aws-cdk-lib

import { Construct } from 'constructs'; import { BucketPolicy } from './bucket-policy'; import { IBucketNotificationDestination } from './destination'; import { LifecycleRule, StorageClass } from './rule'; import { CfnBucket } from './s3.generated'; import * as events from '../../aws-events'; import * as iam from '../../aws-iam'; import * as kms from '../../aws-kms'; import { Duration, IResource, RemovalPolicy, Resource, ResourceProps } from '../../core'; export interface IBucket extends IResource { /** * The ARN of the bucket. * @attribute */ readonly bucketArn: string; /** * The name of the bucket. * @attribute */ readonly bucketName: string; /** * The URL of the static website. * @attribute */ readonly bucketWebsiteUrl: string; /** * The Domain name of the static website. * @attribute */ readonly bucketWebsiteDomainName: string; /** * The IPv4 DNS name of the specified bucket. * @attribute */ readonly bucketDomainName: string; /** * The IPv6 DNS name of the specified bucket. * @attribute */ readonly bucketDualStackDomainName: string; /** * The regional domain name of the specified bucket. * @attribute */ readonly bucketRegionalDomainName: string; /** * If this bucket has been configured for static website hosting. */ readonly isWebsite?: boolean; /** * Optional KMS encryption key associated with this bucket. */ readonly encryptionKey?: kms.IKey; /** * The resource policy associated with this bucket. * * If `autoCreatePolicy` is true, a `BucketPolicy` will be created upon the * first call to addToResourcePolicy(s). */ policy?: BucketPolicy; /** * Role used to set up permissions on this bucket for replication */ replicationRoleArn?: string; /** * Adds a statement to the resource policy for a principal (i.e. * account/role/service) to perform actions on this bucket and/or its * contents. Use `bucketArn` and `arnForObjects(keys)` to obtain ARNs for * this bucket or objects. * * Note that the policy statement may or may not be added to the policy. * For example, when an `IBucket` is created from an existing bucket, * it's not possible to tell whether the bucket already has a policy * attached, let alone to re-use that policy to add more statements to it. * So it's safest to do nothing in these cases. * * @param permission the policy statement to be added to the bucket's * policy. * @returns metadata about the execution of this method. If the policy * was not added, the value of `statementAdded` will be `false`. You * should always check this value to make sure that the operation was * actually carried out. Otherwise, synthesis and deploy will terminate * silently, which may be confusing. */ addToResourcePolicy(permission: iam.PolicyStatement): iam.AddToResourcePolicyResult; /** * The https URL of an S3 object. For example: * * - `https://s3.us-west-1.amazonaws.com/onlybucket` * - `https://s3.us-west-1.amazonaws.com/bucket/key` * - `https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey` * @param key The S3 key of the object. If not specified, the URL of the * bucket is returned. * @returns an ObjectS3Url token */ urlForObject(key?: string): string; /** * The https Transfer Acceleration URL of an S3 object. Specify `dualStack: true` at the options * for dual-stack endpoint (connect to the bucket over IPv6). For example: * * - `https://bucket.s3-accelerate.amazonaws.com` * - `https://bucket.s3-accelerate.amazonaws.com/key` * * @param key The S3 key of the object. If not specified, the URL of the * bucket is returned. * @param options Options for generating URL. * @returns an TransferAccelerationUrl token */ transferAccelerationUrlForObject(key?: string, options?: TransferAccelerationUrlOptions): string; /** * The virtual hosted-style URL of an S3 object. Specify `regional: false` at * the options for non-regional URL. For example: * * - `https://only-bucket.s3.us-west-1.amazonaws.com` * - `https://bucket.s3.us-west-1.amazonaws.com/key` * - `https://bucket.s3.amazonaws.com/key` * - `https://china-bucket.s3.cn-north-1.amazonaws.com.cn/mykey` * @param key The S3 key of the object. If not specified, the URL of the * bucket is returned. * @param options Options for generating URL. * @returns an ObjectS3Url token */ virtualHostedUrlForObject(key?: string, options?: VirtualHostedStyleUrlOptions): string; /** * The S3 URL of an S3 object. For example: * - `s3://onlybucket` * - `s3://bucket/key` * @param key The S3 key of the object. If not specified, the S3 URL of the * bucket is returned. * @returns an ObjectS3Url token */ s3UrlForObject(key?: string): string; /** * Returns an ARN that represents all objects within the bucket that match * the key pattern specified. To represent all keys, specify ``"*"``. */ arnForObjects(keyPattern: string): string; /** * Grant read permissions for this bucket and it's contents to an IAM * principal (Role/Group/User). * * If encryption is used, permission to use the key to decrypt the contents * of the bucket will also be granted to the same principal. * * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. */ grantRead(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant; /** * Grant write permissions to this bucket to an IAM principal. * * If encryption is used, permission to use the key to encrypt the contents * of written files will also be granted to