import type { Construct } from 'constructs'; import { BucketGrants } from './bucket-grants'; import { BucketPolicy } from './bucket-policy'; import type { IBucketNotificationDestination } from './destination'; import type { LifecycleRule, StorageClass } from './rule'; import type { BucketReference, IBucketRef } from './s3.generated'; import { CfnBucket } from './s3.generated'; import * as events from '../../aws-events'; import * as iam from '../../aws-iam'; import type { GrantOnKeyResult, IEncryptedResource, IGrantable } from '../../aws-iam'; import * as kms from '../../aws-kms'; import type { Duration, IResource, ResourceProps } from '../../core'; import { RemovalPolicy, Resource } from '../../core'; export interface IBucket extends IResource, IBucketRef { /** * The ARN of the bucket. * @attribute */ readonly bucketArn: string; /** * The name of the bucket. * @attribute */ readonly bucketName: string; /** * The URL of the static website. * @attribute */ readonly bucketWebsiteUrl: string; /** * The Domain name of the static website. * @attribute */ readonly bucketWebsiteDomainName: string; /** * The IPv4 DNS name of the specified bucket. * @attribute */ readonly bucketDomainName: string; /** * The IPv6 DNS name of the specified bucket. * @attribute */ readonly bucketDualStackDomainName: string; /** * The regional domain name of the specified bucket. * @attribute */ readonly bucketRegionalDomainName: string; /** * If this bucket has been configured for static website hosting. */ readonly isWebsite?: boolean; /** * Optional KMS encryption key associated with this bucket. */ readonly encryptionKey?: kms.IKey; /** * The resource policy associated with this bucket. * * If `autoCreatePolicy` is true, a `BucketPolicy` will be created upon the * first call to addToResourcePolicy(s). */ policy?: BucketPolicy; /** * Role used to set up permissions on this bucket for replication */ replicationRoleArn?: string; /** * Adds a statement to the resource policy for a principal (i.e. * account/role/service) to perform actions on this bucket and/or its * contents. Use `bucketArn` and `arnForObjects(keys)` to obtain ARNs for * this bucket or objects. * * Note that the policy statement may or may not be added to the policy. * For example, when an `IBucket` is created from an existing bucket, * it's not possible to tell whether the bucket already has a policy * attached, let alone to re-use that policy to add more statements to it. * So it's safest to do nothing in these cases. * * @param permission the policy statement to be added to the bucket's * policy. * @returns metadata about the execution of this method. If the policy * was not added, the value of `statementAdded` will be `false`. You * should always check this value to make sure that the operation was * actually carried out. Otherwise, synthesis and deploy will terminate * silently, which may be confusing. */ addToResourcePolicy(permission: iam.PolicyStatement): iam.AddToResourcePolicyResult; /** * The https URL of an S3 object. For example: * * - `https://s3.us-west-1.amazonaws.com/onlybucket` * - `https://s3.us-west-1.amazonaws.com/bucket/key` * - `https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey` * @param key The S3 key of the object. If not specified, the URL of the * bucket is returned. * @returns an ObjectS3Url token */ urlForObject(key?: string): string; /** * The https Transfer Acceleration URL of an S3 object. Specify `dualStack: true` at the options * for dual-stack endpoint (connect to the bucket over IPv6). For example: * * - `https://bucket.s3-accelerate.amazonaws.com` * - `https://bucket.s3-accelerate.amazonaws.com/key` * * @param key The S3 key of the object. If not specified, the URL of the * bucket is returned. * @param options Options for generating URL. * @returns an TransferAccelerationUrl token */ transferAccelerationUrlForObject(key?: string, options?: TransferAccelerationUrlOptions): string; /** * The virtual hosted-style URL of an S3 object. Specify `regional: false` at * the options for non-regional URL. For example: * * - `https://only-bucket.s3.us-west-1.amazonaws.com` * - `https://bucket.s3.us-west-1.amazonaws.com/key` * - `https://bucket.s3.amazonaws.com/key` * - `https://china-bucket.s3.cn-north-1.amazonaws.com.cn/mykey` * @param key The S3 key of the object. If not specified, the URL of the * bucket is returned. * @param options Options for generating URL. * @returns an ObjectS3Url token */ virtualHostedUrlForObject(key?: string, options?: VirtualHostedStyleUrlOptions): string; /** * The S3 URL of an S3 object. For example: * - `s3://onlybucket` * - `s3://bucket/key` * @param key The S3 key of the object. If not specified, the S3 URL of the * bucket is returned. * @returns an ObjectS3Url token */ s3UrlForObject(key?: string): string; /** * Returns an ARN that represents all objects within the bucket that match * the key pattern specified. To represent all keys, specify ``"*"``. */ arnForObjects(keyPattern: string): string; /** * Grant read permissions for this bucket and its contents to an IAM * principal (Role/Group/User). * * If encryption is used, permission to use the key to decrypt the contents * of the bucket will also be granted to the same principal. * * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. */ grantRead(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant; /** * Grant write permissions to this bucket to an IAM principal. * * If encryption is used, permission to use the key to encrypt the contents * of written files will also be granted to the same principal. * * Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`, * which could be used to grant read/write object access to IAM principals in other accounts. * If you want to get rid of that behavior, update your CDK version to 1.85.0 or later, * and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true` * in the `context` key of your cdk.json file. * If you've already updated, but still need the principal to have permissions to modify the ACLs, * use the `grantPutAcl` method. * * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. * @param allowedActionPatterns Restrict the permissions to certain list of action patterns */ grantWrite(identity: iam.IGrantable, objectsKeyPattern?: any, allowedActionPatterns?: string[]): iam.Grant; /** * Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal. * * If encryption is used, permission to use the key to encrypt the contents * of written files will also be granted to the same principal. * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. */ grantPut(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant; /** * Grant the given IAM identity permissions to modify the ACLs of objects in the given Bucket. * * If your application has the '@aws-cdk/aws-s3:grantWriteWithoutAcl' feature flag set, * calling `grantWrite` or `grantReadWrite` no longer grants permissions to modify the ACLs of the objects; * in this case, if you need to modify object ACLs, call this method explicitly. * * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*') */ grantPutAcl(identity: iam.IGrantable, objectsKeyPattern?: string): iam.Grant; /** * Grants s3:DeleteObject* permission to an IAM principal for objects * in this bucket. * * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. */ grantDelete(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant; /** * Grants read/write permissions for this bucket and its contents to an IAM * principal (Role/Group/User). * * If an encryption key is used, permission to use the key for * encrypt/decrypt will also be granted. * * Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`, * which could be used to grant read/write object access to IAM principals in other accounts. * If you want to get rid of that behavior, update your CDK version to 1.85.0 or later, * and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true` * in the `context` key of your cdk.json file. * If you've already updated, but still need the principal to have permissions to modify the ACLs, * use the `grantPutAcl` method. * * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. */ grantReadWrite(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant; /** * Allows permissions for replication operation to bucket replication role. * * If an encryption key is used, permission to use the key for * encrypt/decrypt will also be granted. * * @param identity The principal * @param props The properties of the replication source and destination buckets. * @returns The `iam.Grant` object, which represents the grant of permissions. */ grantReplicationPermission(identity: iam.IGrantable, props: GrantReplicationPermissionProps): iam.Grant; /** * Allows unrestricted access to objects from this bucket. * * IMPORTANT: This permission allows anyone to perform actions on S3 objects * in this bucket, which is useful for when you configure your bucket as a * website and want everyone to be able to read objects in the bucket without * needing to authenticate. * * Without arguments, this method will grant read ("s3:GetObject") access to * all objects ("*") in the bucket. * * The method returns the `iam.Grant` object, which can then be modified * as needed. For example, you can add a condition that will restrict access only * to an IPv4 range like this: * * const grant = bucket.grantPublicAccess(); * grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” }); * * * @param keyPrefix the prefix of S3 object keys (e.g. `home/*`). Default is "*". * @param allowedActions the set of S3 actions to allow. Default is "s3:GetObject". * @returns The `iam.PolicyStatement` object, which can be used to apply e.g. conditions. */ grantPublicAccess(keyPrefix?: string, ...allowedActions: string[]): iam.Grant; /** * Defines a CloudWatch event that triggers when something happens to this bucket * * Requires that there exists at least one CloudTrail Trail in your