# Amazon S3 Construct Library
<!--BEGIN STABILITY BANNER-->---
> AWS CDK v1 has reached End-of-Support on 2023-06-01.
> This package is no longer being updated, and users should migrate to AWS CDK v2.
>
> For more information on how to migrate, see the [*Migrating to AWS CDK v2* guide](https://docs.aws.amazon.com/cdk/v2/guide/migrating-v2.html).
---
<!--END STABILITY BANNER-->
Define an unencrypted S3 bucket.
```python
bucket = s3.Bucket(self, "MyFirstBucket")
```
`Bucket` constructs expose the following deploy-time attributes:
* `bucketArn` - the ARN of the bucket (i.e. `arn:aws:s3:::bucket_name`)
* `bucketName` - the name of the bucket (i.e. `bucket_name`)
* `bucketWebsiteUrl` - the Website URL of the bucket (i.e.
`http://bucket_name.s3-website-us-west-1.amazonaws.com`)
* `bucketDomainName` - the URL of the bucket (i.e. `bucket_name.s3.amazonaws.com`)
* `bucketDualStackDomainName` - the dual-stack URL of the bucket (i.e.
`bucket_name.s3.dualstack.eu-west-1.amazonaws.com`)
* `bucketRegionalDomainName` - the regional URL of the bucket (i.e.
`bucket_name.s3.eu-west-1.amazonaws.com`)
* `arnForObjects(pattern)` - the ARN of an object or objects within the bucket (i.e.
`arn:aws:s3:::bucket_name/exampleobject.png` or
`arn:aws:s3:::bucket_name/Development/*`)
* `urlForObject(key)` - the HTTP URL of an object within the bucket (i.e.
`https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey`)
* `virtualHostedUrlForObject(key)` - the virtual-hosted style HTTP URL of an object
within the bucket (i.e. `https://china-bucket-s3.cn-north-1.amazonaws.com.cn/mykey`)
* `s3UrlForObject(key)` - the S3 URL of an object within the bucket (i.e.
`s3://bucket/mykey`)
## Encryption
Define a KMS-encrypted bucket:
```python
bucket = s3.Bucket(self, "MyEncryptedBucket",
encryption=s3.BucketEncryption.KMS
)
# you can access the encryption key:
assert(bucket.encryption_key instanceof kms.Key)
```
You can also supply your own key:
```python
my_kms_key = kms.Key(self, "MyKey")
bucket = s3.Bucket(self, "MyEncryptedBucket",
encryption=s3.BucketEncryption.KMS,
encryption_key=my_kms_key
)
assert(bucket.encryption_key == my_kms_key)
```
Enable KMS-SSE encryption via [S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html):
```python
bucket = s3.Bucket(self, "MyEncryptedBucket",
encryption=s3.BucketEncryption.KMS,
bucket_key_enabled=True
)
```
Use `BucketEncryption.ManagedKms` to use the S3 master KMS key:
```python
bucket = s3.Bucket(self, "Buck",
encryption=s3.BucketEncryption.KMS_MANAGED
)
assert(bucket.encryption_key == null)
```
## Permissions
A bucket policy will be automatically created for the bucket upon the first call to
`addToResourcePolicy(statement)`:
```python
bucket = s3.Bucket(self, "MyBucket")
result = bucket.add_to_resource_policy(iam.PolicyStatement(
actions=["s3:GetObject"],
resources=[bucket.arn_for_objects("file.txt")],
principals=[iam.AccountRootPrincipal()]
))
```
If you try to add a policy statement to an existing bucket, this method will
not do anything:
```python
bucket = s3.Bucket.from_bucket_name(self, "existingBucket", "bucket-name")
# No policy statement will be added to the resource
result = bucket.add_to_resource_policy(iam.PolicyStatement(
actions=["s3:GetObject"],
resources=[bucket.arn_for_objects("file.txt")],
principals=[iam.AccountRootPrincipal()]
))
```
That's because it's not possible to tell whether the bucket
already has a policy attached, let alone to re-use that policy to add more
statements to it. We recommend that you always check the result of the call:
```python
bucket = s3.Bucket(self, "MyBucket")
result = bucket.add_to_resource_policy(iam.PolicyStatement(
actions=["s3:GetObject"],
resources=[bucket.arn_for_objects("file.txt")],
principals=[iam.AccountRootPrincipal()]
))
if not result.statement_added:
pass
```
The bucket policy can be directly accessed after creation to add statements or
adjust the removal policy.
```python
bucket = s3.Bucket(self, "MyBucket")
bucket.policy.apply_removal_policy(cdk.RemovalPolicy.RETAIN)
```
Most of the time, you won't have to manipulate the bucket policy directly.
Instead, buckets have "grant" methods called to give prepackaged sets of permissions
to other resources. For example:
```python
# my_lambda: lambda.Function
bucket = s3.Bucket(self, "MyBucket")
bucket.grant_read_write(my_lambda)
```
Will give the Lambda's execution role permissions to read and write
from the bucket.
