README
¶
Vibe-io CDK-Extensions S3 Buckets Construct Library
The cdk-extensions/s3_buckets package contains advanced constructs and patterns for setting up S3 Buckets. The constructs presented here are intended to be replacements for equivalent AWS constructs in the CDK module, but with additional features included. All defaults follow best practices, and utilize secure settings.
To import and use this module within your CDK project:
Typescript
import * as s3_buckets from 'cdk-extensions/s3-buckets';
Python
import cdk_extensions.s3_buckets as s3_buckets
Common defaults
All S3 buckets extend the private RawBucket resource, which implements the
iBucket interface to expose all
resource configurations and creates a CfnBucket resource.
All buckets have a default Removal Policy applied, retaining them if the stack is deleted.
- ApplyRemovalPolicy: Defaults to
RETAIN.
AWS Logging Buckets
These buckets are utilized as part of the logging strategy defined by stacks/AwsLoggingStack, but can be deployed individually. When applicable, storing these logs in S3 offers significant cost savings over CloudWatch. Additionally, Glue and Athena can be utilized for fast and efficient analysis of data stored in S3.
Common Settings
By default, for each service in the AwsLoggingStack a Glue crawler performs an ETL process to analyze and categorize the stored data and store the associated metadata in the AWS Glue Data Catalog.
Several default named Athena queries are defined that aid in improving the security posture of your AWS Account. These default named queries have been defined for each AWS service.
Set createQueries to false to skip query creation.
Examples
TypeScript
const alb_bucket_with_queries = new s3_buckets.AlbLogsBucket(this, "AlbLogsBucket")
const cloudtrail_bucket_without_queries = new s3_buckets.CloudtrailBucket(this, 'CloudtrailBucket', {
createQueries: false
})
Python
alb_bucket_with_queries = s3_buckets.AlbLogsBucket(self, 'AlbLogsBucket')
cloudtrail_bucket_without_queries = s3_buckets.CloudTrailBucket(self, 'CloudTrailBucket', create_queries=False)
Buckets
All log buckets are CfnBucket constructs
with the additional secure defaults:
-
All
PublicAccessBlockConfigurationproperties default totrue. (i.e.blockPublicAcls,blockPublicPolicy,ignorePublicAcls,restrictPublicBuckets) -
Versioning is set to
Enabled -
Server side bucket encryption using AES256
- Managed KMS encryption is not supported for Service logs
AlbLogsBucket
Creates an S3 Bucket and Glue jobs for storing and analyzing Elastic Load Balancer access logs. By default, creates named Athena Queries useful in querying ELB access log data.
Usage
TypeScript
import { AlbLogsBucket } from 'cdk-extensions/s3-buckets';
new AlbLogsBucket(this, 'AlbLogsBucket')
Python
from cdk_extensions.s3_buckets import (
AlbLogsBucket
)
alb_logs_bucket = AlbLogsBucket(self, 'AlbLogsBucket')
Glue
By default creates database and tables from ALB logs bucket, using cdk-extensions construct AlbLogTables, from the glue-tables module. Glue crawler performs an ETL process to analyze and categorize data in Amazon S3 and store the associated metadata in the AWS Glue Data Catalog.
Athena Queries
Two Athena CfnNamedQueries are created by default:
- alb-top-ips: Gets the 100 most active IP addresses by request count.
- alb-5xx-errors: Gets the 100 most recent ELB 5XX responses
CloudFrontLogsBucket
Creates an S3 Bucket and Glue jobs for storing and analyzing CloudFront access logs. By default generates a Glue Database and Table, and creates named Athena Queries useful in querying CloudFront log data.
Usage
TypeScript
import { CloudFrontLogsBucket } from 'cdk-extensions/s3-buckets';
new CloudFrontLogsBucket(this, 'CloudFrontLogsBucket')
Python
from cdk_extensions.s3_buckets import (
CloudFrontLogsBucket
)
cloudfront_logs_bucket = CloudFrontLogsBucket(self, 'CloudFrontLogsBucket')
Glue
By default creates database and tables from CloudFront logs bucket, using cdk-extensions construct CloudFrontLogTable, from the glue-tables module. Glue crawler performs an ETL process to analyze and categorize data in Amazon S3 and store the associated metadata in the AWS Glue Data Catalog.
Athena Queries
Four Athena CfnNamedQueries are created by default:
- cloudfront-distribution-statistics: Gets statistics for CloudFront distributions for the last day.
- cloudfront-request-errors: Gets the 100 most recent requests that resulted in an error from CloudFront.
- cloudfront-top-ips: Gets the 100 most active IP addresses by request count.
- cloudfront-top-objects: Gets the 100 most requested CloudFront objects.
CloudTrailBucket
Creates an S3 Bucket and Glue jobs for storing and analyzing CloudTrail logs. By default generates a Glue Database and Table, and creates named Athena Queries useful in querying CloudTrail log data.
Usage
TypeScript
import { CloudTrailBucket } from 'cdk-extensions/s3-buckets';
new CloudTrailBucket(this, 'CloudTrailBucket')
Python
from cdk_extensions.s3_buckets import (
CloudTrailBucket
)
cloudtrail_logs_bucket = CloudTrailBucket(self, 'CloudTrailBucket')
Glue
By default creates database and tables from CloudTrail logs bucket, using cdk-extensions construct CloudTrailTable, from the glue-tables module. Glue crawler performs an ETL process to analyze and categorize data in Amazon S3 and store the associated metadata in the AWS Glue Data Catalog.
Athena Queries
Two Athena CfnNamedQueries are created by default:
- cloudtrail-unauthorized-errors: Gets the 100 most recent unauthorized AWS API calls.
- cloudtrail-user-logins: Gets the 100 most recent AWS user logins.
FlowLogsBucket
Creates an S3 Bucket and Glue jobs for storing and analyzing VPC FlowLogs. By default generates a Glue Database and Table, and creates named Athena Queries useful in querying FlowLog data.
Usage
TypeScript
import { FlowLogsBucket } from 'cdk-extensions/s3-buckets';
new FlowLogsBucket(this, 'FlowLogsBucket')
Python
from cdk_extensions.s3_buckets import (
FlowLogsBucket
)
flowlogs_bucket = FlowLogsBucket(self, 'FlowLogsBucket')
Glue
By default creates database and tables from FlowLogs bucket, using cdk-extensions construct FlowLogsTable, from the glue-tables module. Glue crawler performs an ETL process to analyze and categorize data in Amazon S3 and store the associated metadata in the AWS Glue Data Catalog.
Athena Queries
One AthenaNamedQuery is created by default:
- flow-logs-internal-rejected: Gets the 100 most recent rejected packets that stayed within the private network ranges.
S3AccessLogsBucket
Creates an S3 Bucket and Glue jobs for storing and analyzing VPC S3AccessLogs. By default generates a Glue Database and Table, and creates named Athena Queries useful in querying S3 access log data.
Usage
TypeScript
import { S3AccessLogsBucket } from 'cdk-extensions/s3-buckets';
new S3AccessLogsBucket(this, 'S3AccessLogsBucket')
Python
from cdk_extensions.s3_buckets import (
S3AccessLogsLogsBucket
)
s3_access_logs_bucket = S3AccessLogsBucket(self, 'S3AccessLogsBucket')
Glue
By default creates database and tables from S3 Access logs bucket, using cdk-extensions construct S3AccessLogsTable, from the glue-tables module. Glue crawler performs an ETL process to analyze and categorize data in Amazon S3 and store the associated metadata in the AWS Glue Data Catalog.
Athena Queries
One AthenaNamedQuery is created by default:
- s3-request-errors: Gets the 100 most recent failed S3 access requests.
SesLogsBucket
Creates an S3 Bucket and Glue jobs for storing and analyzing SES Logs. By default, generates a Glue Database and Table and creates named Athena Queries useful in querying SES log data.
Usage
TypeScript
import { SesLogsBucket } from 'cdk-extensions/s3-buckets';
new SesLogsBucket(this, 'SesLogsBucket')
Python
from cdk_extensions.s3_buckets import (
SesLogsLogsBucket
)
ses_logs_bucket = SesLogsBucket(self, 'SesLogsBucket')
Glue
By default creates database and tables from SES logs bucket, using cdk-extensions construct SesLogsTable, from the glue-tables module. Glue crawler performs an ETL process to analyze and categorize data in Amazon S3 and store the associated metadata in the AWS Glue Data Catalog.
Athena Queries
Two Athena CfnNamedQueries are created by default:
- ses-bounces: Gets the 100 most recent bounces from the last day.
- ses-complaints: Gets the 100 most recent complaints from the last day.
WafLogsBucket
Creates an S3 Bucket and Glue jobs for storing and analyzing Web Applications Firewall Logs. By default, generates a Glue Database and Table and creates named Athena Queries useful in querying WAF log data.