account * that captures the event. This method will not create the Trail. * * @param id The id of the rule * @param options Options for adding the rule */ onCloudTrailEvent(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule; /** * Defines an AWS CloudWatch event that triggers when an object is uploaded * to the specified paths (keys) in this bucket using the PutObject API call. * * Note that some tools like `aws s3 cp` will automatically use either * PutObject or the multipart upload API depending on the file size, * so using `onCloudTrailWriteObject` may be preferable. * * Requires that there exists at least one CloudTrail Trail in your account * that captures the event. This method will not create the Trail. * * @param id The id of the rule * @param options Options for adding the rule */ onCloudTrailPutObject(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule; /** * Defines an AWS CloudWatch event that triggers when an object at the * specified paths (keys) in this bucket are written to. This includes * the events PutObject, CopyObject, and CompleteMultipartUpload. * * Note that some tools like `aws s3 cp` will automatically use either * PutObject or the multipart upload API depending on the file size, * so using this method may be preferable to `onCloudTrailPutObject`. * * Requires that there exists at least one CloudTrail Trail in your account * that captures the event. This method will not create the Trail. * * @param id The id of the rule * @param options Options for adding the rule */ onCloudTrailWriteObject(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule; /** * Adds a bucket notification event destination. * @param event The event to trigger the notification * @param dest The notification destination (Lambda, SNS Topic or SQS Queue) * * @param filters S3 object key filter rules to determine which objects * trigger this event. Each filter must include a `prefix` and/or `suffix` * that will be matched against the s3 object key. Refer to the S3 Developer Guide * for details about allowed filter rules. * * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-how-to-filtering.html * * @example * * declare const myLambda: lambda.Function; * const bucket = new s3.Bucket(this, 'MyBucket'); * const filter: s3.NotificationKeyFilter = { prefix: 'home/myusername/*' }; * bucket.addEventNotification(s3.EventType.OBJECT_CREATED, new s3n.LambdaDestination(myLambda), filter); * * @see * https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html */ addEventNotification(event: EventType, dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void; /** * Subscribes a destination to receive notifications when an object is * created in the bucket. This is identical to calling * `onEvent(s3.EventType.OBJECT_CREATED)`. * * @param dest The notification destination (see onEvent) * @param filters Filters (see onEvent) */ addObjectCreatedNotification(dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void; /** * Subscribes a destination to receive notifications when an object is * removed from the bucket. This is identical to calling * `onEvent(EventType.OBJECT_REMOVED)`. * * @param dest The notification destination (see onEvent) * @param filters Filters (see onEvent) */ addObjectRemovedNotification(dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void; /** * Enables event bridge notification, causing all events below to be sent to EventBridge: * * - Object Deleted (DeleteObject) * - Object Deleted (Lifecycle expiration) * - Object Restore Initiated * - Object Restore Completed * - Object Restore Expired * - Object Storage Class Changed * - Object Access Tier Changed * - Object ACL Updated * - Object Tags Added * - Object Tags Deleted */ enableEventBridgeNotification(): void; /** * Function to add required permissions to the destination bucket for cross account * replication. These permissions will be added as a resource based policy on the bucket. * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html * If owner of the bucket needs to be overridden, set accessControlTransition to true and provide * account ID in which destination bucket is hosted. For more information on accessControlTransition * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-accesscontroltranslation.html */ addReplicationPolicy(roleArn: string, accessControlTransition?: boolean, account?: string): void; } /** * A reference to a bucket outside this stack */ export interface BucketAttributes { /** * The ARN of the bucket. At least one of bucketArn or bucketName must be * defined in order to initialize a bucket ref. */ readonly bucketArn?: string; /** * The name of the bucket. If the underlying value of ARN is a string, the * name will be parsed from the ARN. Otherwise, the name is optional, but * some features that require the bucket name such as auto-creating a bucket * policy, won't work. */ readonly bucketName?: string; /** * The domain name of the bucket. * * @default - Inferred from bucket name */ readonly bucketDomainName?: string; /** * The website URL of the bucket (if static web hosting is enabled). * * @default - Inferred from bucket name and region */ readonly bucketWebsiteUrl?: string; /** * The regional domain name of the specified bucket. */ readonly bucketRegionalDomainName?: string; /** * The IPv6 DNS name of the specified bucket. */ readonly bucketDualStackDomainName?: string; /** * Force the format of the website URL of the bucket. This should be true for * regions launched since 2014. * * @default - inferred from available region information, `false` otherwise * * @deprecated The correct website url format can be inferred automatically from the bucket `region`. * Always provide the bucket region if the `bucketWebsiteUrl` will be used. * Alternatively provide the full `bucketWebsiteUrl` manually. */ readonly bucketWebsiteNewUrlFormat?: boolean; /** * KMS encryption key associated with this bucket. * * @default - no encryption key */ readonly encryptionKey?: kms.IKey; /** * If this bucket has been configured for static website hosting. * * @default false */ readonly isWebsite?: boolean; /** * The account this existing bucket belongs to. * * @default - it's assumed the bucket belongs to the same account as the scope it's being imported into */ readonly account?: string; /** * The region this existing bucket is in. * Features that require the region (e.g. `bucketWebsiteUrl`) won't fully work * if the region cannot be correctly inferred. * * @default - it's assumed the bucket is in the same region as the scope it's being imported into */ readonly region?: string; /** * The role to be used by the notifications handler * * @default - a new role will be created. */ readonly notificationsHandlerRole?: iam.IRole; } /** * The properties for the destination bucket for granting replication permission. */ export interface GrantReplicationPermissionDestinationProps { /** * The destination bucket */ readonly bucket: IBucket; /** * The KMS key to use for encryption if a destination bucket needs to be encrypted with a customer-managed KMS key. * * @default - no KMS key is used for replication. */ readonly encryptionKey?: kms.IKey; } /** * The properties for the destination bucket for granting replication permission. */ export interface GrantReplicationPermissionProps { /** * The KMS key used to decrypt objects in the source bucket for replication. * **Required if** the source bucket is encrypted with a customer-managed KMS key. * * @default - it's assumed the source bucket is not encrypted with a customer-managed KMS key. */ readonly sourceDecryptionKey?: kms.IKey; /** * The destination buckets for replication. * Specify the KMS key to use for encryption if a destination bucket needs to be encrypted with a customer-managed KMS key. * One or more destination buckets are required if replication configuration is enabled (i.e., `replicationRole` is specified). * * @default - empty array (valid only if the `replicationRole` property is NOT specified) */ readonly destinations: GrantReplicationPermissionDestinationProps[]; } /** * Represents an S3 Bucket. * * Buckets can be either defined within this stack: * * new Bucket(this, 'MyBucket', { props }); * * Or imported from an existing bucket: * * Bucket.import(this, 'MyImportedBucket', { bucketArn: ... }); * * You can also export a bucket and import it into another stack: * * const ref = myBucket.export(); * Bucket.import(this, 'MyImportedBucket', ref); * */ export declare abstract class BucketBase extends Resource implements IBucket, IEncryptedResource { abstract readonly bucketArn: string; abstract readonly bucketName: string; abstract readonly bucketDomainName: string; abstract readonly bucketWebsiteUrl: string; abstract readonly bucketWebsiteDomainName: string; abstract readonly bucketRegionalDomainName: string; abstract readonly bucketDualStackDomainName: string; /** * Optional KMS encryption key associated with this bucket. */ abstract readonly encryptionKey?: kms.IKey; /** * If this bucket has been configured for static website hosting. */ abstract readonly isWebsite?: boolean; /** * The resource policy associated with this bucket. * * If `autoCreatePolicy` is true, a `BucketPolicy` will be created upon the * first call to addToResourcePolicy(s). */ abstract policy?: BucketPolicy; /** * Role used to set up permissions on this bucket for replication */ abstract replicationRoleArn?: string; /** * Indicates if a bucket resource policy should automatically created upon * the first call to `addToResourcePolicy`. */ protected abstract autoCreatePolicy: boolean; /** * Whether to disallow public access */ abstract disallowPublicAccess?: boolean; private notifications?; protected notificationsHandlerRole?: iam.IRole; protected notificationsSkipDestinationValidation?: boolean; protected objectOwnership?: ObjectOwnership; constructor(scope: Construct, id: string, props?: ResourceProps); grantOnKey(grantee: IGrantable, ...actions: string[]): GrantOnKeyResult; /** * Collection of grant methods for a Bucket */ get grants(): BucketGrants; /** * Define a CloudWatch event that triggers when something happens to this repository * * Requires that there exists at least one CloudTrail Trail in your account * that captures the event. This method will not create the Trail. * * @param id The id of the rule * @param options Options for adding the rule */ onCloudTrailEvent(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule; /** * Defines an AWS CloudWatch event that triggers when an object is uploaded * to the specified paths (keys) in this bucket using the PutObject API call. * * Note that some tools like `aws s3 cp` will automatically use either * PutObject or the multipart upload API depending on the file size, * so using `onCloudTrailWriteObject` may be preferable. * * Requires that there exists at least one CloudTrail Trail in your account * that captures the event. This method will not create the Trail. * * @param id The id of the rule * @param options Options for adding the rule */ onCloudTrailPutObject(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule; /** * Defines an AWS CloudWatch event that triggers when an object at the * specified paths (keys) in this bucket are written to. This includes * the events PutObject, CopyObject, and CompleteMultipartUpload. * * Note that some tools like `aws s3 cp` will automatically use either * PutObject or the multipart upload API depending on the file size, * so using this method may be preferable to `onCloudTrailPutObject`. * * Requires that there exists at least one CloudTrail Trail in your account * that captures the event. This method will not create the Trail. * * @param id The id of the rule * @param options Options for adding the rule */ onCloudTrailWriteObject(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule; /** * Adds a statement to the resource policy for a principal (i.e. * account/role/service) to perform actions on this bucket and/or its * contents. Use `bucketArn` and `arnForObjects(keys)` to obtain ARNs for * this bucket or objects. * * Note that the policy statement may or may not be added to the policy. * For example, when an `IBucket` is created from an existing bucket, * it's not possible to tell whether the bucket already has a policy * attached, let alone to re-use that policy to add more statements to it. * So it's safest to do nothing in these cases. * * @param permission the policy statement to be added to the bucket's * policy. * @returns metadata about the execution of this method. If the policy * was not added, the value of `statementAdded` will be `false`. You * should always check this value to make sure that the operation was * actually carried out. Otherwise, synthesis and deploy will terminate * silently, which may be confusing. */ addToResourcePolicy(permission: iam.PolicyStatement): iam.AddToResourcePolicyResult; /** * Ensures a bucket policy exists on the L2 if `autoCreatePolicy` is set. */ protected maybeAutoCreatePolicy(): void; /** * The https URL of an S3 object. Specify `regional: false` at the options * for non-regional URLs. For example: * * - `https://s3.us-west-1.amazonaws.com/onlybucket` * - `https://s3.us-west-1.amazonaws.com/bucket/key` * - `https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey` * * @param key The S3 key of the object. If not specified, the URL of the * bucket is returned. * @returns an ObjectS3Url token */ urlForObject(key?: string): string; /** * The https Transfer Acceleration URL of an S3 object. Specify `dualStack: true` at the options * for dual-stack endpoint (connect to the bucket over IPv6). For example: * * - `https://bucket.s3-accelerate.amazonaws.com` * - `https://bucket.s3-accelerate.amazonaws.com/key` * * @param key The S3 key of the object. If not specified, the URL of the * bucket is returned. * @param options Options for generating URL. * @returns an TransferAccelerationUrl token */ transferAccelerationUrlForObject(key?: string, options?: TransferAccelerationUrlOptions): string; /** * The virtual hosted-style URL of an S3 object. Specify `regional: false` at * the options for non-regional URL. For example: * * - `https://only-bucket.s3.us-west-1.amazonaws.com` * - `https://bucket.s3.us-west-1.amazonaws.com/key` * - `https://bucket.s3.amazonaws.com/key` * - `https://china-bucket.s3.cn-north-1.amazonaws.com.cn/mykey` * * @param key The S3 key of the object. If not specified, the URL of the * bucket is returned. * @param options Options for generating URL. * @returns an ObjectS3Url token */ virtualHostedUrlForObject(key?: string, options?: VirtualHostedStyleUrlOptions): string; /** * The S3 URL of an S3 object. For example: * * - `s3://onlybucket` * - `s3://bucket/key` * * @param key The S3 key of the object. If not specified, the S3 URL of the * bucket is returned. * @returns an ObjectS3Url token */ s3UrlForObject(key?: string): string; /** * Returns an ARN that represents all objects within the bucket that match * the key pattern specified. To represent all keys, specify ``"*"``. * * If you need to specify a keyPattern with multiple components, concatenate them into a single string, e.g.: * * arnForObjects(`home/${team}/${user}/*`) * */ arnForObjects(keyPattern: string): string; /** * Grant read permissions for this bucket and its contents to an IAM * principal (Role/Group/User). * * If encryption is used, permission to use the key to decrypt the contents * of the bucket will also be granted to the same principal. * * * The use of this method is discouraged. Please use `grants.read()` instead. * * [disable-awslint:no-grants] * * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. */ grantRead(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant; /** * * The use of this method is discouraged. Please use `grants.write()` instead. * * [disable-awslint:no-grants] */ grantWrite(identity: iam.IGrantable, objectsKeyPattern?: any, allowedActionPatterns?: string[]): iam.Grant; /** * Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal. * * If encryption is used, permission to use the key to encrypt the contents * of written files will also be granted to the same principal. * * * The use of this method is discouraged. Please use `grants.put()` instead. * * [disable-awslint:no-grants] * * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. */ grantPut(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant; /** * * The use of this method is discouraged. Please use `grants.putAcl()` instead. * * [disable-awslint:no-grants] */ grantPutAcl(identity: iam.IGrantable, objectsKeyPattern?: string): iam.Grant; /** * Grants s3:DeleteObject* permission to an IAM principal for objects * in this bucket. * * * The use of this method is discouraged. Please use `grants.delete()` instead. * * [disable-awslint:no-grants] * * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. */ grantDelete(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant; /** * * The use of this method is discouraged. Please use `grants.readWrite()` instead. * * [disable-awslint:no-grants] */ grantReadWrite(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant; /** * Grant replication permission to a principal. * This method allows the principal to perform replication operations on this bucket. * * Note that when calling this function for source or destination buckets that support KMS encryption, * you need to specify the KMS key for encryption and the KMS key for decryption, respectively. * * * The use of this method is discouraged. Please use `grants.replicationPermission()` instead. * * [disable-awslint:no-grants] * * @param identity The principal to grant replication permission to. * @param props The properties of the replication source and destination buckets. */ grantReplicationPermission(identity: iam.IGrantable, props: GrantReplicationPermissionProps): iam.Grant; /** * Allows unrestricted access to objects from this bucket. * * IMPORTANT: This permission allows anyone to perform actions on S3 objects * in this bucket, which is useful for when you configure your bucket as a * website and want everyone to be able to read objects in the bucket without * needing to authenticate. * * Without arguments, this method will grant read ("s3:GetObject") access to * all objects ("*") in the bucket. * * The method returns the `iam.Grant` object, which can then be modified * as needed. For example, you can add a condition that will restrict access only * to an IPv4 range like this: * * const grant = bucket.grantPublicAccess(); * grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” }); * * Note that if this `IBucket` refers to an existing bucket, possibly not * managed by CloudFormation, this method will have no effect, since it's * impossible to modify the policy of an existing bucket. * * * The use of this method is discouraged. Please use `grants.publicAccess()` instead. * * [disable-awslint:no-grants] * * @param keyPrefix the prefix of S3 object keys (e.g. `home/*`). Default is "*". * @param allowedActions the set of S3 actions to allow. Default is "s3:GetObject". */ grantPublicAccess(keyPrefix?: string, ...allowedActions: string[]): iam.Grant; /** * Adds a bucket notification event destination. * @param event The event to trigger the notification * @param dest The notification destination (Lambda, SNS Topic or SQS Queue) * * @param filters S3 object key filter rules to determine which objects * trigger this event. Each filter must include a `prefix` and/or `suffix` * that will be matched against the s3 object key. Refer to the S3 Developer Guide * for details about allowed filter rules. * * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-how-to-filtering.html * * @example * * declare const myLambda: lambda.Function; * const bucket = new s3.Bucket(this, 'MyBucket'); * const filter: s3.NotificationKeyFilter = { prefix: 'home/myusername/*' }; * bucket.addEventNotification(s3.EventType.OBJECT_CREATED, new s3n.LambdaDestination(myLambda), filter); * * @see * https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html */ addEventNotification(event: EventType, dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void; private withNotifications; /** * Subscribes a destination to receive notifications when an object is * created in the bucket. This is identical to calling * `onEvent(EventType.OBJECT_CREATED)`. * * @param dest The notification destination (see onEvent) * @param filters Filters (see onEvent) */ addObjectCreatedNotification(dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void; /** * Subscribes a destination to receive notifications when an object is * removed from the bucket. This is identical to calling * `onEvent(EventType.OBJECT_REMOVED)`. * * @param dest The notification destination (see onEvent) * @param filters Filters (see onEvent) */ addObjectRemovedNotification(dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void; /** * Enables event bridge notification, causing all events below to be sent to EventBridge: * * - Object Deleted (DeleteObject) * - Object Deleted (Lifecycle expiration) * - Object Restore Initiated * - Object Restore Completed * - Object Restore Expired * - Object Storage Class Changed * - Object Access Tier Changed * - Object ACL Updated * - Object Tags Added * - Object Tags Deleted */ enableEventBridgeNotification(): void; /** * Function to add required permissions to the destination bucket for cross account * replication. These permissions will be added as a resource based policy on the bucket * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html * If owner of the bucket needs to be overridden, set accessControlTransition to true and provide * account ID in which destination bucket is hosted. For more information on accessControlTransition * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-accesscontroltranslation.html */ addReplicationPolicy(roleArn: string, accessControlTransition?: boolean, account?: string): void; private urlJoin; get bucketRef(): BucketReference; } export interface BlockPublicAccessOptions { /** * Whether to block public ACLs * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options */ readonly blockPublicAcls?: boolean; /** * Whether to block public policy * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options */ readonly blockPublicPolicy?: boolean; /** * Whether to ignore public ACLs * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options */ readonly ignorePublicAcls?: boolean; /** * Whether to restrict public access * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options */ readonly restrictPublicBuckets?: boolean; } export declare class BlockPublicAccess { /** * Use this option if you want to ensure every public access method is blocked. * However keep in mind that this is the default state of an S3 bucket, and leaving blockPublicAccess undefined would also work. */ static readonly BLOCK_ALL: BlockPublicAccess; /** * * @deprecated Use `BLOCK_ACLS_ONLY` instead. */ static readonly BLOCK_ACLS: BlockPublicAccess; /** * Use this option if you want to only block the ACLs, using this will set blockPublicPolicy and restrictPublicBuckets to false. */ static readonly BLOCK_ACLS_ONLY: BlockPublicAccess; blockPublicAcls: boolean | undefined; blockPublicPolicy: boolean | undefined; ignorePublicAcls: boolean | undefined; restrictPublicBuckets: boolean | undefined; constructor(options: BlockPublicAccessOptions); } /** * Specifies a metrics configuration for the CloudWatch request metrics from an Amazon S3 bucket. */ export interface BucketMetrics { /** * The ID used to identify the metrics configuration. */ readonly id: string; /** * The prefix that an object must have to be included in the metrics results. */ readonly prefix?: string; /** * Specifies a list of tag filters to use as a metrics configuration filter. * The metrics configuration includes only objects that meet the filter's criteria. */ readonly tagFilters?: { [tag: string]: any; }; } /** * All http request methods */ export declare enum HttpMethods { /** * The GET method requests a representation of the specified resource. */ GET = "GET", /** * The PUT method replaces all current representations of the target resource with the request payload. */ PUT = "PUT", /** * The HEAD method asks for a response identical to that of a GET request, but without the response body. */ HEAD = "HEAD", /** * The POST method is used to submit an entity to the specified resource, often causing a change in state or side effects on the server. */ POST = "POST", /** * The DELETE method deletes the specified resource. */ DELETE = "DELETE" } /** * Specifies a cross-origin access rule for an Amazon S3 bucket. */ export interface CorsRule { /** * A unique identifier for this rule. * * @default - No id specified. */ readonly id?: string; /** * The time in seconds that your browser is to cache the preflight response for the specified resource. * * @default - No caching. */ readonly maxAge?: number; /** * Headers that are specified in the Access-Control-Request-Headers header. * * @default - No headers allowed. */ readonly allowedHeaders?: string[]; /** * An HTTP method that you allow the origin to execute. */ readonly allowedMethods: HttpMethods[]; /** * One or more origins you want customers to be able to access the bucket from. */ readonly allowedOrigins: string[]; /** * One or more headers in the response that you want customers to be able to access from their applications. * * @default - No headers exposed. */ readonly exposedHeaders?: string[]; } /** * All http request methods */ export declare enum RedirectProtocol { HTTP = "http", HTTPS = "https" } /** * Specifies a redirect behavior of all requests to a website endpoint of a bucket. */ export interface RedirectTarget { /** * Name of the host where requests are redirected */ readonly hostName: string; /** * Protocol to use when redirecting requests * * @default - The protocol used in the original request. */ readonly protocol?: RedirectProtocol; } /** * All supported inventory list formats. */ export declare enum InventoryFormat { /** * Generate the inventory list as CSV. */ CSV = "CSV", /** * Generate the inventory list as Parquet. */ PARQUET = "Parquet", /** * Generate the inventory list as ORC. */ ORC = "ORC" } /** * All supported inventory frequencies. */ export declare enum InventoryFrequency { /** * A report is generated every day. */ DAILY = "Daily", /** * A report is generated every Sunday (UTC timezone) after the initial report. */ WEEKLY = "Weekly" } /** * Inventory version support. */ export declare enum InventoryObjectVersion { /** * Includes all versions of each object in the report. */ ALL = "All", /** * Includes only the current version of each object in the report. */ CURRENT = "Current" } /** * The destination of the inventory. */ export interface InventoryDestination { /** * Bucket where all inventories will be saved in. */ readonly bucket: IBucket; /** * The prefix to be used when saving the inventory. * * @default - No prefix. */ readonly prefix?: string; /** * The account ID that owns the destination S3 bucket. * If no account ID is provided, the owner is not validated before exporting data. * It's recommended to set an account ID to prevent problems if the destination bucket ownership changes. * * @default - No account ID. */ readonly bucketOwner?: string; } /** * Specifies the inventory configuration of an S3 Bucket. * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-inventory.html */ export interface Inventory { /** * The destination of the inventory. */ readonly destination: InventoryDestination; /** * The inventory will only include objects that meet the prefix filter criteria. * * @default - No objects prefix */ readonly objectsPrefix?: string; /** * The format of the inventory. * * @default InventoryFormat.CSV */ readonly format?: InventoryFormat; /** * Whether the inventory is enabled or disabled. * * @default true */ readonly enabled?: boolean; /** * The inventory configuration ID. * Should be limited to 64 characters and can only contain letters, numbers, periods, dashes, and underscores. * * @default - generated ID. */ readonly inventoryId?: string; /** * Frequency at which the inventory should be generated. * * @default InventoryFrequency.WEEKLY */ readonly frequency?: InventoryFrequency; /** * If the inventory should contain all the object versions or only the current one. * * @default InventoryObjectVersion.ALL */ readonly includeObjectVersions?: InventoryObjectVersion; /** * A list of optional fields to be included in the inventory result. * * @default - No optional fields. */ readonly optionalFields?: string[]; } /** * The ObjectOwnership of the bucket. * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html * */ export declare enum ObjectOwnership { /** * ACLs are disabled, and the bucket owner automatically owns * and has full control over every object in the bucket. * ACLs no longer affect permissions to data in the S3 bucket. * The bucket uses policies to define access control. */ BUCKET_OWNER_ENFORCED = "BucketOwnerEnforced", /** * The bucket owner will own the object if the object is uploaded with * the bucket-owner-full-control canned ACL. Without this setting and * canned ACL, the object is uploaded and remains owned by the uploading account. */ BUCKET_OWNER_PREFERRED = "BucketOwnerPreferred", /** * The uploading account will own the object. */ OBJECT_WRITER = "ObjectWriter" } /** * The intelligent tiering configuration. */ export interface IntelligentTieringConfiguration { /** * Configuration name */ readonly name: string; /** * Add a filter to limit the scope of this configuration to a single prefix. * * @default this configuration will apply to **all** objects