWSCDK::S3::BucketGrants.from_bucket(bucket).delete(principal)
If bucket is an instance of CfnBucket, and the grants process involves adding statements
to the bucket policy, then the BucketGrants class will, by default, do the same thing it
would do for an instance of Bucket: create a new bucket policy (or reuse an existing one)
and add the necessary statements to it.
But if you want to customize this behavior, you can register an instance of IResourcePolicyFactory
for the AWS::S3::Bucket CloudFormation type:
require 'aws-cdk-lib'
require 'constructs'
scope = nil # Constructs::Construct
class MyFactory
include AWSCDK::IAM::IResourcePolicyFactory
def for_resource(resource)
return {
env: resource.env,
def add_to_resource_policy(statement)
# custom implementation to add the statement to the resource policy
return {statement_added: true, policy_dependable: resource}
end,
}
end
end
AWSCDK::IAM::ResourceWithPolicies.register(scope, "AWS::S3::Bucket", MyFactory.new)
IResourcePolicyFactory is responsible for converting a construct into a IResourceWithPolicyV2,
effectively providing an ad-hoc way to extend the behavior of L1s to support grants the same way
as L2s do.
The BucketGrants class has many methods, but two of them have a special behavior. These two
accept an objects_key_pattern parameter to restrict granted permissions to specific resources:
readread_writeWhen examining the synthesized policy, you'll notice it includes both your specified object key
patterns and the bucket itself. This is by design. Some permissions (like s3:ListBucket) apply
at the bucket level, while others (like s3:GetObject) apply to specific objects.
Specifically, the s3:ListBucket action operates on bucket resources
and requires the bucket ARN to work properly. This might be seen as a bug, giving the impression that more permissions were granted than the ones you intended, but the reality is that the policy does not ignore your objects_key_pattern - object-specific actions like s3:GetObject
will still be limited to the resources defined in your pattern.
If you need to restrict the s3:ListBucket action to specific paths, you can add a Condition to your policy that limits the objects_key_pattern to specific folders. For more details and examples, see the AWS documentation on bucket policies.
You can enable ABAC (Attribute-Based Access Control) for an S3 general purpose bucket. When ABAC is enabled for the general purpose bucket, you can use tags to manage access to the general purpose buckets as well as for cost tracking purposes. When ABAC is disabled for the general purpose buckets, you can only use tags for cost tracking purposes.
To enable ABAC on a bucket:
bucket = AWSCDK::S3::Bucket.new(self, "Bucket", {
abac_status: true,
})
By default, if abac_status is not specified, ABAC will not be enabled for the bucket.
For more information about ABAC and how to use it with S3, see the AWS documentation on ABAC.
To require all requests use Secure Socket Layer (SSL):
bucket = AWSCDK::S3::Bucket.new(self, "Bucket", {
enforce_ssl: true,
})
To require a minimum TLS version for all requests:
bucket = AWSCDK::S3::Bucket.new(self, "Bucket", {
enforce_ssl: true,
minimum_tls_version: 1.2,
})
By default, CloudFormation assigns a unique bucket name. You can also specify a bucket_name directly, but this creates a globally unique name that could conflict with other accounts.
Using bucket_name_prefix with bucket_namespace set to ACCOUNT_REGIONAL, the bucket name is scoped to your account and region, reducing the risk of name conflicts. CloudFormation appends -<accountId>-<region>-an to the prefix to form the full name.
AWSCDK::S3::Bucket.new(self, "MyBucket", {
bucket_name_prefix: "my-app",
bucket_namespace: AWSCDK::S3::BucketNamespace::ACCOUNT_REGIONAL,
})
Note that bucket_name cannot be used together with bucket_name_prefix or bucket_namespace.
For more information, see the AWS documentation on bucket namespaces.
