daniel/agent-claw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
266231d070b2cfa6be9291a77022de1e61a12963
agent-claw/cdk/node_modules/aws-cdk-lib/aws-s3/lib/bucket.d.ts
daniel 732b00fb66 agent-claw: automated task changes
2026-05-06 18:55:16 -05:00

2331 lines
91 KiB
TypeScript
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
import type { Construct } from 'constructs';
import { BucketGrants } from './bucket-grants';
import { BucketPolicy } from './bucket-policy';
import type { IBucketNotificationDestination } from './destination';
import type { LifecycleRule, StorageClass } from './rule';
import type { BucketReference, IBucketRef } from './s3.generated';
import { CfnBucket } from './s3.generated';
import * as events from '../../aws-events';
import * as iam from '../../aws-iam';
import type { GrantOnKeyResult, IEncryptedResource, IGrantable } from '../../aws-iam';
import * as kms from '../../aws-kms';
import type { Duration, IResource, ResourceProps } from '../../core';
import { RemovalPolicy, Resource } from '../../core';
export interface IBucket extends IResource, IBucketRef {
/**
* The ARN of the bucket.
* @attribute
*/
readonly bucketArn: string;
/**
* The name of the bucket.
* @attribute
*/
readonly bucketName: string;
/**
* The URL of the static website.
* @attribute
*/
readonly bucketWebsiteUrl: string;
/**
* The Domain name of the static website.
* @attribute
*/
readonly bucketWebsiteDomainName: string;
/**
* The IPv4 DNS name of the specified bucket.
* @attribute
*/
readonly bucketDomainName: string;
/**
* The IPv6 DNS name of the specified bucket.
* @attribute
*/
readonly bucketDualStackDomainName: string;
/**
* The regional domain name of the specified bucket.
* @attribute
*/
readonly bucketRegionalDomainName: string;
/**
* If this bucket has been configured for static website hosting.
*/
readonly isWebsite?: boolean;
/**
* Optional KMS encryption key associated with this bucket.
*/
readonly encryptionKey?: kms.IKey;
/**
* The resource policy associated with this bucket.
*
* If `autoCreatePolicy` is true, a `BucketPolicy` will be created upon the
* first call to addToResourcePolicy(s).
*/
policy?: BucketPolicy;
/**
* Role used to set up permissions on this bucket for replication
*/
replicationRoleArn?: string;
/**
* Adds a statement to the resource policy for a principal (i.e.
* account/role/service) to perform actions on this bucket and/or its
* contents. Use `bucketArn` and `arnForObjects(keys)` to obtain ARNs for
* this bucket or objects.
*
* Note that the policy statement may or may not be added to the policy.
* For example, when an `IBucket` is created from an existing bucket,
* it's not possible to tell whether the bucket already has a policy
* attached, let alone to re-use that policy to add more statements to it.
* So it's safest to do nothing in these cases.
*
* @param permission the policy statement to be added to the bucket's
* policy.
* @returns metadata about the execution of this method. If the policy
* was not added, the value of `statementAdded` will be `false`. You
* should always check this value to make sure that the operation was
* actually carried out. Otherwise, synthesis and deploy will terminate
* silently, which may be confusing.
*/
addToResourcePolicy(permission: iam.PolicyStatement): iam.AddToResourcePolicyResult;
/**
* The https URL of an S3 object. For example:
*
* - `https://s3.us-west-1.amazonaws.com/onlybucket`
* - `https://s3.us-west-1.amazonaws.com/bucket/key`
* - `https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey`
* @param key The S3 key of the object. If not specified, the URL of the
* bucket is returned.
* @returns an ObjectS3Url token
*/
urlForObject(key?: string): string;
/**
* The https Transfer Acceleration URL of an S3 object. Specify `dualStack: true` at the options
* for dual-stack endpoint (connect to the bucket over IPv6). For example:
*
* - `https://bucket.s3-accelerate.amazonaws.com`
* - `https://bucket.s3-accelerate.amazonaws.com/key`
*
* @param key The S3 key of the object. If not specified, the URL of the
* bucket is returned.
* @param options Options for generating URL.
* @returns an TransferAccelerationUrl token
*/
transferAccelerationUrlForObject(key?: string, options?: TransferAccelerationUrlOptions): string;
/**
* The virtual hosted-style URL of an S3 object. Specify `regional: false` at
* the options for non-regional URL. For example:
*
* - `https://only-bucket.s3.us-west-1.amazonaws.com`
* - `https://bucket.s3.us-west-1.amazonaws.com/key`
* - `https://bucket.s3.amazonaws.com/key`
* - `https://china-bucket.s3.cn-north-1.amazonaws.com.cn/mykey`
* @param key The S3 key of the object. If not specified, the URL of the
* bucket is returned.
* @param options Options for generating URL.
* @returns an ObjectS3Url token
*/
virtualHostedUrlForObject(key?: string, options?: VirtualHostedStyleUrlOptions): string;
/**
* The S3 URL of an S3 object. For example:
* - `s3://onlybucket`
* - `s3://bucket/key`
* @param key The S3 key of the object. If not specified, the S3 URL of the
* bucket is returned.
* @returns an ObjectS3Url token
*/
s3UrlForObject(key?: string): string;
/**
* Returns an ARN that represents all objects within the bucket that match
* the key pattern specified. To represent all keys, specify ``"*"``.
*/
arnForObjects(keyPattern: string): string;
/**
* Grant read permissions for this bucket and its contents to an IAM
* principal (Role/Group/User).
*
* If encryption is used, permission to use the key to decrypt the contents
* of the bucket will also be granted to the same principal.
*
* @param identity The principal
* @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
*/
grantRead(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant;
/**
* Grant write permissions to this bucket to an IAM principal.
*
* If encryption is used, permission to use the key to encrypt the contents
* of written files will also be granted to the same principal.
*
* Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
* which could be used to grant read/write object access to IAM principals in other accounts.
* If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
* and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
* in the `context` key of your cdk.json file.
* If you've already updated, but still need the principal to have permissions to modify the ACLs,
* use the `grantPutAcl` method.
*
* @param identity The principal
* @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
* @param allowedActionPatterns Restrict the permissions to certain list of action patterns
*/
grantWrite(identity: iam.IGrantable, objectsKeyPattern?: any, allowedActionPatterns?: string[]): iam.Grant;
/**
* Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.
*
* If encryption is used, permission to use the key to encrypt the contents
* of written files will also be granted to the same principal.
* @param identity The principal
* @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
*/
grantPut(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant;
/**
* Grant the given IAM identity permissions to modify the ACLs of objects in the given Bucket.
*
* If your application has the '@aws-cdk/aws-s3:grantWriteWithoutAcl' feature flag set,
* calling `grantWrite` or `grantReadWrite` no longer grants permissions to modify the ACLs of the objects;
* in this case, if you need to modify object ACLs, call this method explicitly.
*
* @param identity The principal
* @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*')
*/
grantPutAcl(identity: iam.IGrantable, objectsKeyPattern?: string): iam.Grant;
/**
* Grants s3:DeleteObject* permission to an IAM principal for objects
* in this bucket.
*
* @param identity The principal
* @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
*/
grantDelete(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant;
/**
* Grants read/write permissions for this bucket and its contents to an IAM
* principal (Role/Group/User).
*
* If an encryption key is used, permission to use the key for
* encrypt/decrypt will also be granted.
*
* Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
* which could be used to grant read/write object access to IAM principals in other accounts.
* If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
* and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
* in the `context` key of your cdk.json file.
* If you've already updated, but still need the principal to have permissions to modify the ACLs,
* use the `grantPutAcl` method.
*
* @param identity The principal
* @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
*/
grantReadWrite(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant;
/**
* Allows permissions for replication operation to bucket replication role.
*
* If an encryption key is used, permission to use the key for
* encrypt/decrypt will also be granted.
*
* @param identity The principal
* @param props The properties of the replication source and destination buckets.
* @returns The `iam.Grant` object, which represents the grant of permissions.
*/
grantReplicationPermission(identity: iam.IGrantable, props: GrantReplicationPermissionProps): iam.Grant;
/**
* Allows unrestricted access to objects from this bucket.
*
* IMPORTANT: This permission allows anyone to perform actions on S3 objects
* in this bucket, which is useful for when you configure your bucket as a
* website and want everyone to be able to read objects in the bucket without
* needing to authenticate.
*
* Without arguments, this method will grant read ("s3:GetObject") access to
* all objects ("*") in the bucket.
*
* The method returns the `iam.Grant` object, which can then be modified
* as needed. For example, you can add a condition that will restrict access only
* to an IPv4 range like this:
*
* const grant = bucket.grantPublicAccess();
* grant.resourceStatement!.addCondition(IpAddress, { “aws:SourceIp”: “54.240.143.0/24” });
*
*
* @param keyPrefix the prefix of S3 object keys (e.g. `home/*`). Default is "*".
* @param allowedActions the set of S3 actions to allow. Default is "s3:GetObject".
* @returns The `iam.PolicyStatement` object, which can be used to apply e.g. conditions.
*/
grantPublicAccess(keyPrefix?: string, ...allowedActions: string[]): iam.Grant;
/**
* Defines a CloudWatch event that triggers when something happens to this bucket
*
* Requires that there exists at least one CloudTrail Trail in your account
* that captures the event. This method will not create the Trail.