in the bucket. */ readonly prefix?: string; /** * You can limit the scope of this rule to the key value pairs added below. * * @default No filtering will be performed on tags */ readonly tags?: Tag[]; /** * When enabled, Intelligent-Tiering will automatically move objects that * haven’t been accessed for a minimum of 90 days to the Archive Access tier. * * @default Objects will not move to Glacier */ readonly archiveAccessTierTime?: Duration; /** * When enabled, Intelligent-Tiering will automatically move objects that * haven’t been accessed for a minimum of 180 days to the Deep Archive Access * tier. * * @default Objects will not move to Glacier Deep Access */ readonly deepArchiveAccessTierTime?: Duration; } /** * The date source for the partitioned prefix. */ export declare enum PartitionDateSource { /** * The year, month, and day will be based on the timestamp of the S3 event in the file that's been delivered. */ EVENT_TIME = "EventTime", /** * The year, month, and day will be based on the time when the log file was delivered to S3. */ DELIVERY_TIME = "DeliveryTime" } /** * The key format for the log object. */ export declare abstract class TargetObjectKeyFormat { /** * Use partitioned prefix for log objects. * If you do not specify the dateSource argument, the default is EventTime. * * The partitioned prefix format as follow: * [DestinationPrefix][SourceAccountId]/​[SourceRegion]/​[SourceBucket]/​[YYYY]/​[MM]/​[DD]/​[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString] */ static partitionedPrefix(dateSource?: PartitionDateSource): TargetObjectKeyFormat; /** * Use the simple prefix for log objects. * * The simple prefix format as follow: * [DestinationPrefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString] */ static simplePrefix(): TargetObjectKeyFormat; /** * Render the log object key format. * * @internal */ abstract _render(): CfnBucket.LoggingConfigurationProperty['targetObjectKeyFormat']; } /** * The replication time value used for S3 Replication Time Control (S3 RTC). */ export declare class ReplicationTimeValue { readonly minutes: number; /** * Fifteen minutes. */ static readonly FIFTEEN_MINUTES: ReplicationTimeValue; /** * @param minutes the time in minutes */ private constructor(); } /** * Specifies which Amazon S3 objects to replicate and where to store the replicas. */ export interface ReplicationRule { /** * The destination bucket for the replicated objects. * * The destination can be either in the same AWS account or a cross account. * * If you want to configure cross-account replication, * the destination bucket must have a policy that allows the source bucket to replicate objects to it. * * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html */ readonly destination: IBucket; /** * Whether to want to change replica ownership to the AWS account that owns the destination bucket. * * This can only be specified if the source bucket and the destination bucket are not in the same AWS account. * * @default - The replicas are owned by same AWS account that owns the source object */ readonly accessControlTransition?: boolean; /** * Specifying S3 Replication Time Control (S3 RTC), * including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated. * * @default - S3 Replication Time Control is not enabled */ readonly replicationTimeControl?: ReplicationTimeValue; /** * A container specifying replication metrics-related settings enabling replication metrics and events. * * When a value is set, metrics will be output to indicate whether the replication took longer than the specified time. * * @default - Replication metrics are not enabled */ readonly metrics?: ReplicationTimeValue; /** * The customer managed AWS KMS key stored in AWS Key Management Service (KMS) for the destination bucket. * Amazon S3 uses this key to encrypt replica objects. * * Amazon S3 only supports symmetric encryption KMS keys. * * @see https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html * * @default - Amazon S3 uses the AWS managed KMS key for encryption */ readonly kmsKey?: kms.IKey; /** * The storage class to use when replicating objects, such as S3 Standard or reduced redundancy. * * @default - The storage class of the source object */ readonly storageClass?: StorageClass; /** * Specifies whether Amazon S3 replicates objects created with server-side encryption using an AWS KMS key stored in AWS Key Management Service. * * @default false */ readonly sseKmsEncryptedObjects?: boolean; /** * Specifies whether Amazon S3 replicates modifications on replicas. * * @default false */ readonly replicaModifications?: boolean; /** * The priority indicates which rule has precedence whenever two or more replication rules conflict. * * Amazon S3 will attempt to replicate objects according to all replication rules. * However, if there are two or more rules with the same destination bucket, * then objects will be replicated according to the rule with the highest priority. * * The higher the number, the higher the priority. * * It is essential to specify priority explicitly when the replication configuration has multiple rules. * * @default 0 */ readonly priority?: number; /** * Specifies whether Amazon S3 replicates delete markers. * * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-marker-replication.html * * @default - delete markers in source bucket is not replicated to destination bucket */ readonly deleteMarkerReplication?: boolean; /** * A unique identifier for the rule. * * The maximum value is 255 characters. * * @default - auto generated random ID */ readonly id?: string; /** * A filter that identifies the subset of objects to which the replication rule applies. * * @default - applies to all objects */ readonly filter?: Filter; } /** * A filter that identifies the subset of objects to which the replication rule applies. */ export interface Filter { /** * An object key name prefix that identifies the object or objects to which the rule applies. * * @default - applies to all objects */ readonly prefix?: string; /** * The tag array used for tag filters. * * The rule applies only to objects that have the tag in this set. * * @default - applies to all objects */ readonly tags?: Tag[]; } /** * The transition default minimum object size for lifecycle */ export declare enum TransitionDefaultMinimumObjectSize { /** * Objects smaller than 128 KB will not transition to any storage class by default. */ ALL_STORAGE_CLASSES_128_K = "all_storage_classes_128K", /** * Objects smaller than 128 KB will transition to Glacier Flexible Retrieval or Glacier * Deep Archive storage classes. * * By default, all other storage classes will prevent transitions smaller than 128 KB. */ VARIES_BY_STORAGE_CLASS = "varies_by_storage_class" } export interface BucketProps { /** * The kind of server-side encryption to apply to this bucket. * * If you choose KMS, you can specify a KMS key via `encryptionKey`. If * encryption key is not specified, a key will automatically be created. * * @default - `KMS` if `encryptionKey` is specified, or `S3_MANAGED` otherwise. */ readonly encryption?: BucketEncryption; /** * External KMS key to use for bucket encryption. * * The `encryption` property must be either not specified or set to `KMS` or `DSSE`. * An error will be emitted if `encryption` is set to `UNENCRYPTED` or `S3_MANAGED`. * * @default - If `encryption` is set to `KMS` and this property is undefined, * a new KMS key will be created and associated with this bucket. */ readonly encryptionKey?: kms.IKey; /** * Encryption types that should be blocked for this bucket. Use `NONE` to allow all * encryption types. * * At least one `BlockedEncryptionType` must be given. If `NONE` is given, it must be * the only `BlockedEncryptionType` in the list. * * @default - Amazon S3 determines which encryption types to block. */ readonly blockedEncryptionTypes?: BlockedEncryptionType[]; /** * Enforces SSL for requests. S3.5 of the AWS Foundational Security Best Practices Regarding S3. * @see https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html * * @default false */ readonly enforceSSL?: boolean; /** * Whether Amazon S3 should use its own intermediary key to generate data keys. * * Only relevant when using KMS for encryption. * * - If not enabled, every object GET and PUT will cause an API call to KMS (with the * attendant cost implications of that). * - If enabled, S3 will use its own time-limited key instead. * * Only relevant, when Encryption is not set to `BucketEncryption.UNENCRYPTED`. * * @default - false */ readonly bucketKeyEnabled?: boolean; /** * Physical name of this bucket. * * @default - Assigned by CloudFormation (recommended). */ readonly bucketName?: string; /** * Policy to apply when the bucket is removed from this stack. * * @default - The bucket will be orphaned. */ readonly removalPolicy?: RemovalPolicy; /** * Whether all objects should be automatically deleted when the bucket is * removed from the stack or when the stack is deleted. * * Requires the `removalPolicy` to be set to `RemovalPolicy.DESTROY`. * * **Warning** if you have deployed a bucket with `autoDeleteObjects: true`, * switching this to `false` in a CDK version *before* `1.126.0` will lead to * all objects in the bucket being deleted. Be sure to update your bucket resources * by deploying with CDK version `1.126.0` or later **before** switching this value to `false`. * * Setting `autoDeleteObjects` to true on a bucket will add `s3:PutBucketPolicy` to the * bucket policy. This is because during bucket deletion, the custom resource provider * needs to update the bucket policy by adding a deny policy for `s3:PutObject` to * prevent race conditions with external bucket writers. * * @default false */ readonly autoDeleteObjects?: boolean; /** * Whether this bucket should have versioning turned on or not. * * @default false (unless object lock is enabled, then true) */ readonly