## AWS Foundational Security Best Practices
### Enforcing SSL
To require all requests use Secure Socket Layer (SSL):
```python
bucket = s3.Bucket(self, "Bucket",
enforce_sSL=True
)
```
## Sharing buckets between stacks
To use a bucket in a different stack in the same CDK application, pass the object to the other stack:
```python
#
# Stack that defines the bucket
#
class Producer(cdk.Stack):
def __init__(self, scope, id, *, description=None, env=None, stackName=None, tags=None, synthesizer=None, terminationProtection=None, analyticsReporting=None):
super().__init__(scope, id, description=description, env=env, stackName=stackName, tags=tags, synthesizer=synthesizer, terminationProtection=terminationProtection, analyticsReporting=analyticsReporting)
bucket = s3.Bucket(self, "MyBucket",
removal_policy=cdk.RemovalPolicy.DESTROY
)
self.my_bucket = bucket
#
# Stack that consumes the bucket
#
class Consumer(cdk.Stack):
def __init__(self, scope, id, *, userBucket, description=None, env=None, stackName=None, tags=None, synthesizer=None, terminationProtection=None, analyticsReporting=None):
super().__init__(scope, id, userBucket=userBucket, description=description, env=env, stackName=stackName, tags=tags, synthesizer=synthesizer, terminationProtection=terminationProtection, analyticsReporting=analyticsReporting)
user = iam.User(self, "MyUser")
user_bucket.grant_read_write(user)
producer = Producer(app, "ProducerStack")
Consumer(app, "ConsumerStack", user_bucket=producer.my_bucket)
```
## Importing existing buckets
To import an existing bucket into your CDK application, use the `Bucket.fromBucketAttributes`
factory method. This method accepts `BucketAttributes` which describes the properties of an already
existing bucket:
```python
# my_lambda: lambda.Function
bucket = s3.Bucket.from_bucket_attributes(self, "ImportedBucket",
bucket_arn="arn:aws:s3:::my-bucket"
)
# now you can just call methods on the bucket
bucket.add_event_notification(s3.EventType.OBJECT_CREATED, s3n.LambdaDestination(my_lambda), prefix="home/myusername/*")
```
Alternatively, short-hand factories are available as `Bucket.fromBucketName` and
`Bucket.fromBucketArn`, which will derive all bucket attributes from the bucket
name or ARN respectively:
```python
by_name = s3.Bucket.from_bucket_name(self, "BucketByName", "my-bucket")
by_arn = s3.Bucket.from_bucket_arn(self, "BucketByArn", "arn:aws:s3:::my-bucket")
```
The bucket's region defaults to the current stack's region, but can also be explicitly set in cases where one of the bucket's
regional properties needs to contain the correct values.
```python
my_cross_region_bucket = s3.Bucket.from_bucket_attributes(self, "CrossRegionImport",
bucket_arn="arn:aws:s3:::my-bucket",
region="us-east-1"
)
```
## Bucket Notifications
The Amazon S3 notification feature enables you to receive notifications when
certain events happen in your bucket as described under [S3 Bucket
Notifications] of the S3 Developer Guide.
To subscribe for bucket notifications, use the `bucket.addEventNotification` method. The
`bucket.addObjectCreatedNotification` and `bucket.addObjectRemovedNotification` can also be used for
these common use cases.
The following example will subscribe an SNS topic to be notified of all `s3:ObjectCreated:*` events:
```python
bucket = s3.Bucket(self, "MyBucket")
topic = sns.Topic(self, "MyTopic")
bucket.add_event_notification(s3.EventType.OBJECT_CREATED, s3n.SnsDestination(topic))
```
This call will also ensure that the topic policy can accept notifications for
this specific bucket.
Supported S3 notification targets are exposed by the `@aws-cdk/aws-s3-notifications` package.
It is also possible to specify S3 object key filters when subscribing. The
following example will notify `myQueue` when objects prefixed with `foo/` and
have the `.jpg` suffix are removed from the bucket.
```python
# my_queue: sqs.Queue
bucket = s3.Bucket(self, "MyBucket")
bucket.add_event_notification(s3.EventType.OBJECT_REMOVED,
s3n.SqsDestination(my_queue), prefix="foo/", suffix=".jpg")
```
Adding notifications on existing buckets:
```python
# topic: sns.Topic
bucket = s3.Bucket.from_bucket_attributes(self, "ImportedBucket",
bucket_arn="arn:aws:s3:::my-bucket"
)
bucket.add_event_notification(s3.EventType.OBJECT_CREATED, s3n.SnsDestination(topic))
```
When you add an event notification to a bucket, a custom resource is created to
manage the notifications. By default, a new role is created for the Lambda
function that implements this feature. If you want to use your own role instead,
you should provide it in the `Bucket` constructor:
```python
# my_role: iam.IRole
bucket = s3.Bucket(self, "MyBucket",
notifications_handler_role=my_role
)
```
Whatever role you provide, the CDK will try to modify it by adding the
permissions from `AWSLambdaBasicExecutionRole` (an AWS managed policy) as well
as the permissions `s3:PutBucketNotification` and `s3:GetBucketNotification`.
If you’re passing an imported role, and you don’t want this to happen, configure
it to be immutable:
```python
imported_role = iam.Role.from_role_arn(self, "role", "arn:aws:iam::123456789012:role/RoleName",
mutable=False
)
```
> If you provide an imported immutable role, make sure that it has at least all
> the permissions mentioned above. Otherwise, the deployment will fail!
### EventBridge notifications
Amazon S3 can send events to Amazon EventBridge whenever certain events happen in your bucket.
Unlike other destinations, you don't need to select which event types you want to deliver.
The following example will enable EventBridge notifications:
```python
bucket = s3.Bucket(self, "MyEventBridgeBucket",
event_bridge_enabled=True
)
```
## Block Public Access
Use `blockPublicAccess` to specify [block public access settings](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html) on the bucket.