*
* @param id The id of the rule
* @param options Options for adding the rule
*/
onCloudTrailEvent(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule;
/**
* Defines an AWS CloudWatch event that triggers when an object is uploaded
* to the specified paths (keys) in this bucket using the PutObject API call.
*
* Note that some tools like `aws s3 cp` will automatically use either
* PutObject or the multipart upload API depending on the file size,
* so using `onCloudTrailWriteObject` may be preferable.
*
* Requires that there exists at least one CloudTrail Trail in your account
* that captures the event. This method will not create the Trail.
*
* @param id The id of the rule
* @param options Options for adding the rule
*/
onCloudTrailPutObject(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule;
/**
* Defines an AWS CloudWatch event that triggers when an object at the
* specified paths (keys) in this bucket are written to. This includes
* the events PutObject, CopyObject, and CompleteMultipartUpload.
*
* Note that some tools like `aws s3 cp` will automatically use either
* PutObject or the multipart upload API depending on the file size,
* so using this method may be preferable to `onCloudTrailPutObject`.
*
* Requires that there exists at least one CloudTrail Trail in your account
* that captures the event. This method will not create the Trail.
*
* @param id The id of the rule
* @param options Options for adding the rule
*/
onCloudTrailWriteObject(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule;
/**
* Adds a bucket notification event destination.
* @param event The event to trigger the notification
* @param dest The notification destination (Lambda, SNS Topic or SQS Queue)
*
* @param filters S3 object key filter rules to determine which objects
* trigger this event. Each filter must include a `prefix` and/or `suffix`
* that will be matched against the s3 object key. Refer to the S3 Developer Guide
* for details about allowed filter rules.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-how-to-filtering.html
*
* @example
*
* declare const myLambda: lambda.Function;
* const bucket = new s3.Bucket(this, 'MyBucket');
* const filter: s3.NotificationKeyFilter = { prefix: 'home/myusername/*' };
* bucket.addEventNotification(s3.EventType.OBJECT_CREATED, new s3n.LambdaDestination(myLambda), filter);
*
* @see
* https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html
*/
addEventNotification(event: EventType, dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void;
/**
* Subscribes a destination to receive notifications when an object is
* created in the bucket. This is identical to calling
* `onEvent(s3.EventType.OBJECT_CREATED)`.
*
* @param dest The notification destination (see onEvent)
* @param filters Filters (see onEvent)
*/
addObjectCreatedNotification(dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void;
/**
* Subscribes a destination to receive notifications when an object is
* removed from the bucket. This is identical to calling
* `onEvent(EventType.OBJECT_REMOVED)`.
*
* @param dest The notification destination (see onEvent)
* @param filters Filters (see onEvent)
*/
addObjectRemovedNotification(dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void;
/**
* Enables event bridge notification, causing all events below to be sent to EventBridge:
*
* - Object Deleted (DeleteObject)
* - Object Deleted (Lifecycle expiration)
* - Object Restore Initiated
* - Object Restore Completed
* - Object Restore Expired
* - Object Storage Class Changed
* - Object Access Tier Changed
* - Object ACL Updated
* - Object Tags Added
* - Object Tags Deleted
*/
enableEventBridgeNotification(): void;
/**
* Function to add required permissions to the destination bucket for cross account
* replication. These permissions will be added as a resource based policy on the bucket.
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html
* If owner of the bucket needs to be overridden, set accessControlTransition to true and provide
* account ID in which destination bucket is hosted. For more information on accessControlTransition
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-accesscontroltranslation.html
*/
addReplicationPolicy(roleArn: string, accessControlTransition?: boolean, account?: string): void;
}
/**
* A reference to a bucket outside this stack
*/
export interface BucketAttributes {
/**
* The ARN of the bucket. At least one of bucketArn or bucketName must be
* defined in order to initialize a bucket ref.
*/
readonly bucketArn?: string;
/**
* The name of the bucket. If the underlying value of ARN is a string, the
* name will be parsed from the ARN. Otherwise, the name is optional, but
* some features that require the bucket name such as auto-creating a bucket
* policy, won't work.
*/
readonly bucketName?: string;
/**
* The domain name of the bucket.
*
* @default - Inferred from bucket name
*/
readonly bucketDomainName?: string;
/**
* The website URL of the bucket (if static web hosting is enabled).
*
* @default - Inferred from bucket name and region
*/
readonly bucketWebsiteUrl?: string;
/**
* The regional domain name of the specified bucket.
*/
readonly bucketRegionalDomainName?: string;
/**
* The IPv6 DNS name of the specified bucket.
*/
readonly bucketDualStackDomainName?: string;
/**
* Force the format of the website URL of the bucket. This should be true for
* regions launched since 2014.
*
* @default - inferred from available region information, `false` otherwise
*
* @deprecated The correct website url format can be inferred automatically from the bucket `region`.
* Always provide the bucket region if the `bucketWebsiteUrl` will be used.
* Alternatively provide the full `bucketWebsiteUrl` manually.
*/
readonly bucketWebsiteNewUrlFormat?: boolean;
/**
* KMS encryption key associated with this bucket.
*
* @default - no encryption key
*/
readonly encryptionKey?: kms.IKey;
/**
* If this bucket has been configured for static website hosting.
*
* @default false
*/
readonly isWebsite?: boolean;
/**
* The account this existing bucket belongs to.
*
* @default - it's assumed the bucket belongs to the same account as the scope it's being imported into
*/
readonly account?: string;
/**
* The region this existing bucket is in.
* Features that require the region (e.g. `bucketWebsiteUrl`) won't fully work
* if the region cannot be correctly inferred.
*
* @default - it's assumed the bucket is in the same region as the scope it's being imported into
*/
readonly region?: string;
/**
* The role to be used by the notifications handler
*
* @default - a new role will be created.
*/
readonly notificationsHandlerRole?: iam.IRole;
}
/**
* The properties for the destination bucket for granting replication permission.
*/
export interface GrantReplicationPermissionDestinationProps {
/**
* The destination bucket
*/
readonly bucket: IBucket;
/**
* The KMS key to use for encryption if a destination bucket needs to be encrypted with a customer-managed KMS key.
*
* @default - no KMS key is used for replication.
*/
readonly encryptionKey?: kms.IKey;
}
/**
* The properties for the destination bucket for granting replication permission.
*/
export interface GrantReplicationPermissionProps {
/**
* The KMS key used to decrypt objects in the source bucket for replication.
* **Required if** the source bucket is encrypted with a customer-managed KMS key.
*
* @default - it's assumed the source bucket is not encrypted with a customer-managed KMS key.
*/
readonly sourceDecryptionKey?: kms.IKey;
/**
* The destination buckets for replication.
* Specify the KMS key to use for encryption if a destination bucket needs to be encrypted with a customer-managed KMS key.
* One or more destination buckets are required if replication configuration is enabled (i.e., `replicationRole` is specified).
*
* @default - empty array (valid only if the `replicationRole` property is NOT specified)
*/
readonly destinations: GrantReplicationPermissionDestinationProps[];
}
/**
* Represents an S3 Bucket.
*
* Buckets can be either defined within this stack:
*
* new Bucket(this, 'MyBucket', { props });
*
* Or imported from an existing bucket:
*
* Bucket.import(this, 'MyImportedBucket', { bucketArn: ... });
*
* You can also export a bucket and import it into another stack:
*
* const ref = myBucket.export();
* Bucket.import(this, 'MyImportedBucket', ref);
*
*/
export declare abstract class BucketBase extends Resource implements IBucket, IEncryptedResource {
abstract readonly bucketArn: string;
abstract readonly bucketName: string;
abstract readonly bucketDomainName: string;
abstract readonly bucketWebsiteUrl: string;
abstract readonly bucketWebsiteDomainName: string;
abstract readonly bucketRegionalDomainName: string;
abstract readonly bucketDualStackDomainName: string;
/**
* Optional KMS encryption key associated with this bucket.
*/
abstract readonly encryptionKey?: kms.IKey;
/**
* If this bucket has been configured for static website hosting.
*/
abstract readonly isWebsite?: boolean;
/**
* The resource policy associated with this bucket.
*
* If `autoCreatePolicy` is true, a `BucketPolicy` will be created upon the
* first call to addToResourcePolicy(s).
*/
abstract policy?: BucketPolicy;
/**
* Role used to set up permissions on this bucket for replication
*/
abstract replicationRoleArn?: string;
/**
* Indicates if a bucket resource policy should automatically created upon
* the first call to `addToResourcePolicy`.
*/
protected abstract autoCreatePolicy: boolean;
/**
* Whether to disallow public access
*/
abstract disallowPublicAccess?: boolean;
private notifications?;
protected notificationsHandlerRole?: iam.IRole;
protected notificationsSkipDestinationValidation?: boolean;
protected objectOwnership?: ObjectOwnership;
constructor(scope: Construct, id: string, props?: ResourceProps);
grantOnKey(grantee: IGrantable, ...actions: string[]): GrantOnKeyResult;
/**
* Collection of grant methods for a Bucket
*/
get grants(): BucketGrants;
/**
* Define a CloudWatch event that triggers when something happens to this repository
*
* Requires that there exists at least one CloudTrail Trail in your account
* that captures the event. This method will not create the Trail.
