Package software.amazon.awscdk.services.s3

package software.amazon.awscdk.services.s3

Amazon S3 Construct Library

Define an S3 bucket. 

 Bucket bucket = new Bucket(this, "MyFirstBucket");

Bucket constructs expose the following deploy-time attributes:

  • bucketArn - the ARN of the bucket (i.e. arn:aws:s3:::amzn-s3-demo-bucket)
  • bucketName - the name of the bucket (i.e. amzn-s3-demo-bucket)
  • bucketWebsiteUrl - the Website URL of the bucket (i.e. http://amzn-s3-demo-bucket.s3-website-us-west-1.amazonaws.com)
  • bucketDomainName - the URL of the bucket (i.e. amzn-s3-demo-bucket.s3.amazonaws.com)
  • bucketDualStackDomainName - the dual-stack URL of the bucket (i.e. amzn-s3-demo-bucket.s3.dualstack.eu-west-1.amazonaws.com)
  • bucketRegionalDomainName - the regional URL of the bucket (i.e. amzn-s3-demo-bucket.s3.eu-west-1.amazonaws.com)
  • arnForObjects(pattern) - the ARN of an object or objects within the bucket (i.e. arn:aws:s3:::amzn-s3-demo-bucket/exampleobject.png or arn:aws:s3:::amzn-s3-demo-bucket/Development/*)
  • urlForObject(key) - the HTTP URL of an object within the bucket (i.e. https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey)
  • virtualHostedUrlForObject(key) - the virtual-hosted style HTTP URL of an object within the bucket (i.e. https://china-bucket-s3.cn-north-1.amazonaws.com.cn/mykey)
  • s3UrlForObject(key) - the S3 URL of an object within the bucket (i.e. s3://bucket/mykey)

Encryption

Define a KMS-encrypted bucket: 

 Bucket bucket = Bucket.Builder.create(this, "MyEncryptedBucket")
         .encryption(BucketEncryption.KMS)
         .build();
 
 // you can access the encryption key:
 assert(bucket.getEncryptionKey() instanceof Key);

You can also supply your own key: 

 Key myKmsKey = new Key(this, "MyKey");
 
 Bucket bucket = Bucket.Builder.create(this, "MyEncryptedBucket")
         .encryption(BucketEncryption.KMS)
         .encryptionKey(myKmsKey)
         .build();
 
 assert(bucket.getEncryptionKey() == myKmsKey);

Enable KMS-SSE encryption via S3 Bucket Keys: 

 Bucket bucket = Bucket.Builder.create(this, "MyEncryptedBucket")
         .encryption(BucketEncryption.KMS)
         .bucketKeyEnabled(true)
         .build();

Use BucketEncryption.ManagedKms to use the S3 master KMS key: 

 Bucket bucket = Bucket.Builder.create(this, "Buck")
         .encryption(BucketEncryption.KMS_MANAGED)
         .build();
 
 assert(bucket.getEncryptionKey() == null);

Enable DSSE encryption: 

 const bucket = new s3.Bucket(stack, 'MyDSSEBucket', {
   encryption: s3.BucketEncryption.DSSE_MANAGED,
   bucketKeyEnabled: true,
 });

Permissions

A bucket policy will be automatically created for the bucket upon the first call to addToResourcePolicy(statement): 

 Bucket bucket = new Bucket(this, "MyBucket");
 AddToResourcePolicyResult result = bucket.addToResourcePolicy(
 PolicyStatement.Builder.create()
         .actions(List.of("s3:GetObject"))
         .resources(List.of(bucket.arnForObjects("file.txt")))
         .principals(List.of(new AccountRootPrincipal()))
         .build());

If you try to add a policy statement to an existing bucket, this method will not do anything: 

 IBucket bucket = Bucket.fromBucketName(this, "existingBucket", "amzn-s3-demo-bucket");
 