versioned?: boolean; /** * Enable object lock on the bucket. * * Enabling object lock for existing buckets is not supported. Object lock must be * enabled when the bucket is created. * * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-bucket-config-enable * * @default false, unless objectLockDefaultRetention is set (then, true) */ readonly objectLockEnabled?: boolean; /** * Enables Amazon S3 to evaluate the ABAC policy in the request. * Set to true to enable ABAC, false to explicitly disable it. * * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-abacstatus * * @default - The ABAC status is not set */ readonly abacStatus?: boolean; /** * The default retention mode and rules for S3 Object Lock. * * Default retention can be configured after a bucket is created if the bucket already * has object lock enabled. Enabling object lock for existing buckets is not supported. * * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-bucket-config-enable * * @default no default retention period */ readonly objectLockDefaultRetention?: ObjectLockRetention; /** * Whether this bucket should send notifications to Amazon EventBridge or not. * * @default false */ readonly eventBridgeEnabled?: boolean; /** * Rules that define how Amazon S3 manages objects during their lifetime. * * @default - No lifecycle rules. */ readonly lifecycleRules?: LifecycleRule[]; /** * Indicates which default minimum object size behavior is applied to the lifecycle configuration. * * To customize the minimum object size for any transition you can add a filter that specifies a custom * `objectSizeGreaterThan` or `objectSizeLessThan` for `lifecycleRules` property. Custom filters always * take precedence over the default transition behavior. * * @default - TransitionDefaultMinimumObjectSize.VARIES_BY_STORAGE_CLASS before September 2024, * otherwise TransitionDefaultMinimumObjectSize.ALL_STORAGE_CLASSES_128_K. */ readonly transitionDefaultMinimumObjectSize?: TransitionDefaultMinimumObjectSize; /** * The name of the index document (e.g. "index.html") for the website. Enables static website * hosting for this bucket. * * @default - No index document. */ readonly websiteIndexDocument?: string; /** * The name of the error document (e.g. "404.html") for the website. * `websiteIndexDocument` must also be set if this is set. * * @default - No error document. */ readonly websiteErrorDocument?: string; /** * Specifies the redirect behavior of all requests to a website endpoint of a bucket. * * If you specify this property, you can't specify "websiteIndexDocument", "websiteErrorDocument" nor , "websiteRoutingRules". * * @default - No redirection. */ readonly websiteRedirect?: RedirectTarget; /** * Rules that define when a redirect is applied and the redirect behavior * * @default - No redirection rules. */ readonly websiteRoutingRules?: RoutingRule[]; /** * Specifies a canned ACL that grants predefined permissions to the bucket. * * @default BucketAccessControl.PRIVATE */ readonly accessControl?: BucketAccessControl; /** * Grants public read access to all objects in the bucket. * Similar to calling `bucket.grantPublicAccess()` * * @default false */ readonly publicReadAccess?: boolean; /** * The block public access configuration of this bucket. * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html * * * @default - CloudFormation defaults will apply. New buckets and objects don't allow public access, but users can modify bucket policies or object permissions to allow public access */ readonly blockPublicAccess?: BlockPublicAccess; /** * The metrics configuration of this bucket. * * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-metricsconfiguration.html * * @default - No metrics configuration. */ readonly metrics?: BucketMetrics[]; /** * The CORS configuration of this bucket. * * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-cors.html * * @default - No CORS configuration. */ readonly cors?: CorsRule[]; /** * Destination bucket for the server access logs. * @default - If "serverAccessLogsPrefix" undefined - access logs disabled, otherwise - log to current bucket. */ readonly serverAccessLogsBucket?: IBucket; /** * Optional log file prefix to use for the bucket's access logs. * If defined without "serverAccessLogsBucket", enables access logs to current bucket with this prefix. * @default - No log file prefix */ readonly serverAccessLogsPrefix?: string; /** * Optional key format for log objects. * * @default - the default key format is: [DestinationPrefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString] */ readonly targetObjectKeyFormat?: TargetObjectKeyFormat; /** * The inventory configuration of the bucket. * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-inventory.html * * @default - No inventory configuration */ readonly inventories?: Inventory[]; /** * The objectOwnership of the bucket. * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html * * @default - No ObjectOwnership configuration. By default, Amazon S3 sets Object Ownership to `Bucket owner enforced`. * This means ACLs are disabled and the bucket owner will own every object. * */ readonly objectOwnership?: ObjectOwnership; /** * Whether this bucket should have transfer acceleration turned on or not. * * @default false */ readonly transferAcceleration?: boolean; /** * The role to be used by the notifications handler * * @default - a new role will be created. */ readonly notificationsHandlerRole?: iam.IRole; /** * Skips notification validation of Amazon SQS, Amazon SNS, and Lambda destinations. * * @default false */ readonly notificationsSkipDestinationValidation?: boolean; /** * Intelligent Tiering Configurations * * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/intelligent-tiering.html * * @default No Intelligent Tiering Configurations. */ readonly intelligentTieringConfigurations?: IntelligentTieringConfiguration[]; /** * Enforces minimum TLS version for requests. * * Requires `enforceSSL` to be enabled. * * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html#example-object-tls-version * * @default No minimum TLS version is enforced. */ readonly minimumTLSVersion?: number; /** * The role to be used by the replication. * * When setting this property, you must also set `replicationRules`. * * @default - a new role will be created. */ readonly replicationRole?: iam.IRole; /** * A container for one or more replication rules. * * @default - No replication */ readonly replicationRules?: ReplicationRule[]; } /** * Tag */ export interface Tag { /** * key to e tagged */ readonly key: string; /** * additional value */ readonly value: string; } /** * An S3 bucket with associated policy objects * * This bucket does not yet have all features that exposed by the underlying * BucketResource. * * @example * import { RemovalPolicy } from 'aws-cdk-lib'; * * new s3.Bucket(scope, 'Bucket', { * blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, * encryption: s3.BucketEncryption.S3_MANAGED, * enforceSSL: true, * versioned: true, * removalPolicy: RemovalPolicy.RETAIN, * }); * */ export declare class Bucket extends BucketBase { /** * Uniquely identifies this class. */ static readonly PROPERTY_INJECTION_ID: string; static fromBucketArn(scope: Construct, id: string, bucketArn: string): IBucket; static fromBucketName(scope: Construct, id: string, bucketName: string): IBucket; /** * Creates a Bucket construct that represents an external bucket. * * @param scope The parent creating construct (usually `this`). * @param id The construct's name. * @param attrs A `BucketAttributes` object. Can be obtained from a call to * `bucket.export()` or manually created. */ static fromBucketAttributes(scope: Construct, id: string, attrs: BucketAttributes): IBucket; /** * Create a mutable `IBucket` based on a low-level `CfnBucket`. */ static fromCfnBucket(cfnBucket: CfnBucket): IBucket; /** * Thrown an exception if the given bucket name is not valid. * * @param physicalName name of the bucket. * @param allowLegacyBucketNaming allow legacy bucket naming style, default is false. */ static validateBucketName(physicalName: string, allowLegacyBucketNaming?: boolean): void; /** * Return any errors against the bucket name */ private static _validateBucketName; /** * Like 'validateBucketName', but has an instance to throw a scoped ValidationError against */ private static validateBucketNameScoped; get bucketArn(): string; get bucketName(): string; readonly bucketDomainName: string; readonly bucketWebsiteUrl: string; get bucketWebsiteDomainName(): string; readonly bucketDualStackDomainName: string; readonly bucketRegionalDomainName: string; readonly encryptionKey?: kms.IKey; get isWebsite(): boolean | undefined; policy?: BucketPolicy; replicationRoleArn?: string; protected autoCreatePolicy: boolean; get disallowPublicAccess(): boolean | undefined; set disallowPublicAccess(_value: boolean | undefined); private accessControl?; private readonly lifecycleRules; private readonly transitionDefaultMinimumObjectSize?; private readonly eventBridgeEnabled?; private readonly metrics; private readonly cors; private readonly inventories; private readonly _resource; private readonly reflection; constructor(scope: Construct, id: string, props?: BucketProps); /** * Add a lifecycle rule to the bucket * * @param rule The rule to add */ addLifecycleRule(rule: LifecycleRule): void; /** * Adds a metrics configuration for the CloudWatch request metrics from the bucket. * * @param metric The metric configuration to add */ addMetric(metric: BucketMetrics): void; /** * Adds a cross-origin access configuration for objects in an Amazon S3 bucket * * @param rule The CORS configuration rule to add */ addCorsRule(rule: CorsRule): void; /** * Add an inventory configuration. * * @param inventory configuration to add */ addInventory(inventory: Inventory): void; /** * Adds an iam statement to enforce SSL requests only. */ private