*
* @param id The id of the rule
* @param options Options for adding the rule
*/
onCloudTrailEvent(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule;
/**
* Defines an AWS CloudWatch event that triggers when an object is uploaded
* to the specified paths (keys) in this bucket using the PutObject API call.
*
* Note that some tools like `aws s3 cp` will automatically use either
* PutObject or the multipart upload API depending on the file size,
* so using `onCloudTrailWriteObject` may be preferable.
*
* Requires that there exists at least one CloudTrail Trail in your account
* that captures the event. This method will not create the Trail.
*
* @param id The id of the rule
* @param options Options for adding the rule
*/
onCloudTrailPutObject(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule;
/**
* Defines an AWS CloudWatch event that triggers when an object at the
* specified paths (keys) in this bucket are written to. This includes
* the events PutObject, CopyObject, and CompleteMultipartUpload.
*
* Note that some tools like `aws s3 cp` will automatically use either
* PutObject or the multipart upload API depending on the file size,
* so using this method may be preferable to `onCloudTrailPutObject`.
*
* Requires that there exists at least one CloudTrail Trail in your account
* that captures the event. This method will not create the Trail.
*
* @param id The id of the rule
* @param options Options for adding the rule
*/
onCloudTrailWriteObject(id: string, options?: OnCloudTrailBucketEventOptions): events.Rule;
/**
* Adds a statement to the resource policy for a principal (i.e.
* account/role/service) to perform actions on this bucket and/or its
* contents. Use `bucketArn` and `arnForObjects(keys)` to obtain ARNs for
* this bucket or objects.
*
* Note that the policy statement may or may not be added to the policy.
* For example, when an `IBucket` is created from an existing bucket,
* it's not possible to tell whether the bucket already has a policy
* attached, let alone to re-use that policy to add more statements to it.
* So it's safest to do nothing in these cases.
*
* @param permission the policy statement to be added to the bucket's
* policy.
* @returns metadata about the execution of this method. If the policy
* was not added, the value of `statementAdded` will be `false`. You
* should always check this value to make sure that the operation was
* actually carried out. Otherwise, synthesis and deploy will terminate
* silently, which may be confusing.
*/
addToResourcePolicy(permission: iam.PolicyStatement): iam.AddToResourcePolicyResult;
/**
* Ensures a bucket policy exists on the L2 if `autoCreatePolicy` is set.
*/
protected maybeAutoCreatePolicy(): void;
/**
* The https URL of an S3 object. Specify `regional: false` at the options
* for non-regional URLs. For example:
*
* - `https://s3.us-west-1.amazonaws.com/onlybucket`
* - `https://s3.us-west-1.amazonaws.com/bucket/key`
* - `https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey`
*
* @param key The S3 key of the object. If not specified, the URL of the
* bucket is returned.
* @returns an ObjectS3Url token
*/
urlForObject(key?: string): string;
/**
* The https Transfer Acceleration URL of an S3 object. Specify `dualStack: true` at the options
* for dual-stack endpoint (connect to the bucket over IPv6). For example:
*
* - `https://bucket.s3-accelerate.amazonaws.com`
* - `https://bucket.s3-accelerate.amazonaws.com/key`
*
* @param key The S3 key of the object. If not specified, the URL of the
* bucket is returned.
* @param options Options for generating URL.
* @returns an TransferAccelerationUrl token
*/
transferAccelerationUrlForObject(key?: string, options?: TransferAccelerationUrlOptions): string;
/**
* The virtual hosted-style URL of an S3 object. Specify `regional: false` at
* the options for non-regional URL. For example:
*
* - `https://only-bucket.s3.us-west-1.amazonaws.com`
* - `https://bucket.s3.us-west-1.amazonaws.com/key`
* - `https://bucket.s3.amazonaws.com/key`
* - `https://china-bucket.s3.cn-north-1.amazonaws.com.cn/mykey`
*
* @param key The S3 key of the object. If not specified, the URL of the
* bucket is returned.
* @param options Options for generating URL.
* @returns an ObjectS3Url token
*/
virtualHostedUrlForObject(key?: string, options?: VirtualHostedStyleUrlOptions): string;
/**
* The S3 URL of an S3 object. For example:
*
* - `s3://onlybucket`
* - `s3://bucket/key`
*
* @param key The S3 key of the object. If not specified, the S3 URL of the
* bucket is returned.
* @returns an ObjectS3Url token
*/
s3UrlForObject(key?: string): string;
/**
* Returns an ARN that represents all objects within the bucket that match
* the key pattern specified. To represent all keys, specify ``"*"``.
*
* If you need to specify a keyPattern with multiple components, concatenate them into a single string, e.g.:
*
* arnForObjects(`home/${team}/${user}/*`)
*
*/
arnForObjects(keyPattern: string): string;
/**
* Grant read permissions for this bucket and its contents to an IAM
* principal (Role/Group/User).
*
* If encryption is used, permission to use the key to decrypt the contents
* of the bucket will also be granted to the same principal.
*
*
* The use of this method is discouraged. Please use `grants.read()` instead.
*
* [disable-awslint:no-grants]
*
* @param identity The principal
* @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
*/
grantRead(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant;
/**
*
* The use of this method is discouraged. Please use `grants.write()` instead.
*
* [disable-awslint:no-grants]
*/
grantWrite(identity: iam.IGrantable, objectsKeyPattern?: any, allowedActionPatterns?: string[]): iam.Grant;
/**
* Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.
*
* If encryption is used, permission to use the key to encrypt the contents
* of written files will also be granted to the same principal.
*
*
* The use of this method is discouraged. Please use `grants.put()` instead.
*
* [disable-awslint:no-grants]
*
* @param identity The principal
* @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
*/
grantPut(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant;
/**
*
* The use of this method is discouraged. Please use `grants.putAcl()` instead.
*
* [disable-awslint:no-grants]
*/
grantPutAcl(identity: iam.IGrantable, objectsKeyPattern?: string): iam.Grant;
/**
* Grants s3:DeleteObject* permission to an IAM principal for objects
* in this bucket.
*
*
* The use of this method is discouraged. Please use `grants.delete()` instead.
*
* [disable-awslint:no-grants]
*
* @param identity The principal
* @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
*/
grantDelete(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant;
/**
*
* The use of this method is discouraged. Please use `grants.readWrite()` instead.
*
* [disable-awslint:no-grants]
*/
grantReadWrite(identity: iam.IGrantable, objectsKeyPattern?: any): iam.Grant;
/**
* Grant replication permission to a principal.
* This method allows the principal to perform replication operations on this bucket.
*
* Note that when calling this function for source or destination buckets that support KMS encryption,
* you need to specify the KMS key for encryption and the KMS key for decryption, respectively.
*
*
* The use of this method is discouraged. Please use `grants.replicationPermission()` instead.
*
* [disable-awslint:no-grants]
*
* @param identity The principal to grant replication permission to.
* @param props The properties of the replication source and destination buckets.
*/
grantReplicationPermission(identity: iam.IGrantable, props: GrantReplicationPermissionProps): iam.Grant;
/**
* Allows unrestricted access to objects from this bucket.
*
* IMPORTANT: This permission allows anyone to perform actions on S3 objects
* in this bucket, which is useful for when you configure your bucket as a
* website and want everyone to be able to read objects in the bucket without
* needing to authenticate.
*
* Without arguments, this method will grant read ("s3:GetObject") access to
* all objects ("*") in the bucket.
*
* The method returns the `iam.Grant` object, which can then be modified
* as needed. For example, you can add a condition that will restrict access only
* to an IPv4 range like this:
*
* const grant = bucket.grantPublicAccess();
* grant.resourceStatement!.addCondition(IpAddress, { “aws:SourceIp”: “54.240.143.0/24” });
*
* Note that if this `IBucket` refers to an existing bucket, possibly not
* managed by CloudFormation, this method will have no effect, since it's
* impossible to modify the policy of an existing bucket.
*
*
* The use of this method is discouraged. Please use `grants.publicAccess()` instead.
*
* [disable-awslint:no-grants]
*
* @param keyPrefix the prefix of S3 object keys (e.g. `home/*`). Default is "*".
* @param allowedActions the set of S3 actions to allow. Default is "s3:GetObject".
*/
grantPublicAccess(keyPrefix?: string, ...allowedActions: string[]): iam.Grant;
/**
* Adds a bucket notification event destination.
* @param event The event to trigger the notification
* @param dest The notification destination (Lambda, SNS Topic or SQS Queue)
*
* @param filters S3 object key filter rules to determine which objects
* trigger this event. Each filter must include a `prefix` and/or `suffix`
* that will be matched against the s3 object key. Refer to the S3 Developer Guide
* for details about allowed filter rules.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-how-to-filtering.html
*
* @example
*
* declare const myLambda: lambda.Function;
* const bucket = new s3.Bucket(this, 'MyBucket');
* const filter: s3.NotificationKeyFilter = { prefix: 'home/myusername/*' };
* bucket.addEventNotification(s3.EventType.OBJECT_CREATED, new s3n.LambdaDestination(myLambda), filter);
*
* @see
* https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html
*/
addEventNotification(event: EventType, dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void;
private withNotifications;
/**
* Subscribes a destination to receive notifications when an object is
* created in the bucket. This is identical to calling
* `onEvent(EventType.OBJECT_CREATED)`.