 // No policy statement will be added to the resource
 AddToResourcePolicyResult result = bucket.addToResourcePolicy(
 PolicyStatement.Builder.create()
         .actions(List.of("s3:GetObject"))
         .resources(List.of(bucket.arnForObjects("file.txt")))
         .principals(List.of(new AccountRootPrincipal()))
         .build());

That's because it's not possible to tell whether the bucket already has a policy attached, let alone to re-use that policy to add more statements to it. We recommend that you always check the result of the call: 

 Bucket bucket = new Bucket(this, "MyBucket");
 AddToResourcePolicyResult result = bucket.addToResourcePolicy(
 PolicyStatement.Builder.create()
         .actions(List.of("s3:GetObject"))
         .resources(List.of(bucket.arnForObjects("file.txt")))
         .principals(List.of(new AccountRootPrincipal()))
         .build());
 
 if (!result.getStatementAdded()) {
 }

The bucket policy can be directly accessed after creation to add statements or adjust the removal policy. 

 Bucket bucket = new Bucket(this, "MyBucket");
 bucket.policy.applyRemovalPolicy(RemovalPolicy.RETAIN);

Most of the time, you won't have to manipulate the bucket policy directly. Instead, buckets have "grant" methods called to give prepackaged sets of permissions to other resources. For example: 

 Function myLambda;
 
 
 Bucket bucket = new Bucket(this, "MyBucket");
 bucket.grantReadWrite(myLambda);

Will give the Lambda's execution role permissions to read and write from the bucket.

AWS Foundational Security Best Practices

Enforcing SSL

To require all requests use Secure Socket Layer (SSL): 

 Bucket bucket = Bucket.Builder.create(this, "Bucket")
         .enforceSSL(true)
         .build();

To require a minimum TLS version for all requests: 

 Bucket bucket = Bucket.Builder.create(this, "Bucket")
         .enforceSSL(true)
         .minimumTLSVersion(1.2)
         .build();

Sharing buckets between stacks

To use a bucket in a different stack in the same CDK application, pass the object to the other stack: 

 /**
  * Stack that defines the bucket
  */
 public class Producer extends Stack {
     public final Bucket myBucket;
 
     public Producer(Construct scope, String id) {
         this(scope, id, null);
     }
 
     public Producer(Construct scope, String id, StackProps props) {
         super(scope, id, props);
 
         Bucket bucket = Bucket.Builder.create(this, "MyBucket")
                 .removalPolicy(RemovalPolicy.DESTROY)
                 .build();
         this.myBucket = bucket;
     }
 }
 
 public class ConsumerProps extends StackProps {
     private IBucket userBucket;
     public IBucket getUserBucket() {
         return this.userBucket;
     }
     public ConsumerProps userBucket(IBucket userBucket) {
         this.userBucket = userBucket;
         return this;
     }
 }
 
 /**
  * Stack that consumes the bucket
  */
 public class Consumer extends Stack {
     public Consumer(Construct scope, String id, ConsumerProps props) {
         super(scope, id, props);
 
         User user = new User(this, "MyUser");
         props.userBucket.grantReadWrite(user);
     }
 }
 
 App app = new App();
 Producer producer = new Producer(app, "ProducerStack");
 new Consumer(app, "ConsumerStack", new ConsumerProps().userBucket(producer.getMyBucket()));

Importing existing buckets

To import an existing bucket into your CDK application, use the Bucket.fromBucketAttributes factory method. This method accepts BucketAttributes which describes the properties of an already existing bucket:

Note that this method allows importing buckets with legacy names containing uppercase letters (A-Z) or underscores (_), which were permitted for buckets created before March 1, 2018. For buckets created after this date, uppercase letters and underscores are not allowed in the bucket name. 