Usage
TypeScript
import { WafLogsBucket } from 'cdk-extensions/s3-buckets';
new WafLogsBucket(this, 'WafLogsBucket')
Python
from cdk_extensions.s3_buckets import (
WafLogsLogsBucket
)
waf_logs_bucket = WafLogsBucket(self, 'WafLogsBucket')
Glue
By default creates database and tables from WAF logs bucket, using cdk-extensions construct WafLogsTable, from the glue-tables module. Glue crawler performs an ETL process to analyze and categorize data in Amazon S3 and store the associated metadata in the AWS Glue Data Catalog.
Athena Queries
No default Named Athena Queries have been implemented for WAF logs at this time.
Documentation
¶
Index ¶
- func AlbLogsBucket_IsConstruct(x interface{}) *bool
- func AlbLogsBucket_IsOwnedResource(construct constructs.IConstruct) *bool
- func AlbLogsBucket_IsResource(construct constructs.IConstruct) *bool
- func CloudfrontLogsBucket_IsConstruct(x interface{}) *bool
- func CloudfrontLogsBucket_IsOwnedResource(construct constructs.IConstruct) *bool
- func CloudfrontLogsBucket_IsResource(construct constructs.IConstruct) *bool
- func CloudtrailBucket_IsConstruct(x interface{}) *bool
- func CloudtrailBucket_IsOwnedResource(construct constructs.IConstruct) *bool
- func CloudtrailBucket_IsResource(construct constructs.IConstruct) *bool
- func FlowLogsBucket_IsConstruct(x interface{}) *bool
- func FlowLogsBucket_IsOwnedResource(construct constructs.IConstruct) *bool
- func FlowLogsBucket_IsResource(construct constructs.IConstruct) *bool
- func NewAlbLogsBucket_Override(a AlbLogsBucket, scope constructs.Construct, id *string, ...)
- func NewCloudfrontLogsBucket_Override(c CloudfrontLogsBucket, scope constructs.Construct, id *string, ...)
- func NewCloudtrailBucket_Override(c CloudtrailBucket, scope constructs.Construct, id *string, ...)
- func NewFlowLogsBucket_Override(f FlowLogsBucket, scope constructs.Construct, id *string, ...)
- func NewRawBucket_Override(r RawBucket, scope constructs.Construct, id *string, props *RawBucketProps)
- func NewS3AccessLogsBucket_Override(s S3AccessLogsBucket, scope constructs.Construct, id *string, ...)
- func NewSesLogsBucket_Override(s SesLogsBucket, scope constructs.Construct, id *string, ...)
- func NewWafLogsBucket_Override(w WafLogsBucket, scope constructs.Construct, id *string, ...)
- func RawBucket_IsConstruct(x interface{}) *bool
- func RawBucket_IsOwnedResource(construct constructs.IConstruct) *bool
- func RawBucket_IsResource(construct constructs.IConstruct) *bool
- func S3AccessLogsBucket_IsConstruct(x interface{}) *bool
- func S3AccessLogsBucket_IsOwnedResource(construct constructs.IConstruct) *bool
- func S3AccessLogsBucket_IsResource(construct constructs.IConstruct) *bool
- func SesLogsBucket_IsConstruct(x interface{}) *bool
- func SesLogsBucket_IsOwnedResource(construct constructs.IConstruct) *bool
- func SesLogsBucket_IsResource(construct constructs.IConstruct) *bool
- func WafLogsBucket_IsConstruct(x interface{}) *bool
- func WafLogsBucket_IsOwnedResource(construct constructs.IConstruct) *bool
- func WafLogsBucket_IsResource(construct constructs.IConstruct) *bool
- type AlbLogsBucket
- type AlbLogsBucketProps
- type CloudfrontLogsBucket
- type CloudfrontLogsBucketProps
- type CloudtrailBucket
- type CloudtrailBucketProps
- type FlowLogsBucket
- type FlowLogsBucketProps
- type LoggingAspectOptions
- type RawBucket
- type RawBucketProps
- type S3AccessLogsBucket
- type S3AccessLogsBucketProps
- type SesLogsBucket
- type SesLogsBucketProps
- type WafLogsBucket
- type WafLogsBucketProps
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AlbLogsBucket_IsConstruct ¶
func AlbLogsBucket_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.
func AlbLogsBucket_IsOwnedResource ¶
func AlbLogsBucket_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func AlbLogsBucket_IsResource ¶
func AlbLogsBucket_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func CloudfrontLogsBucket_IsConstruct ¶
func CloudfrontLogsBucket_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.
func CloudfrontLogsBucket_IsOwnedResource ¶
func CloudfrontLogsBucket_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func CloudfrontLogsBucket_IsResource ¶
func CloudfrontLogsBucket_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func CloudtrailBucket_IsConstruct ¶
func CloudtrailBucket_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.
func CloudtrailBucket_IsOwnedResource ¶
func CloudtrailBucket_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func CloudtrailBucket_IsResource ¶
func CloudtrailBucket_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func FlowLogsBucket_IsConstruct ¶
func FlowLogsBucket_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.
func FlowLogsBucket_IsOwnedResource ¶
func FlowLogsBucket_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func FlowLogsBucket_IsResource ¶
func FlowLogsBucket_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func NewAlbLogsBucket_Override ¶
func NewAlbLogsBucket_Override(a AlbLogsBucket, scope constructs.Construct, id *string, props *AlbLogsBucketProps)
Creates a new instance of the ElbLogsBucket class.
func NewCloudfrontLogsBucket_Override ¶
func NewCloudfrontLogsBucket_Override(c CloudfrontLogsBucket, scope constructs.Construct, id *string, props *CloudfrontLogsBucketProps)
Creates a new instance of the ElbLogsBucket class.
func NewCloudtrailBucket_Override ¶
func NewCloudtrailBucket_Override(c CloudtrailBucket, scope constructs.Construct, id *string, props *CloudtrailBucketProps)
Creates a new instance of the CloudtrailBucket class.
func NewFlowLogsBucket_Override ¶
func NewFlowLogsBucket_Override(f FlowLogsBucket, scope constructs.Construct, id *string, props *FlowLogsBucketProps)
Creates a new instance of the FlowLogsBucket class.
func NewRawBucket_Override ¶
func NewRawBucket_Override(r RawBucket, scope constructs.Construct, id *string, props *RawBucketProps)
Creates a new instance of the ReplicatedBucket class.
func NewS3AccessLogsBucket_Override ¶
func NewS3AccessLogsBucket_Override(s S3AccessLogsBucket, scope constructs.Construct, id *string, props *S3AccessLogsBucketProps)
Creates a new instance of the S3AccessLogsBucket class.
func NewSesLogsBucket_Override ¶
func NewSesLogsBucket_Override(s SesLogsBucket, scope constructs.Construct, id *string, props *SesLogsBucketProps)
Creates a new instance of the CloudtrailBucket class.
func NewWafLogsBucket_Override ¶
func NewWafLogsBucket_Override(w WafLogsBucket, scope constructs.Construct, id *string, props *WafLogsBucketProps)
Creates a new instance of the WafLogsBucket class.
func RawBucket_IsConstruct ¶
func RawBucket_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.
func RawBucket_IsOwnedResource ¶
func RawBucket_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func RawBucket_IsResource ¶
func RawBucket_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func S3AccessLogsBucket_IsConstruct ¶
func S3AccessLogsBucket_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.
func S3AccessLogsBucket_IsOwnedResource ¶
func S3AccessLogsBucket_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func S3AccessLogsBucket_IsResource ¶
func S3AccessLogsBucket_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func SesLogsBucket_IsConstruct ¶
func SesLogsBucket_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.
func SesLogsBucket_IsOwnedResource ¶
func SesLogsBucket_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func SesLogsBucket_IsResource ¶
func SesLogsBucket_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func WafLogsBucket_IsConstruct ¶
func WafLogsBucket_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.
func WafLogsBucket_IsOwnedResource ¶
func WafLogsBucket_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func WafLogsBucket_IsResource ¶
func WafLogsBucket_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
Types ¶
type AlbLogsBucket ¶
type AlbLogsBucket interface {
RawBucket
// The ARN of the bucket.
BucketArn() *string
// The IPv4 DNS name of the specified bucket.
BucketDomainName() *string
// The IPv6 DNS name of the specified bucket.
BucketDualStackDomainName() *string
// The name of the bucket.
BucketName() *string
// The regional domain name of the specified bucket.
BucketRegionalDomainName() *string
// The Domain name of the static website.
BucketWebsiteDomainName() *string
// The URL of the static website.
BucketWebsiteUrl() *string
CreateQueries() *bool
Database() glue.Database
// Optional KMS encryption key associated with this bucket.
EncryptionKey() awskms.IKey
// The environment this resource belongs to.