To use a bucket in a different stack in the same CDK application, pass the object to the other stack:
#
# Stack that defines the bucket
#
class Producer < AWSCDK::Stack
attr_reader :my_bucket
def initialize(scope, id, props = nil)
super(scope, id, props)
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket", {
removal_policy: AWSCDK::RemovalPolicy::DESTROY,
})
@my_bucket = bucket
end
end
#
# Stack that consumes the bucket
#
class Consumer < AWSCDK::Stack
def initialize(scope, id, props)
super(scope, id, props)
user = AWSCDK::IAM::User.new(self, "MyUser")
props[:user_bucket].grant_read_write(user)
end
end
app = AWSCDK::App.new
producer = Producer.new(app, "ProducerStack")
Consumer.new(app, "ConsumerStack", {user_bucket: producer.my_bucket})
To import an existing bucket into your CDK application, use the Bucket.fromBucketAttributes
factory method. This method accepts BucketAttributes which describes the properties of an already
existing bucket:
Note that this method allows importing buckets with legacy names containing uppercase letters (A-Z) or underscores (_), which were
permitted for buckets created before March 1, 2018. For buckets created after this date, uppercase letters and underscores
are not allowed in the bucket name.
my_lambda = nil # AWSCDK::Lambda::Function
bucket = AWSCDK::S3::Bucket.from_bucket_attributes(self, "ImportedBucket", {
bucket_arn: "arn:aws:s3:::amzn-s3-demo-bucket",
})
# now you can just call methods on the bucket
filter = {prefix: "home/myusername/*"}
bucket.add_event_notification(AWSCDK::S3::EventType::OBJECT_CREATED, AWSCDK::S3Notifications::LambdaDestination.new(my_lambda), filter)
Alternatively, short-hand factories are available as Bucket.fromBucketName and
Bucket.fromBucketArn, which will derive all bucket attributes from the bucket
name or ARN respectively:
by_name = AWSCDK::S3::Bucket.from_bucket_name(self, "BucketByName", "amzn-s3-demo-bucket")
by_arn = AWSCDK::S3::Bucket.from_bucket_arn(self, "BucketByArn", "arn:aws:s3:::amzn-s3-demo-bucket")
The bucket's region defaults to the current stack's region, but can also be explicitly set in cases where one of the bucket's regional properties needs to contain the correct values.
my_cross_region_bucket = AWSCDK::S3::Bucket.from_bucket_attributes(self, "CrossRegionImport", {
bucket_arn: "arn:aws:s3:::amzn-s3-demo-bucket",
region: "us-east-1",
})
The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket as described under S3 Bucket Notifications of the S3 Developer Guide.
To subscribe for bucket notifications, use the bucket.addEventNotification method. The
bucket.addObjectCreatedNotification and bucket.addObjectRemovedNotification can also be used for
these common use cases.
The following example will subscribe an SNS topic to be notified of all s3:ObjectCreated:* events:
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket")
topic = AWSCDK::SNS::Topic.new(self, "MyTopic")
bucket.add_event_notification(AWSCDK::S3::EventType::OBJECT_CREATED, AWSCDK::S3Notifications::SNSDestination.new(topic))
This call will also ensure that the topic policy can accept notifications for this specific bucket.
Supported S3 notification targets are exposed by the aws-cdk-lib/aws-s3-notifications package.
It is also possible to specify S3 object key filters when subscribing. The
following example will notify my_queue when objects prefixed with foo/ and
have the .jpg suffix are removed from the bucket.
my_queue = nil # AWSCDK::SQS::Queue
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket")
bucket.add_event_notification(AWSCDK::S3::EventType::OBJECT_REMOVED, AWSCDK::S3Notifications::SQSDestination.new(my_queue), {
prefix: "foo/",
suffix: ".jpg",
})
Adding notifications on existing buckets:
topic = nil # AWSCDK::SNS::Topic
bucket = AWSCDK::S3::Bucket.from_bucket_attributes(self, "ImportedBucket", {
bucket_arn: "arn:aws:s3:::amzn-s3-demo-bucket",
})
bucket.add_event_notification(AWSCDK::S3::EventType::OBJECT_CREATED, AWSCDK::S3Notifications::SNSDestination.new(topic))
If you do not want for S3 to validate permissions of Amazon SQS, Amazon SNS, and Lambda destinations you can use the notifications_skip_destination_validation flag:
my_queue = nil # AWSCDK::SQS::Queue
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket", {
notifications_skip_destination_validation: true,
})
bucket.add_event_notification(AWSCDK::S3::EventType::OBJECT_REMOVED, AWSCDK::S3Notifications::SQSDestination.new(my_queue))
When you add an event notification to a bucket, a custom resource is created to
manage the notifications. By default, a new role is created for the Lambda
function that implements this feature. If you want to use your own role instead,
you should provide it in the Bucket constructor:
my_role = nil # AWSCDK::IAM::IRole
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket", {
notifications_handler_role: my_role,
})
Whatever role you provide, the CDK will try to modify it by adding the
permissions from AWSLambdaBasicExecutionRole (an AWS managed policy) as well
as the permissions s3:PutBucketNotification and s3:GetBucketNotification.