 Function myLambda;
 
 IBucket bucket = Bucket.fromBucketAttributes(this, "ImportedBucket", BucketAttributes.builder()
         .bucketArn("arn:aws:s3:::amzn-s3-demo-bucket")
         .build());
 
 // now you can just call methods on the bucket
 bucket.addEventNotification(EventType.OBJECT_CREATED, new LambdaDestination(myLambda), NotificationKeyFilter.builder()
         .prefix("home/myusername/*")
         .build());

Alternatively, short-hand factories are available as Bucket.fromBucketName and Bucket.fromBucketArn, which will derive all bucket attributes from the bucket name or ARN respectively: 

 IBucket byName = Bucket.fromBucketName(this, "BucketByName", "amzn-s3-demo-bucket");
 IBucket byArn = Bucket.fromBucketArn(this, "BucketByArn", "arn:aws:s3:::amzn-s3-demo-bucket");

The bucket's region defaults to the current stack's region, but can also be explicitly set in cases where one of the bucket's regional properties needs to contain the correct values. 

 IBucket myCrossRegionBucket = Bucket.fromBucketAttributes(this, "CrossRegionImport", BucketAttributes.builder()
         .bucketArn("arn:aws:s3:::amzn-s3-demo-bucket")
         .region("us-east-1")
         .build());

Bucket Notifications

The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket as described under S3 Bucket Notifications of the S3 Developer Guide.

To subscribe for bucket notifications, use the bucket.addEventNotification method. The bucket.addObjectCreatedNotification and bucket.addObjectRemovedNotification can also be used for these common use cases.

The following example will subscribe an SNS topic to be notified of all s3:ObjectCreated:* events: 

 Bucket bucket = new Bucket(this, "MyBucket");
 Topic topic = new Topic(this, "MyTopic");
 bucket.addEventNotification(EventType.OBJECT_CREATED, new SnsDestination(topic));

This call will also ensure that the topic policy can accept notifications for this specific bucket.

Supported S3 notification targets are exposed by the aws-cdk-lib/aws-s3-notifications package.

It is also possible to specify S3 object key filters when subscribing. The following example will notify myQueue when objects prefixed with foo/ and have the .jpg suffix are removed from the bucket. 

 Queue myQueue;
 
 Bucket bucket = new Bucket(this, "MyBucket");
 bucket.addEventNotification(EventType.OBJECT_REMOVED, new SqsDestination(myQueue), NotificationKeyFilter.builder()
         .prefix("foo/")
         .suffix(".jpg")
         .build());

Adding notifications on existing buckets: 

 Topic topic;
 
 IBucket bucket = Bucket.fromBucketAttributes(this, "ImportedBucket", BucketAttributes.builder()
         .bucketArn("arn:aws:s3:::amzn-s3-demo-bucket")
         .build());
 bucket.addEventNotification(EventType.OBJECT_CREATED, new SnsDestination(topic));

If you do not want for S3 to validate permissions of Amazon SQS, Amazon SNS, and Lambda destinations you can use the notificationsSkipDestinationValidation flag: 

 Queue myQueue;
 
 Bucket bucket = Bucket.Builder.create(this, "MyBucket")
         .notificationsSkipDestinationValidation(true)
         .build();
 bucket.addEventNotification(EventType.OBJECT_REMOVED, new SqsDestination(myQueue));

When you add an event notification to a bucket, a custom resource is created to manage the notifications. By default, a new role is created for the Lambda function that implements this feature. If you want to use your own role instead, you should provide it in the Bucket constructor: 

 IRole myRole;
 
 Bucket bucket = Bucket.Builder.create(this, "MyBucket")
         .notificationsHandlerRole(myRole)
         .build();

Whatever role you provide, the CDK will try to modify it by adding the permissions from AWSLambdaBasicExecutionRole (an AWS managed policy) as well as the permissions s3:PutBucketNotification and s3:GetBucketNotification. If you’re passing an imported role, and you don’t want this to happen, configure it to be immutable: 

 IRole importedRole = Role.fromRoleArn(this, "role", "arn:aws:iam::123456789012:role/RoleName", FromRoleArnOptions.builder()
         .mutable(false)
         .build());

If you provide an imported immutable role, make sure that it has at least all the permissions mentioned above. Otherwise, the deployment will fail!

EventBridge notifications

Amazon S3 can send events to Amazon EventBridge whenever certain events happen in your bucket. Unlike other destinations, you don't need to select which event types you want to deliver.