the same principal. * * Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`, * which could be used to grant read/write object access to IAM principals in other accounts. * If you want to get rid of that behavior, update your CDK version to 1.85.0 or later, * and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true` * in the `context` key of your cdk.json file. * If you've already updated, but still need the principal to have permissions to modify the ACLs, * use the `grantPutAcl` method. * * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. * @param allowedActionPatterns Restrict the permissions to certain list of action patterns */ grantWrite(identity: iam.IGrantable, objectsKeyPattern?: any, allowedActionPatterns?: string[]): iam.Grant; /** * Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal. * * If encryption is used, permission to use the key to encrypt the contents * of written files will also be granted to the same principal. * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. */ grantPut(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant; /** * Grant the given IAM identity permissions to modify the ACLs of objects in the given Bucket. * * If your application has the '@aws-cdk/aws-s3:grantWriteWithoutAcl' feature flag set, * calling `grantWrite` or `grantReadWrite` no longer grants permissions to modify the ACLs of the objects; * in this case, if you need to modify object ACLs, call this method explicitly. * * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*') */ grantPutAcl(identity: iam.IGrantable, objectsKeyPattern?: string): iam.Grant; /** * Grants s3:DeleteObject* permission to an IAM principal for objects * in this bucket. * * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. */ grantDelete(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant; /** * Grants read/write permissions for this bucket and it's contents to an IAM * principal (Role/Group/User). * * If an encryption key is used, permission to use the key for * encrypt/decrypt will also be granted. * * Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`, * which could be used to grant read/write object access to IAM principals in other accounts. * If you want to get rid of that behavior, update your CDK version to 1.85.0 or later, * and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true` * in the `context` key of your cdk.json file. * If you've already updated, but still need the principal to have permissions to modify the ACLs, * use the `grantPutAcl` method. * * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. */ grantReadWrite(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant; /** * Allows unrestricted access to objects from this bucket. * * IMPORTANT: This permission allows anyone to perform actions on S3 objects * in this bucket, which is useful for when you configure your bucket as a * website and want everyone to be able to read objects in the bucket without * needing to authenticate. * * Without arguments, this method will grant read ("s3:GetObject") access to * all objects ("*") in the bucket. * * The method returns the `iam.Grant` object, which can then be modified * as needed. For example, you can add a condition that will restrict access only * to an IPv4 range like this: * * const grant = bucket.grantPublicAccess(); * grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” }); * * * @param keyPrefix the prefix of S3 object keys (e.g. `home/*`). Default is "*". * @param allowedActions the set of S3 actions to allow. Default is "s3:GetObject". * @returns The `iam.PolicyStatement` object, which can be used to apply e.g. conditions. */ grantPublicAccess(keyPrefix?: string, ...allowedActions: string[]): iam.Grant; /** * Defines a CloudWatch event that triggers when something happens to this bucket * * Requires that there exists at least one CloudTrail Trail in your account * that captures the event. This method will not create the Trail. * * @param id The id of the rule * @param options Options for adding the rule */ onCloudTrailEvent(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule; /** * Defines an AWS CloudWatch event that triggers when an object is uploaded * to the specified paths (keys) in this bucket using the PutObject API call. * * Note that some tools like `aws s3 cp` will automatically use either * PutObject or the multipart upload API depending on the file size, * so using `onCloudTrailWriteObject` may be preferable. * * Requires that there exists at least one CloudTrail Trail in your account * that captures the event. This method will not create the Trail. * * @param id The id of the rule * @param options Options for adding the rule */ onCloudTrailPutObject(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule; /** * Defines an AWS CloudWatch event that triggers when an object at the * specified paths (keys) in this bucket are written to. This includes * the events PutObject, CopyObject, and CompleteMultipartUpload. * * Note that some tools like `aws s3 cp` will automatically use either * PutObject or the multipart upload API depending on the file size, * so using this method may be preferable to `onCloudTrailPutObject`. * * Requires that there exists at least one CloudTrail Trail in your account * that captures the event. This method will not