//
// For resources that are created and managed by the CDK
// (generally, those created by creating new class instances like Role, Bucket, etc.),
// this is always the same as the environment of the stack they belong to;
// however, for imported resources
// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
// that might be different than the stack they were imported into.
Env() *awscdk.ResourceEnvironment
FriendlyQueryNames() *bool
// If this bucket has been configured for static website hosting.
IsWebsite() *bool
// The tree node.
Node() constructs.Node
// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
//
// This value will resolve to one of the following:
// - a concrete value (e.g. `"my-awesome-bucket"`)
// - `undefined`, when a name should be generated by CloudFormation
// - a concrete name generated automatically during synthesis, in
// cross-environment scenarios.
PhysicalName() *string
// The resource policy associated with this bucket.
//
// If `autoCreatePolicy` is true, a `BucketPolicy` will be created upon the
// first call to addToResourcePolicy(s).
Policy() awss3.BucketPolicy
SetPolicy(val awss3.BucketPolicy)
Resource() awss3.CfnBucket
// The stack in which this resource is defined.
Stack() awscdk.Stack
Table() gluetables.AlbLogsTable
WorkGroup() athena.IWorkGroup
// Adds a bucket notification event destination.
AddEventNotification(_event awss3.EventType, _dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Subscribes a destination to receive notifications when an object is created in the bucket.
//
// This is identical to calling
// `onEvent(s3.EventType.OBJECT_CREATED)`.
AddObjectCreatedNotification(_dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Subscribes a destination to receive notifications when an object is removed from the bucket.
//
// This is identical to calling
// `onEvent(EventType.OBJECT_REMOVED)`.
AddObjectRemovedNotification(_dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Adds a statement to the resource policy for a principal (i.e. account/role/service) to perform actions on this bucket and/or its contents. Use `bucketArn` and `arnForObjects(keys)` to obtain ARNs for this bucket or objects.
//
// Note that the policy statement may or may not be added to the policy.
// For example, when an `IBucket` is created from an existing bucket,
// it's not possible to tell whether the bucket already has a policy
// attached, let alone to re-use that policy to add more statements to it.
// So it's safest to do nothing in these cases.
AddToResourcePolicy(permission awsiam.PolicyStatement) *awsiam.AddToResourcePolicyResult
// Apply the given removal policy to this resource.
//
// The Removal Policy controls what happens to this resource when it stops
// being managed by CloudFormation, either because you've removed it from the
// CDK application or because you've made a change that requires the resource
// to be replaced.
//
// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
// Returns an ARN that represents all objects within the bucket that match the key pattern specified.
//
// To represent all keys, specify “"*"“.
ArnForObjects(_keyPattern *string) *string
// Enables event bridge notification, causing all events below to be sent to EventBridge:.
//
// - Object Deleted (DeleteObject)
// - Object Deleted (Lifecycle expiration)
// - Object Restore Initiated
// - Object Restore Completed
// - Object Restore Expired
// - Object Storage Class Changed
// - Object Access Tier Changed
// - Object ACL Updated
// - Object Tags Added
// - Object Tags Deleted.
EnableEventBridgeNotification()
GeneratePhysicalName() *string
// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
//
// Normally, this token will resolve to `arnAttr`, but if the resource is
// referenced across environments, `arnComponents` will be used to synthesize
// a concrete ARN with the resource's physical name. Make sure to reference
// `this.physicalName` in `arnComponents`.
GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
//
// Normally, this token will resolve to `nameAttr`, but if the resource is
// referenced across environments, it will be resolved to `this.physicalName`,
// which will be a concrete name.
GetResourceNameAttribute(nameAttr *string) *string
// Grants s3:DeleteObject* permission to an IAM principal for objects in this bucket.
GrantDelete(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Allows unrestricted access to objects from this bucket.
//
// IMPORTANT: This permission allows anyone to perform actions on S3 objects
// in this bucket, which is useful for when you configure your bucket as a
// website and want everyone to be able to read objects in the bucket without
// needing to authenticate.
//
// Without arguments, this method will grant read ("s3:GetObject") access to
// all objects ("*") in the bucket.
//
// The method returns the `iam.Grant` object, which can then be modified
// as needed. For example, you can add a condition that will restrict access only
// to an IPv4 range like this:
//
// const grant = bucket.grantPublicAccess();
// grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” });
GrantPublicAccess(_keyPrefix *string, _allowedActions ...*string) awsiam.Grant
// Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.
//
// If encryption is used, permission to use the key to encrypt the contents
// of written files will also be granted to the same principal.
GrantPut(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grant the given IAM identity permissions to modify the ACLs of objects in the given Bucket.
//
// If your application has the '@aws-cdk/aws-s3:grantWriteWithoutAcl' feature flag set,
// calling `grantWrite` or `grantReadWrite` no longer grants permissions to modify the ACLs of the objects;
// in this case, if you need to modify object ACLs, call this method explicitly.
GrantPutAcl(_identity awsiam.IGrantable, _objectsKeyPattern *string) awsiam.Grant
// Grant read permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
//
// If encryption is used, permission to use the key to decrypt the contents
// of the bucket will also be granted to the same principal.
GrantRead(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grants read/write permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
//
// If an encryption key is used, permission to use the key for
// encrypt/decrypt will also be granted.
//
// Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
// which could be used to grant read/write object access to IAM principals in other accounts.
// If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
// and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
// in the `context` key of your cdk.json file.
// If you've already updated, but still need the principal to have permissions to modify the ACLs,
// use the `grantPutAcl` method.
GrantReadWrite(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grant write permissions to this bucket to an IAM principal.
//
// If encryption is used, permission to use the key to encrypt the contents
// of written files will also be granted to the same principal.
//
// Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
// which could be used to grant read/write object access to IAM principals in other accounts.
// If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
// and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
// in the `context` key of your cdk.json file.
// If you've already updated, but still need the principal to have permissions to modify the ACLs,
// use the `grantPutAcl` method.
GrantWrite(_identity awsiam.IGrantable, _objectsKeyPattern interface{}, _allowedActionPatterns *[]*string) awsiam.Grant
// Defines a CloudWatch event that triggers when something happens to this bucket.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailEvent(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// Defines an AWS CloudWatch event that triggers when an object is uploaded to the specified paths (keys) in this bucket using the PutObject API call.
//
// Note that some tools like `aws s3 cp` will automatically use either
// PutObject or the multipart upload API depending on the file size,
// so using `onCloudTrailWriteObject` may be preferable.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailPutObject(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// Defines an AWS CloudWatch event that triggers when an object at the specified paths (keys) in this bucket are written to.
//
// This includes
// the events PutObject, CopyObject, and CompleteMultipartUpload.
//
// Note that some tools like `aws s3 cp` will automatically use either
// PutObject or the multipart upload API depending on the file size,
// so using this method may be preferable to `onCloudTrailPutObject`.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailWriteObject(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// The S3 URL of an S3 object.
//
// For example:
// - `s3://onlybucket`
// - `s3://bucket/key`.
S3UrlForObject(_key *string) *string
// Returns a string representation of this construct.
ToString() *string
// The https Transfer Acceleration URL of an S3 object.
//
// Specify `dualStack: true` at the options
// for dual-stack endpoint (connect to the bucket over IPv6). For example:
//
// - `https://bucket.s3-accelerate.amazonaws.com`
// - `https://bucket.s3-accelerate.amazonaws.com/key`
TransferAccelerationUrlForObject(_key *string, _options *awss3.TransferAccelerationUrlOptions) *string
// The https URL of an S3 object. For example:.
//
// - `https://s3.us-west-1.amazonaws.com/onlybucket`
// - `https://s3.us-west-1.amazonaws.com/bucket/key`
// - `https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey`
UrlForObject(_key *string) *string
// The virtual hosted-style URL of an S3 object. Specify `regional: false` at the options for non-regional URL. For example:.
//
// - `https://only-bucket.s3.us-west-1.amazonaws.com`
// - `https://bucket.s3.us-west-1.amazonaws.com/key`
// - `https://bucket.s3.amazonaws.com/key`
// - `https://china-bucket.s3.cn-north-1.amazonaws.com.cn/mykey`
VirtualHostedUrlForObject(_key *string, _options *awss3.VirtualHostedStyleUrlOptions) *string
}
func NewAlbLogsBucket ¶
func NewAlbLogsBucket(scope constructs.Construct, id *string, props *AlbLogsBucketProps) AlbLogsBucket
Creates a new instance of the ElbLogsBucket class.
type AlbLogsBucketProps ¶
type AlbLogsBucketProps struct {
// The AWS account ID this resource belongs to.
// Default: - the resource is in the same account as the stack it belongs to.
//
Account *string `field:"optional" json:"account" yaml:"account"`
// ARN to deduce region and account from.
//
// The ARN is parsed and the account and region are taken from the ARN.
// This should be used for imported resources.
//
// Cannot be supplied together with either `account` or `region`.