The following example will enable EventBridge notifications: 

 Bucket bucket = Bucket.Builder.create(this, "MyEventBridgeBucket")
         .eventBridgeEnabled(true)
         .build();

Block Public Access

Use blockPublicAccess to specify block public access settings on the bucket.

Enable all block public access settings: 

 Bucket bucket = Bucket.Builder.create(this, "MyBlockedBucket")
         .blockPublicAccess(BlockPublicAccess.BLOCK_ALL)
         .build();

Block and ignore public ACLs: 

 Bucket bucket = Bucket.Builder.create(this, "MyBlockedBucket")
         .blockPublicAccess(BlockPublicAccess.BLOCK_ACLS)
         .build();

Alternatively, specify the settings manually: 

 Bucket bucket = Bucket.Builder.create(this, "MyBlockedBucket")
         .blockPublicAccess(BlockPublicAccess.Builder.create().blockPublicPolicy(true).build())
         .build();

When blockPublicPolicy is set to true, grantPublicRead() throws an error.

Public Read Access

Use publicReadAccess to allow public read access to the bucket.

Note that to enable publicReadAccess, make sure both bucket-level and account-level block public access control is disabled.

Bucket-level block public access control can be configured through blockPublicAccess property. Account-level block public access control can be configured on AWS Console -> S3 -> Block Public Access settings for this account (Navigation Panel). 

 Bucket bucket = Bucket.Builder.create(this, "Bucket")
         .publicReadAccess(true)
         .blockPublicAccess(Map.of(
                 "blockPublicPolicy", false,
                 "blockPublicAcls", false,
                 "ignorePublicAcls", false,
                 "restrictPublicBuckets", false))
         .build();

Logging configuration

Use serverAccessLogsBucket to describe where server access logs are to be stored. 

 Bucket accessLogsBucket = new Bucket(this, "AccessLogsBucket");
 
 Bucket bucket = Bucket.Builder.create(this, "MyBucket")
         .serverAccessLogsBucket(accessLogsBucket)
         .build();

It's also possible to specify a prefix for Amazon S3 to assign to all log object keys. 

 Bucket accessLogsBucket = new Bucket(this, "AccessLogsBucket");
 
 Bucket bucket = Bucket.Builder.create(this, "MyBucket")
         .serverAccessLogsBucket(accessLogsBucket)
         .serverAccessLogsPrefix("logs")
         .build();

You have two options for the log object key format. Non-date-based partitioning is the default log object key format and appears as follows: 

 [DestinationPrefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]
 

 Bucket accessLogsBucket = new Bucket(this, "AccessLogsBucket");
 
 Bucket bucket = Bucket.Builder.create(this, "MyBucket")
         .serverAccessLogsBucket(accessLogsBucket)
         .serverAccessLogsPrefix("logs")
         // You can use a simple prefix with `TargetObjectKeyFormat.simplePrefix()`, but it is the same even if you do not specify `targetObjectKeyFormat` property.
         .targetObjectKeyFormat(TargetObjectKeyFormat.simplePrefix())
         .build();

Another option is Date-based partitioning. If you choose this format, you can select either the event time or the delivery time of the log file as the date source used in the log format. This format appears as follows: 

 [DestinationPrefix][SourceAccountId]/[SourceRegion]/[SourceBucket]/[YYYY]/[MM]/[DD]/[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]
 

 Bucket accessLogsBucket = new Bucket(this, "AccessLogsBucket");
 
 Bucket bucket = Bucket.Builder.create(this, "MyBucket")
         .serverAccessLogsBucket(accessLogsBucket)
         .serverAccessLogsPrefix("logs")
         .targetObjectKeyFormat(TargetObjectKeyFormat.partitionedPrefix(PartitionDateSource.EVENT_TIME))
         .build();

Allowing access log delivery using a Bucket Policy (recommended)

When possible, it is recommended to use a bucket policy to grant access instead of using ACLs. When the @aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy feature flag is enabled, this is done by default for server access logs. If S3 Server Access Logs are the only logs delivered to your bucket (or if all other services logging to the bucket support using bucket policy instead of ACLs), you can set object ownership to bucket owner enforced, as is recommended. 

