@guardian/cdk
    Preparing search index...

    Class GuS3Bucket

    A construct to create a bucket with a "retain" policy to prevent it from being deleted. It will be orphaned instead.

    Hierarchy

    • Mixin<typeof Bucket, this> & Bucket<this>
      • GuS3Bucket
    Index

    Constructors

    constructor

    Properties

    autoCreatePolicy bucketArn bucketDomainName bucketDualStackDomainName bucketName bucketRegionalDomainName bucketWebsiteDomainName bucketWebsiteUrl disallowPublicAccess? encryptionKey? env idWithApp isWebsite? node notificationsHandlerRole? notificationsSkipDestinationValidation? objectOwnership? physicalName policy? replicationRoleArn? stack PROPERTY_INJECTION_ID

    Accessors

    bucketRef

    Methods

    _enableCrossEnvironment addCorsRule addEventNotification addInventory addLifecycleRule addMetric addObjectCreatedNotification addObjectRemovedNotification addReplicationPolicy addToResourcePolicy applyRemovalPolicy arnForObjects enableEventBridgeNotification generatePhysicalName getResourceArnAttribute getResourceNameAttribute grantDelete grantPublicAccess grantPut grantPutAcl grantRead grantReadWrite grantReplicationPermission grantWrite onCloudTrailEvent onCloudTrailPutObject onCloudTrailWriteObject s3UrlForObject toString transferAccelerationUrlForObject urlForObject virtualHostedUrlForObject fromBucketArn fromBucketAttributes fromBucketName fromCfnBucket isConstruct isOwnedResource isResource validateBucketName

    Constructors

    Properties

    autoCreatePolicy: boolean

    Indicates if a bucket resource policy should automatically created upon the first call to addToResourcePolicy.

    bucketArn: string
    bucketDomainName: string
    bucketDualStackDomainName: string
    bucketName: string
    bucketRegionalDomainName: string
    bucketWebsiteDomainName: string
    bucketWebsiteUrl: string
    disallowPublicAccess?: boolean

    Whether to disallow public access

    encryptionKey?: IKey

    Optional KMS encryption key associated with this bucket.

    env: ResourceEnvironment

    The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

    idWithApp: string

    The ID of the construct with the App suffix. This should be used in place of id when trying to reference the construct.

    isWebsite?: boolean

    If this bucket has been configured for static website hosting.

    node: Node

    The tree node.

    notificationsHandlerRole?: IRole
    notificationsSkipDestinationValidation?: boolean
    objectOwnership?: ObjectOwnership
    physicalName: string

    Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.

    This value will resolve to one of the following:

    • a concrete value (e.g. "my-awesome-bucket")
    • undefined, when a name should be generated by CloudFormation
    • a concrete name generated automatically during synthesis, in cross-environment scenarios.
    policy?: BucketPolicy

    The resource policy associated with this bucket.

    If autoCreatePolicy is true, a BucketPolicy will be created upon the first call to addToResourcePolicy(s).

    replicationRoleArn?: string

    Role used to set up permissions on this bucket for replication

    stack: Stack

    The stack in which this resource is defined.

    PROPERTY_INJECTION_ID: string

    Uniquely identifies this class.

    Accessors

    • get bucketRef(): BucketReference

      A reference to a Bucket resource.

      Returns BucketReference

    Methods

    _enableCrossEnvironment

    • _enableCrossEnvironment(): void
      Internal

      Called when this resource is referenced across environments (account/region) to order to request that a physical name will be generated for this resource during synthesis, so the resource can be referenced through its absolute name/arn.

      Returns void

    • Adds a cross-origin access configuration for objects in an Amazon S3 bucket

      Parameters

      • rule: CorsRule

        The CORS configuration rule to add

      Returns void

    • Adds a bucket notification event destination.

      Parameters

      • event: EventType

        The event to trigger the notification

      • dest: IBucketNotificationDestination

        The notification destination (Lambda, SNS Topic or SQS Queue)

      • ...filters: NotificationKeyFilter[]

        S3 object key filter rules to determine which objects trigger this event. Each filter must include a prefix and/or suffix that will be matched against the s3 object key. Refer to the S3 Developer Guide for details about allowed filter rules.

      Returns void

      declare const myLambda: lambda.Function;
         const bucket = new s3.Bucket(this, 'MyBucket');
         bucket.addEventNotification(s3.EventType.OBJECT_CREATED, new s3n.LambdaDestination(myLambda), {prefix: 'home/myusername/*'});

    • Add an inventory configuration.