If you’re passing an imported role, and you don’t want this to happen, configure
it to be immutable:
imported_role = AWSCDK::IAM::Role.from_role_arn(self, "role", "arn:aws:iam::123456789012:role/RoleName", {
mutable: false,
})
If you provide an imported immutable role, make sure that it has at least all the permissions mentioned above. Otherwise, the deployment will fail!
Amazon S3 can send events to Amazon EventBridge whenever certain events happen in your bucket. Unlike other destinations, you don't need to select which event types you want to deliver.
The following example will enable EventBridge notifications:
bucket = AWSCDK::S3::Bucket.new(self, "MyEventBridgeBucket", {
event_bridge_enabled: true,
})
Use block_public_access to specify block public access settings on the bucket.
Enable all block public access settings:
bucket = AWSCDK::S3::Bucket.new(self, "MyBlockedBucket", {
block_public_access: AWSCDK::S3::BlockPublicAccess.BLOCK_ALL,
})
Block and ignore public ACLs (other options remain unblocked):
bucket = AWSCDK::S3::Bucket.new(self, "MyBlockedBucket", {
block_public_access: AWSCDK::S3::BlockPublicAccess.BLOCK_ACLS_ONLY,
})
Alternatively, specify the settings manually (unspecified options will remain blocked):
bucket = AWSCDK::S3::Bucket.new(self, "MyBlockedBucket", {
block_public_access: AWSCDK::S3::BlockPublicAccess.new({block_public_policy: false}),
})
When block_public_policy is set to true, grant_public_read() throws an error.
Use public_read_access to allow public read access to the bucket.
Note that to enable public_read_access, make sure both bucket-level and account-level block public access control is disabled.
Bucket-level block public access control can be configured through block_public_access property. Account-level block public
access control can be configured on AWS Console -> S3 -> Block Public Access settings for this account (Navigation Panel).
bucket = AWSCDK::S3::Bucket.new(self, "Bucket", {
public_read_access: true,
block_public_access: {
block_public_policy: false,
block_public_acls: false,
ignore_public_acls: false,
restrict_public_buckets: false,
},
})
Use server_access_logs_bucket to describe where server access logs are to be stored.
access_logs_bucket = AWSCDK::S3::Bucket.new(self, "AccessLogsBucket")
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket", {
server_access_logs_bucket: access_logs_bucket,
})
It's also possible to specify a prefix for Amazon S3 to assign to all log object keys.
access_logs_bucket = AWSCDK::S3::Bucket.new(self, "AccessLogsBucket")
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket", {
server_access_logs_bucket: access_logs_bucket,
server_access_logs_prefix: "logs",
})
You have two options for the log object key format.
Non-date-based partitioning is the default log object key format and appears as follows:
[DestinationPrefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]
access_logs_bucket = AWSCDK::S3::Bucket.new(self, "AccessLogsBucket")
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket", {
server_access_logs_bucket: access_logs_bucket,
server_access_logs_prefix: "logs",
# You can use a simple prefix with `TargetObjectKeyFormat.simplePrefix()`, but it is the same even if you do not specify `targetObjectKeyFormat` property.
target_object_key_format: AWSCDK::S3::TargetObjectKeyFormat.simple_prefix,
})
Another option is Date-based partitioning.
If you choose this format, you can select either the event time or the delivery time of the log file as the date source used in the log format.
