BucketProps

class aws_cdk.aws_s3.BucketProps(*, access_control=None, auto_delete_objects=None, block_public_access=None, bucket_key_enabled=None, bucket_name=None, cors=None, encryption=None, encryption_key=None, enforce_ssl=None, event_bridge_enabled=None, intelligent_tiering_configurations=None, inventories=None, lifecycle_rules=None, metrics=None, minimum_tls_version=None, notifications_handler_role=None, notifications_skip_destination_validation=None, object_lock_default_retention=None, object_lock_enabled=None, object_ownership=None, public_read_access=None, removal_policy=None, server_access_logs_bucket=None, server_access_logs_prefix=None, target_object_key_format=None, transfer_acceleration=None, transition_default_minimum_object_size=None, versioned=None, website_error_document=None, website_index_document=None, website_redirect=None, website_routing_rules=None)

Bases: object

Parameters:

  • access_control (Optional[BucketAccessControl]) – Specifies a canned ACL that grants predefined permissions to the bucket. Default: BucketAccessControl.PRIVATE

  • auto_delete_objects (Optional[bool]) – Whether all objects should be automatically deleted when the bucket is removed from the stack or when the stack is deleted. Requires the removalPolicy to be set to RemovalPolicy.DESTROY. Warning if you have deployed a bucket with autoDeleteObjects: true, switching this to false in a CDK version before 1.126.0 will lead to all objects in the bucket being deleted. Be sure to update your bucket resources by deploying with CDK version 1.126.0 or later before switching this value to false. Setting autoDeleteObjects to true on a bucket will add s3:PutBucketPolicy to the bucket policy. This is because during bucket deletion, the custom resource provider needs to update the bucket policy by adding a deny policy for s3:PutObject to prevent race conditions with external bucket writers. Default: false

  • block_public_access (Optional[BlockPublicAccess]) – The block public access configuration of this bucket. Default: - CloudFormation defaults will apply. New buckets and objects don’t allow public access, but users can modify bucket policies or object permissions to allow public access

  • bucket_key_enabled (Optional[bool]) – Whether Amazon S3 should use its own intermediary key to generate data keys. Only relevant when using KMS for encryption. - If not enabled, every object GET and PUT will cause an API call to KMS (with the attendant cost implications of that). - If enabled, S3 will use its own time-limited key instead. Only relevant, when Encryption is not set to BucketEncryption.UNENCRYPTED. Default: - false

  • bucket_name (Optional[str]) – Physical name of this bucket. Default: - Assigned by CloudFormation (recommended).

  • cors (Optional[Sequence[Union[CorsRule, Dict[str, Any]]]]) – The CORS configuration of this bucket. Default: - No CORS configuration.

  • encryption (Optional[BucketEncryption]) – The kind of server-side encryption to apply to this bucket. If you choose KMS, you can specify a KMS key via encryptionKey. If encryption key is not specified, a key will automatically be created. Default: - KMS if encryptionKey is specified, or UNENCRYPTED otherwise. But if UNENCRYPTED is specified, the bucket will be encrypted as S3_MANAGED automatically.

  • encryption_key (Optional[IKey]) – External KMS key to use for bucket encryption. The encryption property must be either not specified or set to KMS or DSSE. An error will be emitted if encryption is set to UNENCRYPTED or S3_MANAGED. Default: - If encryption is set to KMS and this property is undefined, a new KMS key will be created and associated with this bucket.

  • enforce_ssl (Optional[bool]) – Enforces SSL for requests. S3.5 of the AWS Foundational Security Best Practices Regarding S3. Default: false

  • event_bridge_enabled (Optional[bool]) – Whether this bucket should send notifications to Amazon EventBridge or not. Default: false

  • intelligent_tiering_configurations (Optional[Sequence[Union[IntelligentTieringConfiguration, Dict[str, Any]]]]) – Inteligent Tiering Configurations. Default: No Intelligent Tiiering Configurations.

  • inventories (Optional[Sequence[Union[Inventory, Dict[str, Any]]]]) – The inventory configuration of the bucket. Default: - No inventory configuration

  • lifecycle_rules (Optional[Sequence[Union[LifecycleRule, Dict[str, Any]]]]) – Rules that define how Amazon S3 manages objects during their lifetime. Default: - No lifecycle rules.

  • metrics (Optional[Sequence[Union[BucketMetrics, Dict[str, Any]]]]) – The metrics configuration of this bucket. Default: - No metrics configuration.

  • minimum_tls_version (Union[int, float, None]) – Enforces minimum TLS version for requests. Requires enforceSSL to be enabled. Default: No minimum TLS version is enforced.

  • notifications_handler_role (Optional[IRole]) – The role to be used by the notifications handler. Default: - a new role will be created.