Enable all block public access settings:
```python
bucket = s3.Bucket(self, "MyBlockedBucket",
block_public_access=s3.BlockPublicAccess.BLOCK_ALL
)
```
Block and ignore public ACLs:
```python
bucket = s3.Bucket(self, "MyBlockedBucket",
block_public_access=s3.BlockPublicAccess.BLOCK_ACLS
)
```
Alternatively, specify the settings manually:
```python
bucket = s3.Bucket(self, "MyBlockedBucket",
block_public_access=s3.BlockPublicAccess(block_public_policy=True)
)
```
When `blockPublicPolicy` is set to `true`, `grantPublicRead()` throws an error.
## Logging configuration
Use `serverAccessLogsBucket` to describe where server access logs are to be stored.
```python
access_logs_bucket = s3.Bucket(self, "AccessLogsBucket")
bucket = s3.Bucket(self, "MyBucket",
server_access_logs_bucket=access_logs_bucket
)
```
It's also possible to specify a prefix for Amazon S3 to assign to all log object keys.
```python
access_logs_bucket = s3.Bucket(self, "AccessLogsBucket")
bucket = s3.Bucket(self, "MyBucket",
server_access_logs_bucket=access_logs_bucket,
server_access_logs_prefix="logs"
)
```
## S3 Inventory
An [inventory](https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-inventory.html) contains a list of the objects in the source bucket and metadata for each object. The inventory lists are stored in the destination bucket as a CSV file compressed with GZIP, as an Apache optimized row columnar (ORC) file compressed with ZLIB, or as an Apache Parquet (Parquet) file compressed with Snappy.
You can configure multiple inventory lists for a bucket. You can configure what object metadata to include in the inventory, whether to list all object versions or only current versions, where to store the inventory list file output, and whether to generate the inventory on a daily or weekly basis.
```python
inventory_bucket = s3.Bucket(self, "InventoryBucket")
data_bucket = s3.Bucket(self, "DataBucket",
inventories=[s3.Inventory(
frequency=s3.InventoryFrequency.DAILY,
include_object_versions=s3.InventoryObjectVersion.CURRENT,
destination=s3.InventoryDestination(
bucket=inventory_bucket
)
), s3.Inventory(
frequency=s3.InventoryFrequency.WEEKLY,
include_object_versions=s3.InventoryObjectVersion.ALL,
destination=s3.InventoryDestination(
bucket=inventory_bucket,
prefix="with-all-versions"
)
)
]
)
```
If the destination bucket is created as part of the same CDK application, the necessary permissions will be automatically added to the bucket policy.
However, if you use an imported bucket (i.e `Bucket.fromXXX()`), you'll have to make sure it contains the following policy document:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "InventoryAndAnalyticsExamplePolicy",
"Effect": "Allow",
"Principal": { "Service": "s3.amazonaws.com" },
"Action": "s3:PutObject",
"Resource": ["arn:aws:s3:::destinationBucket/*"]
}
]
}
```
## Website redirection
You can use the two following properties to specify the bucket [redirection policy](https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-page-redirect.html#advanced-conditional-redirects). Please note that these methods cannot both be applied to the same bucket.
### Static redirection
You can statically redirect a to a given Bucket URL or any other host name with `websiteRedirect`:
```python
bucket = s3.Bucket(self, "MyRedirectedBucket",
website_redirect=s3.RedirectTarget(host_name="www.example.com")
)
```
### Routing rules
Alternatively, you can also define multiple `websiteRoutingRules`, to define complex, conditional redirections:
```python
bucket = s3.Bucket(self, "MyRedirectedBucket",
website_routing_rules=[s3.RoutingRule(
host_name="www.example.com",
http_redirect_code="302",
protocol=s3.RedirectProtocol.HTTPS,
replace_key=s3.ReplaceKey.prefix_with("test/"),
condition=s3.RoutingRuleCondition(
http_error_code_returned_equals="200",
key_prefix_equals="prefix"
)
)]
)
```
## Filling the bucket as part of deployment
To put files into a bucket as part of a deployment (for example, to host a
website), see the `@aws-cdk/aws-s3-deployment` package, which provides a
resource that can do just that.
## The URL for objects
S3 provides two types of URLs for accessing objects via HTTP(S). Path-Style and
[Virtual Hosted-Style](https://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html)
URL. Path-Style is a classic way and will be
[deprecated](https://aws.amazon.com/jp/blogs/aws/amazon-s3-path-deprecation-plan-the-rest-of-the-story).
We recommend to use Virtual Hosted-Style URL for newly made bucket.
You can generate both of them.
```python
bucket = s3.Bucket(self, "MyBucket")
bucket.url_for_object("objectname") # Path-Style URL
bucket.virtual_hosted_url_for_object("objectname") # Virtual Hosted-Style URL
bucket.virtual_hosted_url_for_object("objectname", regional=False)
```
## Object Ownership
You can use one of following properties to specify the bucket [object Ownership](https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html).
### Object writer
The Uploading account will own the object.
```python
s3.Bucket(self, "MyBucket",
object_ownership=s3.ObjectOwnership.OBJECT_WRITER
)
```
### Bucket owner preferred
The bucket owner will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. Without this setting and canned ACL, the object is uploaded and remains owned by the uploading account.
```python
s3.Bucket(self, "MyBucket",
object_ownership=s3.ObjectOwnership.BUCKET_OWNER_PREFERRED
)
```
### Bucket owner enforced (recommended)
ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. ACLs no longer affect permissions to data in the S3 bucket. The bucket uses policies to define access control.
```python
s3.Bucket(self, "MyBucket",
object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED
)
```
## Bucket deletion
When a bucket is removed from a stack (or the stack is deleted), the S3
bucket will be removed according to its removal policy (which by default will
simply orphan the bucket and leave it in your AWS account). If the removal
policy is set to `RemovalPolicy.DESTROY`, the bucket will be deleted as long
as it does not contain any objects.
