@aws-cdk/aws-s3

AWS S3 Construct Library

Define an unencrypted S3 bucket.

new Bucket(this, 'MyFirstBucket');

Bucket constructs expose the following deploy-time attributes:

• bucketArn - the ARN of the bucket (i.e. arn:aws:s3:::bucket_name)
• bucketName - the name of the bucket (i.e. bucket_name)
• bucketUrl - the URL of the bucket (i.e. https://s3.us-west-1.amazonaws.com/onlybucket)
• arnForObjects(...pattern) - the ARN of an object or objects within the bucket (i.e. arn:aws:s3:::my_corporate_bucket/exampleobject.png or arn:aws:s3:::my_corporate_bucket/Development/*)
• urlForObject(key) - the URL of an object within the bucket (i.e. https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey)

Encryption

Define a KMS-encrypted bucket:

const bucket = new Bucket(this, 'MyUnencryptedBucket', {
    encryption: BucketEncryption.Kms
});

// you can access the encryption key:
assert(bucket.encryptionKey instanceof kms.EncryptionKey);

You can also supply your own key:

const myKmsKey = new kms.EncryptionKey(this, 'MyKey');

const bucket = new Bucket(this, 'MyEncryptedBucket', {
    encryption: BucketEncryption.Kms,
    encryptionKey: myKmsKey
});

assert(bucket.encryptionKey === myKmsKey);

Use BucketEncryption.ManagedKms to use the S3 master KMS key:

const bucket = new Bucket(this, 'Buck', {
    encryption: BucketEncryption.ManagedKms
});

assert(bucket.encryptionKey == null);

Permissions

A bucket policy will be automatically created for the bucket upon the first call to addToResourcePolicy(statement):

const bucket = new Bucket(this, 'MyBucket');
bucket.addToResourcePolicy(new iam.PolicyStatement()
  .addActions('s3:GetObject')
  .addResources(bucket.arnForObjects('file.txt'))
  .addAccountRootPrincipal());

Most of the time, you won't have to manipulate the bucket policy directly. Instead, buckets have "grant" methods called to give prepackaged sets of permissions to other resources. For example:

const lambda = new lambda.Function(this, 'Lambda', { /* ... */ });

const bucket = new Bucket(this, 'MyBucket');
bucket.grantReadWrite(lambda.role);

Will give the Lambda's execution role permissions to read and write from the bucket.

Sharing buckets between stacks

To use a bucket in a different stack in the same CDK application, pass the object to the other stack:

sharing bucket between stacks

Importing existing buckets

To import an existing bucket into your CDK application, use the Bucket.import factory method. This method accepts a BucketImportProps which describes the properties of the already existing bucket:

const bucket = Bucket.import(this, {
    bucketArn: 'arn:aws:s3:::my-bucket'
});

// now you can just call methods on the bucket
bucket.grantReadWrite(user);

Bucket Notifications

The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket as described under S3 Bucket Notifications of the S3 Developer Guide.

To subscribe for bucket notifications, use the bucket.onEvent method. The bucket.onObjectCreated and bucket.onObjectRemoved can also be used for these common use cases.

The following example will subscribe an SNS topic to be notified of all ``s3:ObjectCreated:*` events:

const myTopic = new sns.Topic(this, 'MyTopic');
bucket.onEvent(s3.EventType.ObjectCreated, myTopic);

This call will also ensure that the topic policy can accept notifications for this specific bucket.

The following destinations are currently supported:

• sns.Topic
• sqs.Queue
• lambda.Function

It is also possible to specify S3 object key filters when subscribing. The following example will notify myQueue when objects prefixed with foo/ and have the .jpg suffix are removed from the bucket.

bucket.onEvent(s3.EventType.ObjectRemoved, myQueue, { prefix: 'foo/', suffix: '.jpg' });

Block Public Access

Use blockPublicAccess to specify block public access settings on the bucket.

Enable all block public access settings:

const bucket = new Bucket(this, 'MyBlockedBucket', {
    blockPublicAccess: BlockPublicAccess.BlockAll
});

Block and ignore public ACLs:

const bucket = new Bucket(this, 'MyBlockedBucket', {
    blockPublicAccess: BlockPublicAccess.BlockAcls
});

Alternatively, specify the settings manually:

const bucket = new Bucket(this, 'MyBlockedBucket', {
    blockPublicAccess: new BlockPublicAccess({ blockPublicPolicy: true })
});

When blockPublicPolicy is set to true, grantPublicRead() throws an error.

Changelog

0.28.0 (2019-04-04)

Bug Fixes

• aws-ecs: use executionRole for event rule target (#2165) (aa6f7bc), closes #2015

• core: remove cdk.Secret (#2068) (b53d04d), closes #2064

• feat(aws-iam): refactor grants, add OrganizationPrincipal (#1623) (1bb8ca9), closes #1623 #236

Code Refactoring

• cdk: introduce SecretValue to represent secrets (#2161) (a3d9f2e)

Features

• codepipeline: move all of the Pipeline Actions to their dedicated package. (#2098) (b314ecf)
• codepipeline: re-factor the CodePipeline Action bind method to take a Role separately from the Pipeline. (#2085) (ffe0046)
• ec2: support reserving IP space in VPCs (#2090) (4819ff4)
• Add python support to cdk init (#2130) (997dbcc)
• ecs: support AWS Cloud Map (service discovery) (#2065) (4864cc8), closes #1554
• lambda: add a newVersion method. (#2099) (6fc179a)
• update CloudFormation resource spec to v2.29.0 (#2170) (ebc490d)

BREAKING CHANGES TO EXPERIMENTAL FEATURES

• The secretsmanager.SecretString class has been removed in favor of cdk.SecretValue.secretsManager(id[, options])
• The following prop types have been changed from string to cdk.SecretValue: codepipeline-actions.AlexaSkillDeployAction.clientSecret, codepipeline-actions.AlexaSkillDeployAction.refreshToken, codepipeline-actions.GitHubSourceAction.oauthToken, iam.User.password
• secretsmanager.Secret.stringValue and jsonFieldValue have been removed. Use secretsmanage.Secret.secretValue and secretJsonValue instead.
• secretsmanager.Secret.secretString have been removed. Use cdk.SecretValue.secretsManager() or secretsmanager.Secret.import(..).secretValue.
• The class cdk.Secret has been removed. Use cdk.SecretValue instead.
• The class cdk.DynamicReference is no longer a construct, and it's constructor signature was changed and was renamed cdk.CfnDynamicReference.
• grant(function.role) and grant(project.role) are now grant(function) and grant(role).
• core: Replace use of cdk.Secret with secretsmanager.SecretString (preferred) or ssm.ParameterStoreSecureString.
• codepipeline: this changes the package of all CodePipeline Actions to be aws-codepipeline-actions.
• codepipeline: this moves all classes from the aws-codepipeline-api package to the aws-codepipeline package.
• codepipeline: this changes the CodePipeline Action naming scheme from <service>.Pipeline<Category>Action (s3.PipelineSourceAction) to codepipeline_actions.<Service><Category>Action (codepipeline_actions.S3SourceAction).