// Default: - take environment from `account`, `region` parameters, or use Stack environment.
//
EnvironmentFromArn *string `field:"optional" json:"environmentFromArn" yaml:"environmentFromArn"`
// The value passed in by users to the physical name prop of the resource.
//
// - `undefined` implies that a physical name will be allocated by
// CloudFormation during deployment.
// - a concrete value implies a specific physical name
// - `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical will only be generated
// by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
// Default: - The physical name will be allocated by CloudFormation at deployment time.
//
PhysicalName *string `field:"optional" json:"physicalName" yaml:"physicalName"`
// The AWS region this resource belongs to.
// Default: - the resource is in the same region as the stack it belongs to.
//
Region *string `field:"optional" json:"region" yaml:"region"`
BucketName *string `field:"optional" json:"bucketName" yaml:"bucketName"`
CreateQueries *bool `field:"optional" json:"createQueries" yaml:"createQueries"`
Database glue.Database `field:"optional" json:"database" yaml:"database"`
FriendlyQueryNames *bool `field:"optional" json:"friendlyQueryNames" yaml:"friendlyQueryNames"`
TableName *string `field:"optional" json:"tableName" yaml:"tableName"`
WorkGroup athena.IWorkGroup `field:"optional" json:"workGroup" yaml:"workGroup"`
}
Configuration for objects bucket.
type CloudfrontLogsBucket ¶
type CloudfrontLogsBucket interface {
RawBucket
// The ARN of the bucket.
BucketArn() *string
// The IPv4 DNS name of the specified bucket.
BucketDomainName() *string
// The IPv6 DNS name of the specified bucket.
BucketDualStackDomainName() *string
// The name of the bucket.
BucketName() *string
// The regional domain name of the specified bucket.
BucketRegionalDomainName() *string
// The Domain name of the static website.
BucketWebsiteDomainName() *string
// The URL of the static website.
BucketWebsiteUrl() *string
CreateQueries() *bool
Database() glue.Database
// Optional KMS encryption key associated with this bucket.
EncryptionKey() awskms.IKey
// The environment this resource belongs to.
//
// For resources that are created and managed by the CDK
// (generally, those created by creating new class instances like Role, Bucket, etc.),
// this is always the same as the environment of the stack they belong to;
// however, for imported resources
// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
// that might be different than the stack they were imported into.
Env() *awscdk.ResourceEnvironment
FriendlyQueryNames() *bool
// If this bucket has been configured for static website hosting.
IsWebsite() *bool
// The tree node.
Node() constructs.Node
// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
//
// This value will resolve to one of the following:
// - a concrete value (e.g. `"my-awesome-bucket"`)
// - `undefined`, when a name should be generated by CloudFormation
// - a concrete name generated automatically during synthesis, in
// cross-environment scenarios.
PhysicalName() *string
// The resource policy associated with this bucket.
//
// If `autoCreatePolicy` is true, a `BucketPolicy` will be created upon the
// first call to addToResourcePolicy(s).
Policy() awss3.BucketPolicy
SetPolicy(val awss3.BucketPolicy)
Resource() awss3.CfnBucket
// The stack in which this resource is defined.
Stack() awscdk.Stack
Table() gluetables.CloudfrontLogsTable
WorkGroup() athena.IWorkGroup
// Adds a bucket notification event destination.
AddEventNotification(_event awss3.EventType, _dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Subscribes a destination to receive notifications when an object is created in the bucket.
//
// This is identical to calling
// `onEvent(s3.EventType.OBJECT_CREATED)`.
AddObjectCreatedNotification(_dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Subscribes a destination to receive notifications when an object is removed from the bucket.
//
// This is identical to calling
// `onEvent(EventType.OBJECT_REMOVED)`.
AddObjectRemovedNotification(_dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Adds a statement to the resource policy for a principal (i.e. account/role/service) to perform actions on this bucket and/or its contents. Use `bucketArn` and `arnForObjects(keys)` to obtain ARNs for this bucket or objects.
//
// Note that the policy statement may or may not be added to the policy.
// For example, when an `IBucket` is created from an existing bucket,
// it's not possible to tell whether the bucket already has a policy
// attached, let alone to re-use that policy to add more statements to it.
// So it's safest to do nothing in these cases.
AddToResourcePolicy(permission awsiam.PolicyStatement) *awsiam.AddToResourcePolicyResult
// Apply the given removal policy to this resource.
//
// The Removal Policy controls what happens to this resource when it stops
// being managed by CloudFormation, either because you've removed it from the
// CDK application or because you've made a change that requires the resource
// to be replaced.
//
// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
// Returns an ARN that represents all objects within the bucket that match the key pattern specified.
//
// To represent all keys, specify “"*"“.
ArnForObjects(_keyPattern *string) *string
// Enables event bridge notification, causing all events below to be sent to EventBridge:.
//
// - Object Deleted (DeleteObject)
// - Object Deleted (Lifecycle expiration)
// - Object Restore Initiated
// - Object Restore Completed
// - Object Restore Expired
// - Object Storage Class Changed
// - Object Access Tier Changed
// - Object ACL Updated
// - Object Tags Added
// - Object Tags Deleted.
EnableEventBridgeNotification()
GeneratePhysicalName() *string
// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
//
// Normally, this token will resolve to `arnAttr`, but if the resource is
// referenced across environments, `arnComponents` will be used to synthesize
// a concrete ARN with the resource's physical name. Make sure to reference
// `this.physicalName` in `arnComponents`.
GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
//
// Normally, this token will resolve to `nameAttr`, but if the resource is
// referenced across environments, it will be resolved to `this.physicalName`,
// which will be a concrete name.
GetResourceNameAttribute(nameAttr *string) *string
// Grants s3:DeleteObject* permission to an IAM principal for objects in this bucket.
GrantDelete(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Allows unrestricted access to objects from this bucket.
//
// IMPORTANT: This permission allows anyone to perform actions on S3 objects
// in this bucket, which is useful for when you configure your bucket as a
// website and want everyone to be able to read objects in the bucket without
// needing to authenticate.
//
// Without arguments, this method will grant read ("s3:GetObject") access to
// all objects ("*") in the bucket.
//
// The method returns the `iam.Grant` object, which can then be modified
// as needed. For example, you can add a condition that will restrict access only
// to an IPv4 range like this:
//
// const grant = bucket.grantPublicAccess();
// grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” });
GrantPublicAccess(_keyPrefix *string, _allowedActions ...*string) awsiam.Grant
// Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.
//
// If encryption is used, permission to use the key to encrypt the contents
// of written files will also be granted to the same principal.
GrantPut(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grant the given IAM identity permissions to modify the ACLs of objects in the given Bucket.
//
// If your application has the '@aws-cdk/aws-s3:grantWriteWithoutAcl' feature flag set,
// calling `grantWrite` or `grantReadWrite` no longer grants permissions to modify the ACLs of the objects;
// in this case, if you need to modify object ACLs, call this method explicitly.
GrantPutAcl(_identity awsiam.IGrantable, _objectsKeyPattern *string) awsiam.Grant
// Grant read permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
//
// If encryption is used, permission to use the key to decrypt the contents
// of the bucket will also be granted to the same principal.
GrantRead(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grants read/write permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
//
// If an encryption key is used, permission to use the key for
// encrypt/decrypt will also be granted.
//
// Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
// which could be used to grant read/write object access to IAM principals in other accounts.
// If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
// and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
// in the `context` key of your cdk.json file.
// If you've already updated, but still need the principal to have permissions to modify the ACLs,
// use the `grantPutAcl` method.
GrantReadWrite(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grant write permissions to this bucket to an IAM principal.
//
// If encryption is used, permission to use the key to encrypt the contents
// of written files will also be granted to the same principal.
//
// Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
// which could be used to grant read/write object access to IAM principals in other accounts.
// If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
// and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
// in the `context` key of your cdk.json file.
// If you've already updated, but still need the principal to have permissions to modify the ACLs,
// use the `grantPutAcl` method.
GrantWrite(_identity awsiam.IGrantable, _objectsKeyPattern interface{}, _allowedActionPatterns *[]*string) awsiam.Grant
// Defines a CloudWatch event that triggers when something happens to this bucket.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailEvent(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// Defines an AWS CloudWatch event that triggers when an object is uploaded to the specified paths (keys) in this bucket using the PutObject API call.
//
// Note that some tools like `aws s3 cp` will automatically use either
// PutObject or the multipart upload API depending on the file size,
// so using `onCloudTrailWriteObject` may be preferable.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailPutObject(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// Defines an AWS CloudWatch event that triggers when an object at the specified paths (keys) in this bucket are written to.
//
// This includes
// the events PutObject, CopyObject, and CompleteMultipartUpload.
