# Amazon S3 Construct Library
Define an unencrypted S3 bucket:

```ts
new Bucket(this, 'MyFirstBucket');
```
Bucket constructs expose the following deploy-time attributes:

- `bucketArn` - the ARN of the bucket
- `bucketName` - the name of the bucket
- `bucketWebsiteUrl` - the website URL of the bucket
- `bucketDomainName` - the URL of the bucket
- `bucketDualStackDomainName` - the dual-stack URL of the bucket
- `bucketRegionalDomainName` - the regional URL of the bucket
- `arnForObjects(pattern)` - the ARN of an object or objects within the bucket
- `urlForObject(key)` - the HTTP URL of an object within the bucket
- `s3UrlForObject(key)` - the S3 URL of an object within the bucket
Define a KMS-encrypted bucket:

```ts
const bucket = new Bucket(this, 'MyEncryptedBucket', {
  encryption: BucketEncryption.Kms
});

// you can access the encryption key:
assert(bucket.encryptionKey instanceof kms.Key);
```
You can also supply your own key:
;;assertbucket.encryptionKey === myKmsKey;
Use `BucketEncryption.ManagedKms` to use the S3 master KMS key:

```ts
const bucket = new Bucket(this, 'Buck', {
  encryption: BucketEncryption.ManagedKms
});

// the key is managed by S3, so no key object is exposed:
assert(bucket.encryptionKey == null);
```
A bucket policy is created automatically for the bucket upon the first call to `addToResourcePolicy(statement)`. The bucket policy can be accessed directly after creation to add statements or adjust the removal policy.

Most of the time, you won't have to manipulate the bucket policy directly. Instead, buckets have "grant" methods that give prepackaged sets of permissions to other resources. For example, calling `bucket.grantReadWrite` with a Lambda function will give the Lambda's execution role permission to read from and write to the bucket.
## Sharing buckets between stacks

To use a bucket in a different stack in the same CDK application, pass the bucket object to the other stack.
## Importing existing buckets

To import an existing bucket into your CDK application, use the `Bucket.fromBucketAttributes` factory method. This method accepts a `BucketAttributes` object which describes the properties of an already existing bucket:

```ts
const bucket = Bucket.fromBucketAttributes(this, 'ImportedBucket', {
  bucketArn: 'arn:aws:s3:::my-bucket' // example ARN of the existing bucket
});

// now you can just call methods on the bucket
bucket.grantReadWrite(user);
```
Alternatively, the short-hand factories `Bucket.fromBucketName` and `Bucket.fromBucketArn` are available; they derive all bucket attributes from the bucket name or ARN respectively.
The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket as described under S3 Bucket Notifications of the S3 Developer Guide.
To subscribe to bucket notifications, use the `bucket.addEventNotification` method. The `bucket.addObjectCreatedNotification` and `bucket.addObjectRemovedNotification` methods can also be used for these common use cases.
The following example will subscribe an SNS topic to be notified of all `OBJECT_CREATED` events:

```ts
const topic = new sns.Topic(this, 'MyTopic');

bucket.addEventNotification(s3.EventType.OBJECT_CREATED, new s3n.SnsDestination(topic));
```
This call will also ensure that the topic policy can accept notifications for this specific bucket.
Supported S3 notification targets are exposed by the `@aws-cdk/aws-s3-notifications` package.
It is also possible to specify S3 object key filters when subscribing. For example, a filter can notify `myQueue` only when objects with a given key prefix and the `.jpg` suffix are removed from the bucket.
## Block Public Access

Use `blockPublicAccess` to specify block public access settings on the bucket.
Enable all block public access settings:
Block and ignore public ACLs:
Alternatively, specify the settings manually:
If `blockPublicPolicy` is set to `true`, `grantPublicRead()` throws an error.
Use `serverAccessLogsBucket` to describe where server access logs are to be stored.
It's also possible to specify a prefix for Amazon S3 to assign to all log object keys.
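The block public access, encryption and access logging settings above all end up as properties of the `AWS::S3::Bucket` resource in the template that `cdk synth` emits. The following is an added example, not code from the CDK library or its README: it audits such a template offline and flags buckets where any of those settings is missing or weakened. The template is constructed inline; the CloudFormation property names are the standard ones for `AWS::S3::Bucket`.

```typescript
// Added example (not from the CDK README): audit a synthesized CloudFormation
// template and flag each AWS::S3::Bucket whose public access block, default
// encryption or server access logging is missing. Sample template is constructed.
type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };
interface BucketFinding { logicalId: string; issues: string[] }
const PAB_FLAGS = ['BlockPublicAcls', 'BlockPublicPolicy', 'IgnorePublicAcls', 'RestrictPublicBuckets'];
// Returns one finding per bucket that has at least one issue; an empty array means all buckets pass.
function auditBuckets(template: CfnTemplate): BucketFinding[] {
  const findings: BucketFinding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== 'AWS::S3::Bucket') continue;
    const props: Record<string, any> = res.Properties ?? {};
    const issues: string[] = [];
    // "Enable all block public access settings" renders all four flags as true;
    // "Block and ignore public ACLs" leaves BlockPublicPolicy and RestrictPublicBuckets unset.
    const pab: Record<string, any> = props.PublicAccessBlockConfiguration ?? {};
    for (const flag of PAB_FLAGS) {
      if (pab[flag] !== true) issues.push(`${flag} is not enabled`);
    }
    // Both KMS encryption modes render SSEAlgorithm aws:kms; an unencrypted bucket
    // (the `new Bucket(this, 'MyFirstBucket')` default) has no BucketEncryption at all.
    const rules: any[] = props.BucketEncryption?.ServerSideEncryptionConfiguration ?? [];
    if (!rules.some(r => r.ServerSideEncryptionByDefault?.SSEAlgorithm === 'aws:kms')) {
      issues.push('default encryption is not SSE-KMS');
    }
    // serverAccessLogsBucket renders as LoggingConfiguration.DestinationBucketName.
    if (!props.LoggingConfiguration?.DestinationBucketName) {
      issues.push('server access logging is not configured');
    }
    if (issues.length > 0) findings.push({ logicalId, issues });
  }
  return findings;
}
// Constructed sample resembling synth output: one hardened bucket and one bare default bucket.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    HardenedBucket: {
      Type: 'AWS::S3::Bucket',
      Properties: {
        PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true },
        BucketEncryption: { ServerSideEncryptionConfiguration: [{ ServerSideEncryptionByDefault: { SSEAlgorithm: 'aws:kms', KMSMasterKeyID: { Ref: 'MyKey' } } }] },
        LoggingConfiguration: { DestinationBucketName: { Ref: 'LogBucket' }, LogFilePrefix: 'logs/' },
      },
    },
    MyFirstBucket: { Type: 'AWS::S3::Bucket' },
  },
};
```

Run `auditBuckets` over the JSON that `cdk synth` writes to `cdk.out` to catch a bucket that lost its hardening before it is deployed.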
You can use the two following properties to specify the bucket redirection policy. Please note that these two properties cannot both be applied to the same bucket.

You can statically redirect to a given bucket URL or any other host name with `websiteRedirect`.

Alternatively, you can define multiple `websiteRoutingRules` to describe complex, conditional redirections.
## Filling the bucket as part of deployment

To put files into a bucket as part of a deployment (for example, to host a website), see the `@aws-cdk/aws-s3-deployment` package, which provides a resource that can do just that.