@aws-cdk/aws-s3

AWS S3 Construct Library

Define an unencrypted S3 bucket.

new Bucket(this, 'MyFirstBucket');

Bucket constructs expose the following deploy-time attributes:

• bucketArn - the ARN of the bucket (i.e. arn:aws:s3:::bucket_name)
• bucketName - the name of the bucket (i.e. bucket_name)
• bucketUrl - the URL of the bucket (i.e. https://s3.us-west-1.amazonaws.com/onlybucket)
• arnForObjects(...pattern) - the ARN of an object or objects within the bucket (i.e. arn:aws:s3:::my_corporate_bucket/exampleobject.png or arn:aws:s3:::my_corporate_bucket/Development/*)
• urlForObject(key) - the URL of an object within the bucket (i.e. https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey)

Encryption

Define a KMS-encrypted bucket:

const bucket = new Bucket(this, 'MyUnencryptedBucket', {
    encryption: BucketEncryption.Kms
});

// you can access the encryption key:
assert(bucket.encryptionKey instanceof kms.EncryptionKey);

You can also supply your own key:

const myKmsKey = new kms.EncryptionKey(this, 'MyKey');

const bucket = new Bucket(this, 'MyEncryptedBucket', {
    encryption: BucketEncryption.Kms,
    encryptionKey: myKmsKey
});

assert(bucket.encryptionKey === myKmsKey);

Use BucketEncryption.ManagedKms to use the S3 master KMS key:

const bucket = new Bucket(this, 'Buck', {
    encryption: BucketEncryption.ManagedKms
});

assert(bucket.encryptionKey == null);

Bucket Policy

By default, a bucket policy will be automatically created for the bucket upon the first call to addToPolicy(statement):

const bucket = new Bucket(this, 'MyBucket');
bucket.addToPolicy(statement);

// we now have a policy!

You can bring you own policy as well:

const policy = new BucketPolicy(this, 'MyBucketPolicy');
const bucket = new Bucket(this, 'MyBucket', { policy });

Buckets as sources in CodePipeline

This package also defines an Action that allows you to use a Bucket as a source in CodePipeline:

import codepipeline = require('@aws-cdk/aws-codepipeline');
import s3 = require('@aws-cdk/aws-s3');

const sourceBucket = new s3.Bucket(this, 'MyBucket', {
    versioned: true, // a Bucket used as a source in CodePipeline must be versioned
});

const pipeline = new codepipeline.Pipeline(this, 'MyPipeline');
const sourceStage = new codepipeline.Stage(this, 'Source', {
    pipeline,
});
const sourceAction = new s3.PipelineSource(this, 'S3Source', {
    stage: sourceStage,
    bucket: sourceBucket,
    bucketKey: 'path/to/file.zip',
    artifactName: 'SourceOuptut', //name can be arbitrary
});
// use sourceAction.artifact as the inputArtifact to later Actions...

You can also add the Bucket to the Pipeline directly:

// equivalent to the code above:
const sourceAction = sourceBucket.addToPipeline(sourceStage, 'CodeCommit', {
    bucketKey: 'path/to/file.zip',
    artifactName: 'SourceOutput',
});

Importing and Exporting Buckets

You can create a Bucket construct that represents an external/existing/unowned bucket by using the Bucket.import factory method.

This method accepts an object that adheres to BucketRef which basically include tokens to bucket's attributes.

This means that you can define a BucketRef using token literals:

const bucket = Bucket.import(this, {
    bucketArn: new BucketArn('arn:aws:s3:::my-bucket')
});

// now you can just call methods on the bucket
bucket.grantReadWrite(user);

The bucket.export() method can be used to "export" the bucket from the current stack. It returns a BucketRef object that can later be used in a call to Bucket.import in another stack.

Here's an example.

