Skip navigation links

Package software.amazon.awscdk.services.s3

Amazon S3 Construct Library

See: Description

Package software.amazon.awscdk.services.s3 Description

Amazon S3 Construct Library

---

cfn-resources: Stable

cdk-constructs: Stable


Define an unencrypted S3 bucket.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 new Bucket(this, "MyFirstBucket");
 

Bucket constructs expose the following deploy-time attributes:

Encryption

Define a KMS-encrypted bucket:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object bucket = Bucket.Builder.create(this, "MyEncryptedBucket")
         .encryption(BucketEncryption.getKMS())
         .build();
 
 // you can access the encryption key:
 assert(bucket.getEncryptionKey() instanceof kms.getKey());
 

You can also supply your own key:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object myKmsKey = new Key(this, "MyKey");
 
 Object bucket = Bucket.Builder.create(this, "MyEncryptedBucket")
         .encryption(BucketEncryption.getKMS())
         .encryptionKey(myKmsKey)
         .build();
 
 assert(bucket.getEncryptionKey() === myKmsKey);
 

Enable KMS-SSE encryption via S3 Bucket Keys:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object bucket = Bucket.Builder.create(this, "MyEncryptedBucket")
         .encryption(BucketEncryption.getKMS())
         .bucketKeyEnabled(true)
         .build();
 
 assert(bucket.getBucketKeyEnabled() === true);
 

Use BucketEncryption.ManagedKms to use the S3 master KMS key:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object bucket = Bucket.Builder.create(this, "Buck")
         .encryption(BucketEncryption.getKMS_MANAGED())
         .build();
 
 assert(bucket.getEncryptionKey() == null);
 

Permissions

A bucket policy will be automatically created for the bucket upon the first call to addToResourcePolicy(statement):

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object bucket = new Bucket(this, "MyBucket");
 Object result = bucket.addToResourcePolicy(new PolicyStatement(new PolicyStatementProps()
         .actions(asList("s3:GetObject"))
         .resources(asList(bucket.arnForObjects("file.txt")))
         .principals(asList(new AccountRootPrincipal()))));
 

If you try to add a policy statement to an existing bucket, this method will not do anything:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object bucket = Bucket.fromBucketName(this, "existingBucket", "bucket-name");
 
 // Nothing will change here
 Object result = bucket.addToResourcePolicy(new PolicyStatement(new PolicyStatementProps()...));
 

That's because it's not possible to tell whether the bucket already has a policy attached, let alone to re-use that policy to add more statements to it. We recommend that you always check the result of the call:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object result = bucket.addToResourcePolicy(...);
 if (~result.getStatementAdded()) {
 }
 

The bucket policy can be directly accessed after creation to add statements or adjust the removal policy.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 bucket.policy.applyRemovalPolicy(RemovalPolicy.getRETAIN());
 

Most of the time, you won't have to manipulate the bucket policy directly. Instead, buckets have "grant" methods called to give prepackaged sets of permissions to other resources. For example:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object lambda = Function.Builder.create(this, "Lambda").build();
 
 Object bucket = new Bucket(this, "MyBucket");
 bucket.grantReadWrite(lambda);
 

Will give the Lambda's execution role permissions to read and write from the bucket.

AWS Foundational Security Best Practices

Enforcing SSL

To require all requests use Secure Socket Layer (SSL):

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object bucket = Bucket.Builder.create(this, "Bucket")
         .enforceSSL(true)
         .build();
 

Sharing buckets between stacks

To use a bucket in a different stack in the same CDK application, pass the object to the other stack:

 // Example automatically generated. See https://github.com/aws/jsii/issues/826
 /**
  * Stack that defines the bucket
  * /
 public class Producer extends Stack {
     public final Bucket myBucket;
 
     public Producer(App scope, String id) {
         this(scope, id, null);
     }
 
     public Producer(App scope, String id, StackProps props) {
         super(scope, id, props);
 
         Bucket bucket = new Bucket(this, "MyBucket", new BucketProps()
                 .removalPolicy(cdk.RemovalPolicy.getDESTROY()));
         this.myBucket = bucket;
     }
 }
 
 public class ConsumerProps extends StackProps {
     private IBucket userBucket;
     public IBucket getUserBucket() {
         return this.userBucket;
     }
     public ConsumerProps userBucket(IBucket userBucket) {
         this.userBucket = userBucket;
         return this;
     }
 }
 
 /**
  * Stack that consumes the bucket
  * /
 public class Consumer extends Stack {
     public Consumer(App scope, String id, ConsumerProps props) {
         super(scope, id, props);
 