*
* @param dest The notification destination (see onEvent)
* @param filters Filters (see onEvent)
*/
addObjectCreatedNotification(dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void;
/**
* Subscribes a destination to receive notifications when an object is
* removed from the bucket. This is identical to calling
* `onEvent(EventType.OBJECT_REMOVED)`.
*
* @param dest The notification destination (see onEvent)
* @param filters Filters (see onEvent)
*/
addObjectRemovedNotification(dest: IBucketNotificationDestination, ...filters: NotificationKeyFilter[]): void;
/**
* Enables event bridge notification, causing all events below to be sent to EventBridge:
*
* - Object Deleted (DeleteObject)
* - Object Deleted (Lifecycle expiration)
* - Object Restore Initiated
* - Object Restore Completed
* - Object Restore Expired
* - Object Storage Class Changed
* - Object Access Tier Changed
* - Object ACL Updated
* - Object Tags Added
* - Object Tags Deleted
*/
enableEventBridgeNotification(): void;
/**
* Function to add required permissions to the destination bucket for cross account
* replication. These permissions will be added as a resource based policy on the bucket
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html
* If owner of the bucket needs to be overridden, set accessControlTransition to true and provide
* account ID in which destination bucket is hosted. For more information on accessControlTransition
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-accesscontroltranslation.html
*/
addReplicationPolicy(roleArn: string, accessControlTransition?: boolean, account?: string): void;
private urlJoin;
get bucketRef(): BucketReference;
}
export interface BlockPublicAccessOptions {
/**
* Whether to block public ACLs
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options
*/
readonly blockPublicAcls?: boolean;
/**
* Whether to block public policy
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options
*/
readonly blockPublicPolicy?: boolean;
/**
* Whether to ignore public ACLs
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options
*/
readonly ignorePublicAcls?: boolean;
/**
* Whether to restrict public access
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options
*/
readonly restrictPublicBuckets?: boolean;
}
export declare class BlockPublicAccess {
/**
* Use this option if you want to ensure every public access method is blocked.
* However keep in mind that this is the default state of an S3 bucket, and leaving blockPublicAccess undefined would also work.
*/
static readonly BLOCK_ALL: BlockPublicAccess;
/**
*
* @deprecated Use `BLOCK_ACLS_ONLY` instead.
*/
static readonly BLOCK_ACLS: BlockPublicAccess;
/**
* Use this option if you want to only block the ACLs, using this will set blockPublicPolicy and restrictPublicBuckets to false.
*/
static readonly BLOCK_ACLS_ONLY: BlockPublicAccess;
blockPublicAcls: boolean | undefined;
blockPublicPolicy: boolean | undefined;
ignorePublicAcls: boolean | undefined;
restrictPublicBuckets: boolean | undefined;
constructor(options: BlockPublicAccessOptions);
}
/**
* Specifies a metrics configuration for the CloudWatch request metrics from an Amazon S3 bucket.
*/
export interface BucketMetrics {
/**
* The ID used to identify the metrics configuration.
*/
readonly id: string;
/**
* The prefix that an object must have to be included in the metrics results.
*/
readonly prefix?: string;
/**
* Specifies a list of tag filters to use as a metrics configuration filter.
* The metrics configuration includes only objects that meet the filter's criteria.
*/
readonly tagFilters?: {
[tag: string]: any;
};
}
/**
* All http request methods
*/
export declare enum HttpMethods {
/**
* The GET method requests a representation of the specified resource.
*/
GET = "GET",
/**
* The PUT method replaces all current representations of the target resource with the request payload.
*/
PUT = "PUT",
/**
* The HEAD method asks for a response identical to that of a GET request, but without the response body.
*/
HEAD = "HEAD",
/**
* The POST method is used to submit an entity to the specified resource, often causing a change in state or side effects on the server.
*/
POST = "POST",
/**
* The DELETE method deletes the specified resource.
*/
DELETE = "DELETE"
}
/**
* Specifies a cross-origin access rule for an Amazon S3 bucket.
*/
export interface CorsRule {
/**
* A unique identifier for this rule.
*
* @default - No id specified.
*/
readonly id?: string;
/**
* The time in seconds that your browser is to cache the preflight response for the specified resource.
*
* @default - No caching.
*/
readonly maxAge?: number;
/**
* Headers that are specified in the Access-Control-Request-Headers header.
*
* @default - No headers allowed.
*/
readonly allowedHeaders?: string[];
/**
* An HTTP method that you allow the origin to execute.
*/
readonly allowedMethods: HttpMethods[];
/**
* One or more origins you want customers to be able to access the bucket from.
*/
readonly allowedOrigins: string[];
/**
* One or more headers in the response that you want customers to be able to access from their applications.
*
* @default - No headers exposed.
*/
readonly exposedHeaders?: string[];
}
/**
* All http request methods
*/
export declare enum RedirectProtocol {
HTTP = "http",
HTTPS = "https"
}
/**
* Specifies a redirect behavior of all requests to a website endpoint of a bucket.
*/
export interface RedirectTarget {
/**
* Name of the host where requests are redirected
*/
readonly hostName: string;
/**
* Protocol to use when redirecting requests
*
* @default - The protocol used in the original request.
*/
readonly protocol?: RedirectProtocol;
}
/**
* All supported inventory list formats.
*/
export declare enum InventoryFormat {
/**
* Generate the inventory list as CSV.
*/
CSV = "CSV",
/**
* Generate the inventory list as Parquet.
*/
PARQUET = "Parquet",
/**
* Generate the inventory list as ORC.
*/
ORC = "ORC"
}
/**
* All supported inventory frequencies.
*/
export declare enum InventoryFrequency {
/**
* A report is generated every day.
*/
DAILY = "Daily",
/**
* A report is generated every Sunday (UTC timezone) after the initial report.
*/
WEEKLY = "Weekly"
}
/**
* Inventory version support.
*/
export declare enum InventoryObjectVersion {
/**
* Includes all versions of each object in the report.
*/
ALL = "All",
/**
* Includes only the current version of each object in the report.
*/
CURRENT = "Current"
}
/**
* The destination of the inventory.
*/
export interface InventoryDestination {
/**
* Bucket where all inventories will be saved in.
*/
readonly bucket: IBucket;
/**
* The prefix to be used when saving the inventory.
*
* @default - No prefix.
*/
readonly prefix?: string;
/**
* The account ID that owns the destination S3 bucket.
* If no account ID is provided, the owner is not validated before exporting data.
* It's recommended to set an account ID to prevent problems if the destination bucket ownership changes.
*
* @default - No account ID.
*/
readonly bucketOwner?: string;
}
/**
* Specifies the inventory configuration of an S3 Bucket.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-inventory.html
*/
export interface Inventory {
/**
* The destination of the inventory.
*/
readonly destination: InventoryDestination;
/**
* The inventory will only include objects that meet the prefix filter criteria.
*
* @default - No objects prefix
*/
readonly objectsPrefix?: string;
/**
* The format of the inventory.
*
* @default InventoryFormat.CSV
*/
readonly format?: InventoryFormat;
/**
* Whether the inventory is enabled or disabled.
*
* @default true
*/
readonly enabled?: boolean;
/**
* The inventory configuration ID.
* Should be limited to 64 characters and can only contain letters, numbers, periods, dashes, and underscores.
*
* @default - generated ID.
*/
readonly inventoryId?: string;
/**
* Frequency at which the inventory should be generated.
*
* @default InventoryFrequency.WEEKLY
*/
readonly frequency?: InventoryFrequency;
/**
* If the inventory should contain all the object versions or only the current one.
*
* @default InventoryObjectVersion.ALL
*/
readonly includeObjectVersions?: InventoryObjectVersion;
/**
* A list of optional fields to be included in the inventory result.
*
* @default - No optional fields.
*/
readonly optionalFields?: string[];
}
/**
* The ObjectOwnership of the bucket.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html
*
*/
export declare enum ObjectOwnership {
/**
* ACLs are disabled, and the bucket owner automatically owns
* and has full control over every object in the bucket.
* ACLs no longer affect permissions to data in the S3 bucket.
* The bucket uses policies to define access control.
*/
BUCKET_OWNER_ENFORCED = "BucketOwnerEnforced",
/**
* The bucket owner will own the object if the object is uploaded with
* the bucket-owner-full-control canned ACL. Without this setting and
* canned ACL, the object is uploaded and remains owned by the uploading account.
*/
BUCKET_OWNER_PREFERRED = "BucketOwnerPreferred",
/**
* The uploading account will own the object.
*/
OBJECT_WRITER = "ObjectWriter"
}
/**
* The intelligent tiering configuration.
*/
export interface IntelligentTieringConfiguration {
/**
* Configuration name
*/
readonly name: string;
/**
* Add a filter to limit the scope of this configuration to a single prefix.
*
* @default this configuration will apply to **all** objects in the bucket.
*/
readonly prefix?: string;
/**
* You can limit the scope of this rule to the key value pairs added below.
*
* @default No filtering will be performed on tags
*/
readonly tags?: Tag[];
/**
* When enabled, Intelligent-Tiering will automatically move objects that
* havent been accessed for a minimum of 90 days to the Archive Access tier.
*
* @default Objects will not move to Glacier
*/
readonly archiveAccessTierTime?: Duration;
/**
* When enabled, Intelligent-Tiering will automatically move objects that
* havent been accessed for a minimum of 180 days to the Deep Archive Access
* tier.