To override this and force all objects to get deleted during bucket deletion,
enable the`autoDeleteObjects` option.
```python
bucket = s3.Bucket(self, "MyTempFileBucket",
removal_policy=cdk.RemovalPolicy.DESTROY,
auto_delete_objects=True
)
```
**Warning** if you have deployed a bucket with `autoDeleteObjects: true`,
switching this to `false` in a CDK version *before* `1.126.0` will lead to
all objects in the bucket being deleted. Be sure to update your bucket resources
by deploying with CDK version `1.126.0` or later **before** switching this value to `false`.
## Transfer Acceleration
[Transfer Acceleration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/transfer-acceleration.html) can be configured to enable fast, easy, and secure transfers of files over long distances:
```python
bucket = s3.Bucket(self, "MyBucket",
transfer_acceleration=True
)
```
To access the bucket that is enabled for Transfer Acceleration, you must use a special endpoint. The URL can be generated using method `transferAccelerationUrlForObject`:
```python
bucket = s3.Bucket(self, "MyBucket",
transfer_acceleration=True
)
bucket.transfer_acceleration_url_for_object("objectname")
```
## Intelligent Tiering
[Intelligent Tiering](https://docs.aws.amazon.com/AmazonS3/latest/userguide/intelligent-tiering.html) can be configured to automatically move files to glacier:
```python
s3.Bucket(self, "MyBucket",
intelligent_tiering_configurations=[s3.IntelligentTieringConfiguration(
name="foo",
prefix="folder/name",
archive_access_tier_time=cdk.Duration.days(90),
deep_archive_access_tier_time=cdk.Duration.days(180),
tags=[s3.Tag(key="tagname", value="tagvalue")]
)]
)
```
## Lifecycle Rule
[Managing lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) can be configured transition or expiration actions.
```python
bucket = s3.Bucket(self, "MyBucket",
lifecycle_rules=[s3.LifecycleRule(
abort_incomplete_multipart_upload_after=cdk.Duration.minutes(30),
enabled=False,
expiration=cdk.Duration.days(30),
expiration_date=Date(),
expired_object_delete_marker=False,
id="id",
noncurrent_version_expiration=cdk.Duration.days(30),
# the properties below are optional
noncurrent_versions_to_retain=123,
noncurrent_version_transitions=[s3.NoncurrentVersionTransition(
storage_class=s3.StorageClass.GLACIER,
transition_after=cdk.Duration.days(30),
# the properties below are optional
noncurrent_versions_to_retain=123
)],
object_size_greater_than=500,
prefix="prefix",
object_size_less_than=10000,
transitions=[s3.Transition(
storage_class=s3.StorageClass.GLACIER,
# the properties below are optional
transition_after=cdk.Duration.days(30),
transition_date=Date()
)]
)]
)
```
Raw data
{
"_id": null,
"home_page": "https://github.com/aws/aws-cdk",
"name": "aws-cdk.aws-s3",
"maintainer": "",
"docs_url": null,
"requires_python": "~=3.7",
"maintainer_email": "",
"keywords": "",
"author": "Amazon Web Services",
"author_email": "",
"download_url": "https://files.pythonhosted.org/packages/f7/87/5ec042c64dfecf89492c7720ca73787aef410d1068f2d32b164047729a79/aws-cdk.aws-s3-1.204.0.tar.gz",
"platform": null,
"description": "# Amazon S3 Construct Library\n\n<!--BEGIN STABILITY BANNER-->---\n\n\n\n\n> AWS CDK v1 has reached End-of-Support on 2023-06-01.\n> This package is no longer being updated, and users should migrate to AWS CDK v2.\n>\n> For more information on how to migrate, see the [*Migrating to AWS CDK v2* guide](https://docs.aws.amazon.com/cdk/v2/guide/migrating-v2.html).\n\n---\n<!--END STABILITY BANNER-->\n\nDefine an unencrypted S3 bucket.\n\n```python\nbucket = s3.Bucket(self, \"MyFirstBucket\")\n```\n\n`Bucket` constructs expose the following deploy-time attributes:\n\n* `bucketArn` - the ARN of the bucket (i.e. `arn:aws:s3:::bucket_name`)\n* `bucketName` - the name of the bucket (i.e. `bucket_name`)\n* `bucketWebsiteUrl` - the Website URL of the bucket (i.e.\n `http://bucket_name.s3-website-us-west-1.amazonaws.com`)\n* `bucketDomainName` - the URL of the bucket (i.e. `bucket_name.s3.amazonaws.com`)\n* `bucketDualStackDomainName` - the dual-stack URL of the bucket (i.e.\n `bucket_name.s3.dualstack.eu-west-1.amazonaws.com`)\n* `bucketRegionalDomainName` - the regional URL of the bucket (i.e.\n `bucket_name.s3.eu-west-1.amazonaws.com`)\n* `arnForObjects(pattern)` - the ARN of an object or objects within the bucket (i.e.\n `arn:aws:s3:::bucket_name/exampleobject.png` or\n `arn:aws:s3:::bucket_name/Development/*`)\n* `urlForObject(key)` - the HTTP URL of an object within the bucket (i.e.\n `https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey`)\n* `virtualHostedUrlForObject(key)` - the virtual-hosted style HTTP URL of an object\n within the bucket (i.e. `https://china-bucket-s3.cn-north-1.amazonaws.com.cn/mykey`)\n* `s3UrlForObject(key)` - the S3 URL of an object within the bucket (i.e.