This format appears as follows:
[DestinationPrefix][SourceAccountId]/[SourceRegion]/[SourceBucket]/[YYYY]/[MM]/[DD]/[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]
access_logs_bucket = AWSCDK::S3::Bucket.new(self, "AccessLogsBucket")
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket", {
server_access_logs_bucket: access_logs_bucket,
server_access_logs_prefix: "logs",
target_object_key_format: AWSCDK::S3::TargetObjectKeyFormat.partitioned_prefix(AWSCDK::S3::PartitionDateSource::EVENT_TIME),
})
When possible, it is recommended to use a bucket policy to grant access instead of
using ACLs. When the @aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy feature flag
is enabled, this is done by default for server access logs. If S3 Server Access Logs
are the only logs delivered to your bucket (or if all other services logging to the
bucket support using bucket policy instead of ACLs), you can set object ownership
to bucket owner enforced, as is recommended.
access_logs_bucket = AWSCDK::S3::Bucket.new(self, "AccessLogsBucket", {
object_ownership: AWSCDK::S3::ObjectOwnership::BUCKET_OWNER_ENFORCED,
})
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket", {
server_access_logs_bucket: access_logs_bucket,
server_access_logs_prefix: "logs",
})
The above code will create a new bucket policy if none exists or update the existing bucket policy to allow access log delivery.
However, there could be an edge case if the access_logs_bucket also defines a bucket
policy resource using the L1 Construct. Although the mixing of L1 and L2 Constructs is not
recommended, there are no mechanisms in place to prevent users from doing this at the moment.
bucket_name = "amzn-s3-demo-bucket"
access_logs_bucket = AWSCDK::S3::Bucket.new(self, "AccessLogsBucket", {
object_ownership: AWSCDK::S3::ObjectOwnership::BUCKET_OWNER_ENFORCED,
bucket_name: bucket_name,
})
# Creating a bucket policy using L1
bucket_policy = AWSCDK::S3::CfnBucketPolicy.new(self, "BucketPolicy", {
bucket: bucket_name,
policy_document: {
Statement: [
{
Action: "s3:*",
Effect: "Deny",
Principal: {
AWS: "*",
},
Resource: [
access_logs_bucket.bucket_arn,
"#{access_logs_bucket.bucket_arn}/*",
],
},
],
Version: "2012-10-17",
},
})
# 'serverAccessLogsBucket' will create a new L2 bucket policy
# to allow log delivery and overwrite the L1 bucket policy.
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket", {
server_access_logs_bucket: access_logs_bucket,
server_access_logs_prefix: "logs",
})
The above example uses the L2 Bucket Construct with the L1 CfnBucketPolicy Construct. However,
when server_access_logs_bucket is set, a new L2 Bucket Policy resource will be created
which overwrites the permissions defined in the L1 Bucket Policy causing unintended
behaviours.
As noted above, we highly discourage the mixed usage of L1 and L2 Constructs. The recommended
approach would to define the bucket policy using add_to_resource_policy method.
access_logs_bucket = AWSCDK::S3::Bucket.new(self, "AccessLogsBucket", {
object_ownership: AWSCDK::S3::ObjectOwnership::BUCKET_OWNER_ENFORCED,
})
access_logs_bucket.add_to_resource_policy(
AWSCDK::IAM::PolicyStatement.new({
actions: ["s3:*"],
resources: [access_logs_bucket.bucket_arn, access_logs_bucket.arn_for_objects("*")],
principals: [AWSCDK::IAM::AnyPrincipal.new],
}))
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket", {
server_access_logs_bucket: access_logs_bucket,
server_access_logs_prefix: "logs",
})
Alternatively, users can use the L2 Bucket Policy Construct
BucketPolicy.fromCfnBucketPolicy to wrap around CfnBucketPolicy Construct. This will allow the subsequent bucket policy generated by server_access_logs_bucket usage to append to the existing bucket policy instead of overwriting.