*
* @default Objects will not move to Glacier Deep Access
*/
readonly deepArchiveAccessTierTime?: Duration;
}
/**
* The date source for the partitioned prefix.
*/
export declare enum PartitionDateSource {
/**
* The year, month, and day will be based on the timestamp of the S3 event in the file that's been delivered.
*/
EVENT_TIME = "EventTime",
/**
* The year, month, and day will be based on the time when the log file was delivered to S3.
*/
DELIVERY_TIME = "DeliveryTime"
}
/**
* The key format for the log object.
*/
export declare abstract class TargetObjectKeyFormat {
/**
* Use partitioned prefix for log objects.
* If you do not specify the dateSource argument, the default is EventTime.
*
* The partitioned prefix format as follow:
* [DestinationPrefix][SourceAccountId]/[SourceRegion]/[SourceBucket]/[YYYY]/[MM]/[DD]/[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]
*/
static partitionedPrefix(dateSource?: PartitionDateSource): TargetObjectKeyFormat;
/**
* Use the simple prefix for log objects.
*
* The simple prefix format as follow:
* [DestinationPrefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]
*/
static simplePrefix(): TargetObjectKeyFormat;
/**
* Render the log object key format.
*
* @internal
*/
abstract _render(): CfnBucket.LoggingConfigurationProperty['targetObjectKeyFormat'];
}
/**
* The replication time value used for S3 Replication Time Control (S3 RTC).
*/
export declare class ReplicationTimeValue {
readonly minutes: number;
/**
* Fifteen minutes.
*/
static readonly FIFTEEN_MINUTES: ReplicationTimeValue;
/**
* @param minutes the time in minutes
*/
private constructor();
}
/**
* Specifies which Amazon S3 objects to replicate and where to store the replicas.
*/
export interface ReplicationRule {
/**
* The destination bucket for the replicated objects.
*
* The destination can be either in the same AWS account or a cross account.
*
* If you want to configure cross-account replication,
* the destination bucket must have a policy that allows the source bucket to replicate objects to it.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html
*/
readonly destination: IBucket;
/**
* Whether to want to change replica ownership to the AWS account that owns the destination bucket.
*
* This can only be specified if the source bucket and the destination bucket are not in the same AWS account.
*
* @default - The replicas are owned by same AWS account that owns the source object
*/
readonly accessControlTransition?: boolean;
/**
* Specifying S3 Replication Time Control (S3 RTC),
* including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated.
*
* @default - S3 Replication Time Control is not enabled
*/
readonly replicationTimeControl?: ReplicationTimeValue;
/**
* A container specifying replication metrics-related settings enabling replication metrics and events.
*
* When a value is set, metrics will be output to indicate whether the replication took longer than the specified time.
*
* @default - Replication metrics are not enabled
*/
readonly metrics?: ReplicationTimeValue;
/**
* The customer managed AWS KMS key stored in AWS Key Management Service (KMS) for the destination bucket.
* Amazon S3 uses this key to encrypt replica objects.
*
* Amazon S3 only supports symmetric encryption KMS keys.
*
* @see https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
*
* @default - Amazon S3 uses the AWS managed KMS key for encryption
*/
readonly kmsKey?: kms.IKey;
/**
* The storage class to use when replicating objects, such as S3 Standard or reduced redundancy.
*
* @default - The storage class of the source object
*/
readonly storageClass?: StorageClass;
/**
* Specifies whether Amazon S3 replicates objects created with server-side encryption using an AWS KMS key stored in AWS Key Management Service.
*
* @default false
*/
readonly sseKmsEncryptedObjects?: boolean;
/**
* Specifies whether Amazon S3 replicates modifications on replicas.
*
* @default false
*/
readonly replicaModifications?: boolean;
/**
* The priority indicates which rule has precedence whenever two or more replication rules conflict.
*
* Amazon S3 will attempt to replicate objects according to all replication rules.
* However, if there are two or more rules with the same destination bucket,
* then objects will be replicated according to the rule with the highest priority.
*
* The higher the number, the higher the priority.
*
* It is essential to specify priority explicitly when the replication configuration has multiple rules.
*
* @default 0
*/
readonly priority?: number;
/**
* Specifies whether Amazon S3 replicates delete markers.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-marker-replication.html
*
* @default - delete markers in source bucket is not replicated to destination bucket
*/
readonly deleteMarkerReplication?: boolean;
/**
* A unique identifier for the rule.
*
* The maximum value is 255 characters.
*
* @default - auto generated random ID
*/
readonly id?: string;
/**
* A filter that identifies the subset of objects to which the replication rule applies.
*
* @default - applies to all objects
*/
readonly filter?: Filter;
}
/**
* A filter that identifies the subset of objects to which the replication rule applies.
*/
export interface Filter {
/**
* An object key name prefix that identifies the object or objects to which the rule applies.
*
* @default - applies to all objects
*/
readonly prefix?: string;
/**
* The tag array used for tag filters.
*
* The rule applies only to objects that have the tag in this set.
*
* @default - applies to all objects
*/
readonly tags?: Tag[];
}
/**
* The transition default minimum object size for lifecycle
*/
export declare enum TransitionDefaultMinimumObjectSize {
/**
* Objects smaller than 128 KB will not transition to any storage class by default.
*/
ALL_STORAGE_CLASSES_128_K = "all_storage_classes_128K",
/**
* Objects smaller than 128 KB will transition to Glacier Flexible Retrieval or Glacier
* Deep Archive storage classes.
*
* By default, all other storage classes will prevent transitions smaller than 128 KB.
*/
VARIES_BY_STORAGE_CLASS = "varies_by_storage_class"
}
export interface BucketProps {
/**
* The kind of server-side encryption to apply to this bucket.
*
* If you choose KMS, you can specify a KMS key via `encryptionKey`. If
* encryption key is not specified, a key will automatically be created.
*
* @default - `KMS` if `encryptionKey` is specified, or `S3_MANAGED` otherwise.
*/
readonly encryption?: BucketEncryption;
/**
* External KMS key to use for bucket encryption.
*
* The `encryption` property must be either not specified or set to `KMS` or `DSSE`.
* An error will be emitted if `encryption` is set to `UNENCRYPTED` or `S3_MANAGED`.
*
* @default - If `encryption` is set to `KMS` and this property is undefined,
* a new KMS key will be created and associated with this bucket.
*/
readonly encryptionKey?: kms.IKey;
/**
* Encryption types that should be blocked for this bucket. Use `NONE` to allow all
* encryption types.
*
* At least one `BlockedEncryptionType` must be given. If `NONE` is given, it must be
* the only `BlockedEncryptionType` in the list.
*
* @default - Amazon S3 determines which encryption types to block.
*/
readonly blockedEncryptionTypes?: BlockedEncryptionType[];
/**
* Enforces SSL for requests. S3.5 of the AWS Foundational Security Best Practices Regarding S3.
* @see https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html
*
* @default false
*/
readonly enforceSSL?: boolean;
/**
* Whether Amazon S3 should use its own intermediary key to generate data keys.
*
* Only relevant when using KMS for encryption.
*
* - If not enabled, every object GET and PUT will cause an API call to KMS (with the
* attendant cost implications of that).
* - If enabled, S3 will use its own time-limited key instead.
*
* Only relevant, when Encryption is not set to `BucketEncryption.UNENCRYPTED`.
*
* @default - false
*/
readonly bucketKeyEnabled?: boolean;
/**
* Physical name of this bucket.
*
* @default - Assigned by CloudFormation (recommended).
*/
readonly bucketName?: string;
/**
* Policy to apply when the bucket is removed from this stack.
*
* @default - The bucket will be orphaned.
*/
readonly removalPolicy?: RemovalPolicy;
/**
* Whether all objects should be automatically deleted when the bucket is
* removed from the stack or when the stack is deleted.
*
* Requires the `removalPolicy` to be set to `RemovalPolicy.DESTROY`.
*
* **Warning** if you have deployed a bucket with `autoDeleteObjects: true`,
* switching this to `false` in a CDK version *before* `1.126.0` will lead to
* all objects in the bucket being deleted. Be sure to update your bucket resources
* by deploying with CDK version `1.126.0` or later **before** switching this value to `false`.
*
* Setting `autoDeleteObjects` to true on a bucket will add `s3:PutBucketPolicy` to the
* bucket policy. This is because during bucket deletion, the custom resource provider
* needs to update the bucket policy by adding a deny policy for `s3:PutObject` to
* prevent race conditions with external bucket writers.
*
* @default false
*/
readonly autoDeleteObjects?: boolean;
/**
* Whether this bucket should have versioning turned on or not.
*
* @default false (unless object lock is enabled, then true)
*/
readonly versioned?: boolean;
/**
* Enable object lock on the bucket.
*
* Enabling object lock for existing buckets is not supported. Object lock must be
* enabled when the bucket is created.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-bucket-config-enable
*
* @default false, unless objectLockDefaultRetention is set (then, true)
*/
readonly objectLockEnabled?: boolean;
/**
* Enables Amazon S3 to evaluate the ABAC policy in the request.
* Set to true to enable ABAC, false to explicitly disable it.
*
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-abacstatus
*
* @default - The ABAC status is not set
*/
readonly abacStatus?: boolean;
/**
* The default retention mode and rules for S3 Object Lock.