\n `s3://bucket/mykey`)\n\n## Encryption\n\nDefine a KMS-encrypted bucket:\n\n```python\nbucket = s3.Bucket(self, \"MyEncryptedBucket\",\n encryption=s3.BucketEncryption.KMS\n)\n\n# you can access the encryption key:\nassert(bucket.encryption_key instanceof kms.Key)\n```\n\nYou can also supply your own key:\n\n```python\nmy_kms_key = kms.Key(self, \"MyKey\")\n\nbucket = s3.Bucket(self, \"MyEncryptedBucket\",\n encryption=s3.BucketEncryption.KMS,\n encryption_key=my_kms_key\n)\n\nassert(bucket.encryption_key == my_kms_key)\n```\n\nEnable KMS-SSE encryption via [S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html):\n\n```python\nbucket = s3.Bucket(self, \"MyEncryptedBucket\",\n encryption=s3.BucketEncryption.KMS,\n bucket_key_enabled=True\n)\n```\n\nUse `BucketEncryption.ManagedKms` to use the S3 master KMS key:\n\n```python\nbucket = s3.Bucket(self, \"Buck\",\n encryption=s3.BucketEncryption.KMS_MANAGED\n)\n\nassert(bucket.encryption_key == null)\n```\n\n## Permissions\n\nA bucket policy will be automatically created for the bucket upon the first call to\n`addToResourcePolicy(statement)`:\n\n```python\nbucket = s3.Bucket(self, \"MyBucket\")\nresult = bucket.add_to_resource_policy(iam.PolicyStatement(\n actions=[\"s3:GetObject\"],\n resources=[bucket.arn_for_objects(\"file.txt\")],\n principals=[iam.AccountRootPrincipal()]\n))\n```\n\nIf you try to add a policy statement to an existing bucket, this method will\nnot do anything:\n\n```python\nbucket = s3.Bucket.from_bucket_name(self, \"existingBucket\", \"bucket-name\")\n\n# No policy statement will be added to the resource\nresult = bucket.add_to_resource_policy(iam.PolicyStatement(\n actions=[\"s3:GetObject\"],\n resources=[bucket.arn_for_objects(\"file.txt\")],\n principals=[iam.AccountRootPrincipal()]\n))\n```\n\nThat's because it's not possible to tell whether the bucket\nalready has a policy attached, let alone to re-use that policy to add more\nstatements to it. We recommend that you always check the result of the call:\n\n```python\nbucket = s3.Bucket(self, \"MyBucket\")\nresult = bucket.add_to_resource_policy(iam.PolicyStatement(\n actions=[\"s3:GetObject\"],\n resources=[bucket.arn_for_objects(\"file.txt\")],\n principals=[iam.AccountRootPrincipal()]\n))\n\nif not result.statement_added:\n pass\n```\n\nThe bucket policy can be directly accessed after creation to add statements or\nadjust the removal policy.\n\n```python\nbucket = s3.Bucket(self, \"MyBucket\")\nbucket.policy.apply_removal_policy(cdk.RemovalPolicy.RETAIN)\n```\n\nMost of the time, you won't have to manipulate the bucket policy directly.\nInstead, buckets have \"grant\" methods called to give prepackaged sets of permissions\nto other resources. For example:\n\n```python\n# my_lambda: lambda.Function\n\n\nbucket = s3.Bucket(self, \"MyBucket\")\nbucket.grant_read_write(my_lambda)\n```\n\nWill give the Lambda's execution role permissions to read and write\nfrom the bucket.\n\n## AWS Foundational Security Best Practices\n\n### Enforcing SSL\n\nTo require all requests use Secure Socket Layer (SSL):\n\n```python\nbucket = s3.Bucket(self, \"Bucket\",\n enforce_sSL=True\n)\n```\n\n## Sharing buckets between stacks\n\nTo use a bucket in a different stack in the same CDK application, pass the object to the other stack:\n\n```python\n#\n# Stack that defines the bucket\n#\nclass Producer(cdk.Stack):\n\n def __init__(self, scope, id, *, description=None, env=None, stackName=None, tags=None, synthesizer=None, terminationProtection=None, analyticsReporting=None):\n super().__init__(scope, id, description=description, env=env, stackName=stackName, tags=tags, synthesizer=synthesizer, terminationProtection=terminationProtection, analyticsReporting=analyticsReporting)\n\n bucket = s3.Bucket(self, \"MyBucket\",\n removal_policy=cdk.RemovalPolicy.DESTROY\n )\n self.my_bucket = bucket\n\n#\n# Stack that consumes the bucket\n#\nclass Consumer(cdk.Stack):\n def __init__(self, scope, id, *, userBucket, description=None, env=None, stackName=None, tags=None, synthesizer=None, terminationProtection=None, analyticsReporting=None):\n super().__init__(scope, id, userBucket=userBucket, description=description, env=env, stackName=stackName, tags=tags, synthesizer=synthesizer, terminationProtection=terminationProtection, analyticsReporting=analyticsReporting)\n\n user = iam.User(self, \"MyUser\")\n user_bucket.grant_read_write(user)\n\nproducer = Producer(app, \"ProducerStack\")\nConsumer(app, \"ConsumerStack\", user_bucket=producer.my_bucket)\n```\n\n## Importing existing buckets\n\nTo import an existing bucket into your CDK application, use the `Bucket.fromBucketAttributes`\nfactory method. This method accepts `BucketAttributes` which describes the properties of an already\nexisting bucket:\n\n```python\n# my_lambda: lambda.Function\n\nbucket = s3.Bucket.from_bucket_attributes(self, \"ImportedBucket\",\n bucket_arn=\"arn:aws:s3:::my-bucket\"\n)\n\n# now you can just call methods on the bucket\nbucket.add_event_notification(s3.EventType.OBJECT_CREATED, s3n.LambdaDestination(my_lambda), prefix=\"home/myusername/*\")\n```\n\nAlternatively, short-hand factories are available as `Bucket.fromBucketName` and\n`Bucket.fromBucketArn`, which will derive all bucket attributes from the bucket\nname or ARN respectively:\n\n```python\nby_name = s3.Bucket.from_bucket_name(self, \"BucketByName\", \"my-bucket\")\nby_arn = s3.Bucket.from_bucket_arn(self, \"BucketByArn\", \"arn:aws:s3:::my-bucket\")\n```\n\nThe bucket's region defaults to the current stack's region, but can also be explicitly set in cases where one of the bucket's\nregional properties needs to contain the correct values.