import { AddToResourcePolicyResult, Conditions, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { IBucket, BucketEncryption } from 'aws-cdk-lib/aws-s3';
import { IConstruct } from 'constructs';
import { IAccessSpec, IAWSServiceAccessGenerator } from './k9policy';
/**
 * Configure the k9 Security S3 Bucket policy generator with the K9BucketPolicyProps.
 *
 * Extends the CDK `BucketPolicyProps` (which supplies the target bucket) with the
 * k9 access specification and the switches that control which Allow/Deny
 * statements `grantAccessViaResourcePolicy` generates.
 */
export interface K9BucketPolicyProps extends s3.BucketPolicyProps {
    /**
     * An array of IAccessSpec defining the desired access.  The policy
     * generator will combine and normalize overlapping access specs.
     *
     * These specs are the source of the Allow statements k9 adds; principals
     * not covered by them (or by a pre-existing statement) are presumably
     * caught by the generated `DenyEveryoneElse` statement.
     */
    readonly k9DesiredAccess: Array<IAccessSpec>;
    /**
     * (Optionally) Provide the BucketEncryption object for the Bucket to
     * allow the policy generator to customize the policy for the Bucket's
     * configuration without handling, e.g. the encryption method options directly
     *
     * When omitted and `enforceEncryptionAtRest` is in effect, the generated
     * conditions default to `aws:kms` (see `enforceEncryptionAtRest`), so a
     * bucket configured for SSE-S3 should pass its encryption setting here or
     * uploads that use the bucket default will be denied.
     */
    readonly encryption?: BucketEncryption;
    /**
     * Enforce encryption at rest with policy conditions.  The policy will use
     * the encryption method defined by the encryption property or default to `aws:kms`.
     *
     * Presumably this controls the `DenyUnencryptedStorage` and
     * `DenyUnexpectedEncryptionMethod` statements (see the SID constants in
     * this module) — confirm against the generator.  Setting this to `false`
     * removes that guardrail; PutObject requests without the expected
     * server-side encryption header are then no longer rejected by policy.
     *
     * @default true
     */
    readonly enforceEncryptionAtRest?: boolean;
    /**
     * Allow public read access to the bucket.
     *
     * `true` adds an anonymous read grant (see `SID_ALLOW_PUBLIC_READ_ACCESS`),
     * exposing every object in the bucket to the internet.  Leave `false`
     * unless the bucket is intentionally public.
     *
     * NOTE(review): S3 Block Public Access at the bucket or account level will
     * reject a policy that grants public access — confirm the bucket's
     * `blockPublicAccess` configuration before enabling this.
     *
     * @default false
     */
    readonly publicReadAccess?: boolean;
    /**
     * An (optional) array of IAWSServiceAccessGenerator instances which will generate statements to allow access to the
     * bucket or bucket object(s) by an AWS service like CloudFront or Kinesis.
     *
     * Each generator contributes its own Allow statements and the conditions
     * needed to exempt that service from the `DenyEveryoneElse` statement
     * (see `CloudFrontOACReadAccessGenerator`).
     *
     * @default undefined
     */
    readonly awsServiceAccessGenerators?: Array<IAWSServiceAccessGenerator>;
}
/**
 * Statement Id (Sid) of the Deny statement that, judging by its name, rejects
 * object writes specifying a server-side encryption method other than the one
 * configured for the bucket (see `K9BucketPolicyProps.encryption`).
 */
export declare const SID_DENY_UNEXPECTED_ENCRYPTION_METHOD = "DenyUnexpectedEncryptionMethod";
/**
 * Statement Id (Sid) of the Deny statement that, judging by its name, rejects
 * object writes that do not request server-side encryption at all
 * (see `K9BucketPolicyProps.enforceEncryptionAtRest`).
 */
export declare const SID_DENY_UNENCRYPTED_STORAGE = "DenyUnencryptedStorage";
/**
 * Statement Id (Sid) of the Allow statement added when
 * `K9BucketPolicyProps.publicReadAccess` is `true`.  Useful for locating
 * (and auditing) the public grant in a rendered policy.
 */
export declare const SID_ALLOW_PUBLIC_READ_ACCESS = "AllowPublicReadAccess";
/**
 * Generates the bucket-policy statements that let a CloudFront distribution
 * read objects from the bucket via an Origin Access Control (OAC).
 *
 * NOTE(review): the implementation is not visible in this declaration file.
 * The Allow statement presumably targets the CloudFront service principal and
 * is scoped to `distributionArn` (e.g. through an `aws:SourceArn` condition) —
 * confirm against the generator source, since without that scoping any
 * distribution in any account could read the bucket.
 */
export declare class CloudFrontOACReadAccessGenerator implements IAWSServiceAccessGenerator {
    /** Statement Id (Sid) of the Allow statement this generator emits. */
    static readonly SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS = "AllowCloudFrontOACReadAccess";
    /** Bucket whose objects the distribution is allowed to read. */
    readonly bucket: IBucket;
    /** ARN of the CloudFront distribution being granted read access. */
    readonly distributionArn: string;
    /**
     * @param bucket the bucket the distribution reads from
     * @param distributionArn ARN of the single distribution to permit
     */
    constructor(bucket: IBucket, distributionArn: string);
    /** Allow statement(s) granting the distribution read access to the bucket's objects. */
    makeAllowStatements(): Array<PolicyStatement>;
    /**
     * Conditions that exempt this distribution from the generated
     * `DenyEveryoneElse` statement, so the Allow above is not negated by it.
     */
    makeConditionsToExceptFromDenyEveryoneElse(): Conditions;
}
/**
 * Grants least-privilege access to a bucket by generating a BucketPolicy from the access capabilities
 * described by `props`; the policy will be set on the Bucket specified in `props`.
 *
 * When a BucketPolicy already exists on the Bucket referenced in `props`:
 *   * the BucketPolicy's existing Statements will pass through unmodified
 *   * k9 will identify IAM principals that were allowed by the original policy and add those principals to
 *   the `DenyEveryoneElse` Statement's exclusion list so that, e.g. autoDeleteObjects works as expected
 *   * k9's Allow and Deny statements will be added to the policy
 *
 * @remarks
 *
 * k9 modifies the existing BucketPolicy in place instead of replacing or copying and modifying that
 * to preserve dependency references created by certain S3 CDK features such as `autoDeleteObjects`.
 *
 * Security note: because pre-existing statements are kept verbatim and their allowed principals are
 * exempted from `DenyEveryoneElse`, k9 does not tighten an existing policy.  An overly broad Allow
 * already present on the bucket (e.g. a wildcard principal) remains effective after this call, so
 * review any pre-existing policy before relying on the generated result as least privilege.
 *
 * @param scope The scope in which to define this construct.
 * @param id The scoped construct ID.
 * @param props describing the desired access capabilities for the bucket
 *
 * @returns an array of AddToResourcePolicyResult, one per statement added to the bucket's resource policy
 */
export declare function grantAccessViaResourcePolicy(scope: IConstruct, id: string, props: K9BucketPolicyProps): AddToResourcePolicyResult[];
