@aws-cdk/aws-s3
Advanced tools
@aws-cdk/aws-s3 is an AWS Cloud Development Kit (CDK) library that allows you to define Amazon S3 buckets and related resources using code. This package provides a high-level, object-oriented abstraction to create and manage S3 buckets, configure bucket policies, set up event notifications, and more.
Create an S3 Bucket
This code sample demonstrates how to create a versioned S3 bucket with a removal policy that destroys the bucket when the stack is deleted.
const s3 = require('@aws-cdk/aws-s3');
const cdk = require('@aws-cdk/core');
class MyStack extends cdk.Stack {
constructor(scope, id, props) {
super(scope, id, props);
new s3.Bucket(this, 'MyFirstBucket', {
versioned: true,
removalPolicy: cdk.RemovalPolicy.DESTROY,
});
}
}
const app = new cdk.App();
new MyStack(app, 'MyStack');Add Bucket Policy
This code sample shows how to add a bucket policy to an S3 bucket, allowing any principal to perform the 's3:GetObject' action on all objects in the bucket.
const s3 = require('@aws-cdk/aws-s3');
const cdk = require('@aws-cdk/core');
class MyStack extends cdk.Stack {
constructor(scope, id, props) {
super(scope, id, props);
const bucket = new s3.Bucket(this, 'MyBucket');
bucket.addToResourcePolicy(new cdk.aws_iam.PolicyStatement({
actions: ['s3:GetObject'],
resources: [bucket.arnForObjects('*')],
principals: [new cdk.aws_iam.AnyPrincipal()],
}));
}
}
const app = new cdk.App();
new MyStack(app, 'MyStack');Enable Event Notifications
This code sample demonstrates how to enable event notifications for an S3 bucket. It sets up a notification to an SNS topic whenever an object is created in the bucket.
const s3 = require('@aws-cdk/aws-s3');
const cdk = require('@aws-cdk/core');
const sns = require('@aws-cdk/aws-sns');
const s3n = require('@aws-cdk/aws-s3-notifications');
class MyStack extends cdk.Stack {
constructor(scope, id, props) {
super(scope, id, props);
const bucket = new s3.Bucket(this, 'MyBucket');
const topic = new sns.Topic(this, 'MyTopic');
bucket.addEventNotification(s3.EventType.OBJECT_CREATED, new s3n.SnsDestination(topic));
}
}
const app = new cdk.App();
new MyStack(app, 'MyStack');The aws-sdk package is the official AWS SDK for JavaScript, which provides low-level APIs for interacting with AWS services, including S3. Unlike @aws-cdk/aws-s3, which is used for defining infrastructure as code, aws-sdk is used for making API calls to AWS services at runtime.
The serverless package is a framework for building and deploying serverless applications on AWS and other cloud providers. It allows you to define S3 buckets and other resources in a serverless.yml configuration file. While it provides similar functionalities, it is more focused on serverless architectures and deployments.
Terraform is an open-source infrastructure as code software tool that provides a consistent CLI workflow to manage hundreds of cloud services. It allows you to define S3 buckets and other AWS resources using HashiCorp Configuration Language (HCL). Terraform is cloud-agnostic and can manage resources across multiple cloud providers.
Define an unencrypted S3 bucket.
new Bucket(this, 'MyFirstBucket');
Bucket constructs expose the following deploy-time attributes:
bucketArn - the ARN of the bucket (i.e. arn:aws:s3:::bucket_name)bucketName - the name of the bucket (i.e. bucket_name)bucketUrl - the URL of the bucket (i.e.
https://s3.us-west-1.amazonaws.com/onlybucket)arnForObjects(...pattern) - the ARN of an object or objects within the
bucket (i.e.
arn:aws:s3:::my_corporate_bucket/exampleobject.png or
arn:aws:s3:::my_corporate_bucket/Development/*)urlForObject(key) - the URL of an object within the bucket (i.e.