bucket_name = "amzn-s3-demo-bucket"
access_logs_bucket = AWSCDK::S3::Bucket.new(self, "AccessLogsBucket", {
object_ownership: AWSCDK::S3::ObjectOwnership::BUCKET_OWNER_ENFORCED,
bucket_name: bucket_name,
})
bucket_policy = AWSCDK::S3::CfnBucketPolicy.new(self, "BucketPolicy", {
bucket: bucket_name,
policy_document: {
Statement: [
{
Action: "s3:*",
Effect: "Deny",
Principal: {
AWS: "*",
},
Resource: [
access_logs_bucket.bucket_arn,
"#{access_logs_bucket.bucket_arn}/*",
],
},
],
Version: "2012-10-17",
},
})
# Wrap L1 Construct with L2 Bucket Policy Construct. Subsequent
# generated bucket policy to allow access log delivery would append
# to the current policy.
AWSCDK::S3::BucketPolicy.from_cfn_bucket_policy(bucket_policy)
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket", {
server_access_logs_bucket: access_logs_bucket,
server_access_logs_prefix: "logs",
})
An inventory contains a list of the objects in the source bucket and metadata for each object. The inventory lists are stored in the destination bucket as a CSV file compressed with GZIP, as an Apache optimized row columnar (ORC) file compressed with ZLIB, or as an Apache Parquet (Parquet) file compressed with Snappy.
You can configure multiple inventory lists for a bucket. You can configure what object metadata to include in the inventory, whether to list all object versions or only current versions, where to store the inventory list file output, and whether to generate the inventory on a daily or weekly basis.
inventory_bucket = AWSCDK::S3::Bucket.new(self, "InventoryBucket")
data_bucket = AWSCDK::S3::Bucket.new(self, "DataBucket", {
inventories: [
{
frequency: AWSCDK::S3::InventoryFrequency::DAILY,
include_object_versions: AWSCDK::S3::InventoryObjectVersion::CURRENT,
destination: {
bucket: inventory_bucket,
},
},
{
frequency: AWSCDK::S3::InventoryFrequency::WEEKLY,
include_object_versions: AWSCDK::S3::InventoryObjectVersion::ALL,
destination: {
bucket: inventory_bucket,
prefix: "with-all-versions",
},
},
],
})
If the destination bucket is created as part of the same CDK application, the necessary permissions will be automatically added to the bucket policy.
However, if you use an imported bucket (i.e Bucket.fromXXX()), you'll have to make sure it contains the following policy document:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "InventoryAndAnalyticsExamplePolicy",
"Effect": "Allow",
"Principal": { "Service": "s3.amazonaws.com" },
"Action": "s3:PutObject",
"Resource": ["arn:aws:s3:::amzn-s3-demo-destination-bucket/*"]
}
]
}
You can use the two following properties to specify the bucket redirection policy. Please note that these methods cannot both be applied to the same bucket.
You can statically redirect a to a given Bucket URL or any other host name with website_redirect:
bucket = AWSCDK::S3::Bucket.new(self, "MyRedirectedBucket", {
website_redirect: {host_name: "www.example.com"},
})
Alternatively, you can also define multiple website_routing_rules, to define complex, conditional redirections:
bucket = AWSCDK::S3::Bucket.new(self, "MyRedirectedBucket", {
website_routing_rules: [
{
host_name: "www.example.com",
http_redirect_code: "302",
protocol: AWSCDK::S3::RedirectProtocol::HTTPS,
replace_key: AWSCDK::S3::ReplaceKey.prefix_with("test/"),
condition: {
http_error_code_returned_equals: "200",
key_prefix_equals: "prefix",
},
},
],
})
To put files into a bucket as part of a deployment (for example, to host a
website), see the aws-cdk-lib/aws-s3-deployment package, which provides a
resource that can do just that.
S3 provides two types of URLs for accessing objects via HTTP(S). Path-Style and Virtual Hosted-Style URL. Path-Style is a classic way and will be deprecated. We recommend to use Virtual Hosted-Style URL for newly made bucket.
You can generate both of them.
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket")
bucket.url_for_object("objectname") # Path-Style URL
bucket.virtual_hosted_url_for_object("objectname") # Virtual Hosted-Style URL
bucket.virtual_hosted_url_for_object("objectname", {regional: false})
You can use one of following properties to specify the bucket object Ownership.
The Uploading account will own the object.