create the Trail. * * @param id The id of the rule * @param options Options for adding the rule */ onCloudTrailWriteObject(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule; /** * Adds a bucket notification event destination. * @param event The event to trigger the notification * @param dest The notification destination (Lambda, SNS Topic or SQS Queue) * * @param filters S3 object key filter rules to determine which objects * trigger this event. Each filter must include a `prefix` and/or `suffix` * that will be matched against the s3 object key. Refer to the S3 Developer Guide * for details about allowed filter rules. * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html#notification-how-to-filtering * * @example * * declare const myLambda: lambda.Function; * const bucket = new s3.Bucket(this, 'MyBucket'); * bucket.addEventNotification(s3.EventType.OBJECT_CREATED, new s3n.LambdaDestination(myLambda), {prefix: 'home/myusername/*'}) * * @see * https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html */ addEventNotification(event: EventType, dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void; /** * Subscribes a destination to receive notifications when an object is * created in the bucket. This is identical to calling * `onEvent(s3.EventType.OBJECT_CREATED)`. * * @param dest The notification destination (see onEvent) * @param filters Filters (see onEvent) */ addObjectCreatedNotification(dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void; /** * Subscribes a destination to receive notifications when an object is * removed from the bucket. This is identical to calling * `onEvent(EventType.OBJECT_REMOVED)`. * * @param dest The notification destination (see onEvent) * @param filters Filters (see onEvent) */ addObjectRemovedNotification(dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void; /** * Enables event bridge notification, causing all events below to be sent to EventBridge: * * - Object Deleted (DeleteObject) * - Object Deleted (Lifecycle expiration) * - Object Restore Initiated * - Object Restore Completed * - Object Restore Expired * - Object Storage Class Changed * - Object Access Tier Changed * - Object ACL Updated * - Object Tags Added * - Object Tags Deleted */ enableEventBridgeNotification(): void; /** * Function to add required permissions to the destination bucket for cross account * replication. These permissions will be added as a resource based policy on the bucket. * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html * If owner of the bucket needs to be overridden, set accessControlTransition to true and provide * account ID in which destination bucket is hosted. For more information on accessControlTransition * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-accesscontroltranslation.html */ addReplicationPolicy(roleArn: string, accessControlTransition?: boolean, account?: string): void; } /** * A reference to a bucket outside this stack */ export interface BucketAttributes { /** * The ARN of the bucket. At least one of bucketArn or bucketName must be * defined in order to initialize a bucket ref. */ readonly bucketArn?: string; /** * The name of the bucket. If the underlying value of ARN is a string, the * name will be parsed from the ARN. Otherwise, the name is optional, but * some features that require the bucket name such as auto-creating a bucket * policy, won't work. */ readonly bucketName?: string; /** * The domain name of the bucket. * * @default - Inferred from bucket name */ readonly bucketDomainName?: string; /** * The website URL of the bucket (if static web hosting is enabled). * * @default - Inferred from bucket name and region */ readonly bucketWebsiteUrl?: string; /** * The regional domain name of the specified bucket. */ readonly bucketRegionalDomainName?: string; /** * The IPv6 DNS name of the specified bucket. */ readonly bucketDualStackDomainName?: string; /** * Force the format of the website URL of the bucket. This should be true for * regions launched since 2014. * * @default - inferred from available region information, `false` otherwise * * @deprecated The correct website url format can be inferred automatically from the bucket `region`. * Always provide the bucket region if the `bucketWebsiteUrl` will be used. * Alternatively provide the full `bucketWebsiteUrl` manually. */ readonly bucketWebsiteNewUrlFormat?: boolean; /** * KMS encryption key associated with this bucket. * * @default - no encryption key */ readonly encryptionKey?: kms.IKey; /** * If this bucket has been configured for static website hosting. * * @default false */ readonly isWebsite?: boolean; /** * The account this existing bucket belongs to. * * @default - it's assumed the bucket belongs to the same account as the scope it's being imported into */ readonly account?: string; /** * The region this existing bucket is in. * Features that require the region (e.g. `bucketWebsiteUrl`) won't fully work * if the region cannot be correctly inferred. * * @default - it's assumed the bucket is in the same region as the scope it's being imported into */ readonly region?: string; /** * The role to be used by the notifications handler * * @default - a new role will be created. */ readonly notificationsHandlerRole?: iam.IRole; } /** * Represents an S3 Bucket. * * Buckets