https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey)Define a KMS-encrypted bucket:
const bucket = new Bucket(this, 'MyUnencryptedBucket', {
encryption: BucketEncryption.Kms
});
// you can access the encryption key:
assert(bucket.encryptionKey instanceof kms.EncryptionKey);
You can also supply your own key:
const myKmsKey = new kms.EncryptionKey(this, 'MyKey');
const bucket = new Bucket(this, 'MyEncryptedBucket', {
encryption: BucketEncryption.Kms,
encryptionKey: myKmsKey
});
assert(bucket.encryptionKey === myKmsKey);
Use BucketEncryption.ManagedKms to use the S3 master KMS key:
const bucket = new Bucket(this, 'Buck', {
encryption: BucketEncryption.ManagedKms
});
assert(bucket.encryptionKey == null);
A bucket policy will be automatically created for the bucket upon the first call to
addToResourcePolicy(statement):
const bucket = new Bucket(this, 'MyBucket');
bucket.addToResourcePolicy(new iam.PolicyStatement()
.addActions('s3:GetObject')
.addResources(bucket.arnForObjects('file.txt'))
.addAccountRootPrincipal());
Most of the time, you won't have to manipulate the bucket policy directly. Instead, buckets have "grant" methods called to give prepackaged sets of permissions to other resources. For example:
const lambda = new lambda.Function(this, 'Lambda', { /* ... */ });
const bucket = new Bucket(this, 'MyBucket');
bucket.grantReadWrite(lambda.role);
Will give the Lambda's execution role permissions to read and write from the bucket.
To use a bucket in a different stack in the same CDK application, pass the object to the other stack:
To import an existing bucket into your CDK application, use the Bucket.import factory method. This method accepts a
BucketImportProps which describes the properties of the already existing bucket:
const bucket = Bucket.import(this, {
bucketArn: 'arn:aws:s3:::my-bucket'
});
// now you can just call methods on the bucket
bucket.grantReadWrite(user);
The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket as described under S3 Bucket Notifications of the S3 Developer Guide.
To subscribe for bucket notifications, use the bucket.onEvent method. The
bucket.onObjectCreated and bucket.onObjectRemoved can also be used for these
common use cases.
The following example will subscribe an SNS topic to be notified of all ``s3:ObjectCreated:*` events:
const myTopic = new sns.Topic(this, 'MyTopic');
bucket.onEvent(s3.EventType.ObjectCreated, myTopic);
This call will also ensure that the topic policy can accept notifications for this specific bucket.
The following destinations are currently supported:
sns.Topicsqs.Queuelambda.FunctionIt is also possible to specify S3 object key filters when subscribing. The
following example will notify myQueue when objects prefixed with foo/ and
have the .jpg suffix are removed from the bucket.
bucket.onEvent(s3.EventType.ObjectRemoved, myQueue, { prefix: 'foo/', suffix: '.jpg' });
Use blockPublicAccess to specify block public access settings on the bucket.
Enable all block public access settings:
const bucket = new Bucket(this, 'MyBlockedBucket', {
blockPublicAccess: BlockPublicAccess.BlockAll
});
Block and ignore public ACLs:
const bucket = new Bucket(this, 'MyBlockedBucket', {
blockPublicAccess: BlockPublicAccess.BlockAcls
});
Alternatively, specify the settings manually:
const bucket = new Bucket(this, 'MyBlockedBucket', {
blockPublicAccess: new BlockPublicAccess({ blockPublicPolicy: true })
});
When blockPublicPolicy is set to true, grantPublicRead() throws an error.
0.31.0 (2019-05-06)
Foo.import static methods are now Foo.fromFooAttributesFooImportProps structs are now called FooAttributesstepfunctions.StateMachine.export has been removed.ses.ReceiptRule.name is now ses.ReceiptRule.receiptRuleNameses.ReceiptRuleSet.name is now ses.ReceiptRuleSet.receiptRuleSetNamesecretsmanager.AttachedSecret is now called secretsmanager.SecretTargetAttachment to match service semanticsecr.Repository.export has been removeds3.Bucket.bucketUrl is now called s3.Bucket.bucketWebsiteUrllambda.Version.functionVersion is now called lambda.Version.versionec2.SecurityGroup.groupName is now ec2.SecurityGroup.securityGroupNamecognito.UserPoolClient.clientId is now cognito.UserPoolClient.userPoolClientIdapigateway.IRestApiResource is now apigateway.IResourceapigateway.IResource.resourcePath is now apigateway.IResource.pathapigateway.IResource.resourceApi is now apigateway.IResource.restApiFAQs
The CDK Construct Library for AWS::S3
The npm package @aws-cdk/aws-s3 receives a total of 105,058 weekly downloads. As such, @aws-cdk/aws-s3 popularity was classified as popular.
We found that @aws-cdk/aws-s3 demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.
Security News
Research
Socket's threat research team has detected five malicious npm packages targeting Roblox developers, deploying malware to steal credentials and personal data.