AWSCDK::S3::Bucket.new(self, "MyBucket", {
object_ownership: AWSCDK::S3::ObjectOwnership::OBJECT_WRITER,
})
The bucket owner will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. Without this setting and canned ACL, the object is uploaded and remains owned by the uploading account.
AWSCDK::S3::Bucket.new(self, "MyBucket", {
object_ownership: AWSCDK::S3::ObjectOwnership::BUCKET_OWNER_PREFERRED,
})
ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. ACLs no longer affect permissions to data in the S3 bucket. The bucket uses policies to define access control.
AWSCDK::S3::Bucket.new(self, "MyBucket", {
object_ownership: AWSCDK::S3::ObjectOwnership::BUCKET_OWNER_ENFORCED,
})
Some services may not not support log delivery to buckets that have object ownership set to bucket owner enforced, such as S3 buckets using ACLs or CloudFront Distributions.
When a bucket is removed from a stack (or the stack is deleted), the S3
bucket will be removed according to its removal policy (which by default will
simply orphan the bucket and leave it in your AWS account). If the removal
policy is set to RemovalPolicy.DESTROY, the bucket will be deleted as long
as it does not contain any objects.
To override this and force all objects to get deleted during bucket deletion,
enable theauto_delete_objects option.
When auto_delete_objects is enabled, s3:PutBucketPolicy is added to the bucket policy. This is done to allow the custom resource this feature is built on to add a deny policy for s3:PutObject to the bucket policy when a delete stack event occurs. Adding this deny policy prevents new objects from being written to the bucket. Doing this prevents race conditions with external bucket writers during the deletion process.
bucket = AWSCDK::S3::Bucket.new(self, "MyTempFileBucket", {
removal_policy: AWSCDK::RemovalPolicy::DESTROY,
auto_delete_objects: true,
})
Warning if you have deployed a bucket with autoDeleteObjects: true,
switching this to false in a CDK version before 1.126.0 will lead to
all objects in the bucket being deleted. Be sure to update your bucket resources
by deploying with CDK version 1.126.0 or later before switching this value to false.
Transfer Acceleration can be configured to enable fast, easy, and secure transfers of files over long distances:
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket", {
transfer_acceleration: true,
})
To access the bucket that is enabled for Transfer Acceleration, you must use a special endpoint. The URL can be generated using method transfer_acceleration_url_for_object:
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket", {
transfer_acceleration: true,
})
bucket.transfer_acceleration_url_for_object("objectname")
Intelligent Tiering can be configured to automatically move files to glacier:
AWSCDK::S3::Bucket.new(self, "MyBucket", {
intelligent_tiering_configurations: [
{
name: "foo",
prefix: "folder/name",
archive_access_tier_time: AWSCDK::Duration.days(90),
deep_archive_access_tier_time: AWSCDK::Duration.days(180),
tags: [{key: "tagname", value: "tagvalue"}],
},
],
})
Managing lifecycle can be configured transition or expiration actions.
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket", {
lifecycle_rules: [
{
abort_incomplete_multipart_upload_after: AWSCDK::Duration.minutes(30),
enabled: false,
expiration: AWSCDK::Duration.days(30),
expiration_date: Date.new,
expired_object_delete_marker: false,
id: "id",
noncurrent_version_expiration: AWSCDK::Duration.days(30),
# the properties below are optional
noncurrent_versions_to_retain: 123,
noncurrent_version_transitions: [
{
storage_class: AWSCDK::S3::StorageClass.GLACIER,
transition_after: AWSCDK::Duration.days(30),
# the properties below are optional
noncurrent_versions_to_retain: 123,
},
],
object_size_greater_than: 500,
prefix: "prefix",
object_size_less_than: 10000,
transitions: [
{
storage_class: AWSCDK::S3::StorageClass.GLACIER,
# exactly one of transitionAfter or transitionDate must be specified
transition_after: AWSCDK::Duration.days(30),
},
],
},
],
})
To indicate which default minimum object size behavior is applied to the lifecycle configuration, use the
transition_default_minimum_object_size property.