//
// Note that some tools like `aws s3 cp` will automatically use either
// PutObject or the multipart upload API depending on the file size,
// so using this method may be preferable to `onCloudTrailPutObject`.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailWriteObject(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// The S3 URL of an S3 object.
//
// For example:
// - `s3://onlybucket`
// - `s3://bucket/key`.
S3UrlForObject(_key *string) *string
// Returns a string representation of this construct.
ToString() *string
// The https Transfer Acceleration URL of an S3 object.
//
// Specify `dualStack: true` at the options
// for dual-stack endpoint (connect to the bucket over IPv6). For example:
//
// - `https://bucket.s3-accelerate.amazonaws.com`
// - `https://bucket.s3-accelerate.amazonaws.com/key`
TransferAccelerationUrlForObject(_key *string, _options *awss3.TransferAccelerationUrlOptions) *string
// The https URL of an S3 object. For example:.
//
// - `https://s3.us-west-1.amazonaws.com/onlybucket`
// - `https://s3.us-west-1.amazonaws.com/bucket/key`
// - `https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey`
UrlForObject(_key *string) *string
// The virtual hosted-style URL of an S3 object. Specify `regional: false` at the options for non-regional URL. For example:.
//
// - `https://only-bucket.s3.us-west-1.amazonaws.com`
// - `https://bucket.s3.us-west-1.amazonaws.com/key`
// - `https://bucket.s3.amazonaws.com/key`
// - `https://china-bucket.s3.cn-north-1.amazonaws.com.cn/mykey`
VirtualHostedUrlForObject(_key *string, _options *awss3.VirtualHostedStyleUrlOptions) *string
}
func NewCloudfrontLogsBucket ¶
func NewCloudfrontLogsBucket(scope constructs.Construct, id *string, props *CloudfrontLogsBucketProps) CloudfrontLogsBucket
Creates a new instance of the ElbLogsBucket class.
type CloudfrontLogsBucketProps ¶
type CloudfrontLogsBucketProps struct {
// The AWS account ID this resource belongs to.
// Default: - the resource is in the same account as the stack it belongs to.
//
Account *string `field:"optional" json:"account" yaml:"account"`
// ARN to deduce region and account from.
//
// The ARN is parsed and the account and region are taken from the ARN.
// This should be used for imported resources.
//
// Cannot be supplied together with either `account` or `region`.
// Default: - take environment from `account`, `region` parameters, or use Stack environment.
//
EnvironmentFromArn *string `field:"optional" json:"environmentFromArn" yaml:"environmentFromArn"`
// The value passed in by users to the physical name prop of the resource.
//
// - `undefined` implies that a physical name will be allocated by
// CloudFormation during deployment.
// - a concrete value implies a specific physical name
// - `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical will only be generated
// by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
// Default: - The physical name will be allocated by CloudFormation at deployment time.
//
PhysicalName *string `field:"optional" json:"physicalName" yaml:"physicalName"`
// The AWS region this resource belongs to.
// Default: - the resource is in the same region as the stack it belongs to.
//
Region *string `field:"optional" json:"region" yaml:"region"`
BucketName *string `field:"optional" json:"bucketName" yaml:"bucketName"`
CreateQueries *bool `field:"optional" json:"createQueries" yaml:"createQueries"`
Database glue.Database `field:"optional" json:"database" yaml:"database"`
FriendlyQueryNames *bool `field:"optional" json:"friendlyQueryNames" yaml:"friendlyQueryNames"`
TableName *string `field:"optional" json:"tableName" yaml:"tableName"`
WorkGroup athena.IWorkGroup `field:"optional" json:"workGroup" yaml:"workGroup"`
}
Configuration for objects bucket.
type CloudtrailBucket ¶
type CloudtrailBucket interface {
RawBucket
// The ARN of the bucket.
BucketArn() *string
// The IPv4 DNS name of the specified bucket.
BucketDomainName() *string
// The IPv6 DNS name of the specified bucket.
BucketDualStackDomainName() *string
// The name of the bucket.
BucketName() *string
// The regional domain name of the specified bucket.
BucketRegionalDomainName() *string
// The Domain name of the static website.
BucketWebsiteDomainName() *string
// The URL of the static website.
BucketWebsiteUrl() *string
CreateQueries() *bool
Database() glue.Database
// Optional KMS encryption key associated with this bucket.
EncryptionKey() awskms.IKey
// The environment this resource belongs to.
//
// For resources that are created and managed by the CDK
// (generally, those created by creating new class instances like Role, Bucket, etc.),
// this is always the same as the environment of the stack they belong to;
// however, for imported resources
// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
// that might be different than the stack they were imported into.
Env() *awscdk.ResourceEnvironment
FriendlyQueryNames() *bool
// If this bucket has been configured for static website hosting.
IsWebsite() *bool
// The tree node.
Node() constructs.Node
// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
//
// This value will resolve to one of the following:
// - a concrete value (e.g. `"my-awesome-bucket"`)
// - `undefined`, when a name should be generated by CloudFormation
// - a concrete name generated automatically during synthesis, in
// cross-environment scenarios.
PhysicalName() *string
// The resource policy associated with this bucket.
//
// If `autoCreatePolicy` is true, a `BucketPolicy` will be created upon the
// first call to addToResourcePolicy(s).
Policy() awss3.BucketPolicy
SetPolicy(val awss3.BucketPolicy)
Resource() awss3.CfnBucket
// The stack in which this resource is defined.
Stack() awscdk.Stack
Table() gluetables.CloudtrailTable
WorkGroup() athena.IWorkGroup
// Adds a bucket notification event destination.
AddEventNotification(_event awss3.EventType, _dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Subscribes a destination to receive notifications when an object is created in the bucket.
//
// This is identical to calling
// `onEvent(s3.EventType.OBJECT_CREATED)`.
AddObjectCreatedNotification(_dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Subscribes a destination to receive notifications when an object is removed from the bucket.
//
// This is identical to calling
// `onEvent(EventType.OBJECT_REMOVED)`.
AddObjectRemovedNotification(_dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Adds a statement to the resource policy for a principal (i.e. account/role/service) to perform actions on this bucket and/or its contents. Use `bucketArn` and `arnForObjects(keys)` to obtain ARNs for this bucket or objects.
//
// Note that the policy statement may or may not be added to the policy.
// For example, when an `IBucket` is created from an existing bucket,
// it's not possible to tell whether the bucket already has a policy
// attached, let alone to re-use that policy to add more statements to it.
// So it's safest to do nothing in these cases.
AddToResourcePolicy(permission awsiam.PolicyStatement) *awsiam.AddToResourcePolicyResult
// Apply the given removal policy to this resource.
//
// The Removal Policy controls what happens to this resource when it stops
// being managed by CloudFormation, either because you've removed it from the
// CDK application or because you've made a change that requires the resource
// to be replaced.
//
// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
// Returns an ARN that represents all objects within the bucket that match the key pattern specified.
//
// To represent all keys, specify “"*"“.
ArnForObjects(_keyPattern *string) *string
// Enables event bridge notification, causing all events below to be sent to EventBridge:.
//
// - Object Deleted (DeleteObject)
// - Object Deleted (Lifecycle expiration)
// - Object Restore Initiated
// - Object Restore Completed
// - Object Restore Expired
// - Object Storage Class Changed
// - Object Access Tier Changed
// - Object ACL Updated
// - Object Tags Added
// - Object Tags Deleted.
EnableEventBridgeNotification()
GeneratePhysicalName() *string
// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
//
// Normally, this token will resolve to `arnAttr`, but if the resource is
// referenced across environments, `arnComponents` will be used to synthesize
// a concrete ARN with the resource's physical name. Make sure to reference
// `this.physicalName` in `arnComponents`.
GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
//
// Normally, this token will resolve to `nameAttr`, but if the resource is
// referenced across environments, it will be resolved to `this.physicalName`,
// which will be a concrete name.
GetResourceNameAttribute(nameAttr *string) *string
// Grants s3:DeleteObject* permission to an IAM principal for objects in this bucket.
GrantDelete(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Allows unrestricted access to objects from this bucket.
//
// IMPORTANT: This permission allows anyone to perform actions on S3 objects
// in this bucket, which is useful for when you configure your bucket as a
// website and want everyone to be able to read objects in the bucket without
// needing to authenticate.
//
// Without arguments, this method will grant read ("s3:GetObject") access to
// all objects ("*") in the bucket.
//
// The method returns the `iam.Grant` object, which can then be modified
// as needed. For example, you can add a condition that will restrict access only
// to an IPv4 range like this:
//
// const grant = bucket.grantPublicAccess();
// grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” });
GrantPublicAccess(_keyPrefix *string, _allowedActions ...*string) awsiam.Grant
// Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.
//
// If encryption is used, permission to use the key to encrypt the contents
// of written files will also be granted to the same principal.
GrantPut(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grant the given IAM identity permissions to modify the ACLs of objects in the given Bucket.