\n\n```python\nmy_cross_region_bucket = s3.Bucket.from_bucket_attributes(self, \"CrossRegionImport\",\n bucket_arn=\"arn:aws:s3:::my-bucket\",\n region=\"us-east-1\"\n)\n```\n\n## Bucket Notifications\n\nThe Amazon S3 notification feature enables you to receive notifications when\ncertain events happen in your bucket as described under [S3 Bucket\nNotifications] of the S3 Developer Guide.\n\nTo subscribe for bucket notifications, use the `bucket.addEventNotification` method. The\n`bucket.addObjectCreatedNotification` and `bucket.addObjectRemovedNotification` can also be used for\nthese common use cases.\n\nThe following example will subscribe an SNS topic to be notified of all `s3:ObjectCreated:*` events:\n\n```python\nbucket = s3.Bucket(self, \"MyBucket\")\ntopic = sns.Topic(self, \"MyTopic\")\nbucket.add_event_notification(s3.EventType.OBJECT_CREATED, s3n.SnsDestination(topic))\n```\n\nThis call will also ensure that the topic policy can accept notifications for\nthis specific bucket.\n\nSupported S3 notification targets are exposed by the `@aws-cdk/aws-s3-notifications` package.\n\nIt is also possible to specify S3 object key filters when subscribing. The\nfollowing example will notify `myQueue` when objects prefixed with `foo/` and\nhave the `.jpg` suffix are removed from the bucket.\n\n```python\n# my_queue: sqs.Queue\n\nbucket = s3.Bucket(self, \"MyBucket\")\nbucket.add_event_notification(s3.EventType.OBJECT_REMOVED,\n s3n.SqsDestination(my_queue), prefix=\"foo/\", suffix=\".jpg\")\n```\n\nAdding notifications on existing buckets:\n\n```python\n# topic: sns.Topic\n\nbucket = s3.Bucket.from_bucket_attributes(self, \"ImportedBucket\",\n bucket_arn=\"arn:aws:s3:::my-bucket\"\n)\nbucket.add_event_notification(s3.EventType.OBJECT_CREATED, s3n.SnsDestination(topic))\n```\n\nWhen you add an event notification to a bucket, a custom resource is created to\nmanage the notifications. By default, a new role is created for the Lambda\nfunction that implements this feature. If you want to use your own role instead,\nyou should provide it in the `Bucket` constructor:\n\n```python\n# my_role: iam.IRole\n\nbucket = s3.Bucket(self, \"MyBucket\",\n notifications_handler_role=my_role\n)\n```\n\nWhatever role you provide, the CDK will try to modify it by adding the\npermissions from `AWSLambdaBasicExecutionRole` (an AWS managed policy) as well\nas the permissions `s3:PutBucketNotification` and `s3:GetBucketNotification`.\nIf you\u2019re passing an imported role, and you don\u2019t want this to happen, configure\nit to be immutable:\n\n```python\nimported_role = iam.Role.from_role_arn(self, \"role\", \"arn:aws:iam::123456789012:role/RoleName\",\n mutable=False\n)\n```\n\n> If you provide an imported immutable role, make sure that it has at least all\n> the permissions mentioned above. Otherwise, the deployment will fail!\n\n### EventBridge notifications\n\nAmazon S3 can send events to Amazon EventBridge whenever certain events happen in your bucket.\nUnlike other destinations, you don't need to select which event types you want to deliver.\n\nThe following example will enable EventBridge notifications:\n\n```python\nbucket = s3.Bucket(self, \"MyEventBridgeBucket\",\n event_bridge_enabled=True\n)\n```\n\n## Block Public Access\n\nUse `blockPublicAccess` to specify [block public access settings](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html) on the bucket.\n\nEnable all block public access settings:\n\n```python\nbucket = s3.Bucket(self, \"MyBlockedBucket\",\n block_public_access=s3.BlockPublicAccess.BLOCK_ALL\n)\n```\n\nBlock and ignore public ACLs:\n\n```python\nbucket = s3.Bucket(self, \"MyBlockedBucket\",\n block_public_access=s3.BlockPublicAccess.BLOCK_ACLS\n)\n```\n\nAlternatively, specify the settings manually:\n\n```python\nbucket = s3.Bucket(self, \"MyBlockedBucket\",\n block_public_access=s3.BlockPublicAccess(block_public_policy=True)\n)\n```\n\nWhen `blockPublicPolicy` is set to `true`, `grantPublicRead()` throws an error.\n\n## Logging configuration\n\nUse `serverAccessLogsBucket` to describe where server access logs are to be stored.\n\n```python\naccess_logs_bucket = s3.Bucket(self, \"AccessLogsBucket\")\n\nbucket = s3.Bucket(self, \"MyBucket\",\n server_access_logs_bucket=access_logs_bucket\n)\n```\n\nIt's also possible to specify a prefix for Amazon S3 to assign to all log object keys.