      Parameters

      • inventory: Inventory

        configuration to add

      Returns void

    • Add a lifecycle rule to the bucket

      Parameters

      • rule: LifecycleRule

        The rule to add

      Returns void

    • Adds a metrics configuration for the CloudWatch request metrics from the bucket.

      Parameters

      • metric: BucketMetrics

        The metric configuration to add

      Returns void

    • Subscribes a destination to receive notifications when an object is created in the bucket. This is identical to calling onEvent(EventType.OBJECT_CREATED).

      Parameters

      • dest: IBucketNotificationDestination

        The notification destination (see onEvent)

      • ...filters: NotificationKeyFilter[]

        Filters (see onEvent)

      Returns void

    • Subscribes a destination to receive notifications when an object is removed from the bucket. This is identical to calling onEvent(EventType.OBJECT_REMOVED).

      Parameters

      • dest: IBucketNotificationDestination

        The notification destination (see onEvent)

      • ...filters: NotificationKeyFilter[]

        Filters (see onEvent)

      Returns void

    • Adds a statement to the resource policy for a principal (i.e. account/role/service) to perform actions on this bucket and/or its contents. Use bucketArn and arnForObjects(keys) to obtain ARNs for this bucket or objects.

      Note that the policy statement may or may not be added to the policy. For example, when an IBucket is created from an existing bucket, it's not possible to tell whether the bucket already has a policy attached, let alone to re-use that policy to add more statements to it. So it's safest to do nothing in these cases.

      Parameters

      • permission: PolicyStatement

        the policy statement to be added to the bucket's policy.

      Returns AddToResourcePolicyResult

      metadata about the execution of this method. If the policy was not added, the value of statementAdded will be false. You should always check this value to make sure that the operation was actually carried out. Otherwise, synthesis and deploy will terminate silently, which may be confusing.

    • Apply the given removal policy to this resource

      The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

      The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

      Parameters

      • policy: RemovalPolicy

      Returns void

    • Returns an ARN that represents all objects within the bucket that match the key pattern specified. To represent all keys, specify "*".

      If you need to specify a keyPattern with multiple components, concatenate them into a single string, e.g.:

      arnForObjects(home/${team}/${user}/*)

      Parameters

      • keyPattern: string

      Returns string

    • Enables event bridge notification, causing all events below to be sent to EventBridge:

      • Object Deleted (DeleteObject)
      • Object Deleted (Lifecycle expiration)
      • Object Restore Initiated
      • Object Restore Completed
      • Object Restore Expired
      • Object Storage Class Changed
      • Object Access Tier Changed
      • Object ACL Updated
      • Object Tags Added
      • Object Tags Deleted

      Returns void

    • Returns string

    • Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. bucket.bucketArn).

      Normally, this token will resolve to arnAttr, but if the resource is referenced across environments, arnComponents will be used to synthesize a concrete ARN with the resource's physical name. Make sure to reference this.physicalName in arnComponents.

      Parameters

      • arnAttr: string

        The CFN attribute which resolves to the ARN of the resource. Commonly it will be called "Arn" (e.g. resource.attrArn), but sometimes it's the CFN resource's ref.

      • arnComponents: ArnComponents

        The format of the ARN of this resource. You must reference this.physicalName somewhere within the ARN in order for cross-environment references to work.

      Returns string

    • Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. bucket.bucketName).

      Normally, this token will resolve to nameAttr, but if the resource is referenced across environments, it will be resolved to this.physicalName, which will be a concrete name.

      Parameters

      • nameAttr: string

        The CFN attribute which resolves to the resource's name. Commonly this is the resource's ref.

      Returns string

    • Grants s3:DeleteObject* permission to an IAM principal for objects in this bucket.

      Parameters

      • identity: IGrantable

        The principal

      • OptionalobjectsKeyPattern: any

        Restrict the permission to a certain key pattern (default '*'). Parameter type is any but string should be passed in.

      Returns Grant

    • Allows unrestricted access to objects from this bucket.

      IMPORTANT: This permission allows anyone to perform actions on S3 objects in this bucket, which is useful for when you configure your bucket as a website and want everyone to be able to read objects in the bucket without needing to authenticate.

      Without arguments, this method will grant read ("s3:GetObject") access to all objects ("*") in the bucket.