         User user = new User(this, "MyUser");
         props.userBucket.grantReadWrite(user);
     }
 }
 
 Producer producer = new Producer(app, "ProducerStack");
 new Consumer(app, "ConsumerStack", new ConsumerProps().userBucket(producer.getMyBucket()));
 

Importing existing buckets

To import an existing bucket into your CDK application, use the Bucket.fromBucketAttributes factory method. This method accepts BucketAttributes which describes the properties of an already existing bucket:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object bucket = Bucket.fromBucketAttributes(this, "ImportedBucket", Map.of(
         "bucketArn", "arn:aws:s3:::my-bucket"));
 
 // now you can just call methods on the bucket
 bucket.addEventNotification(EventType.getOBJECT_CREATED(), ...);
 

Alternatively, short-hand factories are available as Bucket.fromBucketName and Bucket.fromBucketArn, which will derive all bucket attributes from the bucket name or ARN respectively:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object byName = Bucket.fromBucketName(this, "BucketByName", "my-bucket");
 Object byArn = Bucket.fromBucketArn(this, "BucketByArn", "arn:aws:s3:::my-bucket");
 

The bucket's region defaults to the current stack's region, but can also be explicitly set in cases where one of the bucket's regional properties needs to contain the correct values.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object myCrossRegionBucket = Bucket.fromBucketAttributes(this, "CrossRegionImport", Map.of(
         "bucketArn", "arn:aws:s3:::my-bucket",
         "region", "us-east-1"));
 

Bucket Notifications

The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket as described under [S3 Bucket Notifications] of the S3 Developer Guide.

To subscribe for bucket notifications, use the bucket.addEventNotification method. The bucket.addObjectCreatedNotification and bucket.addObjectRemovedNotification can also be used for these common use cases.

The following example will subscribe an SNS topic to be notified of all s3:ObjectCreated:* events:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.services.s3.notifications.*;
 
 Object topic = new Topic(this, "MyTopic");
 bucket.addEventNotification(s3.EventType.getOBJECT_CREATED(), new SnsDestination(topic));
 

This call will also ensure that the topic policy can accept notifications for this specific bucket.

Supported S3 notification targets are exposed by the @aws-cdk/aws-s3-notifications package.

It is also possible to specify S3 object key filters when subscribing. The following example will notify myQueue when objects prefixed with foo/ and have the .jpg suffix are removed from the bucket.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 bucket.addEventNotification(s3.EventType.getOBJECT_REMOVED(),
 new SqsDestination(myQueue), Map.of("prefix", "foo/", "suffix", ".jpg"));
 

Adding notifications on existing buckets:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object bucket = Bucket.fromBucketAttributes(this, "ImportedBucket", Map.of(
         "bucketArn", "arn:aws:s3:::my-bucket"));
 bucket.addEventNotification(s3.EventType.getOBJECT_CREATED(), new SnsDestination(topic));
 

Block Public Access

Use blockPublicAccess to specify block public access settings on the bucket.

Enable all block public access settings:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object bucket = Bucket.Builder.create(this, "MyBlockedBucket")
         .blockPublicAccess(BlockPublicAccess.getBLOCK_ALL())
         .build();
 

Block and ignore public ACLs:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object bucket = Bucket.Builder.create(this, "MyBlockedBucket")
         .blockPublicAccess(BlockPublicAccess.getBLOCK_ACLS())
         .build();
 

Alternatively, specify the settings manually:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object bucket = Bucket.Builder.create(this, "MyBlockedBucket")
         .blockPublicAccess(BlockPublicAccess.Builder.create().blockPublicPolicy(true).build())
         .build();
 

When blockPublicPolicy is set to true, grantPublicRead() throws an error.

Logging configuration

Use serverAccessLogsBucket to describe where server access logs are to be stored.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object accessLogsBucket = new Bucket(this, "AccessLogsBucket");
 
 Object bucket = Bucket.Builder.create(this, "MyBucket")
         .serverAccessLogsBucket(accessLogsBucket)
         .build();
 

It's also possible to specify a prefix for Amazon S3 to assign to all log object keys.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object bucket = Bucket.Builder.create(this, "MyBucket")
         .serverAccessLogsBucket(accessLogsBucket)
         .serverAccessLogsPrefix("logs")
         .build();
 

S3 Inventory

An inventory contains a list of the objects in the source bucket and metadata for each object. The inventory lists are stored in the destination bucket as a CSV file compressed with GZIP, as an Apache optimized row columnar (ORC) file compressed with ZLIB, or as an Apache Parquet (Parquet) file compressed with Snappy.