\n\n```python\naccess_logs_bucket = s3.Bucket(self, \"AccessLogsBucket\")\n\nbucket = s3.Bucket(self, \"MyBucket\",\n server_access_logs_bucket=access_logs_bucket,\n server_access_logs_prefix=\"logs\"\n)\n```\n\n## S3 Inventory\n\nAn [inventory](https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-inventory.html) contains a list of the objects in the source bucket and metadata for each object. The inventory lists are stored in the destination bucket as a CSV file compressed with GZIP, as an Apache optimized row columnar (ORC) file compressed with ZLIB, or as an Apache Parquet (Parquet) file compressed with Snappy.\n\nYou can configure multiple inventory lists for a bucket. You can configure what object metadata to include in the inventory, whether to list all object versions or only current versions, where to store the inventory list file output, and whether to generate the inventory on a daily or weekly basis.\n\n```python\ninventory_bucket = s3.Bucket(self, \"InventoryBucket\")\n\ndata_bucket = s3.Bucket(self, \"DataBucket\",\n inventories=[s3.Inventory(\n frequency=s3.InventoryFrequency.DAILY,\n include_object_versions=s3.InventoryObjectVersion.CURRENT,\n destination=s3.InventoryDestination(\n bucket=inventory_bucket\n )\n ), s3.Inventory(\n frequency=s3.InventoryFrequency.WEEKLY,\n include_object_versions=s3.InventoryObjectVersion.ALL,\n destination=s3.InventoryDestination(\n bucket=inventory_bucket,\n prefix=\"with-all-versions\"\n )\n )\n ]\n)\n```\n\nIf the destination bucket is created as part of the same CDK application, the necessary permissions will be automatically added to the bucket policy.\nHowever, if you use an imported bucket (i.e `Bucket.fromXXX()`), you'll have to make sure it contains the following policy document:\n\n```json\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"InventoryAndAnalyticsExamplePolicy\",\n \"Effect\": \"Allow\",\n \"Principal\": { \"Service\": \"s3.amazonaws.com\" },\n \"Action\": \"s3:PutObject\",\n \"Resource\": [\"arn:aws:s3:::destinationBucket/*\"]\n }\n ]\n}\n```\n\n## Website redirection\n\nYou can use the two following properties to specify the bucket [redirection policy](https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-page-redirect.html#advanced-conditional-redirects). Please note that these methods cannot both be applied to the same bucket.\n\n### Static redirection\n\nYou can statically redirect a to a given Bucket URL or any other host name with `websiteRedirect`:\n\n```python\nbucket = s3.Bucket(self, \"MyRedirectedBucket\",\n website_redirect=s3.RedirectTarget(host_name=\"www.example.com\")\n)\n```\n\n### Routing rules\n\nAlternatively, you can also define multiple `websiteRoutingRules`, to define complex, conditional redirections:\n\n```python\nbucket = s3.Bucket(self, \"MyRedirectedBucket\",\n website_routing_rules=[s3.RoutingRule(\n host_name=\"www.example.com\",\n http_redirect_code=\"302\",\n protocol=s3.RedirectProtocol.HTTPS,\n replace_key=s3.ReplaceKey.prefix_with(\"test/\"),\n condition=s3.RoutingRuleCondition(\n http_error_code_returned_equals=\"200\",\n key_prefix_equals=\"prefix\"\n )\n )]\n)\n```\n\n## Filling the bucket as part of deployment\n\nTo put files into a bucket as part of a deployment (for example, to host a\nwebsite), see the `@aws-cdk/aws-s3-deployment` package, which provides a\nresource that can do just that.\n\n## The URL for objects\n\nS3 provides two types of URLs for accessing objects via HTTP(S). Path-Style and\n[Virtual Hosted-Style](https://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html)\nURL. Path-Style is a classic way and will be\n[deprecated](https://aws.amazon.com/jp/blogs/aws/amazon-s3-path-deprecation-plan-the-rest-of-the-story).\nWe recommend to use Virtual Hosted-Style URL for newly made bucket.\n\nYou can generate both of them.\n\n```python\nbucket = s3.Bucket(self, \"MyBucket\")\nbucket.url_for_object(\"objectname\") # Path-Style URL\nbucket.virtual_hosted_url_for_object(\"objectname\") # Virtual Hosted-Style URL\nbucket.virtual_hosted_url_for_object(\"objectname\", regional=False)\n```\n\n## Object Ownership\n\nYou can use one of following properties to specify the bucket [object Ownership](https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html).\n\n### Object writer\n\nThe Uploading account will own the object.\n\n```python\ns3.Bucket(self, \"MyBucket\",\n object_ownership=s3.ObjectOwnership.OBJECT_WRITER\n)\n```\n\n### Bucket owner preferred\n\nThe bucket owner will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. Without this setting and canned ACL, the object is uploaded and remains owned by the uploading account.\n\n```python\ns3.Bucket(self, \"MyBucket\",\n object_ownership=s3.ObjectOwnership.BUCKET_OWNER_PREFERRED\n)\n```\n\n### Bucket owner enforced (recommended)\n\nACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. ACLs no longer affect permissions to data in the S3 bucket. The bucket uses policies to define access control.