*
* Default retention can be configured after a bucket is created if the bucket already
* has object lock enabled. Enabling object lock for existing buckets is not supported.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-bucket-config-enable
*
* @default no default retention period
*/
readonly objectLockDefaultRetention?: ObjectLockRetention;
/**
* Whether this bucket should send notifications to Amazon EventBridge or not.
*
* @default false
*/
readonly eventBridgeEnabled?: boolean;
/**
* Rules that define how Amazon S3 manages objects during their lifetime.
*
* @default - No lifecycle rules.
*/
readonly lifecycleRules?: LifecycleRule[];
/**
* Indicates which default minimum object size behavior is applied to the lifecycle configuration.
*
* To customize the minimum object size for any transition you can add a filter that specifies a custom
* `objectSizeGreaterThan` or `objectSizeLessThan` for `lifecycleRules` property. Custom filters always
* take precedence over the default transition behavior.
*
* @default - TransitionDefaultMinimumObjectSize.VARIES_BY_STORAGE_CLASS before September 2024,
* otherwise TransitionDefaultMinimumObjectSize.ALL_STORAGE_CLASSES_128_K.
*/
readonly transitionDefaultMinimumObjectSize?: TransitionDefaultMinimumObjectSize;
/**
* The name of the index document (e.g. "index.html") for the website. Enables static website
* hosting for this bucket.
*
* @default - No index document.
*/
readonly websiteIndexDocument?: string;
/**
* The name of the error document (e.g. "404.html") for the website.
* `websiteIndexDocument` must also be set if this is set.
*
* @default - No error document.
*/
readonly websiteErrorDocument?: string;
/**
* Specifies the redirect behavior of all requests to a website endpoint of a bucket.
*
* If you specify this property, you can't specify "websiteIndexDocument", "websiteErrorDocument" nor , "websiteRoutingRules".
*
* @default - No redirection.
*/
readonly websiteRedirect?: RedirectTarget;
/**
* Rules that define when a redirect is applied and the redirect behavior
*
* @default - No redirection rules.
*/
readonly websiteRoutingRules?: RoutingRule[];
/**
* Specifies a canned ACL that grants predefined permissions to the bucket.
*
* @default BucketAccessControl.PRIVATE
*/
readonly accessControl?: BucketAccessControl;
/**
* Grants public read access to all objects in the bucket.
* Similar to calling `bucket.grantPublicAccess()`
*
* @default false
*/
readonly publicReadAccess?: boolean;
/**
* The block public access configuration of this bucket.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
*
*
* @default - CloudFormation defaults will apply. New buckets and objects don't allow public access, but users can modify bucket policies or object permissions to allow public access
*/
readonly blockPublicAccess?: BlockPublicAccess;
/**
* The metrics configuration of this bucket.
*
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-metricsconfiguration.html
*
* @default - No metrics configuration.
*/
readonly metrics?: BucketMetrics[];
/**
* The CORS configuration of this bucket.
*
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-cors.html
*
* @default - No CORS configuration.
*/
readonly cors?: CorsRule[];
/**
* Destination bucket for the server access logs.
* @default - If "serverAccessLogsPrefix" undefined - access logs disabled, otherwise - log to current bucket.
*/
readonly serverAccessLogsBucket?: IBucket;
/**
* Optional log file prefix to use for the bucket's access logs.
* If defined without "serverAccessLogsBucket", enables access logs to current bucket with this prefix.
* @default - No log file prefix
*/
readonly serverAccessLogsPrefix?: string;
/**
* Optional key format for log objects.
*
* @default - the default key format is: [DestinationPrefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]
*/
readonly targetObjectKeyFormat?: TargetObjectKeyFormat;
/**
* The inventory configuration of the bucket.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-inventory.html
*
* @default - No inventory configuration
*/
readonly inventories?: Inventory[];
/**
* The objectOwnership of the bucket.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html
*
* @default - No ObjectOwnership configuration. By default, Amazon S3 sets Object Ownership to `Bucket owner enforced`.
* This means ACLs are disabled and the bucket owner will own every object.
*
*/
readonly objectOwnership?: ObjectOwnership;
/**
* Whether this bucket should have transfer acceleration turned on or not.
*
* @default false
*/
readonly transferAcceleration?: boolean;
/**
* The role to be used by the notifications handler
*
* @default - a new role will be created.
*/
readonly notificationsHandlerRole?: iam.IRole;
/**
* Skips notification validation of Amazon SQS, Amazon SNS, and Lambda destinations.
*
* @default false
*/
readonly notificationsSkipDestinationValidation?: boolean;
/**
* Intelligent Tiering Configurations
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/intelligent-tiering.html
*
* @default No Intelligent Tiering Configurations.
*/
readonly intelligentTieringConfigurations?: IntelligentTieringConfiguration[];
/**
* Enforces minimum TLS version for requests.
*
* Requires `enforceSSL` to be enabled.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html#example-object-tls-version
*
* @default No minimum TLS version is enforced.
*/
readonly minimumTLSVersion?: number;
/**
* The role to be used by the replication.
*
* When setting this property, you must also set `replicationRules`.
*
* @default - a new role will be created.
*/
readonly replicationRole?: iam.IRole;
/**
* A container for one or more replication rules.
*
* @default - No replication
*/
readonly replicationRules?: ReplicationRule[];
}
/**
* Tag
*/
export interface Tag {
/**
* key to e tagged
*/
readonly key: string;
/**
* additional value
*/
readonly value: string;
}
/**
* An S3 bucket with associated policy objects
*
* This bucket does not yet have all features that exposed by the underlying
* BucketResource.
*
* @example
* import { RemovalPolicy } from 'aws-cdk-lib';
*
* new s3.Bucket(scope, 'Bucket', {
* blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
* encryption: s3.BucketEncryption.S3_MANAGED,
* enforceSSL: true,
* versioned: true,
* removalPolicy: RemovalPolicy.RETAIN,
* });
*
*/
export declare class Bucket extends BucketBase {
/**
* Uniquely identifies this class.
*/
static readonly PROPERTY_INJECTION_ID: string;
static fromBucketArn(scope: Construct, id: string, bucketArn: string): IBucket;
static fromBucketName(scope: Construct, id: string, bucketName: string): IBucket;
/**
* Creates a Bucket construct that represents an external bucket.
*
* @param scope The parent creating construct (usually `this`).
* @param id The construct's name.
* @param attrs A `BucketAttributes` object. Can be obtained from a call to
* `bucket.export()` or manually created.
*/
static fromBucketAttributes(scope: Construct, id: string, attrs: BucketAttributes): IBucket;
/**
* Create a mutable `IBucket` based on a low-level `CfnBucket`.
*/
static fromCfnBucket(cfnBucket: CfnBucket): IBucket;
/**
* Thrown an exception if the given bucket name is not valid.
*
* @param physicalName name of the bucket.
* @param allowLegacyBucketNaming allow legacy bucket naming style, default is false.
*/
static validateBucketName(physicalName: string, allowLegacyBucketNaming?: boolean): void;
/**
* Return any errors against the bucket name
*/
private static _validateBucketName;
/**
* Like 'validateBucketName', but has an instance to throw a scoped ValidationError against
*/
private static validateBucketNameScoped;
get bucketArn(): string;
get bucketName(): string;
readonly bucketDomainName: string;
readonly bucketWebsiteUrl: string;
get bucketWebsiteDomainName(): string;
readonly bucketDualStackDomainName: string;
readonly bucketRegionalDomainName: string;
readonly encryptionKey?: kms.IKey;
get isWebsite(): boolean | undefined;
policy?: BucketPolicy;
replicationRoleArn?: string;
protected autoCreatePolicy: boolean;
get disallowPublicAccess(): boolean | undefined;
set disallowPublicAccess(_value: boolean | undefined);
private accessControl?;
private readonly lifecycleRules;
private readonly transitionDefaultMinimumObjectSize?;
private readonly eventBridgeEnabled?;
private readonly metrics;
private readonly cors;
private readonly inventories;
private readonly _resource;
private readonly reflection;
constructor(scope: Construct, id: string, props?: BucketProps);
/**
* Add a lifecycle rule to the bucket
*
* @param rule The rule to add
*/
addLifecycleRule(rule: LifecycleRule): void;
/**
* Adds a metrics configuration for the CloudWatch request metrics from the bucket.
*
* @param metric The metric configuration to add
*/
addMetric(metric: BucketMetrics): void;
/**
* Adds a cross-origin access configuration for objects in an Amazon S3 bucket
*
* @param rule The CORS configuration rule to add
*/
addCorsRule(rule: CorsRule): void;
/**
* Add an inventory configuration.
*
* @param inventory configuration to add
*/
addInventory(inventory: Inventory): void;
/**
* Adds an iam statement to enforce SSL requests only.
*/
private enforceSSLStatement;
/**
* Adds an iam statement to allow requests with a minimum TLS
* version only.
