# API Reference ## Constructs ### SecureBucket #### Initializers ```typescript import { SecureBucket } from '@gammarers/aws-secure-bucket' new SecureBucket(scope: Construct, id: string, props?: SecureBucketProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | scope | constructs.Construct | *No description.* | | id | string | *No description.* | | props | SecureBucketProps | *No description.* | --- ##### `scope`^Required - *Type:* constructs.Construct --- ##### `id`^Required - *Type:* string --- ##### `props`^Optional - *Type:* SecureBucketProps --- #### Methods | **Name** | **Description** | | --- | --- | | toString | Returns a string representation of this construct. | | applyRemovalPolicy | Apply the given removal policy to this resource. | | addEventNotification | Adds a bucket notification event destination. | | addObjectCreatedNotification | Subscribes a destination to receive notifications when an object is created in the bucket. | | addObjectRemovedNotification | Subscribes a destination to receive notifications when an object is removed from the bucket. | | addReplicationPolicy | Function to add required permissions to the destination bucket for cross account replication. | | addToResourcePolicy | Adds a statement to the resource policy for a principal (i.e. account/role/service) to perform actions on this bucket and/or its contents. Use `bucketArn` and `arnForObjects(keys)` to obtain ARNs for this bucket or objects. | | arnForObjects | Returns an ARN that represents all objects within the bucket that match the key pattern specified. | | enableEventBridgeNotification | Enables event bridge notification, causing all events below to be sent to EventBridge:. | | grantDelete | Grants s3:DeleteObject* permission to an IAM principal for objects in this bucket. | | grantPublicAccess | Allows unrestricted access to objects from this bucket. | | grantPut | Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal. | | grantPutAcl | Grant the given IAM identity permissions to modify the ACLs of objects in the given Bucket. | | grantRead | Grant read permissions for this bucket and it's contents to an IAM principal (Role/Group/User). | | grantReadWrite | Grants read/write permissions for this bucket and it's contents to an IAM principal (Role/Group/User). | | grantWrite | Grant write permissions to this bucket to an IAM principal. | | onCloudTrailEvent | Define a CloudWatch event that triggers when something happens to this repository. | | onCloudTrailPutObject | Defines an AWS CloudWatch event that triggers when an object is uploaded to the specified paths (keys) in this bucket using the PutObject API call. | | onCloudTrailWriteObject | Defines an AWS CloudWatch event that triggers when an object at the specified paths (keys) in this bucket are written to. | | s3UrlForObject | The S3 URL of an S3 object. For example:. | | transferAccelerationUrlForObject | The https Transfer Acceleration URL of an S3 object. | | urlForObject | The https URL of an S3 object. Specify `regional: false` at the options for non-regional URLs. For example:. | | virtualHostedUrlForObject | The virtual hosted-style URL of an S3 object. Specify `regional: false` at the options for non-regional URL. For example:. | | addCorsRule | Adds a cross-origin access configuration for objects in an Amazon S3 bucket. | | addInventory | Add an inventory configuration. | | addLifecycleRule | Add a lifecycle rule to the bucket. | | addMetric | Adds a metrics configuration for the CloudWatch request metrics from the bucket. | --- ##### `toString` ```typescript public toString(): string ``` Returns a string representation of this construct. ##### `applyRemovalPolicy` ```typescript public applyRemovalPolicy(policy: RemovalPolicy): void ``` Apply the given removal policy to this resource. The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced. The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). ###### `policy`^Required - *Type:* aws-cdk-lib.RemovalPolicy --- ##### `addEventNotification` ```typescript public addEventNotification(event: EventType, dest: IBucketNotificationDestination, filters: ...NotificationKeyFilter[]): void ``` Adds a bucket notification event destination. > [https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) *Example* ```typescript declare const myLambda: lambda.Function; const bucket = new s3.Bucket(this, 'MyBucket'); bucket.addEventNotification(s3.EventType.OBJECT_CREATED, new s3n.LambdaDestination(myLambda), {prefix: 'home/myusername/*'}); ``` ###### `event`^Required - *Type:* aws-cdk-lib.aws_s3.EventType The event to trigger the notification. --- ###### `dest`^Required - *Type:* aws-cdk-lib.aws_s3.IBucketNotificationDestination The notification destination (Lambda, SNS Topic or SQS Queue). --- ###### `filters`^Required - *Type:* ...aws-cdk-lib.aws_s3.NotificationKeyFilter[] S3 object key filter rules to determine which objects trigger this event. Each filter must include a `prefix` and/or `suffix` that will be matched against the s3 object key. Refer to the S3 Developer Guide for details about allowed filter rules. --- ##### `addObjectCreatedNotification` ```typescript public addObjectCreatedNotification(dest: IBucketNotificationDestination, filters: ...NotificationKeyFilter[]): void ``` Subscribes a destination to receive notifications when an object is created in the bucket. This is identical to calling `onEvent(EventType.OBJECT_CREATED)`. ###### `dest`^Required - *Type:* aws-cdk-lib.aws_s3.IBucketNotificationDestination The notification destination (see onEvent). --- ###### `filters`^Required - *Type:* ...aws-cdk-lib.aws_s3.NotificationKeyFilter[] Filters (see onEvent). --- ##### `addObjectRemovedNotification` ```typescript