 Bucket accessLogsBucket = Bucket.Builder.create(this, "AccessLogsBucket")
         .objectOwnership(ObjectOwnership.BUCKET_OWNER_ENFORCED)
         .build();
 
 Bucket bucket = Bucket.Builder.create(this, "MyBucket")
         .serverAccessLogsBucket(accessLogsBucket)
         .serverAccessLogsPrefix("logs")
         .build();

The above code will create a new bucket policy if none exists or update the existing bucket policy to allow access log delivery.

However, there could be an edge case if the accessLogsBucket also defines a bucket policy resource using the L1 Construct. Although the mixing of L1 and L2 Constructs is not recommended, there are no mechanisms in place to prevent users from doing this at the moment. 

 String bucketName = "amzn-s3-demo-bucket";
 Bucket accessLogsBucket = Bucket.Builder.create(this, "AccessLogsBucket")
         .objectOwnership(ObjectOwnership.BUCKET_OWNER_ENFORCED)
         .bucketName(bucketName)
         .build();
 
 // Creating a bucket policy using L1
 CfnBucketPolicy bucketPolicy = CfnBucketPolicy.Builder.create(this, "BucketPolicy")
         .bucket(bucketName)
         .policyDocument(Map.of(
                 "Statement", List.of(Map.of(
                         "Action", "s3:*",
                         "Effect", "Deny",
                         "Principal", Map.of(
                                 "AWS", "*"),
                         "Resource", List.of(accessLogsBucket.getBucketArn(), String.format("%s/*", accessLogsBucket.getBucketArn())))),
                 "Version", "2012-10-17"))
         .build();
 
 // 'serverAccessLogsBucket' will create a new L2 bucket policy
 // to allow log delivery and overwrite the L1 bucket policy.
 Bucket bucket = Bucket.Builder.create(this, "MyBucket")
         .serverAccessLogsBucket(accessLogsBucket)
         .serverAccessLogsPrefix("logs")
         .build();

The above example uses the L2 Bucket Construct with the L1 CfnBucketPolicy Construct. However, when serverAccessLogsBucket is set, a new L2 Bucket Policy resource will be created which overwrites the permissions defined in the L1 Bucket Policy causing unintended behaviours.

As noted above, we highly discourage the mixed usage of L1 and L2 Constructs. The recommended approach would to define the bucket policy using addToResourcePolicy method. 

 Bucket accessLogsBucket = Bucket.Builder.create(this, "AccessLogsBucket")
         .objectOwnership(ObjectOwnership.BUCKET_OWNER_ENFORCED)
         .build();
 
 accessLogsBucket.addToResourcePolicy(
 PolicyStatement.Builder.create()
         .actions(List.of("s3:*"))
         .resources(List.of(accessLogsBucket.getBucketArn(), accessLogsBucket.arnForObjects("*")))
         .principals(List.of(new AnyPrincipal()))
         .build());
 
 Bucket bucket = Bucket.Builder.create(this, "MyBucket")
         .serverAccessLogsBucket(accessLogsBucket)
         .serverAccessLogsPrefix("logs")
         .build();

Alternatively, users can use the L2 Bucket Policy Construct BucketPolicy.fromCfnBucketPolicy to wrap around CfnBucketPolicy Construct. This will allow the subsequent bucket policy generated by serverAccessLogsBucket usage to append to the existing bucket policy instead of overwriting. 

