PolicyStatementProps

class aws_cdk.aws_iam.PolicyStatementProps(*, actions=None, conditions=None, effect=None, not_actions=None, not_principals=None, not_resources=None, principals=None, resources=None, sid=None)

Bases: object

Interface for creating a policy statement.

Parameters:

  • actions (Optional[Sequence[str]]) – List of actions to add to the statement. Default: - no actions

  • conditions (Optional[Mapping[str, Any]]) – Conditions to add to the statement. Default: - no condition

  • effect (Optional[Effect]) – Whether to allow or deny the actions in this statement. Default: Effect.ALLOW

  • not_actions (Optional[Sequence[str]]) – List of not actions to add to the statement. Default: - no not-actions

  • not_principals (Optional[Sequence[IPrincipal]]) – List of not principals to add to the statement. Default: - no not principals

  • not_resources (Optional[Sequence[str]]) – NotResource ARNs to add to the statement. Default: - no not-resources

  • principals (Optional[Sequence[IPrincipal]]) – List of principals to add to the statement. Default: - no principals

  • resources (Optional[Sequence[str]]) – Resource ARNs to add to the statement. Default: - no resources

  • sid (Optional[str]) – The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document’s ID. In IAM, the Sid value must be unique within a JSON policy. Default: - no sid

ExampleMetadata:

infused

Example:

access_logs_bucket = s3.Bucket(self, "AccessLogsBucket",
    object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED
)

access_logs_bucket.add_to_resource_policy(
    iam.PolicyStatement(
        actions=["s3:*"],
        resources=[access_logs_bucket.bucket_arn, access_logs_bucket.arn_for_objects("*")],
        principals=[iam.AnyPrincipal()]
    ))

bucket = s3.Bucket(self, "MyBucket",
    server_access_logs_bucket=access_logs_bucket,
    server_access_logs_prefix="logs"
)

Attributes

actions

List of actions to add to the statement.

Default:

  • no actions

conditions

Conditions to add to the statement.

Default:

  • no condition

effect

Whether to allow or deny the actions in this statement.

Default:

Effect.ALLOW

not_actions

List of not actions to add to the statement.

Default:

  • no not-actions

not_principals

List of not principals to add to the statement.

Default:

  • no not principals

not_resources

NotResource ARNs to add to the statement.

Default:

  • no not-resources

principals

List of principals to add to the statement.

Default:

  • no principals

resources

Resource ARNs to add to the statement.

Default:

  • no resources

sid

The Sid (statement ID) is an optional identifier that you provide for the policy statement.

You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document’s ID. In IAM, the Sid value must be unique within a JSON policy.

Default:

  • no sid