Let's define a stack with an S3 bucket and export it using bucket.export().

class Producer extends Stack {
    public readonly myBucketRef: BucketRef;

    constructor(parent: App, name: string) {
        super(parent, name);

        const bucket = new Bucket(this, 'MyBucket');
        this.myBucketRef = bucket.export();
    }
}

Now let's define a stack that requires a BucketRef as an input and uses Bucket.import to create a Bucket object that represents this external bucket. Grant a user principal created within this consuming stack read/write permissions to this bucket and contents.

interface ConsumerProps {
    public userBucketRef: BucketRef;
}

class Consumer extends Stack {
    constructor(parent: App, name: string, props: ConsumerProps) {
        super(parent, name);

        const user = new User(this, 'MyUser');
        const userBucket = Bucket.import(this, props.userBucketRef);
        userBucket.grantReadWrite(user);
    }
}

Now, let's define our CDK app to bind these together:

const app = new App(process.argv);

const producer = new Producer(app, 'produce');

new Consumer(app, 'consume', {
    userBucketRef: producer.myBucketRef
});

process.stdout.write(app.run());

Bucket Notifications

The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket as described under S3 Bucket Notifications of the S3 Developer Guide.

To subscribe for bucket notifications, use the bucket.onEvent method. The bucket.onObjectCreated and bucket.onObjectRemoved can also be used for these common use cases.

The following example will subscribe an SNS topic to be notified of all ``s3:ObjectCreated:*` events:

const myTopic = new sns.Topic(this, 'MyTopic');
bucket.onEvent(s3.EventType.ObjectCreated, myTopic);

This call will also ensure that the topic policy can accept notifications for this specific bucket.

The following destinations are currently supported:

• sns.Topic
• sqs.Queue
• lambda.Function

It is also possible to specify S3 object key filters when subscribing. The following example will notify myQueue when objects prefixed with foo/ and have the .jpg suffix are removed from the bucket.

bucket.onEvent(s3.EventType.ObjectRemoved, myQueue, { prefix: 'foo/', suffix: '.jpg' });

Changelog

0.9.2 (2018-09-20)

NOTICE: This release includes a framework-wide breaking change which changes the type of all the string resource attributes across the framework. Instead of using strong-types that extend cdk.Token (such as QueueArn, TopicName, etc), we now represent all these attributes as normal strings, and codify the tokens into the string (using the feature introduced in #168).

Furthermore, the cdk.Arn type has been removed. In order to format/parse ARNs, use the static methods on cdk.ArnUtils.

See motivation and discussion in #695.

Breaking Changes

• cfn2ts: use stringified tokens for resource attributes instead of strong types (#712) (6508f78), closes #518 #695 #744
• aws-dynamodb: Attribute type for keys, changes the signature of the addPartitionKey and addSortKey methods to be consistent across the board. (#720) (e6cc189)
• aws-codebuild: fix typo "priviledged" -> "privileged

Bug Fixes

• assets: can't use multiple assets in the same stack (#725) (bba2e5b), closes #706
• aws-codebuild: typo in BuildEnvironment "priviledged" -> "privileged (#734) (72fec36)
• aws-ecr: fix addToResourcePolicy (#737) (eadbda5)
• aws-events: ruleName can now be specified (#726) (a7bc5ee), closes #708
• aws-lambda: jsii use no long requires 'sourceAccount' (#728) (9e7d311), closes #714
• aws-s3: remove policy argument (#730) (a79190c), closes #672
• cdk: "cdk init" java template is broken (#732) (281c083), closes #711 awslabs/jsii#233

Features

• aws-apigateway: new API Gateway Construct Library (#665) (b0f3857)
• aws-cdk: detect presence of EC2 credentials (#724) (8e8c295), closes #702 #130
• aws-codepipeline: make the Stage insertion API in CodePipeline more flexible (#460) (d182818)
• aws-codepipeline: new "Pipeline#addStage" convenience method (#647) (25c9fa0)
• aws-rds: add support for parameter groups (#729) (2541508), closes #719
• docs: add documentation for CDK toolkit plugings (#733) (965b918)
• dependencies: upgrade to jsii 0.7.6