//
// If your application has the '@aws-cdk/aws-s3:grantWriteWithoutAcl' feature flag set,
// calling `grantWrite` or `grantReadWrite` no longer grants permissions to modify the ACLs of the objects;
// in this case, if you need to modify object ACLs, call this method explicitly.
GrantPutAcl(_identity awsiam.IGrantable, _objectsKeyPattern *string) awsiam.Grant
// Grant read permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
//
// If encryption is used, permission to use the key to decrypt the contents
// of the bucket will also be granted to the same principal.
GrantRead(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grants read/write permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
//
// If an encryption key is used, permission to use the key for
// encrypt/decrypt will also be granted.
//
// Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
// which could be used to grant read/write object access to IAM principals in other accounts.
// If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
// and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
// in the `context` key of your cdk.json file.
// If you've already updated, but still need the principal to have permissions to modify the ACLs,
// use the `grantPutAcl` method.
GrantReadWrite(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grant write permissions to this bucket to an IAM principal.
//
// If encryption is used, permission to use the key to encrypt the contents
// of written files will also be granted to the same principal.
//
// Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
// which could be used to grant read/write object access to IAM principals in other accounts.
// If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
// and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
// in the `context` key of your cdk.json file.
// If you've already updated, but still need the principal to have permissions to modify the ACLs,
// use the `grantPutAcl` method.
GrantWrite(_identity awsiam.IGrantable, _objectsKeyPattern interface{}, _allowedActionPatterns *[]*string) awsiam.Grant
// Defines a CloudWatch event that triggers when something happens to this bucket.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailEvent(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// Defines an AWS CloudWatch event that triggers when an object is uploaded to the specified paths (keys) in this bucket using the PutObject API call.
//
// Note that some tools like `aws s3 cp` will automatically use either
// PutObject or the multipart upload API depending on the file size,
// so using `onCloudTrailWriteObject` may be preferable.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailPutObject(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// Defines an AWS CloudWatch event that triggers when an object at the specified paths (keys) in this bucket are written to.
//
// This includes
// the events PutObject, CopyObject, and CompleteMultipartUpload.
//
// Note that some tools like `aws s3 cp` will automatically use either
// PutObject or the multipart upload API depending on the file size,
// so using this method may be preferable to `onCloudTrailPutObject`.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailWriteObject(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// The S3 URL of an S3 object.
//
// For example:
// - `s3://onlybucket`
// - `s3://bucket/key`.
S3UrlForObject(_key *string) *string
// Returns a string representation of this construct.
ToString() *string
// The https Transfer Acceleration URL of an S3 object.
//
// Specify `dualStack: true` at the options
// for dual-stack endpoint (connect to the bucket over IPv6). For example:
//
// - `https://bucket.s3-accelerate.amazonaws.com`
// - `https://bucket.s3-accelerate.amazonaws.com/key`
TransferAccelerationUrlForObject(_key *string, _options *awss3.TransferAccelerationUrlOptions) *string
// The https URL of an S3 object. For example:.
//
// - `https://s3.us-west-1.amazonaws.com/onlybucket`
// - `https://s3.us-west-1.amazonaws.com/bucket/key`
// - `https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey`
UrlForObject(_key *string) *string
// The virtual hosted-style URL of an S3 object. Specify `regional: false` at the options for non-regional URL. For example:.
//
// - `https://only-bucket.s3.us-west-1.amazonaws.com`
// - `https://bucket.s3.us-west-1.amazonaws.com/key`
// - `https://bucket.s3.amazonaws.com/key`
// - `https://china-bucket.s3.cn-north-1.amazonaws.com.cn/mykey`
VirtualHostedUrlForObject(_key *string, _options *awss3.VirtualHostedStyleUrlOptions) *string
}
func NewCloudtrailBucket ¶
func NewCloudtrailBucket(scope constructs.Construct, id *string, props *CloudtrailBucketProps) CloudtrailBucket
Creates a new instance of the CloudtrailBucket class.
type CloudtrailBucketProps ¶
type CloudtrailBucketProps struct {
// The AWS account ID this resource belongs to.
// Default: - the resource is in the same account as the stack it belongs to.
//
Account *string `field:"optional" json:"account" yaml:"account"`
// ARN to deduce region and account from.
//
// The ARN is parsed and the account and region are taken from the ARN.
// This should be used for imported resources.
//
// Cannot be supplied together with either `account` or `region`.
// Default: - take environment from `account`, `region` parameters, or use Stack environment.
//
EnvironmentFromArn *string `field:"optional" json:"environmentFromArn" yaml:"environmentFromArn"`
// The value passed in by users to the physical name prop of the resource.
//
// - `undefined` implies that a physical name will be allocated by
// CloudFormation during deployment.
// - a concrete value implies a specific physical name
// - `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical will only be generated
// by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
// Default: - The physical name will be allocated by CloudFormation at deployment time.
//
PhysicalName *string `field:"optional" json:"physicalName" yaml:"physicalName"`
// The AWS region this resource belongs to.
// Default: - the resource is in the same region as the stack it belongs to.
//
Region *string `field:"optional" json:"region" yaml:"region"`
BucketName *string `field:"optional" json:"bucketName" yaml:"bucketName"`
CreateQueries *bool `field:"optional" json:"createQueries" yaml:"createQueries"`
Database glue.Database `field:"optional" json:"database" yaml:"database"`
FriendlyQueryNames *bool `field:"optional" json:"friendlyQueryNames" yaml:"friendlyQueryNames"`
TableName *string `field:"optional" json:"tableName" yaml:"tableName"`
WorkGroup athena.IWorkGroup `field:"optional" json:"workGroup" yaml:"workGroup"`
}
Configuration for objects bucket.
type FlowLogsBucket ¶
type FlowLogsBucket interface {
RawBucket
// The ARN of the bucket.
BucketArn() *string
// The IPv4 DNS name of the specified bucket.
BucketDomainName() *string
// The IPv6 DNS name of the specified bucket.
BucketDualStackDomainName() *string
// The name of the bucket.
BucketName() *string
// The regional domain name of the specified bucket.
BucketRegionalDomainName() *string
// The Domain name of the static website.
BucketWebsiteDomainName() *string
// The URL of the static website.
BucketWebsiteUrl() *string
Crawler() glue.Crawler
CrawlerSchedule() awsevents.Schedule
CreateQueries() *bool
Database() glue.Database
// Optional KMS encryption key associated with this bucket.
EncryptionKey() awskms.IKey
// The environment this resource belongs to.
//
// For resources that are created and managed by the CDK
// (generally, those created by creating new class instances like Role, Bucket, etc.),
// this is always the same as the environment of the stack they belong to;
// however, for imported resources
// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
// that might be different than the stack they were imported into.
Env() *awscdk.ResourceEnvironment
Format() ec2.FlowLogFormat
FriendlyQueryNames() *bool
// If this bucket has been configured for static website hosting.
IsWebsite() *bool
// The tree node.
Node() constructs.Node
// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
//
// This value will resolve to one of the following:
// - a concrete value (e.g. `"my-awesome-bucket"`)
// - `undefined`, when a name should be generated by CloudFormation
// - a concrete name generated automatically during synthesis, in
// cross-environment scenarios.
PhysicalName() *string
// The resource policy associated with this bucket.
//
// If `autoCreatePolicy` is true, a `BucketPolicy` will be created upon the
// first call to addToResourcePolicy(s).
Policy() awss3.BucketPolicy
SetPolicy(val awss3.BucketPolicy)
Resource() awss3.CfnBucket
// The stack in which this resource is defined.
Stack() awscdk.Stack
Table() gluetables.FlowLogsTable
WorkGroup() athena.IWorkGroup
// Adds a bucket notification event destination.
AddEventNotification(_event awss3.EventType, _dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Subscribes a destination to receive notifications when an object is created in the bucket.
//
// This is identical to calling
// `onEvent(s3.EventType.OBJECT_CREATED)`.
AddObjectCreatedNotification(_dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Subscribes a destination to receive notifications when an object is removed from the bucket.
//
// This is identical to calling
// `onEvent(EventType.OBJECT_REMOVED)`.
AddObjectRemovedNotification(_dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Adds a statement to the resource policy for a principal (i.e. account/role/service) to perform actions on this bucket and/or its contents. Use `bucketArn` and `arnForObjects(keys)` to obtain ARNs for this bucket or objects.
//
// Note that the policy statement may or may not be added to the policy.
// For example, when an `IBucket` is created from an existing bucket,
// it's not possible to tell whether the bucket already has a policy
// attached, let alone to re-use that policy to add more statements to it.
// So it's safest to do nothing in these cases.
AddToResourcePolicy(permission awsiam.PolicyStatement) *awsiam.AddToResourcePolicyResult
// Apply the given removal policy to this resource.