      The method returns the iam.Grant object, which can then be modified as needed. For example, you can add a condition that will restrict access only to an IPv4 range like this:

      const grant = bucket.grantPublicAccess();
grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” });

      Note that if this IBucket refers to an existing bucket, possibly not managed by CloudFormation, this method will have no effect, since it's impossible to modify the policy of an existing bucket.

      Parameters

      • OptionalkeyPrefix: string

        the prefix of S3 object keys (e.g. home/*). Default is "*".

      • ...allowedActions: string[]

        the set of S3 actions to allow. Default is "s3:GetObject".

      Returns Grant

    • Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.

      If encryption is used, permission to use the key to encrypt the contents of written files will also be granted to the same principal.

      Parameters

      • identity: IGrantable

        The principal

      • OptionalobjectsKeyPattern: any

        Restrict the permission to a certain key pattern (default '*'). Parameter type is any but string should be passed in.

      Returns Grant

    • Grant the given IAM identity permissions to modify the ACLs of objects in the given Bucket.

      If your application has the '@aws-cdk/aws-s3:grantWriteWithoutAcl' feature flag set, calling grantWrite or grantReadWrite no longer grants permissions to modify the ACLs of the objects; in this case, if you need to modify object ACLs, call this method explicitly.

      Parameters

      • identity: IGrantable

        The principal

      • OptionalobjectsKeyPattern: string

        Restrict the permission to a certain key pattern (default '*')

      Returns Grant

    • Grant read permissions for this bucket and it's contents to an IAM principal (Role/Group/User).

      If encryption is used, permission to use the key to decrypt the contents of the bucket will also be granted to the same principal.

      Parameters

      • identity: IGrantable

        The principal

      • OptionalobjectsKeyPattern: any

        Restrict the permission to a certain key pattern (default '*'). Parameter type is any but string should be passed in.

      Returns Grant

    • Grants read/write permissions for this bucket and it's contents to an IAM principal (Role/Group/User).

      If an encryption key is used, permission to use the key for encrypt/decrypt will also be granted.

      Before CDK version 1.85.0, this method granted the s3:PutObject* permission that included s3:PutObjectAcl, which could be used to grant read/write object access to IAM principals in other accounts. If you want to get rid of that behavior, update your CDK version to 1.85.0 or later, and make sure the @aws-cdk/aws-s3:grantWriteWithoutAcl feature flag is set to true in the context key of your cdk.json file. If you've already updated, but still need the principal to have permissions to modify the ACLs, use the grantPutAcl method.

      Parameters

      • identity: IGrantable

        The principal

      • OptionalobjectsKeyPattern: any

        Restrict the permission to a certain key pattern (default '*'). Parameter type is any but string should be passed in.

      Returns Grant

    • Grant replication permission to a principal. This method allows the principal to perform replication operations on this bucket.

      Note that when calling this function for source or destination buckets that support KMS encryption, you need to specify the KMS key for encryption and the KMS key for decryption, respectively.

      Parameters

      • identity: IGrantable

        The principal to grant replication permission to.

      • props: GrantReplicationPermissionProps

        The properties of the replication source and destination buckets.

      Returns Grant

    • Grant write permissions to this bucket to an IAM principal.

      If encryption is used, permission to use the key to encrypt the contents of written files will also be granted to the same principal.

      Before CDK version 1.85.0, this method granted the s3:PutObject* permission that included s3:PutObjectAcl, which could be used to grant read/write object access to IAM principals in other accounts. If you want to get rid of that behavior, update your CDK version to 1.85.0 or later, and make sure the @aws-cdk/aws-s3:grantWriteWithoutAcl feature flag is set to true in the context key of your cdk.json file. If you've already updated, but still need the principal to have permissions to modify the ACLs, use the grantPutAcl method.

      Parameters

      • identity: IGrantable

        The principal

      • OptionalobjectsKeyPattern: any

        Restrict the permission to a certain key pattern (default '*'). Parameter type is any but string should be passed in.

      • OptionalallowedActionPatterns: string[]

        Restrict the permissions to certain list of action patterns

      Returns Grant

    • Define a CloudWatch event that triggers when something happens to this repository

      Requires that there exists at least one CloudTrail Trail in your account that captures the event. This method will not create the Trail.

      Parameters

      • id: string

        The id of the rule

      • Optionaloptions: OnCloudTrailBucketEventOptions

        Options for adding the rule

      Returns Rule

    • Defines an AWS CloudWatch event that triggers when an object is uploaded to the specified paths (keys) in this bucket using the PutObject API call.