can be either defined within this stack: * * new Bucket(this, 'MyBucket', { props }); * * Or imported from an existing bucket: * * Bucket.import(this, 'MyImportedBucket', { bucketArn: ... }); * * You can also export a bucket and import it into another stack: * * const ref = myBucket.export(); * Bucket.import(this, 'MyImportedBucket', ref); * */ export declare abstract class BucketBase extends Resource implements IBucket { abstract readonly bucketArn: string; abstract readonly bucketName: string; abstract readonly bucketDomainName: string; abstract readonly bucketWebsiteUrl: string; abstract readonly bucketWebsiteDomainName: string; abstract readonly bucketRegionalDomainName: string; abstract readonly bucketDualStackDomainName: string; /** * Optional KMS encryption key associated with this bucket. */ abstract readonly encryptionKey?: kms.IKey; /** * If this bucket has been configured for static website hosting. */ abstract readonly isWebsite?: boolean; /** * The resource policy associated with this bucket. * * If `autoCreatePolicy` is true, a `BucketPolicy` will be created upon the * first call to addToResourcePolicy(s). */ abstract policy?: BucketPolicy; /** * Role used to set up permissions on this bucket for replication */ abstract replicationRoleArn?: string; /** * Indicates if a bucket resource policy should automatically created upon * the first call to `addToResourcePolicy`. */ protected abstract autoCreatePolicy: boolean; /** * Whether to disallow public access */ protected abstract disallowPublicAccess?: boolean; private notifications?; protected notificationsHandlerRole?: iam.IRole; protected notificationsSkipDestinationValidation?: boolean; protected objectOwnership?: ObjectOwnership; constructor(scope: Construct, id: string, props?: ResourceProps); /** * Define a CloudWatch event that triggers when something happens to this repository * * Requires that there exists at least one CloudTrail Trail in your account * that captures the event. This method will not create the Trail. * * @param id The id of the rule * @param options Options for adding the rule */ onCloudTrailEvent(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule; /** * Defines an AWS CloudWatch event that triggers when an object is uploaded * to the specified paths (keys) in this bucket using the PutObject API call. * * Note that some tools like `aws s3 cp` will automatically use either * PutObject or the multipart upload API depending on the file size, * so using `onCloudTrailWriteObject` may be preferable. * * Requires that there exists at least one CloudTrail Trail in your account * that captures the event. This method will not create the Trail. * * @param id The id of the rule * @param options Options for adding the rule */ onCloudTrailPutObject(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule; /** * Defines an AWS CloudWatch event that triggers when an object at the * specified paths (keys) in this bucket are written to. This includes * the events PutObject, CopyObject, and CompleteMultipartUpload. * * Note that some tools like `aws s3 cp` will automatically use either * PutObject or the multipart upload API depending on the file size, * so using this method may be preferable to `onCloudTrailPutObject`. * * Requires that there exists at least one CloudTrail Trail in your account * that captures the event. This method will not create the Trail. * * @param id The id of the rule * @param options Options for adding the rule */ onCloudTrailWriteObject(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule; /** * Adds a statement to the resource policy for a principal (i.e. * account/role/service) to perform actions on this bucket and/or its * contents. Use `bucketArn` and `arnForObjects(keys)` to obtain ARNs for * this bucket or objects. * * Note that the policy statement may or may not be added to the policy. * For example, when an `IBucket` is created from an existing bucket, * it's not possible to tell whether the bucket already has a policy * attached, let alone to re-use that policy to add more statements to it. * So it's safest to do nothing in these cases. * * @param permission the policy statement to be added to the bucket's * policy. * @returns metadata about the execution of this method. If the policy * was not added, the value of `statementAdded` will be `false`. You * should always check this value to make sure that the operation was * actually carried out. Otherwise, synthesis and deploy will terminate * silently, which may be confusing. */ addToResourcePolicy(permission: iam.PolicyStatement): iam.AddToResourcePolicyResult; /** * The https URL of an S3 object. Specify `regional: false` at the options * for non-regional URLs. For example: * * - `https://s3.us-west-1.amazonaws.com/onlybucket` * - `https://s3.us-west-1.amazonaws.com/bucket/key` * - `https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey` * * @param key The S3 key of the object. If not specified, the URL of the * bucket is returned. * @returns an ObjectS3Url token */ urlForObject(key?: string): string; /** * The https Transfer Acceleration URL of an S3 object. Specify `dualStack: true` at the options * for dual-stack endpoint (connect to the bucket over IPv6). For example: * * - `https://bucket.s3-accelerate.amazonaws.com` * - `https://bucket.s3-accelerate.amazonaws.com/key` * * @param key The S3 key of the object. If not specified, the URL of the * bucket is returned. * @param options Options for generating URL. * @returns an TransferAccelerationUrl token */ transferAccelerationUrlForObject(key?: string, options?: TransferAccelerationUrlOptions): string; /** * The virtual hosted-style URL of an S3 object. Specify `regional: false` at * the options for non-regional URL. For example: * * - `https://only-bucket.s3.us-west-1.amazonaws.com` * - `https://bucket.s3.us-west-1.amazonaws.com/key` * - `https://bucket.s3.amazonaws.com/key` * - `https://china-bucket.s3.cn-north-1.amazonaws.com.cn/mykey` * * @param key The S3 key of the object. If not specified, the URL of the * bucket is returned. * @param options Options for generating URL. * @returns an ObjectS3Url token */ virtualHostedUrlForObject(key?: string, options?: VirtualHostedStyleUrlOptions): string; /** * The S3 URL of an S3 object. For example: * * - `s3://onlybucket` * - `s3://bucket/key` * * @param key The S3 key of the object. If not specified, the S3 URL of the * bucket is returned. * @returns an ObjectS3Url token */ s3UrlForObject(key?: string): string; /** * Returns an ARN that represents all objects within the bucket that match * the key pattern specified. To represent all keys, specify ``"*"``. * * If you need to specify a keyPattern with multiple components, concatenate them into a single string, e.g.: * * arnForObjects(`home/${team}/${user}/*`) * */ arnForObjects(keyPattern: string): string; /** * Grant read permissions for this bucket and it's contents to an IAM * principal (Role/Group/User). * * If encryption is used, permission to use the key to decrypt the contents * of the bucket will also be granted to the same principal. * * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. */ grantRead(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant; grantWrite(identity: iam.IGrantable, objectsKeyPattern?: any, allowedActionPatterns?: string[]): iam.Grant; /** * Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal. * * If encryption is used, permission to use the key to encrypt the contents * of written files will also be granted to the same principal. * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. */ grantPut(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant; grantPutAcl(identity: iam.IGrantable, objectsKeyPattern?: string): iam.Grant; /** * Grants s3:DeleteObject* permission to an IAM principal for objects * in this bucket. * * @param identity The principal * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in. */ grantDelete(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant; grantReadWrite(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant; /** * Allows unrestricted access to objects from this bucket. * * IMPORTANT: This permission allows anyone to perform actions on S3 objects * in this bucket, which is useful for when you configure your bucket as a * website and want everyone to be able to read objects in the bucket without * needing to authenticate. * * Without arguments, this method will grant read ("s3:GetObject") access to * all objects ("*") in the bucket. * * The method returns the `iam.Grant` object, which can then be modified * as needed. For example, you can add a condition that will restrict access only * to an IPv4 range like this: * * const grant = bucket.grantPublicAccess(); * grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” }); * * Note that if this `IBucket` refers to an existing bucket, possibly not * managed by CloudFormation, this method will have no effect, since it's * impossible to modify the policy of an existing bucket. * * @param keyPrefix the prefix of S3 object keys (e.g. `home/*`). Default is "*". * @param allowedActions the set of S3 actions to allow. Default is "s3:GetObject". */ grantPublicAccess(keyPrefix?: string, ...allowedActions: string[]): iam.Grant; /** * Adds a bucket notification event destination. * @param event The event to trigger the notification * @param dest The notification destination (Lambda, SNS Topic or SQS Queue) * * @param filters S3 object key filter rules to determine which objects * trigger this event. Each filter must include a `prefix` and/or `suffix` * that will be matched against the s3 object key. Refer to the S3 Developer Guide * for details about allowed filter rules. * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html#notification-how-to-filtering * * @example * * declare const myLambda: lambda.Function; * const bucket = new s3.Bucket(this, 'MyBucket'); * bucket.addEventNotification(s3.EventType.OBJECT_CREATED, new s3n.LambdaDestination(myLambda), {prefix: 'home/myusername/*'}); * * @see * https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html */ addEventNotification(event: EventType, dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void; private withNotifications; /** * Subscribes a destination to receive notifications when an object is * created in the bucket. This is identical to calling * `onEvent(EventType.OBJECT_CREATED)`. * * @param dest The notification destination (see onEvent) * @param filters Filters (see onEvent) */ addObjectCreatedNotification(dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void; /** * Subscribes