Security News
The Unpaid Backbone of Open Source: Solo Maintainers Face Increasing Security Demands
Solo open source maintainers face burnout and security challenges, with 60% unpaid and 60% considering quitting.
@aws-cdk/aws-s3
Advanced tools
@aws-cdk/aws-s3 is an AWS Cloud Development Kit (CDK) library that allows you to define Amazon S3 buckets and related resources using code. This package provides a high-level, object-oriented abstraction to create and manage S3 buckets, configure bucket policies, set up event notifications, and more.
Create an S3 Bucket
This code sample demonstrates how to create a versioned S3 bucket with a removal policy that destroys the bucket when the stack is deleted.
const s3 = require('@aws-cdk/aws-s3');
const cdk = require('@aws-cdk/core');
class MyStack extends cdk.Stack {
constructor(scope, id, props) {
super(scope, id, props);
new s3.Bucket(this, 'MyFirstBucket', {
versioned: true,
removalPolicy: cdk.RemovalPolicy.DESTROY,
});
}
}
const app = new cdk.App();
new MyStack(app, 'MyStack');
Add Bucket Policy
This code sample shows how to add a bucket policy to an S3 bucket, allowing any principal to perform the 's3:GetObject' action on all objects in the bucket.
const s3 = require('@aws-cdk/aws-s3');
const cdk = require('@aws-cdk/core');
class MyStack extends cdk.Stack {
constructor(scope, id, props) {
super(scope, id, props);
const bucket = new s3.Bucket(this, 'MyBucket');
bucket.addToResourcePolicy(new cdk.aws_iam.PolicyStatement({
actions: ['s3:GetObject'],
resources: [bucket.arnForObjects('*')],
principals: [new cdk.aws_iam.AnyPrincipal()],
}));
}
}
const app = new cdk.App();
new MyStack(app, 'MyStack');
Enable Event Notifications
This code sample demonstrates how to enable event notifications for an S3 bucket. It sets up a notification to an SNS topic whenever an object is created in the bucket.
const s3 = require('@aws-cdk/aws-s3');
const cdk = require('@aws-cdk/core');
const sns = require('@aws-cdk/aws-sns');
const s3n = require('@aws-cdk/aws-s3-notifications');
class MyStack extends cdk.Stack {
constructor(scope, id, props) {
super(scope, id, props);
const bucket = new s3.Bucket(this, 'MyBucket');
const topic = new sns.Topic(this, 'MyTopic');
bucket.addEventNotification(s3.EventType.OBJECT_CREATED, new s3n.SnsDestination(topic));
}
}
const app = new cdk.App();
new MyStack(app, 'MyStack');
The aws-sdk package is the official AWS SDK for JavaScript, which provides low-level APIs for interacting with AWS services, including S3. Unlike @aws-cdk/aws-s3, which is used for defining infrastructure as code, aws-sdk is used for making API calls to AWS services at runtime.
The serverless package is a framework for building and deploying serverless applications on AWS and other cloud providers. It allows you to define S3 buckets and other resources in a serverless.yml configuration file. While it provides similar functionalities, it is more focused on serverless architectures and deployments.
Terraform is an open-source infrastructure as code software tool that provides a consistent CLI workflow to manage hundreds of cloud services. It allows you to define S3 buckets and other AWS resources using HashiCorp Configuration Language (HCL). Terraform is cloud-agnostic and can manage resources across multiple cloud providers.
This is a developer preview (public beta) module. Releases might lack important features and might have future breaking changes.
This API is still under active development and subject to non-backward compatible changes or removal in any future version. Use of the API is not recommended in production environments. Experimental APIs are not subject to the Semantic Versioning model.
Define an unencrypted S3 bucket.
new Bucket(this, 'MyFirstBucket');
Bucket
constructs expose the following deploy-time attributes:
bucketArn
- the ARN of the bucket (i.e. arn:aws:s3:::bucket_name
)bucketName
- the name of the bucket (i.e. bucket_name
)bucketUrl
- the URL of the bucket (i.e.
https://s3.us-west-1.amazonaws.com/onlybucket
)arnForObjects(...pattern)
- the ARN of an object or objects within the
bucket (i.e.
arn:aws:s3:::my_corporate_bucket/exampleobject.png
or
arn:aws:s3:::my_corporate_bucket/Development/*
)urlForObject(key)
- the URL of an object within the bucket (i.e.