//
// The Removal Policy controls what happens to this resource when it stops
// being managed by CloudFormation, either because you've removed it from the
// CDK application or because you've made a change that requires the resource
// to be replaced.
//
// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
// Returns an ARN that represents all objects within the bucket that match the key pattern specified.
//
// To represent all keys, specify “"*"“.
ArnForObjects(_keyPattern *string) *string
// Enables event bridge notification, causing all events below to be sent to EventBridge:.
//
// - Object Deleted (DeleteObject)
// - Object Deleted (Lifecycle expiration)
// - Object Restore Initiated
// - Object Restore Completed
// - Object Restore Expired
// - Object Storage Class Changed
// - Object Access Tier Changed
// - Object ACL Updated
// - Object Tags Added
// - Object Tags Deleted.
EnableEventBridgeNotification()
GeneratePhysicalName() *string
// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
//
// Normally, this token will resolve to `arnAttr`, but if the resource is
// referenced across environments, `arnComponents` will be used to synthesize
// a concrete ARN with the resource's physical name. Make sure to reference
// `this.physicalName` in `arnComponents`.
GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
//
// Normally, this token will resolve to `nameAttr`, but if the resource is
// referenced across environments, it will be resolved to `this.physicalName`,
// which will be a concrete name.
GetResourceNameAttribute(nameAttr *string) *string
// Grants s3:DeleteObject* permission to an IAM principal for objects in this bucket.
GrantDelete(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Allows unrestricted access to objects from this bucket.
//
// IMPORTANT: This permission allows anyone to perform actions on S3 objects
// in this bucket, which is useful for when you configure your bucket as a
// website and want everyone to be able to read objects in the bucket without
// needing to authenticate.
//
// Without arguments, this method will grant read ("s3:GetObject") access to
// all objects ("*") in the bucket.
//
// The method returns the `iam.Grant` object, which can then be modified
// as needed. For example, you can add a condition that will restrict access only
// to an IPv4 range like this:
//
// const grant = bucket.grantPublicAccess();
// grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” });
GrantPublicAccess(_keyPrefix *string, _allowedActions ...*string) awsiam.Grant
// Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.
//
// If encryption is used, permission to use the key to encrypt the contents
// of written files will also be granted to the same principal.
GrantPut(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grant the given IAM identity permissions to modify the ACLs of objects in the given Bucket.
//
// If your application has the '@aws-cdk/aws-s3:grantWriteWithoutAcl' feature flag set,
// calling `grantWrite` or `grantReadWrite` no longer grants permissions to modify the ACLs of the objects;
// in this case, if you need to modify object ACLs, call this method explicitly.
GrantPutAcl(_identity awsiam.IGrantable, _objectsKeyPattern *string) awsiam.Grant
// Grant read permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
//
// If encryption is used, permission to use the key to decrypt the contents
// of the bucket will also be granted to the same principal.
GrantRead(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grants read/write permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
//
// If an encryption key is used, permission to use the key for
// encrypt/decrypt will also be granted.
//
// Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
// which could be used to grant read/write object access to IAM principals in other accounts.
// If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
// and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
// in the `context` key of your cdk.json file.
// If you've already updated, but still need the principal to have permissions to modify the ACLs,
// use the `grantPutAcl` method.
GrantReadWrite(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grant write permissions to this bucket to an IAM principal.
//
// If encryption is used, permission to use the key to encrypt the contents
// of written files will also be granted to the same principal.
//
// Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
// which could be used to grant read/write object access to IAM principals in other accounts.
// If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
// and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
// in the `context` key of your cdk.json file.
// If you've already updated, but still need the principal to have permissions to modify the ACLs,
// use the `grantPutAcl` method.
GrantWrite(_identity awsiam.IGrantable, _objectsKeyPattern interface{}, _allowedActionPatterns *[]*string) awsiam.Grant
// Defines a CloudWatch event that triggers when something happens to this bucket.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailEvent(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// Defines an AWS CloudWatch event that triggers when an object is uploaded to the specified paths (keys) in this bucket using the PutObject API call.
//
// Note that some tools like `aws s3 cp` will automatically use either
// PutObject or the multipart upload API depending on the file size,
// so using `onCloudTrailWriteObject` may be preferable.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailPutObject(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// Defines an AWS CloudWatch event that triggers when an object at the specified paths (keys) in this bucket are written to.
//
// This includes
// the events PutObject, CopyObject, and CompleteMultipartUpload.
//
// Note that some tools like `aws s3 cp` will automatically use either
// PutObject or the multipart upload API depending on the file size,
// so using this method may be preferable to `onCloudTrailPutObject`.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailWriteObject(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// The S3 URL of an S3 object.
//
// For example:
// - `s3://onlybucket`
// - `s3://bucket/key`.
S3UrlForObject(_key *string) *string
// Returns a string representation of this construct.
ToString() *string
// The https Transfer Acceleration URL of an S3 object.
//
// Specify `dualStack: true` at the options
// for dual-stack endpoint (connect to the bucket over IPv6). For example:
//
// - `https://bucket.s3-accelerate.amazonaws.com`
// - `https://bucket.s3-accelerate.amazonaws.com/key`
TransferAccelerationUrlForObject(_key *string, _options *awss3.TransferAccelerationUrlOptions) *string
// The https URL of an S3 object. For example:.
//
// - `https://s3.us-west-1.amazonaws.com/onlybucket`
// - `https://s3.us-west-1.amazonaws.com/bucket/key`
// - `https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey`
UrlForObject(_key *string) *string
// The virtual hosted-style URL of an S3 object. Specify `regional: false` at the options for non-regional URL. For example:.
//
// - `https://only-bucket.s3.us-west-1.amazonaws.com`
// - `https://bucket.s3.us-west-1.amazonaws.com/key`
// - `https://bucket.s3.amazonaws.com/key`
// - `https://china-bucket.s3.cn-north-1.amazonaws.com.cn/mykey`
VirtualHostedUrlForObject(_key *string, _options *awss3.VirtualHostedStyleUrlOptions) *string
}
func NewFlowLogsBucket ¶
func NewFlowLogsBucket(scope constructs.Construct, id *string, props *FlowLogsBucketProps) FlowLogsBucket
Creates a new instance of the FlowLogsBucket class.
type FlowLogsBucketProps ¶
type FlowLogsBucketProps struct {
// The AWS account ID this resource belongs to.
// Default: - the resource is in the same account as the stack it belongs to.
//
Account *string `field:"optional" json:"account" yaml:"account"`
// ARN to deduce region and account from.
//
// The ARN is parsed and the account and region are taken from the ARN.
// This should be used for imported resources.
//
// Cannot be supplied together with either `account` or `region`.
// Default: - take environment from `account`, `region` parameters, or use Stack environment.
//
EnvironmentFromArn *string `field:"optional" json:"environmentFromArn" yaml:"environmentFromArn"`
// The value passed in by users to the physical name prop of the resource.
//
// - `undefined` implies that a physical name will be allocated by
// CloudFormation during deployment.
// - a concrete value implies a specific physical name
// - `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical will only be generated
// by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
// Default: - The physical name will be allocated by CloudFormation at deployment time.
//
PhysicalName *string `field:"optional" json:"physicalName" yaml:"physicalName"`
// The AWS region this resource belongs to.
// Default: - the resource is in the same region as the stack it belongs to.
//
Region *string `field:"optional" json:"region" yaml:"region"`
BucketName *string `field:"optional" json:"bucketName" yaml:"bucketName"`
CrawlerSchedule awsevents.Schedule `field:"optional" json:"crawlerSchedule" yaml:"crawlerSchedule"`
CreateQueries *bool `field:"optional" json:"createQueries" yaml:"createQueries"`
Database glue.Database `field:"optional" json:"database" yaml:"database"`
Format ec2.FlowLogFormat `field:"optional" json:"format" yaml:"format"`
FriendlyQueryNames *bool `field:"optional" json:"friendlyQueryNames" yaml:"friendlyQueryNames"`
TableName *string `field:"optional" json:"tableName" yaml:"tableName"`
WorkGroup athena.IWorkGroup `field:"optional" json:"workGroup" yaml:"workGroup"`
}
Configuration for objects bucket.
type LoggingAspectOptions ¶
type RawBucket ¶
type RawBucket interface {
awscdk.Resource
awss3.IBucket
// The ARN of the bucket.
BucketArn() *string
// The IPv4 DNS name of the specified bucket.
BucketDomainName() *string
// The IPv6 DNS name of the specified bucket.
BucketDualStackDomainName() *string
// The name of the bucket.
BucketName() *string
// The regional domain name of the specified bucket.
BucketRegionalDomainName() *string
// The Domain name of the static website.
BucketWebsiteDomainName() *string
// The URL of the static website.
BucketWebsiteUrl() *string
// Optional KMS encryption key associated with this bucket.
EncryptionKey() awskms.IKey
// The environment this resource belongs to.