a destination to receive notifications when an object is * removed from the bucket. This is identical to calling * `onEvent(EventType.OBJECT_REMOVED)`. * * @param dest The notification destination (see onEvent) * @param filters Filters (see onEvent) */ addObjectRemovedNotification(dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void; /** * Enables event bridge notification, causing all events below to be sent to EventBridge: * * - Object Deleted (DeleteObject) * - Object Deleted (Lifecycle expiration) * - Object Restore Initiated * - Object Restore Completed * - Object Restore Expired * - Object Storage Class Changed * - Object Access Tier Changed * - Object ACL Updated * - Object Tags Added * - Object Tags Deleted */ enableEventBridgeNotification(): void; /** * Function to add required permissions to the destination bucket for cross account * replication. These permissions will be added as a resource based policy on the bucket * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html * If owner of the bucket needs to be overridden, set accessControlTransition to true and provide * account ID in which destination bucket is hosted. For more information on accessControlTransition * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-accesscontroltranslation.html */ addReplicationPolicy(roleArn: string, accessControlTransition?: boolean, account?: string): void; private get writeActions(); private get putActions(); private urlJoin; private grant; } export interface BlockPublicAccessOptions { /** * Whether to block public ACLs * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options */ readonly blockPublicAcls?: boolean; /** * Whether to block public policy * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options */ readonly blockPublicPolicy?: boolean; /** * Whether to ignore public ACLs * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options */ readonly ignorePublicAcls?: boolean; /** * Whether to restrict public access * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options */ readonly restrictPublicBuckets?: boolean; } export declare class BlockPublicAccess { static readonly BLOCK_ALL: BlockPublicAccess; static readonly BLOCK_ACLS: BlockPublicAccess; blockPublicAcls: boolean | undefined; blockPublicPolicy: boolean | undefined; ignorePublicAcls: boolean | undefined; restrictPublicBuckets: boolean | undefined; constructor(options: BlockPublicAccessOptions); } /** * Specifies a metrics configuration for the CloudWatch request metrics from an Amazon S3 bucket. */ export interface BucketMetrics { /** * The ID used to identify the metrics configuration. */ readonly id: string; /** * The prefix that an object must have to be included in the metrics results. */ readonly prefix?: string; /** * Specifies a list of tag filters to use as a metrics configuration filter. * The metrics configuration includes only objects that meet the filter's criteria. */ readonly tagFilters?: { [tag: string]: any; }; } /** * All http request methods */ export declare enum HttpMethods { /** * The GET method requests a representation of the specified resource. */ GET = "GET", /** * The PUT method replaces all current representations of the target resource with the request payload. */ PUT = "PUT", /** * The HEAD method asks for a response identical to that of a GET request, but without the response body. */ HEAD = "HEAD", /** * The POST method is used to submit an entity to the specified resource, often causing a change in state or side effects on the server. */ POST = "POST", /** * The DELETE method deletes the specified resource. */ DELETE = "DELETE" } /** * Specifies a cross-origin access rule for an Amazon S3 bucket. */ export interface CorsRule { /** * A unique identifier for this rule. * * @default - No id specified. */ readonly id?: string; /** * The time in seconds that your browser is to cache the preflight response for the specified resource. * * @default - No caching. */ readonly maxAge?: number; /** * Headers that are specified in the Access-Control-Request-Headers header. * * @default - No headers allowed. */ readonly allowedHeaders?: string[]; /** * An HTTP method that you allow the origin to execute. */ readonly allowedMethods: HttpMethods[]; /** * One or more origins you want customers to be able to access the bucket from. */ readonly allowedOrigins: string[]; /** * One or more headers in the response that you want customers to be able to access from their applications. * * @default - No headers exposed. */ readonly exposedHeaders?: string[]; } /** * All http request methods */ export declare enum RedirectProtocol { HTTP = "http", HTTPS = "https" } /** * Specifies a redirect behavior of all requests to a website endpoint of a bucket. */ export interface RedirectTarget { /** * Name of the host where requests are redirected */ readonly hostName: string; /** * Protocol to use when redirecting requests * * @default - The protocol used in the original request. */ readonly protocol?: RedirectProtocol; } /** * All supported inventory list formats. */ export declare enum InventoryFormat { /** * Generate the inventory list as CSV. */ CSV = "CSV", /** * Generate the inventory list as Parquet. */ PARQUET = "Parquet", /** * Generate the inventory list as ORC. */ ORC = "ORC" } /** * All supported