https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey
)Define a KMS-encrypted bucket:
const bucket = new Bucket(this, 'MyUnencryptedBucket', {
encryption: BucketEncryption.Kms
});
// you can access the encryption key:
assert(bucket.encryptionKey instanceof kms.Key);
You can also supply your own key:
const myKmsKey = new kms.Key(this, 'MyKey');
const bucket = new Bucket(this, 'MyEncryptedBucket', {
encryption: BucketEncryption.Kms,
encryptionKey: myKmsKey
});
assert(bucket.encryptionKey === myKmsKey);
Use BucketEncryption.ManagedKms
to use the S3 master KMS key:
const bucket = new Bucket(this, 'Buck', {
encryption: BucketEncryption.ManagedKms
});
assert(bucket.encryptionKey == null);
A bucket policy will be automatically created for the bucket upon the first call to
addToResourcePolicy(statement)
:
const bucket = new Bucket(this, 'MyBucket');
bucket.addToResourcePolicy(new iam.PolicyStatement()
.addActions('s3:GetObject')
.addResources(bucket.arnForObjects('file.txt'))
.addAccountRootPrincipal());
Most of the time, you won't have to manipulate the bucket policy directly. Instead, buckets have "grant" methods called to give prepackaged sets of permissions to other resources. For example:
const lambda = new lambda.Function(this, 'Lambda', { /* ... */ });
const bucket = new Bucket(this, 'MyBucket');
bucket.grantReadWrite(lambda.role);
Will give the Lambda's execution role permissions to read and write from the bucket.
To use a bucket in a different stack in the same CDK application, pass the object to the other stack:
To import an existing bucket into your CDK application, use the Bucket.import
factory method. This method accepts a
BucketImportProps
which describes the properties of the already existing bucket:
const bucket = Bucket.import(this, {
bucketArn: 'arn:aws:s3:::my-bucket'
});
// now you can just call methods on the bucket
bucket.grantReadWrite(user);
The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket as described under S3 Bucket Notifications of the S3 Developer Guide.
To subscribe for bucket notifications, use the bucket.onEvent
method. The
bucket.onObjectCreated
and bucket.onObjectRemoved
can also be used for these
common use cases.
The following example will subscribe an SNS topic to be notified of all ``s3:ObjectCreated:*` events:
const myTopic = new sns.Topic(this, 'MyTopic');
bucket.onEvent(s3.EventType.ObjectCreated, myTopic);
This call will also ensure that the topic policy can accept notifications for this specific bucket.
The following destinations are currently supported:
sns.Topic
sqs.Queue
lambda.Function
It is also possible to specify S3 object key filters when subscribing. The
following example will notify myQueue
when objects prefixed with foo/
and
have the .jpg
suffix are removed from the bucket.
bucket.onEvent(s3.EventType.ObjectRemoved, myQueue, { prefix: 'foo/', suffix: '.jpg' });
Use blockPublicAccess
to specify block public access settings on the bucket.
Enable all block public access settings:
const bucket = new Bucket(this, 'MyBlockedBucket', {
blockPublicAccess: BlockPublicAccess.BlockAll
});
Block and ignore public ACLs:
const bucket = new Bucket(this, 'MyBlockedBucket', {
blockPublicAccess: BlockPublicAccess.BlockAcls
});
Alternatively, specify the settings manually:
const bucket = new Bucket(this, 'MyBlockedBucket', {
blockPublicAccess: new BlockPublicAccess({ blockPublicPolicy: true })
});
When blockPublicPolicy
is set to true
, grantPublicRead()
throws an error.
0.35.0 (2019-06-19)
cdk context
(#2870) (b8a1c8e), closes #2854name
in StageProps
to stageName
. (#2882) (be574a1)hwType
to hardwareType
(#2916) (1aa0589), closes #2896aws-sns-subscribers
(#2804) (9ef899c)AssetProps.packaging
has been removed and is now automatically discovered based on the file type.ZipDirectoryAsset
has been removed, use aws-s3-assets.Asset
.FileAsset
has been removed, use aws-s3-assets.Asset
.Code.directory
and Code.file
have been removed. Use Code.asset
.hardwareType
from hwType
.TableOptions.pitrEnabled
renamed to pointInTimeRecovery
.TableOptions.sseEnabled
renamed to serverSideEncryption
.TableOptions.ttlAttributeName
renamed to timeToLiveAttribute
.TableOptions.streamSpecification
renamed stream
.ContainerImage.fromAsset()
now takes only build directory
directly (no need to pass scope
or id
anymore).ISecret.secretJsonValue
renamed to secretValueFromJson
.ParameterStoreString
has been removed. Use StringParameter.fromStringParameterAttributes
.ParameterStoreSecureString
has been removed. Use StringParameter.fromSecureStringParameterAttributes
.ParameterOptions.name
was renamed to parameterName
.newStream
renamed to addStream
and doesn't need a scopenewSubscriptionFilter
renamed to addSubscriptionFilter
and doesn't need a scopenewMetricFilter
renamed to addMetricFilter
and doesn't need a scopeNewSubscriptionFilterProps
renamed to SubscriptionProps
NewLogStreamProps
renamed to LogStreamOptions
NewMetricFilterProps
renamed to MetricFilterOptions