public addObjectRemovedNotification(dest: IBucketNotificationDestination, filters: ...NotificationKeyFilter[]): void ``` Subscribes a destination to receive notifications when an object is removed from the bucket. This is identical to calling `onEvent(EventType.OBJECT_REMOVED)`. ###### `dest`^Required - *Type:* aws-cdk-lib.aws_s3.IBucketNotificationDestination The notification destination (see onEvent). --- ###### `filters`^Required - *Type:* ...aws-cdk-lib.aws_s3.NotificationKeyFilter[] Filters (see onEvent). --- ##### `addReplicationPolicy` ```typescript public addReplicationPolicy(roleArn: string, accessControlTransition?: boolean, account?: string): void ``` Function to add required permissions to the destination bucket for cross account replication. These permissions will be added as a resource based policy on the bucket > [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-accesscontroltranslation.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-accesscontroltranslation.html) ###### `roleArn`^Required - *Type:* string --- ###### `accessControlTransition`^Optional - *Type:* boolean --- ###### `account`^Optional - *Type:* string --- ##### `addToResourcePolicy` ```typescript public addToResourcePolicy(permission: PolicyStatement): AddToResourcePolicyResult ``` Adds a statement to the resource policy for a principal (i.e. account/role/service) to perform actions on this bucket and/or its contents. Use `bucketArn` and `arnForObjects(keys)` to obtain ARNs for this bucket or objects. Note that the policy statement may or may not be added to the policy. For example, when an `IBucket` is created from an existing bucket, it's not possible to tell whether the bucket already has a policy attached, let alone to re-use that policy to add more statements to it. So it's safest to do nothing in these cases. ###### `permission`^Required - *Type:* aws-cdk-lib.aws_iam.PolicyStatement the policy statement to be added to the bucket's policy. --- ##### `arnForObjects` ```typescript public arnForObjects(keyPattern: string): string ``` Returns an ARN that represents all objects within the bucket that match the key pattern specified. To represent all keys, specify ``"*"``. If you need to specify a keyPattern with multiple components, concatenate them into a single string, e.g.: arnForObjects(`home/${team}/${user}/*`) ###### `keyPattern`^Required - *Type:* string --- ##### `enableEventBridgeNotification` ```typescript public enableEventBridgeNotification(): void ``` Enables event bridge notification, causing all events below to be sent to EventBridge:. Object Deleted (DeleteObject) - Object Deleted (Lifecycle expiration) - Object Restore Initiated - Object Restore Completed - Object Restore Expired - Object Storage Class Changed - Object Access Tier Changed - Object ACL Updated - Object Tags Added - Object Tags Deleted ##### `grantDelete` ```typescript public grantDelete(identity: IGrantable, objectsKeyPattern?: any): Grant ``` Grants s3:DeleteObject* permission to an IAM principal for objects in this bucket. ###### `identity`^Required - *Type:* aws-cdk-lib.aws_iam.IGrantable The principal. --- ###### `objectsKeyPattern`^Optional - *Type:* any Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. --- ##### `grantPublicAccess` ```typescript public grantPublicAccess(allowedActions: ...string[], keyPrefix?: string): Grant ``` Allows unrestricted access to objects from this bucket. IMPORTANT: This permission allows anyone to perform actions on S3 objects in this bucket, which is useful for when you configure your bucket as a website and want everyone to be able to read objects in the bucket without needing to authenticate. Without arguments, this method will grant read ("s3:GetObject") access to all objects ("*") in the bucket. The method returns the `iam.Grant` object, which can then be modified as needed. For example, you can add a condition that will restrict access only to an IPv4 range like this: const grant = bucket.grantPublicAccess(); grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” }); Note that if this `IBucket` refers to an existing bucket, possibly not managed by CloudFormation, this method will have no effect, since it's impossible to modify the policy of an existing bucket. ###### `allowedActions`^Required - *Type:* ...string[] the set of S3 actions to allow. Default is "s3:GetObject". --- ###### `keyPrefix`^Optional - *Type:* string the prefix of S3 object keys (e.g. `home/*`). Default is "*". --- ##### `grantPut` ```typescript public grantPut(identity: IGrantable, objectsKeyPattern?: any): Grant ``` Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal. If encryption is used, permission to use the key to encrypt the contents of written files will also be granted to the same principal. ###### `identity`^Required - *Type:* aws-cdk-lib.aws_iam.IGrantable The principal. --- ###### `objectsKeyPattern`^Optional - *Type:* any Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. --- ##### `grantPutAcl` ```typescript public grantPutAcl(identity: IGrantable, objectsKeyPattern?: string): Grant ``` Grant the given IAM identity permissions to modify the ACLs of objects in the given Bucket. If your application has the '@aws-cdk/aws-s3:grantWriteWithoutAcl' feature flag set, calling `grantWrite` or `grantReadWrite` no longer grants permissions to modify the ACLs of the objects; in this case, if you need to modify object ACLs, call this method explicitly. ###### `identity`^Required - *Type:* aws-cdk-lib.aws_iam.IGrantable --- ###### `objectsKeyPattern`^Optional - *Type:* string --- ##### `grantRead` ```typescript public grantRead(identity: IGrantable, objectsKeyPattern?: any): Grant ``` Grant read permissions for this bucket and it's contents to an IAM principal (Role/Group/User). If encryption is used, permission to use the key to decrypt the contents of the bucket will also be granted to the same principal. ###### `identity`^Required - *Type:* aws-cdk-lib.aws_iam.IGrantable The principal. --- ###### `objectsKeyPattern`^Optional - *Type:* any Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. --- ##### `grantReadWrite` ```typescript public grantReadWrite(identity: IGrantable, objectsKeyPattern?: any): Grant ``` Grants read/write permissions for this bucket and it's contents to an IAM principal (Role/Group/User). If an encryption key is used, permission to use the key for encrypt/decrypt will also be granted. Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`, which could be used to grant read/write object access to IAM principals in other accounts. If you want to get rid of that behavior, update your CDK version to 1.85.0 or later, and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true` in the `context` key of your cdk.json file. If you've already updated, but still need the principal to have permissions to modify the ACLs, use the `grantPutAcl` method. ###### `identity`^Required - *Type:* aws-cdk-lib.aws_iam.IGrantable --- ###### `objectsKeyPattern`^Optional - *Type:* any --- ##### `grantWrite` ```typescript public grantWrite(identity: IGrantable, objectsKeyPattern?: any, allowedActionPatterns?: string[]): Grant ``` Grant write permissions to this bucket to an IAM principal. If encryption is used, permission to use the key to encrypt the contents of written files will also be granted to the same principal. Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`, which could be used to grant read/write object access to IAM principals in other accounts. If you want to get rid of that behavior, update your CDK version to 1.85.0 or later, and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true` in the `context` key of your cdk.json file. If you've already updated, but still need the principal to have permissions to modify the ACLs, use the `grantPutAcl` method. ###### `identity`^Required - *Type:* aws-cdk-lib.aws_iam.IGrantable --- ###### `objectsKeyPattern`^Optional - *Type:* any --- ###### `allowedActionPatterns`^Optional - *Type:* string[] --- ##### `onCloudTrailEvent` ```typescript public onCloudTrailEvent(id: string, options?: OnCloudTrailBucketEventOptions): Rule ``` Define a CloudWatch event that triggers when something happens to this repository. Requires that there exists at least one CloudTrail Trail in your account that captures the event. This method will not create the Trail. ###### `id`^Required - *Type:* string The id of the rule. --- ###### `options`^Optional - *Type:* aws-cdk-lib.aws_s3.OnCloudTrailBucketEventOptions Options for adding the rule. --- ##### `onCloudTrailPutObject` ```typescript public onCloudTrailPutObject(id: string, options?: OnCloudTrailBucketEventOptions): Rule ``` Defines an AWS CloudWatch event that triggers when an object is uploaded to the specified paths (keys) in this bucket using the PutObject API call. Note that some tools like `aws s3 cp` will automatically use either PutObject or the multipart upload API depending on the file size, so using `onCloudTrailWriteObject` may be preferable. Requires that there exists at least one CloudTrail Trail in your account that captures the event. This method will not create the Trail. ###### `id`^Required - *Type:* string The id of the rule. --- ###### `options`^Optional - *Type:* aws-cdk-lib.aws_s3.OnCloudTrailBucketEventOptions Options for adding the rule. --- ##### `onCloudTrailWriteObject` ```typescript public onCloudTrailWriteObject(id: string, options?: OnCloudTrailBucketEventOptions): Rule ``` Defines an AWS CloudWatch event that triggers when an object at the specified paths (keys) in this bucket are written to. This includes the events PutObject, CopyObject, and CompleteMultipartUpload. Note that some tools like `aws s3 cp` will automatically use either PutObject or the multipart upload API depending on the file size, so using this method may be preferable to `onCloudTrailPutObject`. Requires that there exists at least one CloudTrail Trail in your account that captures the event. This method will not create the Trail. ###### `id`^Required - *Type:* string The id of the rule. --- ###### `options`^Optional - *Type:* aws-cdk-lib.aws_s3.OnCloudTrailBucketEventOptions Options for adding the rule. --- ##### `s3UrlForObject` ```typescript public s3UrlForObject(key?: string): string ``` The S3 URL of an S3 object. For example:. `s3://onlybucket` - `s3://bucket/key` ###### `key`^Optional - *Type:* string The S3 key of the object. If not specified, the S3 URL of the bucket is returned. --- ##### `transferAccelerationUrlForObject` ```typescript public transferAccelerationUrlForObject(key?: string, options?: TransferAccelerationUrlOptions): string ``` The https Transfer Acceleration URL of an S3 object. Specify `dualStack: true` at the options for dual-stack endpoint (connect to the bucket over IPv6). For example: - `https://bucket.s3-accelerate.amazonaws.com` - `https://bucket.s3-accelerate.amazonaws.com/key` ###### `key`^Optional - *Type:* string The S3 key of the object. If not specified, the URL of the bucket is returned. --- ###### `options`^Optional - *Type:* aws-cdk-lib.aws_s3.TransferAccelerationUrlOptions Options for generating URL. --- ##### `urlForObject` ```typescript public urlForObject(key?: string): string ``` The https URL of an S3 object. Specify `regional: false` at the options for non-regional URLs. For example:. `https://s3.us-west-1.amazonaws.com/onlybucket` - `https://s3.us-west-1.amazonaws.com/bucket/key` - `https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey` ###### `key`^Optional - *Type:* string The S3 key of the object. If not specified, the URL of the bucket is returned. --- ##### `virtualHostedUrlForObject` ```typescript public virtualHostedUrlForObject(key?: string, options?: VirtualHostedStyleUrlOptions): string ``` The virtual hosted-style URL of an S3 object. Specify `regional: false` at the options for non-regional URL. For example:. `https://only-bucket.s3.us-west-1.amazonaws.com` - `https://bucket.s3.us-west-1.amazonaws.com/key` - `https://bucket.s3.amazonaws.com/key` - `https://china-bucket.s3.cn-north-1.amazonaws.com.cn/mykey` ###### `key`^Optional - *Type:* string The S3 key of the object. If not specified, the URL of the bucket is returned. --- ###### `options`^Optional - *Type:* aws-cdk-lib.aws_s3.VirtualHostedStyleUrlOptions Options for generating URL. --- ##### `addCorsRule` ```typescript public addCorsRule(rule: CorsRule): void ``` Adds a cross-origin access configuration for objects in an Amazon S3 bucket. ###### `rule`^Required - *Type:* aws-cdk-lib.aws_s3.CorsRule The CORS configuration rule to add. --- ##### `addInventory` ```typescript public addInventory(inventory: Inventory): void ``` Add an inventory configuration. ###### `inventory`^Required - *Type:* aws-cdk-lib.aws_s3.Inventory configuration to add. --- ##### `addLifecycleRule` ```typescript public addLifecycleRule(rule: LifecycleRule): void ``` Add a lifecycle rule to the bucket. ###### `rule`^Required - *Type:* aws-cdk-lib.aws_s3.LifecycleRule The rule to add. --- ##### `addMetric` ```typescript public addMetric(metric: BucketMetrics): void ``` Adds a metrics configuration for the CloudWatch request metrics from the bucket. ###### `metric`^Required - *Type:* aws-cdk-lib.aws_s3.BucketMetrics The metric configuration to add. --- #### Static Functions | **Name** | **Description** | | --- | --- | | isConstruct | Checks if `x` is a construct. | | isOwnedResource | Returns true if the construct was created by CDK, and false otherwise. | | isResource | Check whether the given construct is a Resource. | | fromBucketArn | *No description.* | | fromBucketAttributes | Creates a Bucket construct that represents an external bucket. | | fromBucketName | *No description.* | | fromCfnBucket | Create a mutable `IBucket` based on a low-level `CfnBucket`. | | validateBucketName | Thrown an exception if the given bucket name is not valid. | --- ##### `isConstruct` ```typescript import { SecureBucket } from '@gammarers/aws-secure-bucket' SecureBucket.isConstruct(x: any) ``` Checks if `x` is a construct. Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked. Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead. ###### `x`^Required - *Type:* any Any object. --- ##### `isOwnedResource` ```typescript import { SecureBucket } from '@gammarers/aws-secure-bucket' SecureBucket.isOwnedResource(construct: IConstruct) ``` Returns true if the construct was created by CDK, and false otherwise. ###### `construct`^Required - *Type:* constructs.IConstruct --- ##### `isResource` ```typescript import { SecureBucket } from '@gammarers/aws-secure-bucket' SecureBucket.isResource(construct: IConstruct) ``` Check whether the given construct is a Resource. ###### `construct`^Required - *Type:* constructs.IConstruct --- ##### `fromBucketArn` ```typescript import { SecureBucket } from '@gammarers/aws-secure-bucket' SecureBucket.fromBucketArn(scope: Construct, id: string, bucketArn: string) ``` ###### `scope`^Required - *Type:* constructs.Construct --- ###### `id`^Required - *Type:* string --- ###### `bucketArn`^Required - *Type:* string --- ##### `fromBucketAttributes` ```typescript import { SecureBucket } from '@gammarers/aws-secure-bucket' SecureBucket.fromBucketAttributes(scope: Construct, id: string, attrs: BucketAttributes) ``` Creates a Bucket construct that represents an external bucket. ###### `scope`^Required - *Type:* constructs.Construct The parent creating construct (usually `this`). --- ###### `id`^Required - *Type:* string The construct's name. --- ###### `attrs`^Required - *Type:* aws-cdk-lib.aws_s3.BucketAttributes A `BucketAttributes` object. Can be obtained from a call to `bucket.export()` or manually created. --- ##### `fromBucketName` ```typescript import { SecureBucket } from '@gammarers/aws-secure-bucket' SecureBucket.fromBucketName(scope: Construct, id: string, bucketName: string) ``` ###### `scope`^Required - *Type:* constructs.Construct --- ###### `id`^Required - *Type:* string --- ###### `bucketName`^Required - *Type:* string --- ##### `fromCfnBucket` ```typescript import { SecureBucket } from '@gammarers/aws-secure-bucket' SecureBucket.fromCfnBucket(cfnBucket: CfnBucket) ``` Create a mutable `IBucket` based on a low-level `CfnBucket`. ###### `cfnBucket`^Required - *Type:* aws-cdk-lib.aws_s3.CfnBucket --- ##### `validateBucketName` ```typescript import { SecureBucket } from '@gammarers/aws-secure-bucket' SecureBucket.validateBucketName(physicalName: string, allowLegacyBucketNaming?: boolean) ``` Thrown an exception if the given bucket name is not valid. ###### `physicalName`^Required - *Type:* string name of the bucket. --- ###### `allowLegacyBucketNaming`^Optional - *Type:* boolean allow legacy bucket naming style, default is false. --- #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | node | constructs.Node | The tree node. | | env | aws-cdk-lib.ResourceEnvironment | The environment this resource belongs to. | | stack | aws-cdk-lib.Stack | The stack in which this resource is defined. | | bucketArn | string | The ARN of the bucket. | | bucketDomainName | string | The IPv4 DNS name of the specified bucket. | | bucketDualStackDomainName | string | The IPv6 DNS name of the specified bucket. | | bucketName | string | The name of the bucket. | | bucketRegionalDomainName | string | The regional domain name of the specified bucket. | | bucketWebsiteDomainName | string | The Domain name of the static website. | | bucketWebsiteUrl | string | The URL of the static website. | | encryptionKey | aws-cdk-lib.aws_kms.IKey | Optional KMS encryption key associated with this bucket. | | isWebsite | boolean | If this bucket has been configured for static website hosting. | | policy | aws-cdk-lib.aws_s3.BucketPolicy | The resource policy associated with this bucket. | | replicationRoleArn | string | Role used to set up permissions on this bucket for replication. | --- ##### `node`^Required ```typescript public readonly node: Node; ``` - *Type:* constructs.Node The tree node. --- ##### `env`^Required ```typescript public readonly env: ResourceEnvironment; ``` - *Type:* aws-cdk-lib.ResourceEnvironment The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into. --- ##### `stack`^Required ```typescript public readonly stack: Stack; ``` - *Type:* aws-cdk-lib.Stack The stack in which this resource is defined. --- ##### `bucketArn`^Required ```typescript public readonly bucketArn: string; ``` - *Type:* string The ARN of the bucket. --- ##### `bucketDomainName`^Required ```typescript public readonly bucketDomainName: string; ``` - *Type:* string The IPv4 DNS name of the specified bucket. --- ##### `bucketDualStackDomainName`^Required ```typescript public readonly bucketDualStackDomainName: string; ``` - *Type:* string The IPv6 DNS name of the specified bucket. --- ##### `bucketName`^Required ```typescript public readonly bucketName: string; ``` - *Type:* string The name of the bucket. --- ##### `bucketRegionalDomainName`^Required ```typescript public readonly bucketRegionalDomainName: string; ``` - *Type:* string The regional domain name of the specified bucket. --- ##### `bucketWebsiteDomainName`^Required ```typescript public readonly bucketWebsiteDomainName: string; ``` - *Type:* string The Domain name of the static website. --- ##### `bucketWebsiteUrl`^Required ```typescript public readonly bucketWebsiteUrl: string; ``` - *Type:* string The URL of the static website. --- ##### `encryptionKey`^Optional ```typescript public readonly encryptionKey: IKey; ``` - *Type:* aws-cdk-lib.aws_kms.IKey Optional KMS encryption key associated with this bucket. --- ##### `isWebsite`^Optional ```typescript public readonly isWebsite: boolean; ``` - *Type:* boolean If this bucket has been configured for static website hosting. --- ##### `policy`^Optional ```typescript public readonly policy: BucketPolicy; ``` - *Type:* aws-cdk-lib.aws_s3.BucketPolicy The resource policy associated with this bucket. If `autoCreatePolicy` is true, a `BucketPolicy` will be created upon the first call to addToResourcePolicy(s). --- ##### `replicationRoleArn`^Optional ```typescript public readonly replicationRoleArn: string; ``` - *Type:* string Role used to set up permissions on this bucket for replication. --- ## Structs ### SecureBucketProps #### Initializer ```typescript import { SecureBucketProps } from '@gammarers/aws-secure-bucket' const secureBucketProps: SecureBucketProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | accessControl | aws-cdk-lib.aws_s3.BucketAccessControl | Specifies a canned ACL that grants predefined permissions to the bucket. | | autoDeleteObjects | boolean | Whether all objects should be automatically deleted when the bucket is removed from the stack or when the stack is deleted. | | blockPublicAccess | aws-cdk-lib.aws_s3.BlockPublicAccess | The block public access configuration of this bucket. | | bucketKeyEnabled | boolean | Whether Amazon S3 should use its own intermediary key to generate data keys. | | bucketName | string | Physical name of this bucket. | | cors | aws-cdk-lib.aws_s3.CorsRule[] | The CORS configuration of this bucket. | | encryption | aws-cdk-lib.aws_s3.BucketEncryption | The kind of server-side encryption to apply to this bucket. | | encryptionKey | aws-cdk-lib.aws_kms.IKey | External KMS key to use for bucket encryption. | | enforceSSL | boolean | Enforces SSL for requests. | | eventBridgeEnabled | boolean | Whether this bucket should send notifications to Amazon EventBridge or not. | | intelligentTieringConfigurations | aws-cdk-lib.aws_s3.IntelligentTieringConfiguration[] | Intelligent Tiering Configurations. | | inventories | aws-cdk-lib.aws_s3.Inventory[] | The inventory configuration of the bucket. | | lifecycleRules | aws-cdk-lib.aws_s3.LifecycleRule[] | Rules that define how Amazon S3 manages objects during their lifetime. | | metrics | aws-cdk-lib.aws_s3.BucketMetrics[] | The metrics configuration of this bucket. | | minimumTLSVersion | number | Enforces minimum TLS version for requests. | | notificationsHandlerRole | aws-cdk-lib.aws_iam.IRole | The role to be used by the notifications handler. | | notificationsSkipDestinationValidation | boolean | Skips notification validation of Amazon SQS, Amazon SNS, and Lambda destinations. | | objectLockDefaultRetention | aws-cdk-lib.aws_s3.ObjectLockRetention | The default retention mode and rules for S3 Object Lock. | | objectLockEnabled | boolean | Enable object lock on the bucket. | | objectOwnership | aws-cdk-lib.aws_s3.ObjectOwnership | The objectOwnership of the bucket. | | publicReadAccess | boolean | Grants public read access to all objects in the bucket. | | removalPolicy | aws-cdk-lib.RemovalPolicy | Policy to apply when the bucket is removed from this stack. | | replicationRules | aws-cdk-lib.aws_s3.ReplicationRule[] | A container for one or more replication rules. | | serverAccessLogsBucket | aws-cdk-lib.aws_s3.IBucket | Destination bucket for the server access logs. | | serverAccessLogsPrefix | string | Optional log file prefix to use for the bucket's access logs. | | targetObjectKeyFormat | aws-cdk-lib.aws_s3.TargetObjectKeyFormat | Optional key format for log objects. | | transferAcceleration | boolean | Whether this bucket should have transfer acceleration turned on or not. | | transitionDefaultMinimumObjectSize | aws-cdk-lib.aws_s3.TransitionDefaultMinimumObjectSize | Indicates which default minimum object size behavior is applied to the lifecycle configuration. | | versioned | boolean | Whether this bucket should have versioning turned on or not. | | websiteErrorDocument | string | The name of the error document (e.g. "404.html") for the website. `websiteIndexDocument` must also be set if this is set. | | websiteIndexDocument | string | The name of the index document (e.g. "index.html") for the website. Enables static website hosting for this bucket. | | websiteRedirect | aws-cdk-lib.aws_s3.RedirectTarget | Specifies the redirect behavior of all requests to a website endpoint of a bucket. | | websiteRoutingRules | aws-cdk-lib.aws_s3.RoutingRule[] | Rules that define when a redirect is applied and the redirect behavior. | | bucketType | SecureBucketType | The type of the bucket. | | isCloudFrontOriginBucket | boolean | If your are using it as the CloudFront origin bucket, set it to true. | | isPipelineArtifactBucket | boolean | If you are setting a custom Qualifier and using it as the artifact bucket for the CDK pipeline, set it to true. | --- ##### `accessControl`^Optional ```typescript public readonly accessControl: BucketAccessControl; ``` - *Type:* aws-cdk-lib.aws_s3.BucketAccessControl - *Default:* BucketAccessControl.PRIVATE Specifies a canned ACL that grants predefined permissions to the bucket. --- ##### `autoDeleteObjects`^Optional ```typescript public readonly autoDeleteObjects: boolean; ``` - *Type:* boolean - *Default:* false Whether all objects should be automatically deleted when the bucket is removed from the stack or when the stack is deleted. Requires the `removalPolicy` to be set to `RemovalPolicy.DESTROY`. **Warning** if you have deployed a bucket with `autoDeleteObjects: true`, switching this to `false` in a CDK version *before* `1.126.0` will lead to all objects in the bucket being deleted. Be sure to update your bucket resources by deploying with CDK version `1.126.0` or later **before** switching this value to `false`. Setting `autoDeleteObjects` to true on a bucket will add `s3:PutBucketPolicy` to the bucket policy. This is because during bucket deletion, the custom resource provider needs to update the bucket policy by adding a deny policy for `s3:PutObject` to prevent race conditions with external bucket writers. --- ##### `blockPublicAccess`^Optional ```typescript public readonly blockPublicAccess: BlockPublicAccess; ``` - *Type:* aws-cdk-lib.aws_s3.BlockPublicAccess - *Default:* CloudFormation defaults will apply. New buckets and objects don't allow public access, but users can modify bucket policies or object permissions to allow public access The block public access configuration of this bucket. > [https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html) --- ##### `bucketKeyEnabled`^Optional ```typescript public readonly bucketKeyEnabled: boolean; ``` - *Type:* boolean - *Default:* false Whether Amazon S3 should use its own intermediary key to generate data keys. Only relevant when using KMS for encryption. - If not enabled, every object GET and PUT will cause an API call to KMS (with the attendant cost implications of that). - If enabled, S3 will use its own time-limited key instead. Only relevant, when Encryption is not set to `BucketEncryption.UNENCRYPTED`. --- ##### `bucketName`^Optional ```typescript public readonly bucketName: string; ``` - *Type:* string - *Default:* Assigned by CloudFormation (recommended). Physical name of this bucket. --- ##### `cors`^Optional ```typescript public readonly cors: CorsRule[]; ``` - *Type:* aws-cdk-lib.aws_s3.CorsRule[] - *Default:* No CORS configuration. The CORS configuration of this bucket. > [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-cors.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-cors.html) --- ##### `encryption`^Optional ```typescript public readonly encryption: BucketEncryption; ``` - *Type:* aws-cdk-lib.aws_s3.BucketEncryption - *Default:* `KMS` if `encryptionKey` is specified, or `S3_MANAGED` otherwise. The kind of server-side encryption to apply to this bucket. If you choose KMS, you can specify a KMS key via `encryptionKey`. If encryption key is not specified, a key will automatically be created. --- ##### `encryptionKey`^Optional ```typescript public readonly encryptionKey: IKey; ``` - *Type:* aws-cdk-lib.aws_kms.IKey - *Default:* If `encryption` is set to `KMS` and this property is undefined, a new KMS key will be created and associated with this bucket. External KMS key to use for bucket encryption. The `encryption` property must be either not specified or set to `KMS` or `DSSE`. An error will be emitted if `encryption` is set to `UNENCRYPTED` or `S3_MANAGED`. --- ##### `enforceSSL`^Optional ```typescript public readonly enforceSSL: boolean; ``` - *Type:* boolean - *Default:* false Enforces SSL for requests. S3.5 of the AWS Foundational Security Best Practices Regarding S3. > [https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html) --- ##### `eventBridgeEnabled`^Optional ```typescript public readonly eventBridgeEnabled: boolean; ``` - *Type:* boolean - *Default:* false Whether this bucket should send notifications to Amazon EventBridge or not. --- ##### `intelligentTieringConfigurations`^Optional ```typescript public readonly intelligentTieringConfigurations: IntelligentTieringConfiguration[]; ``` - *Type:* aws-cdk-lib.aws_s3.IntelligentTieringConfiguration[] - *Default:* No Intelligent Tiiering Configurations. Intelligent Tiering Configurations. > [https://docs.aws.amazon.com/AmazonS3/latest/userguide/intelligent-tiering.