\n\n```python\ns3.Bucket(self, \"MyBucket\",\n object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED\n)\n```\n\n## Bucket deletion\n\nWhen a bucket is removed from a stack (or the stack is deleted), the S3\nbucket will be removed according to its removal policy (which by default will\nsimply orphan the bucket and leave it in your AWS account). If the removal\npolicy is set to `RemovalPolicy.DESTROY`, the bucket will be deleted as long\nas it does not contain any objects.\n\nTo override this and force all objects to get deleted during bucket deletion,\nenable the`autoDeleteObjects` option.\n\n```python\nbucket = s3.Bucket(self, \"MyTempFileBucket\",\n removal_policy=cdk.RemovalPolicy.DESTROY,\n auto_delete_objects=True\n)\n```\n\n**Warning** if you have deployed a bucket with `autoDeleteObjects: true`,\nswitching this to `false` in a CDK version *before* `1.126.0` will lead to\nall objects in the bucket being deleted. Be sure to update your bucket resources\nby deploying with CDK version `1.126.0` or later **before** switching this value to `false`.\n\n## Transfer Acceleration\n\n[Transfer Acceleration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/transfer-acceleration.html) can be configured to enable fast, easy, and secure transfers of files over long distances:\n\n```python\nbucket = s3.Bucket(self, \"MyBucket\",\n transfer_acceleration=True\n)\n```\n\nTo access the bucket that is enabled for Transfer Acceleration, you must use a special endpoint. The URL can be generated using method `transferAccelerationUrlForObject`:\n\n```python\nbucket = s3.Bucket(self, \"MyBucket\",\n transfer_acceleration=True\n)\nbucket.transfer_acceleration_url_for_object(\"objectname\")\n```\n\n## Intelligent Tiering\n\n[Intelligent Tiering](https://docs.aws.amazon.com/AmazonS3/latest/userguide/intelligent-tiering.html) can be configured to automatically move files to glacier:\n\n```python\ns3.Bucket(self, \"MyBucket\",\n intelligent_tiering_configurations=[s3.IntelligentTieringConfiguration(\n name=\"foo\",\n prefix=\"folder/name\",\n archive_access_tier_time=cdk.Duration.days(90),\n deep_archive_access_tier_time=cdk.Duration.days(180),\n tags=[s3.Tag(key=\"tagname\", value=\"tagvalue\")]\n )]\n)\n```\n\n## Lifecycle Rule\n\n[Managing lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) can be configured transition or expiration actions.\n\n```python\nbucket = s3.Bucket(self, \"MyBucket\",\n lifecycle_rules=[s3.LifecycleRule(\n abort_incomplete_multipart_upload_after=cdk.Duration.minutes(30),\n enabled=False,\n expiration=cdk.Duration.days(30),\n expiration_date=Date(),\n expired_object_delete_marker=False,\n id=\"id\",\n noncurrent_version_expiration=cdk.Duration.days(30),\n\n # the properties below are optional\n noncurrent_versions_to_retain=123,\n noncurrent_version_transitions=[s3.NoncurrentVersionTransition(\n storage_class=s3.StorageClass.GLACIER,\n transition_after=cdk.Duration.days(30),\n\n # the properties below are optional\n noncurrent_versions_to_retain=123\n )],\n object_size_greater_than=500,\n prefix=\"prefix\",\n object_size_less_than=10000,\n transitions=[s3.Transition(\n storage_class=s3.StorageClass.GLACIER,\n\n # the properties below are optional\n transition_after=cdk.Duration.days(30),\n transition_date=Date()\n )]\n )]\n)\n```\n",
"bugtrack_url": null,
"license": "Apache-2.0",
"summary": "The CDK Construct Library for AWS::S3",
"version": "1.204.0",
"project_urls": {
"Homepage": "https://github.com/aws/aws-cdk",
"Source": "https://github.com/aws/aws-cdk.git"
},
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "836c2571d53762d2ae9ea56c26f0e078ba07eaef9f8f6cb95ac4c09de385c7cd",
"md5": "e5deb2acaf5ac85c0f4e3e8821e5bf82",
"sha256": "387941a809445102be103cce96d3d0a6ae7190dd0b56207caa5300d9d0f4d68e"
},
"downloads": -1,
"filename": "aws_cdk.aws_s3-1.204.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "e5deb2acaf5ac85c0f4e3e8821e5bf82",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": "~=3.7",
"size": 555906,
"upload_time": "2023-06-19T21:00:55",
"upload_time_iso_8601": "2023-06-19T21:00:55.419863Z",
"url": "https://files.pythonhosted.org/packages/83/6c/2571d53762d2ae9ea56c26f0e078ba07eaef9f8f6cb95ac4c09de385c7cd/aws_cdk.aws_s3-1.204.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "f7875ec042c64dfecf89492c7720ca73787aef410d1068f2d32b164047729a79",
"md5": "9a859ff86644632f8f06afff5881bb4e",
"sha256": "174b4daae7d881f311b556b2b8cd55e035beaafe90ef7909e88fec0ae7aaa105"
},
"downloads": -1,
"filename": "aws-cdk.aws-s3-1.204.0.tar.gz",
"has_sig": false,
"md5_digest": "9a859ff86644632f8f06afff5881bb4e",
"packagetype": "sdist",
"python_version": "source",
"requires_python": "~=3.7",
"size": 555767,
"upload_time": "2023-06-19T21:07:07",
"upload_time_iso_8601": "2023-06-19T21:07:07.337383Z",
"url": "https://files.pythonhosted.org/packages/f7/87/5ec042c64dfecf89492c7720ca73787aef410d1068f2d32b164047729a79/aws-cdk.aws-s3-1.204.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-06-19 21:07:07",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "aws",
"github_project": "aws-cdk",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "aws-cdk.aws-s3"
}
JSON