*/
private minimumTLSVersionStatement;
/**
* Set up key properties and return the Bucket encryption property from the
* user's configuration, according to the following table:
*
* | props.encryption | props.encryptionKey | props.bucketKeyEnabled | bucketEncryption (return value) | encryptionKey (return value) |
* |------------------|---------------------|------------------------|---------------------------------|------------------------------|
* | undefined | undefined | e | undefined | undefined |
* | UNENCRYPTED | undefined | false | undefined | undefined |
* | undefined | k | e | SSE-KMS, bucketKeyEnabled = e | k |
* | KMS | k | e | SSE-KMS, bucketKeyEnabled = e | k |
* | KMS | undefined | e | SSE-KMS, bucketKeyEnabled = e | new key |
* | KMS_MANAGED | undefined | e | SSE-KMS, bucketKeyEnabled = e | undefined |
* | S3_MANAGED | undefined | false | SSE-S3 | undefined |
* | S3_MANAGED | undefined | e | SSE-S3, bucketKeyEnabled = e | undefined |
* | UNENCRYPTED | undefined | true | ERROR! | ERROR! |
* | UNENCRYPTED | k | e | ERROR! | ERROR! |
* | KMS_MANAGED | k | e | ERROR! | ERROR! |
* | S3_MANAGED | undefined | true | ERROR! | ERROR! |
* | S3_MANAGED | k | e | ERROR! | ERROR! |
*/
private parseEncryption;
/**
* Parse the lifecycle configuration out of the bucket props
* @param props Par
*/
private parseLifecycleConfiguration;
private parseServerAccessLogs;
private parseMetricConfiguration;
private parseCorsConfiguration;
private parseTagFilters;
private parseOwnershipControls;
private parseTieringConfig;
private parseObjectLockConfig;
private renderWebsiteConfiguration;
private renderReplicationConfiguration;
/**
* Allows Log Delivery to the S3 bucket, using a Bucket Policy if the relevant feature
* flag is enabled, otherwise the canned ACL is used.
*
* If log delivery is to be allowed using the ACL and an ACL has already been set, this fails.
*
* @see
* https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html
*/
private allowLogDelivery;
private parseInventoryConfiguration;
private enableAutoDeleteObjects;
/**
* Function to set the blockPublicAccessOptions to a true default if not defined.
* If no blockPublicAccessOptions are specified at all, this is already the case as an s3 default in aws
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
*/
private setDefaultPublicAccessBlockConfig;
}
/**
* What kind of server-side encryption to apply to this bucket
*/
export declare enum BucketEncryption {
/**
* Previous option. Buckets can not be unencrypted now.
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html
* @deprecated S3 applies server-side encryption with SSE-S3 for every bucket
* that default encryption is not configured.
*/
UNENCRYPTED = "UNENCRYPTED",
/**
* Server-side KMS encryption with a master key managed by KMS.
*/
KMS_MANAGED = "KMS_MANAGED",
/**
* Server-side encryption with a master key managed by S3.
*/
S3_MANAGED = "S3_MANAGED",
/**
* Server-side encryption with a KMS key managed by the user.
* If `encryptionKey` is specified, this key will be used, otherwise, one will be defined.
*/
KMS = "KMS",
/**
* Double server-side KMS encryption with a master key managed by KMS.
*/
DSSE_MANAGED = "DSSE_MANAGED",
/**
* Double server-side encryption with a KMS key managed by the user.
* If `encryptionKey` is specified, this key will be used, otherwise, one will be defined.
*/
DSSE = "DSSE"
}
/**
* Encryption types that can be blocked on an S3 bucket.
*/
export declare class BlockedEncryptionType {
readonly name: string;
/** Special value - all encryption types are allowed */
static readonly NONE: BlockedEncryptionType;
/** Server-Side Encryption with customer-provided keys (SSE-C) is blocked */
static readonly SSE_C: BlockedEncryptionType;
/**
* Use this constructor only if S3 releases a new BlockedEncryptionType
* that is unknown to CDK. Otherwise, use this class's static constants.
*/
static custom(name: string): BlockedEncryptionType;
/**
* @param name The name for this blocked encryption type used in the API
*/
private constructor();
}
/**
* Notification event types.
* @link https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-how-to-event-types-and-destinations.html#supported-notification-event-types
*/
export declare enum EventType {
/**
* Amazon S3 APIs such as PUT, POST, and COPY can create an object. Using
* these event types, you can enable notification when an object is created
* using a specific API, or you can use the s3:ObjectCreated:* event type to
* request notification regardless of the API that was used to create an
* object.
*/
OBJECT_CREATED = "s3:ObjectCreated:*",
/**
* Amazon S3 APIs such as PUT, POST, and COPY can create an object. Using
* these event types, you can enable notification when an object is created
* using a specific API, or you can use the s3:ObjectCreated:* event type to
* request notification regardless of the API that was used to create an
* object.
*/
OBJECT_CREATED_PUT = "s3:ObjectCreated:Put",
/**
* Amazon S3 APIs such as PUT, POST, and COPY can create an object. Using
* these event types, you can enable notification when an object is created
* using a specific API, or you can use the s3:ObjectCreated:* event type to
* request notification regardless of the API that was used to create an
* object.
*/
OBJECT_CREATED_POST = "s3:ObjectCreated:Post",
/**
* Amazon S3 APIs such as PUT, POST, and COPY can create an object. Using
* these event types, you can enable notification when an object is created
* using a specific API, or you can use the s3:ObjectCreated:* event type to
* request notification regardless of the API that was used to create an
* object.
*/
OBJECT_CREATED_COPY = "s3:ObjectCreated:Copy",
/**
* Amazon S3 APIs such as PUT, POST, and COPY can create an object. Using
* these event types, you can enable notification when an object is created
* using a specific API, or you can use the s3:ObjectCreated:* event type to
* request notification regardless of the API that was used to create an
* object.
*/
OBJECT_CREATED_COMPLETE_MULTIPART_UPLOAD = "s3:ObjectCreated:CompleteMultipartUpload",
/**
* By using the ObjectRemoved event types, you can enable notification when
* an object or a batch of objects is removed from a bucket.
*
* You can request notification when an object is deleted or a versioned
* object is permanently deleted by using the s3:ObjectRemoved:Delete event
* type. Or you can request notification when a delete marker is created for
* a versioned object by using s3:ObjectRemoved:DeleteMarkerCreated. For
* information about deleting versioned objects, see Deleting Object
* Versions. You can also use a wildcard s3:ObjectRemoved:* to request
* notification anytime an object is deleted.
*
* You will not receive event notifications from automatic deletes from
* lifecycle policies or from failed operations.
*/
OBJECT_REMOVED = "s3:ObjectRemoved:*",
/**
* By using the ObjectRemoved event types, you can enable notification when
* an object or a batch of objects is removed from a bucket.
*
* You can request notification when an object is deleted or a versioned
* object is permanently deleted by using the s3:ObjectRemoved:Delete event
* type. Or you can request notification when a delete marker is created for
* a versioned object by using s3:ObjectRemoved:DeleteMarkerCreated. For
* information about deleting versioned objects, see Deleting Object
* Versions. You can also use a wildcard s3:ObjectRemoved:* to request
* notification anytime an object is deleted.
*
* You will not receive event notifications from automatic deletes from
* lifecycle policies or from failed operations.
*/
OBJECT_REMOVED_DELETE = "s3:ObjectRemoved:Delete",
/**
* By using the ObjectRemoved event types, you can enable notification when
* an object or a batch of objects is removed from a bucket.
*
* You can request notification when an object is deleted or a versioned
* object is permanently deleted by using the s3:ObjectRemoved:Delete event
* type. Or you can request notification when a delete marker is created for
* a versioned object by using s3:ObjectRemoved:DeleteMarkerCreated. For
* information about deleting versioned objects, see Deleting Object
* Versions. You can also use a wildcard s3:ObjectRemoved:* to request
* notification anytime an object is deleted.
*
* You will not receive event notifications from automatic deletes from
* lifecycle policies or from failed operations.
*/
OBJECT_REMOVED_DELETE_MARKER_CREATED = "s3:ObjectRemoved:DeleteMarkerCreated",
/**
* Using restore object event types you can receive notifications for
* initiation and completion when restoring objects from the S3 Glacier
* storage class.
*
* You use s3:ObjectRestore:Post to request notification of object restoration
* initiation.
*/
OBJECT_RESTORE_POST = "s3:ObjectRestore:Post",
/**
* Using restore object event types you can receive notifications for
* initiation and completion when restoring objects from the S3 Glacier
* storage class.
*
* You use s3:ObjectRestore:Completed to request notification of
* restoration completion.
*/
OBJECT_RESTORE_COMPLETED = "s3:ObjectRestore:Completed",
/**
* Using restore object event types you can receive notifications for
* initiation and completion when restoring objects from the S3 Glacier
* storage class.
*
* You use s3:ObjectRestore:Delete to request notification of
* restoration completion.
*/
OBJECT_RESTORE_DELETE = "s3:ObjectRestore:Delete",
/**
* You can use this event type to request Amazon S3 to send a notification
* message when Amazon S3 detects that an object of the RRS storage class is
* lost.
*/
REDUCED_REDUNDANCY_LOST_OBJECT = "s3:ReducedRedundancyLostObject",
/**
* You receive this notification event when an object that was eligible for
* replication using Amazon S3 Replication Time Control failed to replicate.
*/
REPLICATION_OPERATION_FAILED_REPLICATION = "s3:Replication:OperationFailedReplication",
/**
* You receive this notification event when an object that was eligible for
* replication using Amazon S3 Replication Time Control exceeded the 15-minute
* threshold for replication.