      Note that some tools like aws s3 cp will automatically use either PutObject or the multipart upload API depending on the file size, so using onCloudTrailWriteObject may be preferable.

      Requires that there exists at least one CloudTrail Trail in your account that captures the event. This method will not create the Trail.

      Parameters

      • id: string

        The id of the rule

      • Optionaloptions: OnCloudTrailBucketEventOptions

        Options for adding the rule

      Returns Rule

    • Defines an AWS CloudWatch event that triggers when an object at the specified paths (keys) in this bucket are written to. This includes the events PutObject, CopyObject, and CompleteMultipartUpload.

      Note that some tools like aws s3 cp will automatically use either PutObject or the multipart upload API depending on the file size, so using this method may be preferable to onCloudTrailPutObject.

      Requires that there exists at least one CloudTrail Trail in your account that captures the event. This method will not create the Trail.

      Parameters

      • id: string

        The id of the rule

      • Optionaloptions: OnCloudTrailBucketEventOptions

        Options for adding the rule

      Returns Rule

    • The S3 URL of an S3 object. For example:

      • s3://onlybucket
      • s3://bucket/key

      Parameters

      • Optionalkey: string

        The S3 key of the object. If not specified, the S3 URL of the bucket is returned.

      Returns string

      an ObjectS3Url token

    • Returns a string representation of an object.

      Returns string

    • The https Transfer Acceleration URL of an S3 object. Specify dualStack: true at the options for dual-stack endpoint (connect to the bucket over IPv6). For example:

      • https://bucket.s3-accelerate.amazonaws.com
      • https://bucket.s3-accelerate.amazonaws.com/key

      Parameters

      • Optionalkey: string

        The S3 key of the object. If not specified, the URL of the bucket is returned.

      • Optionaloptions: TransferAccelerationUrlOptions

        Options for generating URL.

      Returns string

      an TransferAccelerationUrl token

    • The https URL of an S3 object. Specify regional: false at the options for non-regional URLs. For example:

      • https://s3.us-west-1.amazonaws.com/onlybucket
      • https://s3.us-west-1.amazonaws.com/bucket/key
      • https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey

      Parameters

      • Optionalkey: string

        The S3 key of the object. If not specified, the URL of the bucket is returned.

      Returns string

      an ObjectS3Url token

    • The virtual hosted-style URL of an S3 object. Specify regional: false at the options for non-regional URL. For example:

      • https://only-bucket.s3.us-west-1.amazonaws.com
      • https://bucket.s3.us-west-1.amazonaws.com/key
      • https://bucket.s3.amazonaws.com/key
      • https://china-bucket.s3.cn-north-1.amazonaws.com.cn/mykey

      Parameters

      • Optionalkey: string

        The S3 key of the object. If not specified, the URL of the bucket is returned.

      • Optionaloptions: VirtualHostedStyleUrlOptions

        Options for generating URL.

      Returns string

      an ObjectS3Url token

    • Parameters

      • scope: Construct
      • id: string
      • bucketArn: string

      Returns IBucket

    • Creates a Bucket construct that represents an external bucket.

      Parameters

      • scope: Construct

        The parent creating construct (usually this).

      • id: string

        The construct's name.

      • attrs: BucketAttributes

        A BucketAttributes object. Can be obtained from a call to bucket.export() or manually created.

      Returns IBucket

    • Parameters

      • scope: Construct
      • id: string
      • bucketName: string

      Returns IBucket

    • Create a mutable IBucket based on a low-level CfnBucket.

      Parameters

      • cfnBucket: CfnBucket

      Returns IBucket

    • Checks if x is a construct.

      Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

      Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

      Parameters

      • x: any

        Any object

      Returns x is Construct

      true if x is an object created from a class which extends Construct.

    • Returns true if the construct was created by CDK, and false otherwise

      Parameters

      • construct: IConstruct

      Returns boolean

    • Check whether the given construct is a Resource

      Parameters

      • construct: IConstruct

      Returns construct is Resource

    • Thrown an exception if the given bucket name is not valid.

      Parameters

      • physicalName: string

        name of the bucket.

      • OptionalallowLegacyBucketNaming: boolean

        allow legacy bucket naming style, default is false.

      Returns void

    Settings

    Member Visibility

    On This Page

    Constructors
    Properties
    Accessors
    Methods