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/intelligent-tiering.html) --- ##### `inventories`^Optional ```typescript public readonly inventories: Inventory[]; ``` - *Type:* aws-cdk-lib.aws_s3.Inventory[] - *Default:* No inventory configuration The inventory configuration of the bucket. > [https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-inventory.html](https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-inventory.html) --- ##### `lifecycleRules`^Optional ```typescript public readonly lifecycleRules: LifecycleRule[]; ``` - *Type:* aws-cdk-lib.aws_s3.LifecycleRule[] - *Default:* No lifecycle rules. Rules that define how Amazon S3 manages objects during their lifetime. --- ##### `metrics`^Optional ```typescript public readonly metrics: BucketMetrics[]; ``` - *Type:* aws-cdk-lib.aws_s3.BucketMetrics[] - *Default:* No metrics configuration. The metrics configuration of this bucket. > [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-metricsconfiguration.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-metricsconfiguration.html) --- ##### `minimumTLSVersion`^Optional ```typescript public readonly minimumTLSVersion: number; ``` - *Type:* number - *Default:* No minimum TLS version is enforced. Enforces minimum TLS version for requests. Requires `enforceSSL` to be enabled. > [https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html#example-object-tls-version](https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html#example-object-tls-version) --- ##### `notificationsHandlerRole`^Optional ```typescript public readonly notificationsHandlerRole: IRole; ``` - *Type:* aws-cdk-lib.aws_iam.IRole - *Default:* a new role will be created. The role to be used by the notifications handler. --- ##### `notificationsSkipDestinationValidation`^Optional ```typescript public readonly notificationsSkipDestinationValidation: boolean; ``` - *Type:* boolean - *Default:* false Skips notification validation of Amazon SQS, Amazon SNS, and Lambda destinations. --- ##### `objectLockDefaultRetention`^Optional ```typescript public readonly objectLockDefaultRetention: ObjectLockRetention; ``` - *Type:* aws-cdk-lib.aws_s3.ObjectLockRetention - *Default:* no default retention period The default retention mode and rules for S3 Object Lock. Default retention can be configured after a bucket is created if the bucket already has object lock enabled. Enabling object lock for existing buckets is not supported. > [https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-bucket-config-enable](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-bucket-config-enable) --- ##### `objectLockEnabled`^Optional ```typescript public readonly objectLockEnabled: boolean; ``` - *Type:* boolean - *Default:* false, unless objectLockDefaultRetention is set (then, true) Enable object lock on the bucket. Enabling object lock for existing buckets is not supported. Object lock must be enabled when the bucket is created. > [https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-bucket-config-enable](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-bucket-config-enable) --- ##### `objectOwnership`^Optional ```typescript public readonly objectOwnership: ObjectOwnership; ``` - *Type:* aws-cdk-lib.aws_s3.ObjectOwnership - *Default:* No ObjectOwnership configuration. By default, Amazon S3 sets Object Ownership to `Bucket owner enforced`. This means ACLs are disabled and the bucket owner will own every object. The objectOwnership of the bucket. > [https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html](https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html) --- ##### `publicReadAccess`^Optional ```typescript public readonly publicReadAccess: boolean; ``` - *Type:* boolean - *Default:* false Grants public read access to all objects in the bucket. Similar to calling `bucket.grantPublicAccess()` --- ##### `removalPolicy`^Optional ```typescript public readonly removalPolicy: RemovalPolicy; ``` - *Type:* aws-cdk-lib.RemovalPolicy - *Default:* The bucket will be orphaned. Policy to apply when the bucket is removed from this stack. --- ##### `replicationRules`^Optional ```typescript public readonly replicationRules: ReplicationRule[]; ``` - *Type:* aws-cdk-lib.aws_s3.ReplicationRule[] - *Default:* No replication A container for one or more replication rules. --- ##### `serverAccessLogsBucket`^Optional ```typescript public readonly serverAccessLogsBucket: IBucket; ``` - *Type:* aws-cdk-lib.aws_s3.IBucket - *Default:* If "serverAccessLogsPrefix" undefined - access logs disabled, otherwise - log to current bucket. Destination bucket for the server access logs. --- ##### `serverAccessLogsPrefix`^Optional ```typescript public readonly serverAccessLogsPrefix: string; ``` - *Type:* string - *Default:* No log file prefix Optional log file prefix to use for the bucket's access logs. If defined without "serverAccessLogsBucket", enables access logs to current bucket with this prefix. --- ##### `targetObjectKeyFormat`^Optional ```typescript public readonly targetObjectKeyFormat: TargetObjectKeyFormat; ``` - *Type:* aws-cdk-lib.aws_s3.TargetObjectKeyFormat - *Default:* the default key format is: [DestinationPrefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString] Optional key format for log objects. --- ##### `transferAcceleration`^Optional ```typescript public readonly transferAcceleration: boolean; ``` - *Type:* boolean - *Default:* false Whether this bucket should have transfer acceleration turned on or not. --- ##### `transitionDefaultMinimumObjectSize`^Optional ```typescript public readonly transitionDefaultMinimumObjectSize: TransitionDefaultMinimumObjectSize; ``` - *Type:* aws-cdk-lib.aws_s3.TransitionDefaultMinimumObjectSize - *Default:* TransitionDefaultMinimumObjectSize.VARIES_BY_STORAGE_CLASS before September 2024, otherwise TransitionDefaultMinimumObjectSize.ALL_STORAGE_CLASSES_128_K. Indicates which default minimum object size behavior is applied to the lifecycle configuration. To customize the minimum object size for any transition you can add a filter that specifies a custom `objectSizeGreaterThan` or `objectSizeLessThan` for `lifecycleRules` property. Custom filters always take precedence over the default transition behavior. --- ##### `versioned`^Optional ```typescript public readonly versioned: boolean; ``` - *Type:* boolean - *Default:* false (unless object lock is enabled, then true) Whether this bucket should have versioning turned on or not. --- ##### `websiteErrorDocument`^Optional ```typescript public readonly websiteErrorDocument: string; ``` - *Type:* string - *Default:* No error document. The name of the error document (e.g. "404.html") for the website. `websiteIndexDocument` must also be set if this is set. --- ##### `websiteIndexDocument`^Optional ```typescript public readonly websiteIndexDocument: string; ``` - *Type:* string - *Default:* No index document. The name of the index document (e.g. "index.html") for the website. Enables static website hosting for this bucket. --- ##### `websiteRedirect`^Optional ```typescript public readonly websiteRedirect: RedirectTarget; ``` - *Type:* aws-cdk-lib.aws_s3.RedirectTarget - *Default:* No redirection. Specifies the redirect behavior of all requests to a website endpoint of a bucket. If you specify this property, you can't specify "websiteIndexDocument", "websiteErrorDocument" nor , "websiteRoutingRules". --- ##### `websiteRoutingRules`^Optional ```typescript public readonly websiteRoutingRules: RoutingRule[]; ``` - *Type:* aws-cdk-lib.aws_s3.RoutingRule[] - *Default:* No redirection rules. Rules that define when a redirect is applied and the redirect behavior. --- ##### `bucketType`^Optional ```typescript public readonly bucketType: SecureBucketType; ``` - *Type:* SecureBucketType - *Default:* SecureBucketType.DEFAULT The type of the bucket. --- ##### ~~`isCloudFrontOriginBucket`~~^Optional - *Deprecated:* This property is deprecated. Use the bucketType property instead. ```typescript public readonly isCloudFrontOriginBucket: boolean; ``` - *Type:* boolean - *Default:* false If your are using it as the CloudFront origin bucket, set it to true. --- ##### ~~`isPipelineArtifactBucket`~~^Optional - *Deprecated:* This property is deprecated. Use the bucketType property instead. ```typescript public readonly isPipelineArtifactBucket: boolean; ``` - *Type:* boolean - *Default:* false If you are setting a custom Qualifier and using it as the artifact bucket for the CDK pipeline, set it to true. --- ## Enums ### SecureBucketType #### Members | **Name** | **Description** | | --- | --- | | SINGLE_PIPELINE_ARTIFACT | *No description.* | | SINGLE_REGION_DEPLOYMENT_PIPELINE_ARTIFACT_BUCKET | If you are setting a custom Qualifier and using it as the artifact bucket for the CDK pipeline, is it selected as the single region deployment pipeline artifact bucket. | | MULTI_PIPELINE_ARTIFACT | *No description.* | | MULTI_REGION_DEPLOYMENT_PIPELINE_ARTIFACT_BUCKET | If you are setting a custom Qualifier and using it as the artifact bucket for the CDK pipeline, is it selected as the multi region deployment pipeline artifact bucket. | | CLOUD_FRONT_ORIGIN | If you are using it as the CloudFront origin bucket, is it selected as the cloudfront origin bucket. | | CLOUD_FRONT_ORIGIN_BUCKET | If you are using it as the CloudFront origin bucket, is it selected as the cloudfront origin bucket. | | DEFAULT | If you are not setting a custom Qualifier and using it as the default bucket, is it selected as the default bucket. | | DEFAULT_BUCKET | If you are not setting a custom Qualifier and using it as the default bucket, is it selected as the default bucket. | --- ##### ~~`SINGLE_PIPELINE_ARTIFACT`~~ - *Deprecated:* This property is deprecated. Use the bucketType property instead. --- ##### `SINGLE_REGION_DEPLOYMENT_PIPELINE_ARTIFACT_BUCKET` If you are setting a custom Qualifier and using it as the artifact bucket for the CDK pipeline, is it selected as the single region deployment pipeline artifact bucket. --- ##### ~~`MULTI_PIPELINE_ARTIFACT`~~ - *Deprecated:* This property is deprecated. Use the bucketType property instead. --- ##### `MULTI_REGION_DEPLOYMENT_PIPELINE_ARTIFACT_BUCKET` If you are setting a custom Qualifier and using it as the artifact bucket for the CDK pipeline, is it selected as the multi region deployment pipeline artifact bucket. --- ##### ~~`CLOUD_FRONT_ORIGIN`~~ - *Deprecated:* This property is deprecated. Use the bucketType property instead. If you are using it as the CloudFront origin bucket, is it selected as the cloudfront origin bucket. --- ##### `CLOUD_FRONT_ORIGIN_BUCKET` If you are using it as the CloudFront origin bucket, is it selected as the cloudfront origin bucket. --- ##### ~~`DEFAULT`~~ - *Deprecated:* This property is deprecated. Use the bucketType property instead. If you are not setting a custom Qualifier and using it as the default bucket, is it selected as the default bucket. --- ##### `DEFAULT_BUCKET` If you are not setting a custom Qualifier and using it as the default bucket, is it selected as the default bucket. ---