
Class BucketPolicy

The bucket policy for an Amazon S3 bucket.

Inheritance
object
Resource
BucketPolicy
Implements
IResource
IBucketPolicyRef
IConstruct
IDependable
IEnvironmentAware
Inherited Members
Resource.IsOwnedResource(IConstruct)
Resource.IsResource(IConstruct)
Resource.GeneratePhysicalName()
Resource.GetResourceArnAttribute(string, IArnComponents)
Resource.GetResourceNameAttribute(string)
Resource.With(params IMixin[])
Resource.Env
Resource.PhysicalName
Resource.Stack
Namespace: Amazon.CDK.AWS.S3
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public class BucketPolicy : Resource, IResource, IBucketPolicyRef, IConstruct, IDependable, IEnvironmentAware
Syntax (vb)
Public Class BucketPolicy Inherits Resource Implements IResource, IBucketPolicyRef, IConstruct, IDependable, IEnvironmentAware
Remarks

Policies define the operations that are allowed on this resource.

You almost never need to define this construct directly.

All AWS resources that support resource policies have a method called addToResourcePolicy(), which will automatically create a new resource policy if one doesn't exist yet, otherwise it will add to the existing policy.

BucketPolicy() behaves differently from addToResourcePolicy(): constructing a BucketPolicy creates a new policy resource without checking whether the bucket already has one. For example, when a Bucket is created with AutoDeleteObjects = true, CDK attaches a bucket policy granting the cleanup custom resource ["s3:DeleteObject*", "s3:GetBucket*", "s3:List*", "s3:PutBucketPolicy"]. If you then attach a new BucketPolicy with ["s3:GetObject", "s3:ListBucket"] to that same bucket, a second policy resource is synthesized. An S3 bucket holds exactly one policy, so one of the two overwrites the other, the custom resource handler loses the s3:GetBucketTagging permission it relies on (covered by s3:GetBucket*), and deleting the stack fails.

Hence it is strongly recommended to use the addToResourcePolicy() method to add new permissions to the existing policy.


Examples
using System.Collections.Generic;
using Amazon.CDK.AWS.S3;

var bucketName = "amzn-s3-demo-bucket";
var accessLogsBucket = new Bucket(this, "AccessLogsBucket", new BucketProps {
    ObjectOwnership = ObjectOwnership.BUCKET_OWNER_ENFORCED,
    BucketName = bucketName
});

// L1 bucket policy as a plain policy document. Note that an unconditional
// explicit Deny for Principal "*" wins over any Allow appended later, so in a
// real deployment this statement needs a Condition that exempts log delivery.
var bucketPolicy = new CfnBucketPolicy(this, "BucketPolicy", new CfnBucketPolicyProps {
    Bucket = bucketName,
    PolicyDocument = new Dictionary<string, object> {
        { "Statement", new object[] {
            new Dictionary<string, object> {
                { "Action", "s3:*" },
                { "Effect", "Deny" },
                { "Principal", new Dictionary<string, object> { { "AWS", "*" } } },
                { "Resource", new[] { accessLogsBucket.BucketArn, $"{accessLogsBucket.BucketArn}/*" } }
            }
        } },
        { "Version", "2012-10-17" }
    }
});

// Wrap the L1 construct in the L2 BucketPolicy construct. The bucket policy
// statement that CDK generates to allow access-log delivery is then appended
// to this policy instead of creating a second AWS::S3::BucketPolicy.
BucketPolicy.FromCfnBucketPolicy(bucketPolicy);

var bucket = new Bucket(this, "MyBucket", new BucketProps {
    ServerAccessLogsBucket = accessLogsBucket,
    ServerAccessLogsPrefix = "logs"
});
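The Remarks above recommend addToResourcePolicy() over constructing BucketPolicy directly. The following stack, an added example that is not part of the CDK documentation or the CDK code base, shows the recommended path next to the one to avoid: the stack name, construct ids and the reader role ARN are assumptions chosen for illustration.

```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.IAM;
using Amazon.CDK.AWS.S3;
using Constructs;

// Added example, not CDK's own code. "DataBucket", "ReaderRoleGetList" and the
// role ARN below are assumed values.
public class BucketPolicyStack : Stack
{
    public BucketPolicyStack(Construct scope, string id, IStackProps props = null)
        : base(scope, id, props)
    {
        var bucket = new Bucket(this, "DataBucket", new BucketProps
        {
            BlockPublicAccess = BlockPublicAccess.BLOCK_ALL,
            Encryption = BucketEncryption.S3_MANAGED,
            // Both of these make the Bucket construct call addToResourcePolicy()
            // internally, so the bucket already owns a BucketPolicy at this point.
            EnforceSSL = true,
            RemovalPolicy = RemovalPolicy.DESTROY,
            AutoDeleteObjects = true,
        });

        // Recommended: merge the new grant into the policy the Bucket already owns.
        // The cleanup handler keeps its s3:GetBucket* / s3:DeleteObject* statements.
        bucket.AddToResourcePolicy(new PolicyStatement(new PolicyStatementProps
        {
            Sid = "ReaderRoleGetList",
            Effect = Effect.ALLOW,
            Principals = new IPrincipal[]
            {
                new ArnPrincipal("arn:aws:iam::123456789012:role/ReaderRole"), // assumed
            },
            Actions = new[] { "s3:GetObject", "s3:ListBucket" },
            Resources = new[] { bucket.BucketArn, bucket.ArnForObjects("*") },
        }));

        // Not recommended: a second BucketPolicy construct for the same bucket.
        // It synthesizes another AWS::S3::BucketPolicy. S3 keeps one policy per
        // bucket, so whichever resource is written last replaces the other and
        // the auto-delete handler can lose the permissions it needs at teardown.
        //
        // var detached = new BucketPolicy(this, "DetachedPolicy",
        //     new BucketPolicyProps { Bucket = bucket });
        // detached.Document.AddStatements(new PolicyStatement(...));
    }
}
```

When the bucket is an imported IBucket (Bucket.FromBucketName and friends), AddToResourcePolicy() cannot modify the policy and reports StatementAdded = false on its result; check that value rather than assuming the grant took effect.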

Synopsis

Constructors

BucketPolicy(Construct, string, IBucketPolicyProps)

The bucket policy for an Amazon S3 bucket.

Properties

Bucket

The Bucket this Policy applies to.

BucketPolicyRef

A reference to a BucketPolicy resource.

Document

A policy document containing permissions to add to the specified bucket.

PROPERTY_INJECTION_ID

Uniquely identifies this class.

Methods

ApplyRemovalPolicy(RemovalPolicy)

Sets the removal policy for the BucketPolicy.

FromCfnBucketPolicy(CfnBucketPolicy)

Create a mutable BucketPolicy from a CfnBucketPolicy.

Constructors

BucketPolicy(Construct, string, IBucketPolicyProps)

The bucket policy for an Amazon S3 bucket.

public BucketPolicy(Construct scope, string id, IBucketPolicyProps props)
Parameters
scope Construct
id string
props IBucketPolicyProps

Properties

Bucket

The Bucket this Policy applies to.

public virtual IBucket Bucket { get; }
Property Value

IBucket


BucketPolicyRef

A reference to a BucketPolicy resource.

public virtual IBucketPolicyReference BucketPolicyRef { get; }
Property Value

IBucketPolicyReference


Document

A policy document containing permissions to add to the specified bucket.

public virtual PolicyDocument Document { get; }
Property Value

PolicyDocument

Remarks

For more information, see Access Policy Language Overview in the Amazon Simple Storage Service Developer Guide.

PROPERTY_INJECTION_ID

Uniquely identifies this class.

public static string PROPERTY_INJECTION_ID { get; }
Property Value

string


Methods

ApplyRemovalPolicy(RemovalPolicy)

Sets the removal policy for the BucketPolicy.

public override void ApplyRemovalPolicy(RemovalPolicy removalPolicy)
Parameters
removalPolicy RemovalPolicy

the RemovalPolicy to set.

Overrides
Resource.ApplyRemovalPolicy(RemovalPolicy)

FromCfnBucketPolicy(CfnBucketPolicy)

Create a mutable BucketPolicy from a CfnBucketPolicy.

public static BucketPolicy FromCfnBucketPolicy(CfnBucketPolicy cfnBucketPolicy)
Parameters
cfnBucketPolicy CfnBucketPolicy
Returns

BucketPolicy


Implements

IResource
IBucketPolicyRef
Constructs.IConstruct
Constructs.IDependable
IEnvironmentAware
Generated by DocFX