You can configure multiple inventory lists for a bucket. You can configure what object metadata to include in the inventory, whether to list all object versions or only current versions, where to store the inventory list file output, and whether to generate the inventory on a daily or weekly basis.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Bucket inventoryBucket = new Bucket(this, "InventoryBucket");
 
 Bucket dataBucket = new Bucket(this, "DataBucket", new BucketProps()
         .inventories(asList(Map.of(
                 "frequency", s3.InventoryFrequency.getDAILY(),
                 "includeObjectVersions", s3.InventoryObjectVersion.getCURRENT(),
                 "destination", Map.of(
                         "bucket", inventoryBucket)), Map.of(
                 "frequency", s3.InventoryFrequency.getWEEKLY(),
                 "includeObjectVersions", s3.InventoryObjectVersion.getALL(),
                 "destination", Map.of(
                         "bucket", inventoryBucket,
                         "prefix", "with-all-versions")))));
 

If the destination bucket is created as part of the same CDK application, the necessary permissions will be automatically added to the bucket policy. However, if you use an imported bucket (i.e Bucket.fromXXX()), you'll have to make sure it contains the following policy document:

 {
   "Version": "2012-10-17",
   "Statement": [
     {
       "Sid": "InventoryAndAnalyticsExamplePolicy",
       "Effect": "Allow",
       "Principal": { "Service": "s3.amazonaws.com" },
       "Action": "s3:PutObject",
       "Resource": ["arn:aws:s3:::destinationBucket/*"]
     }
   ]
 }
 

Website redirection

You can use the two following properties to specify the bucket redirection policy. Please note that these methods cannot both be applied to the same bucket.

Static redirection

You can statically redirect a to a given Bucket URL or any other host name with websiteRedirect:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object bucket = Bucket.Builder.create(this, "MyRedirectedBucket")
         .websiteRedirect(Map.of("hostName", "www.example.com"))
         .build();
 

Routing rules

Alternatively, you can also define multiple websiteRoutingRules, to define complex, conditional redirections:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object bucket = Bucket.Builder.create(this, "MyRedirectedBucket")
         .websiteRoutingRules(asList(Map.of(
                 "hostName", "www.example.com",
                 "httpRedirectCode", "302",
                 "protocol", RedirectProtocol.getHTTPS(),
                 "replaceKey", ReplaceKey.prefixWith("test/"),
                 "condition", Map.of(
                         "httpErrorCodeReturnedEquals", "200",
                         "keyPrefixEquals", "prefix"))))
         .build();
 

Filling the bucket as part of deployment

To put files into a bucket as part of a deployment (for example, to host a website), see the @aws-cdk/aws-s3-deployment package, which provides a resource that can do just that.

The URL for objects

S3 provides two types of URLs for accessing objects via HTTP(S). Path-Style and Virtual Hosted-Style URL. Path-Style is a classic way and will be deprecated. We recommend to use Virtual Hosted-Style URL for newly made bucket.

You can generate both of them.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 bucket.urlForObject("objectname");// Path-Style URL
 bucket.virtualHostedUrlForObject("objectname");// Virtual Hosted-Style URL
 bucket.virtualHostedUrlForObject("objectname", Map.of("regional", false));
 

Object Ownership

You can use the two following properties to specify the bucket object Ownership.

Object writer

The Uploading account will own the object.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 new Bucket(this, "MyBucket", new BucketProps()
         .objectOwnership(s3.ObjectOwnership.getOBJECT_WRITER()));
 

Bucket owner preferred

The bucket owner will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. Without this setting and canned ACL, the object is uploaded and remains owned by the uploading account.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 new Bucket(this, "MyBucket", new BucketProps()
         .objectOwnership(s3.ObjectOwnership.getBUCKET_OWNER_PREFERRED()));
 

Bucket deletion

When a bucket is removed from a stack (or the stack is deleted), the S3 bucket will be removed according to its removal policy (which by default will simply orphan the bucket and leave it in your AWS account). If the removal policy is set to RemovalPolicy.DESTROY, the bucket will be deleted as long as it does not contain any objects.

To override this and force all objects to get deleted during bucket deletion, enable theautoDeleteObjects option.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object bucket = Bucket.Builder.create(this, "MyTempFileBucket")
         .removalPolicy(RemovalPolicy.getDESTROY())
         .autoDeleteObjects(true)
         .build();
 
Skip navigation links