 String bucketName = "amzn-s3-demo-bucket";
 Bucket accessLogsBucket = Bucket.Builder.create(this, "AccessLogsBucket")
         .objectOwnership(ObjectOwnership.BUCKET_OWNER_ENFORCED)
         .bucketName(bucketName)
         .build();
 
 CfnBucketPolicy bucketPolicy = CfnBucketPolicy.Builder.create(this, "BucketPolicy")
         .bucket(bucketName)
         .policyDocument(Map.of(
                 "Statement", List.of(Map.of(
                         "Action", "s3:*",
                         "Effect", "Deny",
                         "Principal", Map.of(
                                 "AWS", "*"),
                         "Resource", List.of(accessLogsBucket.getBucketArn(), String.format("%s/*", accessLogsBucket.getBucketArn())))),
                 "Version", "2012-10-17"))
         .build();
 
 // Wrap L1 Construct with L2 Bucket Policy Construct. Subsequent
 // generated bucket policy to allow access log delivery would append
 // to the current policy.
 BucketPolicy.fromCfnBucketPolicy(bucketPolicy);
 
 Bucket bucket = Bucket.Builder.create(this, "MyBucket")
         .serverAccessLogsBucket(accessLogsBucket)
         .serverAccessLogsPrefix("logs")
         .build();

S3 Inventory

An inventory contains a list of the objects in the source bucket and metadata for each object. The inventory lists are stored in the destination bucket as a CSV file compressed with GZIP, as an Apache optimized row columnar (ORC) file compressed with ZLIB, or as an Apache Parquet (Parquet) file compressed with Snappy.

You can configure multiple inventory lists for a bucket. You can configure what object metadata to include in the inventory, whether to list all object versions or only current versions, where to store the inventory list file output, and whether to generate the inventory on a daily or weekly basis. 

 Bucket inventoryBucket = new Bucket(this, "InventoryBucket");
 
 Bucket dataBucket = Bucket.Builder.create(this, "DataBucket")
         .inventories(List.of(Inventory.builder()
                 .frequency(InventoryFrequency.DAILY)
                 .includeObjectVersions(InventoryObjectVersion.CURRENT)
                 .destination(InventoryDestination.builder()
                         .bucket(inventoryBucket)
                         .build())
                 .build(), Inventory.builder()
                 .frequency(InventoryFrequency.WEEKLY)
                 .includeObjectVersions(InventoryObjectVersion.ALL)
                 .destination(InventoryDestination.builder()
                         .bucket(inventoryBucket)
                         .prefix("with-all-versions")
                         .build())
                 .build()))
         .build();

If the destination bucket is created as part of the same CDK application, the necessary permissions will be automatically added to the bucket policy. However, if you use an imported bucket (i.e Bucket.fromXXX()), you'll have to make sure it contains the following policy document: 

 {
   "Version": "2012-10-17",
   "Statement": [
     {
       "Sid": "InventoryAndAnalyticsExamplePolicy",
       "Effect": "Allow",
       "Principal": { "Service": "s3.amazonaws.com" },
       "Action": "s3:PutObject",
       "Resource": ["arn:aws:s3:::amzn-s3-demo-destination-bucket/*"]
     }
   ]
 }

Website redirection

You can use the two following properties to specify the bucket redirection policy. Please note that these methods cannot both be applied to the same bucket.

Static redirection

You can statically redirect a to a given Bucket URL or any other host name with websiteRedirect: 

 Bucket bucket = Bucket.Builder.create(this, "MyRedirectedBucket")
         .websiteRedirect(RedirectTarget.builder().hostName("www.example.com").build())
         .build();

Routing rules

Alternatively, you can also define multiple websiteRoutingRules, to define complex, conditional redirections: 

 Bucket bucket = Bucket.Builder.create(this, "MyRedirectedBucket")
         .websiteRoutingRules(List.of(RoutingRule.builder()
                 .hostName("www.example.com")
                 .httpRedirectCode("302")
                 .protocol(RedirectProtocol.HTTPS)
                 .replaceKey(ReplaceKey.prefixWith("test/"))
                 .condition(RoutingRuleCondition.builder()
                         .httpErrorCodeReturnedEquals("200")
                         .keyPrefixEquals("prefix")
                         .build())
                 .build()))
         .build();

Filling the bucket as part of deployment

To put files into a bucket as part of a deployment (for example, to host a website), see the aws-cdk-lib/aws-s3-deployment package, which provides a resource that can do just that.