  • notifications_skip_destination_validation (Optional[bool]) – Skips notification validation of Amazon SQS, Amazon SNS, and Lambda destinations. Default: false

  • object_lock_default_retention (Optional[ObjectLockRetention]) – The default retention mode and rules for S3 Object Lock. Default retention can be configured after a bucket is created if the bucket already has object lock enabled. Enabling object lock for existing buckets is not supported. Default: no default retention period

  • object_lock_enabled (Optional[bool]) – Enable object lock on the bucket. Enabling object lock for existing buckets is not supported. Object lock must be enabled when the bucket is created. Default: false, unless objectLockDefaultRetention is set (then, true)

  • object_ownership (Optional[ObjectOwnership]) – The objectOwnership of the bucket. Default: - No ObjectOwnership configuration. By default, Amazon S3 sets Object Ownership to Bucket owner enforced. This means ACLs are disabled and the bucket owner will own every object.

  • public_read_access (Optional[bool]) – Grants public read access to all objects in the bucket. Similar to calling bucket.grantPublicAccess() Default: false

  • removal_policy (Optional[RemovalPolicy]) – Policy to apply when the bucket is removed from this stack. Default: - The bucket will be orphaned.

  • server_access_logs_bucket (Optional[IBucket]) – Destination bucket for the server access logs. Default: - If “serverAccessLogsPrefix” undefined - access logs disabled, otherwise - log to current bucket.

  • server_access_logs_prefix (Optional[str]) – Optional log file prefix to use for the bucket’s access logs. If defined without “serverAccessLogsBucket”, enables access logs to current bucket with this prefix. Default: - No log file prefix

  • target_object_key_format (Optional[TargetObjectKeyFormat]) – Optional key format for log objects. Default: - the default key format is: [DestinationPrefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]

  • transfer_acceleration (Optional[bool]) – Whether this bucket should have transfer acceleration turned on or not. Default: false

  • transition_default_minimum_object_size (Optional[TransitionDefaultMinimumObjectSize]) – Indicates which default minimum object size behavior is applied to the lifecycle configuration. To customize the minimum object size for any transition you can add a filter that specifies a custom objectSizeGreaterThan or objectSizeLessThan for lifecycleRules property. Custom filters always take precedence over the default transition behavior. Default: - TransitionDefaultMinimumObjectSize.VARIES_BY_STORAGE_CLASS before September 2024, otherwise TransitionDefaultMinimumObjectSize.ALL_STORAGE_CLASSES_128_K.

  • versioned (Optional[bool]) – Whether this bucket should have versioning turned on or not. Default: false (unless object lock is enabled, then true)

  • website_error_document (Optional[str]) – The name of the error document (e.g. “404.html”) for the website. websiteIndexDocument must also be set if this is set. Default: - No error document.

  • website_index_document (Optional[str]) – The name of the index document (e.g. “index.html”) for the website. Enables static website hosting for this bucket. Default: - No index document.

  • website_redirect (Union[RedirectTarget, Dict[str, Any], None]) – Specifies the redirect behavior of all requests to a website endpoint of a bucket. If you specify this property, you can’t specify “websiteIndexDocument”, “websiteErrorDocument” nor , “websiteRoutingRules”. Default: - No redirection.

  • website_routing_rules (Optional[Sequence[Union[RoutingRule, Dict[str, Any]]]]) – Rules that define when a redirect is applied and the redirect behavior. Default: - No redirection rules.

ExampleMetadata:

infused

Example:

import aws_cdk.aws_kms as kms


my_kms_key = kms.Key(self, "myKMSKey")
my_bucket = s3.Bucket(self, "mySSEKMSEncryptedBucket",
    encryption=s3.BucketEncryption.KMS,
    encryption_key=my_kms_key,
    object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED
)
cloudfront.Distribution(self, "myDist",
    default_behavior=cloudfront.BehaviorOptions(
        origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket)
    )
)

Attributes

access_control

Specifies a canned ACL that grants predefined permissions to the bucket.

Default:

BucketAccessControl.PRIVATE

auto_delete_objects

Whether all objects should be automatically deleted when the bucket is removed from the stack or when the stack is deleted.

Requires the removalPolicy to be set to RemovalPolicy.DESTROY.

Warning if you have deployed a bucket with autoDeleteObjects: true, switching this to false in a CDK version before 1.126.0 will lead to all objects in the bucket being deleted. Be sure to update your bucket resources by deploying with CDK version 1.126.0 or later before switching this value to false.

Setting autoDeleteObjects to true on a bucket will add s3:PutBucketPolicy to the bucket policy. This is because during bucket deletion, the custom resource provider needs to update the bucket policy by adding a deny policy for s3:PutObject to prevent race conditions with external bucket writers.

Default:

false

block_public_access

The block public access configuration of this bucket.

Default:

  • CloudFormation defaults will apply. New buckets and objects don’t allow public access, but users can modify bucket policies or object permissions to allow public access

See:

https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html

bucket_key_enabled

Whether Amazon S3 should use its own intermediary key to generate data keys.

Only relevant when using KMS for encryption.

  • If not enabled, every object GET and PUT will cause an API call to KMS (with the attendant cost implications of that).

  • If enabled, S3 will use its own time-limited key instead.