inventory frequencies. */ export declare enum InventoryFrequency { /** * A report is generated every day. */ DAILY = "Daily", /** * A report is generated every Sunday (UTC timezone) after the initial report. */ WEEKLY = "Weekly" } /** * Inventory version support. */ export declare enum InventoryObjectVersion { /** * Includes all versions of each object in the report. */ ALL = "All", /** * Includes only the current version of each object in the report. */ CURRENT = "Current" } /** * The destination of the inventory. */ export interface InventoryDestination { /** * Bucket where all inventories will be saved in. */ readonly bucket: IBucket; /** * The prefix to be used when saving the inventory. * * @default - No prefix. */ readonly prefix?: string; /** * The account ID that owns the destination S3 bucket. * If no account ID is provided, the owner is not validated before exporting data. * It's recommended to set an account ID to prevent problems if the destination bucket ownership changes. * * @default - No account ID. */ readonly bucketOwner?: string; } /** * Specifies the inventory configuration of an S3 Bucket. * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-inventory.html */ export interface Inventory { /** * The destination of the inventory. */ readonly destination: InventoryDestination; /** * The inventory will only include objects that meet the prefix filter criteria. * * @default - No objects prefix */ readonly objectsPrefix?: string; /** * The format of the inventory. * * @default InventoryFormat.CSV */ readonly format?: InventoryFormat; /** * Whether the inventory is enabled or disabled. * * @default true */ readonly enabled?: boolean; /** * The inventory configuration ID. * Should be limited to 64 characters and can only contain letters, numbers, periods, dashes, and underscores. * * @default - generated ID. */ readonly inventoryId?: string; /** * Frequency at which the inventory should be generated. * * @default InventoryFrequency.WEEKLY */ readonly frequency?: InventoryFrequency; /** * If the inventory should contain all the object versions or only the current one. * * @default InventoryObjectVersion.ALL */ readonly includeObjectVersions?: InventoryObjectVersion; /** * A list of optional fields to be included in the inventory result. * * @default - No optional fields. */ readonly optionalFields?: string[]; } /** * The ObjectOwnership of the bucket. * * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html * */ export declare enum ObjectOwnership { /** * ACLs are disabled, and the bucket owner automatically owns * and has full control over every object in the bucket. * ACLs no longer affect permissions to data in the S3 bucket. * The bucket uses policies to define access control. */ BUCKET_OWNER_ENFORCED = "BucketOwnerEnforced", /** * The bucket owner will own the object if the object is uploaded with * the bucket-owner-full-control canned ACL. Without this setting and * canned ACL, the object is uploaded and remains owned by the uploading account. */ BUCKET_OWNER_PREFERRED = "BucketOwnerPreferred", /** * The uploading account will own the object. */ OBJECT_WRITER = "ObjectWriter" } /** * The intelligent tiering configuration. */ export interface IntelligentTieringConfiguration { /** * Configuration name */ readonly name: string; /** * Add a filter to limit the scope of this configuration to a single prefix. * * @default this configuration will apply to **all** objects in the bucket. */ readonly prefix?: string; /** * You can limit the scope of this rule to the key value pairs added below. * * @default No filtering will be performed on tags */ readonly tags?: Tag[]; /** * When enabled, Intelligent-Tiering will automatically move objects that * haven’t been accessed for a minimum of 90 days to the Archive Access tier. * * @default Objects will not move to Glacier */ readonly archiveAccessTierTime?: Duration; /** * When enabled, Intelligent-Tiering will automatically move objects that * haven’t been accessed for a minimum of 180 days to the Deep Archive Access * tier. * * @default Objects will not move to Glacier Deep Access */ readonly deepArchiveAccessTierTime?: Duration; } /** * The date source for the partitioned prefix. */ export declare enum PartitionDateSource { /** * The year, month, and day will be based on the timestamp of the S3 event in the file that's been delivered. */ EVENT_TIME = "EventTime", /** * The year, month, and day will be based on the time when the log file was delivered to S3. */ DELIVERY_TIME = "DeliveryTime" } /** * The key format for the log object. */ export declare abstract class TargetObjectKeyFormat { /** * Use partitioned prefix for log objects. * If you do not specify the dateSource argument, the default is EventTime. * * The partitioned prefix format as follow: * [DestinationPrefix][SourceAccountId]/[SourceRegion]/[SourceBucket]/[YYYY]/[MM]/[DD]/[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString] */ static partitionedPrefix(dateSource?: PartitionDateSource): TargetObjectKeyFormat; /** * Use the simple prefix for log objects. * * The simple prefix format as follow: * [DestinationPrefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString] */ static simplePrefix(): TargetObjectKeyFormat; /** * Render the log object key format. * * @internal */ abstract _render(): CfnBucket.LoggingConfigurationProperty['targetObjectKeyFormat']; } /** * The replication time value used for S3 Replication Time Control (S3 RTC). */ export declare class ReplicationTimeValue { readonly minutes: number; /** * Fifteen minutes. */ static readonly FIFTEEN_MINUTES: ReplicationTimeValue; /** * @param minutes the time in minutes */ private constructor(); } /** * Specifies which Amazon S3 objects to replicate and where to store the replicas. */ export interface ReplicationRule { /** * The destination bucket for the replicated objects. * * The destination can be either in the same AWS account or a cross account. * * If you want to configure cross-account replication, * the destination bucket must have a policy that allows the source bucket to replicate objects to it. * * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html */ readonly destination: IBucket; /** * Whether to want to change replica ownership to the AWS account that owns the destination bucket. * * This can only be specified if the source bucket and the destination bucket are not in the same AWS account. * * @default - The replicas are owned by same AWS account that owns the source object */ readonly accessControlTransition?: boolean; /** * Specifying S3 Replication Time Control (S3 RTC), * including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated. * * @default - S3 Replication Time Control is not enabled */ readonly replicationTimeControl?: ReplicationTimeValue; /** * A container specifying replication metrics-related settings enabling replication metrics and events. * * When a value is set, metrics will be output to indicate whether the replication took longer than the specified time. * * @default - Replication metrics are not enabled */ readonly metrics?: ReplicationTimeValue; /** * The customer managed AWS KMS key stored in AWS Key Management Service (KMS) for the destination bucket. * Amazon S3 uses this key to encrypt replica objects. * * Amazon S3 only supports symmetric encryption KMS keys. * * @see https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html * * @default - Amazon S3 uses the AWS managed KMS key for encryption */ readonly kmsKey?: kms.IKey; /** * The storage class to use when replicating objects, such as S3 Standard or reduced redundancy. * * @default - The storage class of the source object */ readonly storageClass?: StorageClass; /** * Specifies whether Amazon S3 replicates objects created with server-side encryption using an AWS KMS key stored in AWS Key Management Service. * * @default false */ readonly sseKmsEncryptedObjects?: boolean; /** * Specifies whether Amazon S3 replicates modifications on replicas. * * @default false */ readonly replicaModifications?: boolean; /** * The priority indicates which rule has precedence whenever two or more replication rules conflict. * * Amazon S3 will attempt to replicate objects according to all replication rules. * However, if there are two or more rules with the same destination bucket, * then objects will be replicated according to the rule with the highest priority. * * The higher the number, the higher the priority. * * It is essential to specify priority explicitly when the replication configuration has multiple rules. * * @default 0 */ readonly priority?: number; /** * Specifies whether Amazon S3 replicates delete markers. * * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-marker-replication.html * * @default - delete markers in source bucket is not replicated to destination bucket */ readonly deleteMarkerReplication?: boolean; /** * A unique identifier for the rule. * * The maximum value is 255 characters. * * @default - auto generated random ID */ readonly id?: string; /** * A filter that identifies the subset of objects to which the replication rule applies. * * @default - applies to all objects */ readonly filter?: Filter; } /** * A filter that identifies the subset of objects to which the replication rule applies. */ export interface Filter { /** * An object key name prefix that identifies the object or objects to which the rule applies. * * @default - applies to all objects */ readonly prefix?: string; /** * The tag array used for tag filters. * * The rule applies only to objects that have the tag in this set. * * @default - applies to all objects */ readonly tags?: Tag[]; } /** * The transition default minimum object size for lifecycle */ export declare enum TransitionDefaultMinimumObjectSize { /** * Objects smaller than 128 KB will not transition to any storage class by default. */ ALL_STORAGE_CLASSES_128_K = "all_storage_classes_128K", /** * Objects smaller than 128 KB will transition to Glacier Flexible Retrieval or Glacier * Deep Archive storage classes. * * By default, all other storage classes will prevent transitions smaller than 128 KB. */ VARIES_BY_STORAGE_CLASS = "varies_by_storage_class" } export interface BucketProps { /** * The kind of server-side encryption to apply to this bucket. * * If you choose KMS, you can specify a KMS key via `encryptionKey`. If * encryption key is not specified, a key will automatically be created. * * @default - `KMS` if `encryptionKey` is specified, or `UNENCRYPTED` otherwise. * But if `UNENCRYPTED` is specified, the bucket will be encrypted as `S3_MANAGED` auto