*/
REPLICATION_OPERATION_MISSED_THRESHOLD = "s3:Replication:OperationMissedThreshold",
/**
* You receive this notification event for an object that was eligible for
* replication using the Amazon S3 Replication Time Control feature replicated
* after the 15-minute threshold.
*/
REPLICATION_OPERATION_REPLICATED_AFTER_THRESHOLD = "s3:Replication:OperationReplicatedAfterThreshold",
/**
* You receive this notification event for an object that was eligible for
* replication using Amazon S3 Replication Time Control but is no longer tracked
* by replication metrics.
*/
REPLICATION_OPERATION_NOT_TRACKED = "s3:Replication:OperationNotTracked",
/**
* By using the LifecycleExpiration event types, you can receive a notification
* when Amazon S3 deletes an object based on your S3 Lifecycle configuration.
*/
LIFECYCLE_EXPIRATION = "s3:LifecycleExpiration:*",
/**
* The s3:LifecycleExpiration:Delete event type notifies you when an object
* in an unversioned bucket is deleted.
* It also notifies you when an object version is permanently deleted by an
* S3 Lifecycle configuration.
*/
LIFECYCLE_EXPIRATION_DELETE = "s3:LifecycleExpiration:Delete",
/**
* The s3:LifecycleExpiration:DeleteMarkerCreated event type notifies you
* when S3 Lifecycle creates a delete marker when a current version of an
* object in versioned bucket is deleted.
*/
LIFECYCLE_EXPIRATION_DELETE_MARKER_CREATED = "s3:LifecycleExpiration:DeleteMarkerCreated",
/**
* You receive this notification event when an object is transitioned to
* another Amazon S3 storage class by an S3 Lifecycle configuration.
*/
LIFECYCLE_TRANSITION = "s3:LifecycleTransition",
/**
* You receive this notification event when an object within the
* S3 Intelligent-Tiering storage class moved to the Archive Access tier or
* Deep Archive Access tier.
*/
INTELLIGENT_TIERING = "s3:IntelligentTiering",
/**
* By using the ObjectTagging event types, you can enable notification when
* an object tag is added or deleted from an object.
*/
OBJECT_TAGGING = "s3:ObjectTagging:*",
/**
* The s3:ObjectTagging:Put event type notifies you when a tag is PUT on an
* object or an existing tag is updated.
*/
OBJECT_TAGGING_PUT = "s3:ObjectTagging:Put",
/**
* The s3:ObjectTagging:Delete event type notifies you when a tag is removed
* from an object.
*/
OBJECT_TAGGING_DELETE = "s3:ObjectTagging:Delete",
/**
* You receive this notification event when an ACL is PUT on an object or when
* an existing ACL is changed.
* An event is not generated when a request results in no change to an
* objects ACL.
*/
OBJECT_ACL_PUT = "s3:ObjectAcl:Put",
/**
* Using restore object event types you can receive notifications for
* initiation and completion when restoring objects from the S3 Glacier
* storage class.
*
* You use s3:ObjectRestore:* to request notification of
* any restoration event.
*/
OBJECT_RESTORE = "s3:ObjectRestore:*",
/**
* You receive this notification event for any object replication event.
*/
REPLICATION = "s3:Replication:*"
}
export interface NotificationKeyFilter {
/**
* S3 keys must have the specified prefix.
*/
readonly prefix?: string;
/**
* S3 keys must have the specified suffix.
*/
readonly suffix?: string;
}
/**
* Options for the onCloudTrailPutObject method
*/
export interface OnCloudTrailBucketEventOptions extends events.OnEventOptions {
/**
* Only watch changes to these object paths
*
* @default - Watch changes to all objects
*/
readonly paths?: string[];
}
/**
* Default bucket access control types.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html
*/
export declare enum BucketAccessControl {
/**
* Owner gets FULL_CONTROL. No one else has access rights.
*/
PRIVATE = "Private",
/**
* Owner gets FULL_CONTROL. The AllUsers group gets READ access.
*/
PUBLIC_READ = "PublicRead",
/**
* Owner gets FULL_CONTROL. The AllUsers group gets READ and WRITE access.
* Granting this on a bucket is generally not recommended.
*/
PUBLIC_READ_WRITE = "PublicReadWrite",
/**
* Owner gets FULL_CONTROL. The AuthenticatedUsers group gets READ access.
*/
AUTHENTICATED_READ = "AuthenticatedRead",
/**
* The LogDelivery group gets WRITE and READ_ACP permissions on the bucket.
* @see https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
*/
LOG_DELIVERY_WRITE = "LogDeliveryWrite",
/**
* Object owner gets FULL_CONTROL. Bucket owner gets READ access.
* If you specify this canned ACL when creating a bucket, Amazon S3 ignores it.
*/
BUCKET_OWNER_READ = "BucketOwnerRead",
/**
* Both the object owner and the bucket owner get FULL_CONTROL over the object.
* If you specify this canned ACL when creating a bucket, Amazon S3 ignores it.
*/
BUCKET_OWNER_FULL_CONTROL = "BucketOwnerFullControl",
/**
* Owner gets FULL_CONTROL. Amazon EC2 gets READ access to GET an Amazon Machine Image (AMI) bundle from Amazon S3.
*/
AWS_EXEC_READ = "AwsExecRead"
}
export interface RoutingRuleCondition {
/**
* The HTTP error code when the redirect is applied
*
* In the event of an error, if the error code equals this value, then the specified redirect is applied.
*
* If both condition properties are specified, both must be true for the redirect to be applied.
*
* @default - The HTTP error code will not be verified
*/
readonly httpErrorCodeReturnedEquals?: string;
/**
* The object key name prefix when the redirect is applied
*
* If both condition properties are specified, both must be true for the redirect to be applied.
*
* @default - The object key name will not be verified
*/
readonly keyPrefixEquals?: string;
}
export declare class ReplaceKey {
readonly withKey?: string | undefined;
readonly prefixWithKey?: string | undefined;
/**
* The specific object key to use in the redirect request
*/
static with(keyReplacement: string): ReplaceKey;
/**
* The object key prefix to use in the redirect request
*/
static prefixWith(keyReplacement: string): ReplaceKey;
private constructor();
}
/**
* Rule that define when a redirect is applied and the redirect behavior.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-page-redirect.html
*/
export interface RoutingRule {
/**
* The host name to use in the redirect request
*
* @default - The host name used in the original request.
*/
readonly hostName?: string;
/**
* The HTTP redirect code to use on the response
*
* @default "301" - Moved Permanently
*/
readonly httpRedirectCode?: string;
/**
* Protocol to use when redirecting requests
*
* @default - The protocol used in the original request.
*/
readonly protocol?: RedirectProtocol;
/**
* Specifies the object key prefix to use in the redirect request
*
* @default - The key will not be replaced
*/
readonly replaceKey?: ReplaceKey;
/**
* Specifies a condition that must be met for the specified redirect to apply.
*
* @default - No condition
*/
readonly condition?: RoutingRuleCondition;
}
/**
* Modes in which S3 Object Lock retention can be configured.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-retention-modes
*/
export declare enum ObjectLockMode {
/**
* The Governance retention mode.
*
* With governance mode, you protect objects against being deleted by most users, but you can
* still grant some users permission to alter the retention settings or delete the object if
* necessary. You can also use governance mode to test retention-period settings before
* creating a compliance-mode retention period.
*/
GOVERNANCE = "GOVERNANCE",
/**
* The Compliance retention mode.
*
* When an object is locked in compliance mode, its retention mode can't be changed, and
* its retention period can't be shortened. Compliance mode helps ensure that an object
* version can't be overwritten or deleted for the duration of the retention period.
*/
COMPLIANCE = "COMPLIANCE"
}
/**
* The default retention settings for an S3 Object Lock configuration.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html
*/
export declare class ObjectLockRetention {
/**
* Configure for Governance retention for a specified duration.
*
* With governance mode, you protect objects against being deleted by most users, but you can
* still grant some users permission to alter the retention settings or delete the object if
* necessary. You can also use governance mode to test retention-period settings before
* creating a compliance-mode retention period.
*
* @param duration the length of time for which objects should retained
* @returns the ObjectLockRetention configuration
*/
static governance(duration: Duration): ObjectLockRetention;
/**
* Configure for Compliance retention for a specified duration.
*
* When an object is locked in compliance mode, its retention mode can't be changed, and
* its retention period can't be shortened. Compliance mode helps ensure that an object
* version can't be overwritten or deleted for the duration of the retention period.
*
* @param duration the length of time for which objects should be retained
* @returns the ObjectLockRetention configuration
*/
static compliance(duration: Duration): ObjectLockRetention;
/**
* The default period for which objects should be retained.
*/
readonly duration: Duration;
/**
* The retention mode to use for the object lock configuration.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-retention-modes
*/
readonly mode: ObjectLockMode;
private constructor();
}
/**
* Options for creating Virtual-Hosted style URL.
*/
export interface VirtualHostedStyleUrlOptions {
/**
* Specifies the URL includes the region.
*
* @default - true
*/
readonly regional?: boolean;
}
/**
* Options for creating a Transfer Acceleration URL.
*/
export interface TransferAccelerationUrlOptions {
/**
* Dual-stack support to connect to the bucket over IPv6.
*
* @default - false
*/
readonly dualStack?: boolean;
}
Reference in New Issue View Git Blame Copy Permalink