The URL for objects

S3 provides two types of URLs for accessing objects via HTTP(S). Path-Style and Virtual Hosted-Style URL. Path-Style is a classic way and will be deprecated. We recommend to use Virtual Hosted-Style URL for newly made bucket.

You can generate both of them. 

 Bucket bucket = new Bucket(this, "MyBucket");
 bucket.urlForObject("objectname"); // Path-Style URL
 bucket.virtualHostedUrlForObject("objectname"); // Virtual Hosted-Style URL
 bucket.virtualHostedUrlForObject("objectname", VirtualHostedStyleUrlOptions.builder().regional(false).build());

Object Ownership

You can use one of following properties to specify the bucket object Ownership.

Object writer

The Uploading account will own the object. 

 Bucket.Builder.create(this, "MyBucket")
         .objectOwnership(ObjectOwnership.OBJECT_WRITER)
         .build();

Bucket owner preferred

The bucket owner will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. Without this setting and canned ACL, the object is uploaded and remains owned by the uploading account. 

 Bucket.Builder.create(this, "MyBucket")
         .objectOwnership(ObjectOwnership.BUCKET_OWNER_PREFERRED)
         .build();

Bucket owner enforced (recommended)

ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. ACLs no longer affect permissions to data in the S3 bucket. The bucket uses policies to define access control. 

 Bucket.Builder.create(this, "MyBucket")
         .objectOwnership(ObjectOwnership.BUCKET_OWNER_ENFORCED)
         .build();

Some services may not not support log delivery to buckets that have object ownership set to bucket owner enforced, such as S3 buckets using ACLs or CloudFront Distributions.

Bucket deletion

When a bucket is removed from a stack (or the stack is deleted), the S3 bucket will be removed according to its removal policy (which by default will simply orphan the bucket and leave it in your AWS account). If the removal policy is set to RemovalPolicy.DESTROY, the bucket will be deleted as long as it does not contain any objects.

To override this and force all objects to get deleted during bucket deletion, enable theautoDeleteObjects option.

When autoDeleteObjects is enabled, s3:PutBucketPolicy is added to the bucket policy. This is done to allow the custom resource this feature is built on to add a deny policy for s3:PutObject to the bucket policy when a delete stack event occurs. Adding this deny policy prevents new objects from being written to the bucket. Doing this prevents race conditions with external bucket writers during the deletion process. 

 Bucket bucket = Bucket.Builder.create(this, "MyTempFileBucket")
         .removalPolicy(RemovalPolicy.DESTROY)
         .autoDeleteObjects(true)
         .build();

Warning if you have deployed a bucket with autoDeleteObjects: true, switching this to false in a CDK version before 1.126.0 will lead to all objects in the bucket being deleted. Be sure to update your bucket resources by deploying with CDK version 1.126.0 or later before switching this value to false.

Transfer Acceleration

Transfer Acceleration can be configured to enable fast, easy, and secure transfers of files over long distances: 

 Bucket bucket = Bucket.Builder.create(this, "MyBucket")
         .transferAcceleration(true)
         .build();

To access the bucket that is enabled for Transfer Acceleration, you must use a special endpoint. The URL can be generated using method transferAccelerationUrlForObject: 

 Bucket bucket = Bucket.Builder.create(this, "MyBucket")
         .transferAcceleration(true)
         .build();
 bucket.transferAccelerationUrlForObject("objectname");

Intelligent Tiering

Intelligent Tiering can be configured to automatically move files to glacier: 

 Bucket.Builder.create(this, "MyBucket")
         .intelligentTieringConfigurations(List.of(IntelligentTieringConfiguration.builder()
                 .name("foo")
                 .prefix("folder/name")
                 .archiveAccessTierTime(Duration.days(90))
                 .deepArchiveAccessTierTime(Duration.days(180))
                 .tags(List.of(Tag.builder().key("tagname").value("tagvalue").build()))
                 .build()))
         .build();

Lifecycle Rule

Managing lifecycle can be configured transition or expiration actions. 