Only relevant, when Encryption is not set to BucketEncryption.UNENCRYPTED.

Default:

  • false

bucket_name

Physical name of this bucket.

Default:

  • Assigned by CloudFormation (recommended).

cors

The CORS configuration of this bucket.

Default:

  • No CORS configuration.

See:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-cors.html

encryption

The kind of server-side encryption to apply to this bucket.

If you choose KMS, you can specify a KMS key via encryptionKey. If encryption key is not specified, a key will automatically be created.

Default:

  • KMS if encryptionKey is specified, or UNENCRYPTED otherwise.

But if UNENCRYPTED is specified, the bucket will be encrypted as S3_MANAGED automatically.

encryption_key

External KMS key to use for bucket encryption.

The encryption property must be either not specified or set to KMS or DSSE. An error will be emitted if encryption is set to UNENCRYPTED or S3_MANAGED.

Default:

  • If encryption is set to KMS and this property is undefined,

a new KMS key will be created and associated with this bucket.

enforce_ssl

Enforces SSL for requests.

S3.5 of the AWS Foundational Security Best Practices Regarding S3.

Default:

false

See:

https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html

event_bridge_enabled

Whether this bucket should send notifications to Amazon EventBridge or not.

Default:

false

intelligent_tiering_configurations

Inteligent Tiering Configurations.

Default:

No Intelligent Tiiering Configurations.

See:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/intelligent-tiering.html

inventories

The inventory configuration of the bucket.

Default:

  • No inventory configuration

See:

https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-inventory.html

lifecycle_rules

Rules that define how Amazon S3 manages objects during their lifetime.

Default:

  • No lifecycle rules.

metrics

The metrics configuration of this bucket.

Default:

  • No metrics configuration.

See:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-metricsconfiguration.html

minimum_tls_version

Enforces minimum TLS version for requests.

Requires enforceSSL to be enabled.

Default:

No minimum TLS version is enforced.

See:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html#example-object-tls-version

notifications_handler_role

The role to be used by the notifications handler.

Default:

  • a new role will be created.

notifications_skip_destination_validation

Skips notification validation of Amazon SQS, Amazon SNS, and Lambda destinations.

Default:

false

object_lock_default_retention

The default retention mode and rules for S3 Object Lock.

Default retention can be configured after a bucket is created if the bucket already has object lock enabled. Enabling object lock for existing buckets is not supported.

Default:

no default retention period

See:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-bucket-config-enable

object_lock_enabled

Enable object lock on the bucket.

Enabling object lock for existing buckets is not supported. Object lock must be enabled when the bucket is created.

Default:

false, unless objectLockDefaultRetention is set (then, true)

See:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-bucket-config-enable

object_ownership

The objectOwnership of the bucket.

Default:

  • No ObjectOwnership configuration. By default, Amazon S3 sets Object Ownership to Bucket owner enforced.

This means ACLs are disabled and the bucket owner will own every object.

See:

https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html

public_read_access

Grants public read access to all objects in the bucket.

Similar to calling bucket.grantPublicAccess()

Default:

false

removal_policy

Policy to apply when the bucket is removed from this stack.

Default:

  • The bucket will be orphaned.

server_access_logs_bucket

Destination bucket for the server access logs.

Default:

  • If “serverAccessLogsPrefix” undefined - access logs disabled, otherwise - log to current bucket.

server_access_logs_prefix

Optional log file prefix to use for the bucket’s access logs.

If defined without “serverAccessLogsBucket”, enables access logs to current bucket with this prefix.

Default:

  • No log file prefix

target_object_key_format

Optional key format for log objects.

Default:

  • the default key format is: [DestinationPrefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]

transfer_acceleration

Whether this bucket should have transfer acceleration turned on or not.

Default:

false

transition_default_minimum_object_size

Indicates which default minimum object size behavior is applied to the lifecycle configuration.

To customize the minimum object size for any transition you can add a filter that specifies a custom objectSizeGreaterThan or objectSizeLessThan for lifecycleRules property. Custom filters always take precedence over the default transition behavior.

Default:

  • TransitionDefaultMinimumObjectSize.VARIES_BY_STORAGE_CLASS before September 2024,

otherwise TransitionDefaultMinimumObjectSize.ALL_STORAGE_CLASSES_128_K.

versioned

Whether this bucket should have versioning turned on or not.

Default:

false (unless object lock is enabled, then true)

website_error_document

The name of the error document (e.g. “404.html”) for the website. websiteIndexDocument must also be set if this is set.

Default:

  • No error document.

website_index_document

The name of the index document (e.g. “index.html”) for the website. Enables static website hosting for this bucket.

Default:

  • No index document.

website_redirect

Specifies the redirect behavior of all requests to a website endpoint of a bucket.

If you specify this property, you can’t specify “websiteIndexDocument”, “websiteErrorDocument” nor , “websiteRoutingRules”.

Default:

  • No redirection.

website_routing_rules

Rules that define when a redirect is applied and the redirect behavior.

Default:

  • No redirection rules.