enforceSSLStatement; /** * Adds an iam statement to allow requests with a minimum TLS * version only. */ private minimumTLSVersionStatement; /** * Set up key properties and return the Bucket encryption property from the * user's configuration, according to the following table: * * | props.encryption | props.encryptionKey | props.bucketKeyEnabled | bucketEncryption (return value) | encryptionKey (return value) | * |------------------|---------------------|------------------------|---------------------------------|------------------------------| * | undefined | undefined | e | undefined | undefined | * | UNENCRYPTED | undefined | false | undefined | undefined | * | undefined | k | e | SSE-KMS, bucketKeyEnabled = e | k | * | KMS | k | e | SSE-KMS, bucketKeyEnabled = e | k | * | KMS | undefined | e | SSE-KMS, bucketKeyEnabled = e | new key | * | KMS_MANAGED | undefined | e | SSE-KMS, bucketKeyEnabled = e | undefined | * | S3_MANAGED | undefined | false | SSE-S3 | undefined | * | S3_MANAGED | undefined | e | SSE-S3, bucketKeyEnabled = e | undefined | * | UNENCRYPTED | undefined | true | ERROR! | ERROR! | * | UNENCRYPTED | k | e | ERROR! | ERROR! | * | KMS_MANAGED | k | e | ERROR! | ERROR! | * | S3_MANAGED | undefined | true | ERROR! | ERROR! | * | S3_MANAGED | k | e | ERROR! | ERROR! | */ private parseEncryption; /** * Parse the lifecycle configuration out of the bucket props * @param props Par */ private parseLifecycleConfiguration; private parseServerAccessLogs; private parseMetricConfiguration; private parseCorsConfiguration; private parseTagFilters; private parseOwnershipControls; private parseTieringConfig; private parseObjectLockConfig; private renderWebsiteConfiguration; private renderReplicationConfiguration; /** * Allows Log Delivery to the S3 bucket, using a Bucket Policy if the relevant feature * flag is enabled, otherwise the canned ACL is used. * * If log delivery is to be allowed using the ACL and an ACL has already been set, this fails. * * @see * https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html */ private allowLogDelivery; private parseInventoryConfiguration; private enableAutoDeleteObjects; /** * Function to set the blockPublicAccessOptions to a true default if not defined. * If no blockPublicAccessOptions are specified at all, this is already the case as an s3 default in aws * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html */ private setDefaultPublicAccessBlockConfig; } /** * What kind of server-side encryption to apply to this bucket */ export declare enum BucketEncryption { /** * Previous option. Buckets can not be unencrypted now. * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html * @deprecated S3 applies server-side encryption with SSE-S3 for every bucket * that default encryption is not configured. */ UNENCRYPTED = "UNENCRYPTED", /** * Server-side KMS encryption with a master key managed by KMS. */ KMS_MANAGED = "KMS_MANAGED", /** * Server-side encryption with a master key managed by S3. */ S3_MANAGED = "S3_MANAGED", /** * Server-side encryption with a KMS key managed by the user. * If `encryptionKey` is specified, this key will be used, otherwise, one will be defined. */ KMS = "KMS", /** * Double server-side KMS encryption with a master key managed by KMS. */ DSSE_MANAGED = "DSSE_MANAGED", /** * Double server-side encryption with a KMS key managed by the user. * If `encryptionKey` is specified, this key will be used, otherwise, one will be defined. */ DSSE = "DSSE" } /** * Encryption types that can be blocked on an S3 bucket. */ export declare class BlockedEncryptionType { readonly name: string; /** Special value - all encryption types are allowed */ static readonly NONE: BlockedEncryptionType; /** Server-Side Encryption with customer-provided keys (SSE-C) is blocked */ static readonly SSE_C: BlockedEncryptionType; /** * Use this constructor only if S3 releases a new BlockedEncryptionType * that is unknown to CDK. Otherwise, use this class's static constants. */ static custom(name: string): BlockedEncryptionType; /** * @param name The name for this blocked encryption type used in the API */ private constructor(); } /** * Notification event types. * @link https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-how-to-event-types-and-destinations.html#supported-notification-event-types */ export declare enum EventType { /** * Amazon S3 APIs such as PUT, POST, and COPY can create an object. Using * these event types, you can enable notification when an object is created * using a specific API, or you can use the s3:ObjectCreated:* event type to * request notification regardless of the API that was used to create an * object. */ OBJECT_CREATED = "s3:ObjectCreated:*", /** * Amazon S3 APIs such as PUT, POST, and COPY can create an object. Using * these event types, you can enable notification when an object is created * using a specific API, or you can use the s3:ObjectCreated:* event type to * request notification regardless of the API that was used to create an * object. */ OBJECT_CREATED_PUT = "s3:ObjectCreated:Put", /** * Amazon S3 APIs such as PUT, POST, and COPY can create an object. Using * these event types, you can enable notification when an object is created * using a specific API, or you can use the s3:ObjectCreated:* event type to * request notification regardless of the API that was used to create an * object. */ OBJECT_CREATED_POST = "s3:ObjectCreated:Post", /** * Amazon S3 APIs such as PUT, POST, and COPY can create an object. Using * these event types, you can enable notification when an object is created * using a specific API, or you can use the s3:ObjectCreated:* event type to * request notification regardless of the API that was used to create an * object. */ OBJECT_CREATED_COPY = "s3:ObjectCreated:Copy", /** * Amazon S3 APIs such as PUT, POST, and COPY can create an object. Using * these event types, you can enable notification when an object is created * using a specific API, or you can use the s3:ObjectCreated:* event type to * request notification regardless of the API that was used to create an * object. */ OBJECT_CREATED_COMPLETE_MULTIPART_UPLOAD = "s3:ObjectCreated:CompleteMultipartUpload", /** * By using the ObjectRemoved event types, you can enable notification when * an object or a batch of objects is removed from a bucket. * * You can request notification when an object is deleted or a versioned * object is permanently deleted by using the s3:ObjectRemoved:Delete event * type. Or you can request notification when a delete marker is created for * a versioned object by using s3:ObjectRemoved:DeleteMarkerCreated. For * information about deleting versioned objects, see Deleting Object * Versions. You can also use a wildcard s3:ObjectRemoved:* to request * notification anytime an object is deleted. * * You will not receive event notifications from automatic deletes from * lifecycle policies or from failed operations. */ OBJECT_REMOVED = "s3:ObjectRemoved:*", /** * By using the ObjectRemoved event types, you can enable notification when * an object or a batch of objects is removed from a bucket. * * You can request notification when an object is deleted or a versioned * object is permanently deleted by using the s3:ObjectRemoved:Delete event * type. Or you can request notification when a delete marker is created for * a versioned object by using s3:ObjectRemoved:DeleteMarkerCreated. For * information about deleting versioned objects, see Deleting Object * Versions. You can also use a wildcard s3:ObjectRemoved:* to request * notification anytime an object is deleted. * * You will not receive event notifications from automatic deletes from * lifecycle policies or from failed operations. */ OBJECT_REMOVED_DELETE = "s3:ObjectRemoved:Delete", /** * By using the ObjectRemoved event types, you can enable notification when * an object or a batch of objects is removed from a bucket. * * You can request notification when an object is deleted or a versioned * object is permanently deleted by using the s3:ObjectRemoved:Delete event * type. Or you can request notification when a delete marker is created for * a versioned object by using s3:ObjectRemoved:DeleteMarkerCreated. For * information about deleting versioned objects, see Deleting Object * Versions. You can also use a wildcard s3:ObjectRemoved:* to request * notification anytime an object is deleted. * * You will not receive event notifications from automatic deletes from * lifecycle policies or from failed operations. */ OBJECT_REMOVED_DELETE_MARKER_CREATED = "s3:ObjectRemoved:DeleteMarkerCreated", /** * Using restore object event types you can receive notifications for * initiation and completion when restoring objects from the S3 Glacier * storage class. * * You use s3:ObjectRestore:Post to request notification of object restoration * initiation. */ OBJECT_RESTORE_POST = "s3:ObjectRestore:Post", /** * Using restore object event types you can receive notifications for * initiation and completion when restoring objects from the S3 Glacier * storage class. * * You use s3:ObjectRestore:Completed to request notification of * restoration completion. */ OBJECT_RESTORE_COMPLETED = "s3:ObjectRestore:Completed", /** * Using restore object event types you can receive notifications for * initiation and completion when restoring objects from the S3 Glacier * storage class. * * You use s3:ObjectRestore:Delete to request notification of * restoration completion. */ OBJECT_RESTORE_DELETE = "s3:ObjectRestore:Delete", /** * You can use this event type to request Amazon S3 to send a notification * message when Amazon S3 detects that an object of the RRS storage class is * lost. */ REDUCED_REDUNDANCY_LOST_OBJECT = "s3:ReducedRedundancyLostObject", /** * You receive this notification event when an object that was eligible for * replication using Amazon S3 Replication Time Control failed to replicate. */ REPLICATION_OPERATION_FAILED_REPLICATION = "s3:Replication:OperationFailedReplication", /** * You receive this notification event when an object that was eligible for * replication using Amazon S3 Replication Time Control exceeded the 15-minute * threshold for replication. */ REPLICATION_OPERATION_MISSED_THRESHOLD = "s3:Replication:OperationMissedThreshold", /** * You receive this notification event for an object that was eligible for * replication using the Amazon S3 Replication Time Control feature replicated * after the 15-minute threshold. */ REPLICATION_OPERATION_REPLICATED_AFTER_THRESHOLD = "s3:Replication:OperationReplicatedAfterThreshold", /** * You receive this notification event for an object that was eligible for * replication using Amazon S3 Replication Time Control but is no longer tracked * by replication metrics. */ REPLICATION_OPERATION_NOT_TRACKED = "s3:Replication:OperationNotTracked", /** * By using the LifecycleExpiration event types, you can receive a notification * when Amazon S3 deletes an object based on your S3 Lifecycle configuration. */ LIFECYCLE_EXPIRATION = "s3:LifecycleExpiration:*", /** * The s3:LifecycleExpiration:Delete event type notifies you when an object * in an unversioned bucket is deleted. * It also notifies you when an object version is permanently deleted by an * S3 Lifecycle configuration. */ LIFECYCLE_EXPIRATION_DELETE = "s3:LifecycleExpiration:Delete", /** * The s3:LifecycleExpiration:DeleteMarkerCreated event type notifies you * when S3 Lifecycle creates a delete marker when a current version of an * object in versioned bucket is deleted. */ LIFECYCLE_EXPIRATION_DELETE_MARKER_CREATED = "s3:LifecycleExpiration:DeleteMarkerCreated", /** * You receive this notification event when an object is transitioned to * another Amazon S3 storage class by an S3 Lifecycle configuration. */ LIFECYCLE_TRANSITION = "s3:LifecycleTransition", /** * You receive this notification event when an object within the * S3 Intelligent-Tiering storage class moved to the Archive Access tier or * Deep Archive Access tier. */ INTELLIGENT_TIERING = "s3:IntelligentTiering", /** * By using the ObjectTagging event types, you can enable notification when * an object tag is added or deleted from an object. */ OBJECT_TAGGING = "s3:ObjectTagging:*", /** * The s3:ObjectTagging:Put event type notifies you when a tag is PUT on an * object or an existing tag is updated. */ OBJECT_TAGGING_PUT = "s3:ObjectTagging:Put", /** * The s3:ObjectTagging:Delete event type notifies you when a tag is removed * from an object. */ OBJECT_TAGGING_DELETE = "s3:ObjectTagging:Delete", /** * You receive this notification event when an ACL is PUT on an object or when * an existing ACL is changed. * An event is not generated when a request results in no change to an * object’s ACL. */ OBJECT_ACL_PUT = "s3:ObjectAcl:Put", /** * Using restore object event types you can receive notifications for * initiation and completion when restoring objects from the S3 Glacier * storage class. * * You use s3:ObjectRestore:* to request notification of * any restoration event. */ OBJECT_RESTORE = "s3:ObjectRestore:*", /** * You receive this notification event for any object replication event. */ REPLICATION = "s3:Replication:*" } export interface NotificationKeyFilter { /** * S3 keys must have the specified prefix. */ readonly prefix?: string; /** * S3 keys must have the specified suffix. */ readonly suffix?: string; } /** * Options for the onCloudTrailPutObject method */ export interface OnCloudTrailBucketEventOptions extends events.OnEventOptions { /** * Only watch changes to these object paths * * @default - Watch changes to all objects */ readonly paths?: string[]; } /** * Default bucket access control types. * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html */ export declare enum BucketAccessControl { /** * Owner gets FULL_CONTROL. No one else has access rights. */ PRIVATE = "Private", /** * Owner gets FULL_CONTROL. The AllUsers group gets READ access. */ PUBLIC_READ = "PublicRead", /** * Owner gets FULL_CONTROL. The AllUsers group gets READ and WRITE access. * Granting this on a bucket is generally not recommended. */ PUBLIC_READ_WRITE = "PublicReadWrite", /** * Owner gets FULL_CONTROL. The AuthenticatedUsers group gets READ access. */ AUTHENTICATED_READ = "AuthenticatedRead", /** * The LogDelivery group gets WRITE and READ_ACP permissions on the bucket. * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html */ LOG_DELIVERY_WRITE = "LogDeliveryWrite", /** * Object owner gets FULL_CONTROL. Bucket owner gets READ access. * If you specify this canned ACL when creating a bucket, Amazon S3 ignores it. */ BUCKET_OWNER_READ = "BucketOwnerRead", /** * Both the object owner and the bucket owner get FULL_CONTROL over the object. * If you specify this canned ACL when creating a bucket, Amazon S3 ignores it. */ BUCKET_OWNER_FULL_CONTROL = "BucketOwnerFullControl", /** * Owner gets FULL_CONTROL. Amazon EC2 gets READ access to GET an Amazon Machine Image (AMI) bundle from Amazon S3. */ AWS_EXEC_READ = "AwsExecRead" } export interface RoutingRuleCondition { /** * The HTTP error code when the redirect is applied * * In the event of an error, if the error code equals this value, then the specified redirect is applied. * * If both condition properties are specified, both must be true for the redirect to be applied. * * @default - The HTTP error code will not be verified */ readonly httpErrorCodeReturnedEquals?: string; /** * The object key name prefix when the redirect is applied * * If both condition properties are specified, both must be true for the redirect to be applied. * * @default - The object key name will not be verified */ readonly keyPrefixEquals?: string; } export declare class ReplaceKey { readonly withKey?: string | undefined; readonly prefixWithKey?: string | undefined; /** * The specific object key to use in the redirect request */ static with(keyReplacement: string): ReplaceKey; /** * The object key prefix to use in the redirect request */ static prefixWith(keyReplacement: string): ReplaceKey; private constructor(); } /** * Rule that define when a redirect is applied and the redirect behavior. * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-page-redirect.html */ export interface RoutingRule { /** * The host name to use in the redirect request * * @default - The host name used in the original request. */ readonly hostName?: string; /** * The HTTP redirect code to use on the response * * @default "301" - Moved Permanently */ readonly httpRedirectCode?: string; /** * Protocol to use when redirecting requests * * @default - The protocol used in the original request. */ readonly protocol?: RedirectProtocol; /** * Specifies the object key prefix to use in the redirect request * * @default - The key will not be replaced */ readonly replaceKey?: ReplaceKey; /** * Specifies a condition that must be met for the specified redirect to apply. * * @default - No condition */ readonly condition?: RoutingRuleCondition; } /** * Modes in which S3 Object Lock retention can be configured. * * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-retention-modes */ export declare enum ObjectLockMode { /** * The Governance retention mode. * * With governance mode, you protect objects against being deleted by most users, but you can * still grant some users permission to alter the retention settings or delete the object if * necessary. You can also use governance mode to test retention-period settings before * creating a compliance-mode retention period. */ GOVERNANCE = "GOVERNANCE", /** * The Compliance retention mode. * * When an object is locked in compliance mode, its retention mode can't be changed, and * its retention period can't be shortened. Compliance mode helps ensure that an object * version can't be overwritten or deleted for the duration of the retention period. */ COMPLIANCE = "COMPLIANCE" } /** * The default retention settings for an S3 Object Lock configuration. * * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html */ export declare class ObjectLockRetention { /** * Configure for Governance retention for a specified duration. * * With governance mode, you protect objects against being deleted by most users, but you can * still grant some users permission to alter the retention settings or delete the object if * necessary. You can also use governance mode to test retention-period settings before * creating a compliance-mode retention period. * * @param duration the length of time for which objects should retained * @returns the ObjectLockRetention configuration */ static governance(duration: Duration): ObjectLockRetention; /** * Configure for Compliance retention for a specified duration. * * When an object is locked in compliance mode, its retention mode can't be changed, and * its retention period can't be shortened. Compliance mode helps ensure that an object * version can't be overwritten or deleted for the duration of the retention period. * * @param duration the length of time for which objects should be retained * @returns the ObjectLockRetention configuration */ static compliance(duration: Duration): ObjectLockRetention; /** * The default period for which objects should be retained. */ readonly duration: Duration; /** * The retention mode to use for the object lock configuration. * * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-retention-modes */ readonly mode: ObjectLockMode; private constructor(); } /** * Options for creating Virtual-Hosted style URL. */ export interface VirtualHostedStyleUrlOptions { /** * Specifies the URL includes the region. * * @default - true */ readonly regional?: boolean; } /** * Options for creating a Transfer Acceleration URL. */ export interface TransferAccelerationUrlOptions { /** * Dual-stack support to connect to the bucket over IPv6. * * @default - false */ readonly dualStack?: boolean; }