 Bucket bucket = Bucket.Builder.create(this, "MyBucket")
         .lifecycleRules(List.of(LifecycleRule.builder()
                 .abortIncompleteMultipartUploadAfter(Duration.minutes(30))
                 .enabled(false)
                 .expiration(Duration.days(30))
                 .expirationDate(new Date())
                 .expiredObjectDeleteMarker(false)
                 .id("id")
                 .noncurrentVersionExpiration(Duration.days(30))
 
                 // the properties below are optional
                 .noncurrentVersionsToRetain(123)
                 .noncurrentVersionTransitions(List.of(NoncurrentVersionTransition.builder()
                         .storageClass(StorageClass.GLACIER)
                         .transitionAfter(Duration.days(30))
 
                         // the properties below are optional
                         .noncurrentVersionsToRetain(123)
                         .build()))
                 .objectSizeGreaterThan(500)
                 .prefix("prefix")
                 .objectSizeLessThan(10000)
                 .transitions(List.of(Transition.builder()
                         .storageClass(StorageClass.GLACIER)
 
                         // the properties below are optional
                         .transitionAfter(Duration.days(30))
                         .transitionDate(new Date())
                         .build()))
                 .build()))
         .build();

To indicate which default minimum object size behavior is applied to the lifecycle configuration, use the transitionDefaultMinimumObjectSize property.

The default value of the property before September 2024 is TransitionDefaultMinimumObjectSize.VARIES_BY_STORAGE_CLASS that allows objects smaller than 128 KB to be transitioned only to the S3 Glacier and S3 Glacier Deep Archive storage classes, otherwise TransitionDefaultMinimumObjectSize.ALL_STORAGE_CLASSES_128_K that prevents objects smaller than 128 KB from being transitioned to any storage class.

To customize the minimum object size for any transition you can add a filter that specifies a custom objectSizeGreaterThan or objectSizeLessThan for lifecycleRules property. Custom filters always take precedence over the default transition behavior. 

 Bucket.Builder.create(this, "MyBucket")
         .transitionDefaultMinimumObjectSize(TransitionDefaultMinimumObjectSize.VARIES_BY_STORAGE_CLASS)
         .lifecycleRules(List.of(LifecycleRule.builder()
                 .transitions(List.of(Transition.builder()
                         .storageClass(StorageClass.DEEP_ARCHIVE)
                         .transitionAfter(Duration.days(30))
                         .build()))
                 .build(), LifecycleRule.builder()
                 .objectSizeLessThan(300000)
                 .objectSizeGreaterThan(200000)
                 .transitions(List.of(Transition.builder()
                         .storageClass(StorageClass.ONE_ZONE_INFREQUENT_ACCESS)
                         .transitionAfter(Duration.days(30))
                         .build()))
                 .build()))
         .build();

Object Lock Configuration

Object Lock can be configured to enable a write-once-read-many model for an S3 bucket. Object Lock must be configured when a bucket is created; if a bucket is created without Object Lock, it cannot be enabled later via the CDK.

Object Lock can be enabled on an S3 bucket by specifying: 

 Bucket bucket = Bucket.Builder.create(this, "MyBucket")
         .objectLockEnabled(true)
         .build();

Usually, it is desired to not just enable Object Lock for a bucket but to also configure a retention mode and a retention period. These can be specified by providing objectLockDefaultRetention: 

 // Configure for governance mode with a duration of 7 years
 // Configure for governance mode with a duration of 7 years
 Bucket.Builder.create(this, "Bucket1")
         .objectLockDefaultRetention(ObjectLockRetention.governance(Duration.days(7 * 365)))
         .build();
 
 // Configure for compliance mode with a duration of 1 year
 // Configure for compliance mode with a duration of 1 year
 Bucket.Builder.create(this, "Bucket2")
         .objectLockDefaultRetention(ObjectLockRetention.compliance(Duration.days(365)))
         .build();