JSONPattern
renamed to JsonPattern
MethodOptions.authorizerId
is now called authorizer
and accepts an IAuthorizer
which is a placeholder interface for the authorizer resource.restapi.executeApiArn
renamed to arnForExecuteApi
.restapi.latestDeployment
and deploymentStage
are now read-only.EventPattern.detail
is now a map.scheduleExpression: string
is now schedule: Schedule
.cdk.RemovalPolicy
to configure the resource's removal policy.applyRemovalPolicy
is now CfnResource.applyRemovalPolicy
.RemovalPolicy.Orphan
has been renamed to Retain
.RemovalPolicy.Forbid
has been removed, use Retain
.RepositoryProps.retain
is now removalPolicy
, and defaults to Retain
instead of remove since ECR is a stateful resourceKeyProps.retain
is now removalPolicy
LogGroupProps.retainLogGroup
is now removalPolicy
LogStreamProps.retainLogStream
is now removalPolicy
DatabaseClusterProps.deleteReplacePolicy
is now removalPolicy
DatabaseInstanceNewProps.deleteReplacePolicy
is now removalPolicy
attr
instead of the resource type. For example, in S3 bucket.bucketArn
is now bucket.attrArn
.propertyOverrides
has been removed from all "Cfn" resources, instead
users can now read/write resource properties directly on the resource class. For example, instead of lambda.propertyOverrides.runtime
just use lambda.runtime
.stageName
instead of name
Function.addLayer
to addLayers
and made it variadicIFunction.handler
propertyIVersion.versionArn
property (the value is at functionArn
)SingletonLayerVersion
LogRetention
PolicyStatement
no longer has a fluid API, and accepts a
props object to be able to set the important fields.ImportedResourcePrincipal
to UnknownPrincipal
.managedPolicyArns
renamed to managedPolicies
, takes
return value from ManagedPolicy.fromAwsManagedPolicyName()
.PolicyDocument.postProcess()
is now removed.PolicyDocument.addStatement()
renamed to addStatements
.PolicyStatement
is no longer IResolvable
, call .toStatementJson()
to retrieve the IAM policy statement JSON.AwsPrincipal
has been removed, use ArnPrincipal
instead.s3.StorageClass
is now an enum-like class instead of a regular
enum. This means that you need to call .value
in order to obtain it's value.s3.Coordinates
renamed to s3.Location
Artifact.s3Coordinates
renamed to Artifact.s3Location
.BuildSpec
object.lambda.Runtime.NodeJS*
are now lambda.Runtime.Nodejs*
Stack
APIstack.name
renamed to stack.stackName
stack.stackName
will return the concrete stack name. Use Aws.stackName
to indicate { Ref: "AWS::StackName" }.stack.account
and stack.region
will return the concrete account/region only if they are explicitly specified when the stack is defined (under the env
prop). Otherwise, they will return a token that resolves to the AWS::AccountId and AWS::Region intrinsic references. Use Context.getDefaultAccount()
and Context.getDefaultRegion()
to obtain the defaults passed through the toolkit in case those are needed. Use Token.isUnresolved(v)
to check if you have a concrete or intrinsic.stack.logicalId
has been removed. Use stack.getLogicalId()
stack.env
has been removed, use stack.account
, stack.region
and stack.environment
insteadstack.accountId
renamed to stack.account
(to allow treating account more abstractly)AvailabilityZoneProvider
can now be accessed through Context.getAvailabilityZones()
SSMParameterProvider
can now be accessed through Context.getSsmParameter()
parseArn
is now Arn.parse
arnFromComponents
is now arn.format
node.lock
and node.unlock
are now privatestack.requireRegion
and requireAccountId
have been removed. Use Token.unresolved(stack.region)
insteadstack.parentApp
have been removed. Use App.isApp(stack.node.root)
instead.stack.missingContext
is now privatestack.renameLogical
have been renamed to stack.renameLogicalId
IAddressingScheme
, HashedAddressingScheme
and LogicalIDs
are now internal. Override Stack.allocateLogicalId
to customize how logical IDs are allocated to resources.--rename
, and the stack
names are now immutable on the stack artifact.@aws-cdk/aws-sns-subscribers
package.roleName
in RoleProps
is now of type PhysicalName
bucketName
in BucketProps
is now of type PhysicalName
roleName
in RoleProps
is now of type PhysicalName
FAQs
The CDK Construct Library for AWS::S3
The npm package @aws-cdk/aws-s3 receives a total of 114,777 weekly downloads. As such, @aws-cdk/aws-s3 popularity was classified as popular.
We found that @aws-cdk/aws-s3 demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Solo open source maintainers face burnout and security challenges, with 60% unpaid and 60% considering quitting.
Security News
License exceptions modify the terms of open source licenses, impacting how software can be used, modified, and distributed. Developers should be aware of the legal implications of these exceptions.
Security News
A developer is accusing Tencent of violating the GPL by modifying a Python utility and changing its license to BSD, highlighting the importance of copyleft compliance.