The default value of the property before September 2024 is TransitionDefaultMinimumObjectSize.VARIES_BY_STORAGE_CLASS
that allows objects smaller than 128 KB to be transitioned only to the S3 Glacier and S3 Glacier Deep Archive storage classes,
otherwise TransitionDefaultMinimumObjectSize.ALL_STORAGE_CLASSES_128_K that prevents objects smaller than 128 KB from being
transitioned to any storage class.
To customize the minimum object size for any transition you
can add a filter that specifies a custom object_size_greater_than or object_size_less_than for lifecycle_rules
property. Custom filters always take precedence over the default transition behavior.
AWSCDK::S3::Bucket.new(self, "MyBucket", {
transition_default_minimum_object_size: AWSCDK::S3::TransitionDefaultMinimumObjectSize::VARIES_BY_STORAGE_CLASS,
lifecycle_rules: [
{
transitions: [
{
storage_class: AWSCDK::S3::StorageClass.DEEP_ARCHIVE,
transition_after: AWSCDK::Duration.days(30),
},
],
},
{
object_size_less_than: 300000,
object_size_greater_than: 200000,
transitions: [
{
storage_class: AWSCDK::S3::StorageClass.ONE_ZONE_INFREQUENT_ACCESS,
transition_after: AWSCDK::Duration.days(30),
},
],
},
],
})
Object Lock can be configured to enable a write-once-read-many model for an S3 bucket. Object Lock must be configured when a bucket is created; if a bucket is created without Object Lock, it cannot be enabled later via the CDK.
Object Lock can be enabled on an S3 bucket by specifying:
bucket = AWSCDK::S3::Bucket.new(self, "MyBucket", {
object_lock_enabled: true,
})
Usually, it is desired to not just enable Object Lock for a bucket but to also configure a
retention mode
and a retention period.
These can be specified by providing object_lock_default_retention:
# Configure for governance mode with a duration of 7 years
AWSCDK::S3::Bucket.new(self, "Bucket1", {
object_lock_default_retention: AWSCDK::S3::ObjectLockRetention.governance(AWSCDK::Duration.days(7 * 365)),
})
# Configure for compliance mode with a duration of 1 year
AWSCDK::S3::Bucket.new(self, "Bucket2", {
object_lock_default_retention: AWSCDK::S3::ObjectLockRetention.compliance(AWSCDK::Duration.days(365)),
})
You can use replicating objects to enable automatic, asynchronous copying of objects across Amazon S3 buckets. Buckets that are configured for object replication can be owned by the same AWS account or by different accounts. You can replicate objects to a single destination bucket or to multiple destination buckets. The destination buckets can be in different AWS Regions or within the same Region as the source bucket.
To replicate objects to a destination bucket, you can specify the replication_rules property:
destination_bucket1 = nil # AWSCDK::S3::IBucket
destination_bucket2 = nil # AWSCDK::S3::IBucket
replication_role = nil # AWSCDK::IAM::IRole
encryption_key = nil # AWSCDK::KMS::IKey
destination_encryption_key = nil # AWSCDK::KMS::IKey
source_bucket = AWSCDK::S3::Bucket.new(self, "SourceBucket", {
# Versioning must be enabled on both the source and destination bucket
versioned: true,
encryption_key: encryption_key,
replication_role: replication_role,
replication_rules: [
{
# The destination bucket for the replication rule.
destination: destination_bucket1,
# The priority of the rule.
# Amazon S3 will attempt to replicate objects according to all replication rules.
# However, if there are two or more rules with the same destination bucket, then objects will be replicated according to the rule with the highest priority.
# The higher the number, the higher the priority.
# It is essential to specify priority explicitly when the replication configuration has multiple rules.
priority: 1,
},
{
destination: destination_bucket2,
priority: 2,
# Whether to specify S3 Replication Time Control (S3 RTC).
# S3 RTC replicates most objects that you upload to Amazon S3 in seconds,
# and 99.99 percent of those objects within specified time.
replication_time_control: AWSCDK::S3::ReplicationTimeValue.FIFTEEN_MINUTES,
# Whether to enable replication metrics about S3 RTC.
# If set, metrics will be output to indicate whether replication by S3 RTC took longer than the configured time.
metrics: AWSCDK::S3::ReplicationTimeValue.FIFTEEN_MINUTES,
# The kms key to use for the destination bucket.
kms_key: destination_encryption_key,
# The storage class to use for the destination bucket.
storage_class: AWSCDK::S3::StorageClass.INFREQUENT_ACCESS,
# Whether to replicate objects with SSE-KMS encryption.
sse_kms_encrypted_objects: false,
# Whether to replicate modifications on replicas.
replica_modifications: true,
# Whether to replicate delete markers.
# This property cannot be enabled if the replication rule has a tag filter.
delete_marker_replication: false,
# The ID of the rule.
id: "full-settings-rule",
# The object filter for the rule.
filter: {
# The prefix filter for the rule.
prefix: "prefix",
# The tag filter for the rule.
tags: [
{
key: "tagKey",
value: "tagValue",
},
],
},
},
],
})
# Grant permissions to the replication role.
# This method is not required if you choose to use an auto-generated replication role or manually grant permissions.
source_bucket.(replication_role, {
# Optional. Specify the KMS key to use for decrypting objects in the source bucket.
source_decryption_key: encryption_key,
destinations: [
{bucket: destination_bucket1},
{bucket: destination_bucket2, encryption_key: destination_encryption_key},
],
})
You can also set a destination bucket from a different account as the replication destination.
In this case, the bucket policy for the destination bucket is required, to configure it through CDK use add_replication_policy() method to add bucket policy on destination bucket.
In a cross-account scenario, where the source and destination buckets are owned by different AWS accounts, you can use a KMS key to encrypt object replicas. However, the KMS key owner must grant the source bucket owner permission to use the KMS key.
For more information, please refer to https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html .
NOTE: AWS managed keys don't allow cross-account use, and therefore can't be used to perform cross-account replication.
If you need to override the bucket ownership to destination account pass the account value to the method to provide permissions to override bucket owner.
addReplicationPolicy(bucket.replicationRoleArn, true, '11111111111');
However, if the destination bucket is a referenced bucket, CDK cannot set the bucket policy, so you will need to configure the necessary bucket policy separately.
# The destination bucket in a different account.
destination_bucket = nil # AWSCDK::S3::IBucket
replication_role = nil # AWSCDK::IAM::IRole
source_bucket = AWSCDK::S3::Bucket.new(self, "SourceBucket", {
versioned: true,
replication_role: replication_role,
replication_rules: [
{
destination: destination_bucket,
priority: 1,
# Whether to want to change replica ownership to the AWS account that owns the destination bucket.
# The replicas are owned by same AWS account that owns the source object by default.
access_control_transition: true,
},
],
})
# Add permissions to the destination after replication role is created
if source_bucket.replication_role_arn
destination_bucket.add_replication_policy(source_bucket.replication_role_arn, true, "111111111111")
end
S3 provides several mixins that can be applied to L1 and L2 constructs.
Automatically deletes all objects from a bucket when the bucket is removed from the stack or when the stack is deleted. Requires the bucket's removal policy to be set to DESTROY:
AWSCDK::S3::CfnBucket.new(self, "Bucket").with(AWSCDK::S3::Mixins::BucketAutoDeleteObjects.new)
Enables or suspends versioning on an S3 bucket:
AWSCDK::S3::CfnBucket.new(self, "Bucket").with(AWSCDK::S3::Mixins::BucketVersioning.new)
Blocks public access on an S3 bucket. Defaults to blocking all public access:
AWSCDK::S3::CfnBucket.new(self, "Bucket").with(AWSCDK::S3::Mixins::BucketBlockPublicAccess.new)
Adds IAM policy statements to a bucket policy:
AWSCDK::S3::CfnBucketPolicy.new(self, "Policy", {
bucket: AWSCDK::S3::CfnBucket.new(self, "Bucket").ref,
policy_document: AWSCDK::IAM::PolicyDocument.new,
}).with(AWSCDK::S3::Mixins::BucketPolicyStatements.new([
AWSCDK::IAM::PolicyStatement.new({
actions: ["s3:GetObject"],
resources: ["*"],
principals: [AWSCDK::IAM::AnyPrincipal.new],
}),
]))