//
// For resources that are created and managed by the CDK
// (generally, those created by creating new class instances like Role, Bucket, etc.),
// this is always the same as the environment of the stack they belong to;
// however, for imported resources
// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
// that might be different than the stack they were imported into.
Env() *awscdk.ResourceEnvironment
// If this bucket has been configured for static website hosting.
IsWebsite() *bool
// The tree node.
Node() constructs.Node
// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
//
// This value will resolve to one of the following:
// - a concrete value (e.g. `"my-awesome-bucket"`)
// - `undefined`, when a name should be generated by CloudFormation
// - a concrete name generated automatically during synthesis, in
// cross-environment scenarios.
PhysicalName() *string
// The resource policy associated with this bucket.
//
// If `autoCreatePolicy` is true, a `BucketPolicy` will be created upon the
// first call to addToResourcePolicy(s).
Policy() awss3.BucketPolicy
SetPolicy(val awss3.BucketPolicy)
Resource() awss3.CfnBucket
// The stack in which this resource is defined.
Stack() awscdk.Stack
// Adds a bucket notification event destination.
AddEventNotification(_event awss3.EventType, _dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Subscribes a destination to receive notifications when an object is created in the bucket.
//
// This is identical to calling
// `onEvent(s3.EventType.OBJECT_CREATED)`.
AddObjectCreatedNotification(_dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Subscribes a destination to receive notifications when an object is removed from the bucket.
//
// This is identical to calling
// `onEvent(EventType.OBJECT_REMOVED)`.
AddObjectRemovedNotification(_dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Adds a statement to the resource policy for a principal (i.e. account/role/service) to perform actions on this bucket and/or its contents. Use `bucketArn` and `arnForObjects(keys)` to obtain ARNs for this bucket or objects.
//
// Note that the policy statement may or may not be added to the policy.
// For example, when an `IBucket` is created from an existing bucket,
// it's not possible to tell whether the bucket already has a policy
// attached, let alone to re-use that policy to add more statements to it.
// So it's safest to do nothing in these cases.
AddToResourcePolicy(permission awsiam.PolicyStatement) *awsiam.AddToResourcePolicyResult
// Apply the given removal policy to this resource.
//
// The Removal Policy controls what happens to this resource when it stops
// being managed by CloudFormation, either because you've removed it from the
// CDK application or because you've made a change that requires the resource
// to be replaced.
//
// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
// Returns an ARN that represents all objects within the bucket that match the key pattern specified.
//
// To represent all keys, specify “"*"“.
ArnForObjects(_keyPattern *string) *string
// Enables event bridge notification, causing all events below to be sent to EventBridge:.
//
// - Object Deleted (DeleteObject)
// - Object Deleted (Lifecycle expiration)
// - Object Restore Initiated
// - Object Restore Completed
// - Object Restore Expired
// - Object Storage Class Changed
// - Object Access Tier Changed
// - Object ACL Updated
// - Object Tags Added
// - Object Tags Deleted.
EnableEventBridgeNotification()
GeneratePhysicalName() *string
// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
//
// Normally, this token will resolve to `arnAttr`, but if the resource is
// referenced across environments, `arnComponents` will be used to synthesize
// a concrete ARN with the resource's physical name. Make sure to reference
// `this.physicalName` in `arnComponents`.
GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
//
// Normally, this token will resolve to `nameAttr`, but if the resource is
// referenced across environments, it will be resolved to `this.physicalName`,
// which will be a concrete name.
GetResourceNameAttribute(nameAttr *string) *string
// Grants s3:DeleteObject* permission to an IAM principal for objects in this bucket.
GrantDelete(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Allows unrestricted access to objects from this bucket.
//
// IMPORTANT: This permission allows anyone to perform actions on S3 objects
// in this bucket, which is useful for when you configure your bucket as a
// website and want everyone to be able to read objects in the bucket without
// needing to authenticate.
//
// Without arguments, this method will grant read ("s3:GetObject") access to
// all objects ("*") in the bucket.
//
// The method returns the `iam.Grant` object, which can then be modified
// as needed. For example, you can add a condition that will restrict access only
// to an IPv4 range like this:
//
// const grant = bucket.grantPublicAccess();
// grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” });
GrantPublicAccess(_keyPrefix *string, _allowedActions ...*string) awsiam.Grant
// Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.
//
// If encryption is used, permission to use the key to encrypt the contents
// of written files will also be granted to the same principal.
GrantPut(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grant the given IAM identity permissions to modify the ACLs of objects in the given Bucket.
//
// If your application has the '@aws-cdk/aws-s3:grantWriteWithoutAcl' feature flag set,
// calling `grantWrite` or `grantReadWrite` no longer grants permissions to modify the ACLs of the objects;
// in this case, if you need to modify object ACLs, call this method explicitly.
GrantPutAcl(_identity awsiam.IGrantable, _objectsKeyPattern *string) awsiam.Grant
// Grant read permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
//
// If encryption is used, permission to use the key to decrypt the contents
// of the bucket will also be granted to the same principal.
GrantRead(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grants read/write permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
//
// If an encryption key is used, permission to use the key for
// encrypt/decrypt will also be granted.
//
// Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
// which could be used to grant read/write object access to IAM principals in other accounts.
// If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
// and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
// in the `context` key of your cdk.json file.
// If you've already updated, but still need the principal to have permissions to modify the ACLs,
// use the `grantPutAcl` method.
GrantReadWrite(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grant write permissions to this bucket to an IAM principal.
//
// If encryption is used, permission to use the key to encrypt the contents
// of written files will also be granted to the same principal.
//
// Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
// which could be used to grant read/write object access to IAM principals in other accounts.
// If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
// and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
// in the `context` key of your cdk.json file.
// If you've already updated, but still need the principal to have permissions to modify the ACLs,
// use the `grantPutAcl` method.
GrantWrite(_identity awsiam.IGrantable, _objectsKeyPattern interface{}, _allowedActionPatterns *[]*string) awsiam.Grant
// Defines a CloudWatch event that triggers when something happens to this bucket.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailEvent(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// Defines an AWS CloudWatch event that triggers when an object is uploaded to the specified paths (keys) in this bucket using the PutObject API call.
//
// Note that some tools like `aws s3 cp` will automatically use either
// PutObject or the multipart upload API depending on the file size,
// so using `onCloudTrailWriteObject` may be preferable.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailPutObject(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// Defines an AWS CloudWatch event that triggers when an object at the specified paths (keys) in this bucket are written to.
//
// This includes
// the events PutObject, CopyObject, and CompleteMultipartUpload.
//
// Note that some tools like `aws s3 cp` will automatically use either
// PutObject or the multipart upload API depending on the file size,
// so using this method may be preferable to `onCloudTrailPutObject`.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailWriteObject(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// The S3 URL of an S3 object.
//
// For example:
// - `s3://onlybucket`
// - `s3://bucket/key`.
S3UrlForObject(_key *string) *string
// Returns a string representation of this construct.
ToString() *string
// The https Transfer Acceleration URL of an S3 object.
//
// Specify `dualStack: true` at the options
// for dual-stack endpoint (connect to the bucket over IPv6). For example:
//
// - `https://bucket.s3-accelerate.amazonaws.com`
// - `https://bucket.s3-accelerate.amazonaws.com/key`
TransferAccelerationUrlForObject(_key *string, _options *awss3.TransferAccelerationUrlOptions) *string
// The https URL of an S3 object. For example:.
//
// - `https://s3.us-west-1.amazonaws.com/onlybucket`
// - `https://s3.us-west-1.amazonaws.com/bucket/key`
// - `https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey`
UrlForObject(_key *string) *string
// The virtual hosted-style URL of an S3 object. Specify `regional: false` at the options for non-regional URL. For example:.
//
// - `https://only-bucket.s3.us-west-1.amazonaws.com`
// - `https://bucket.s3.us-west-1.amazonaws.com/key`
// - `https://bucket.s3.amazonaws.com/key`
// - `https://china-bucket.s3.cn-north-1.amazonaws.com.cn/mykey`
VirtualHostedUrlForObject(_key *string, _options *awss3.VirtualHostedStyleUrlOptions) *string
}
Do not use directly.
Will be removed once a better replacemnt is written.
func NewRawBucket ¶
func NewRawBucket(scope constructs.Construct, id *string, props *RawBucketProps) RawBucket
Creates a new instance of the ReplicatedBucket class.
type RawBucketProps ¶
type RawBucketProps struct {
// Configures the transfer acceleration state for an Amazon S3 bucket.
//
// For more information, see [Amazon S3 Transfer Acceleration](https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html) in the *Amazon S3 User Guide* .
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-accelerateconfiguration
//
AccelerateConfiguration interface{} `field:"optional" json:"accelerateConfiguration" yaml:"accelerateConfiguration"`
// > This is a legacy property, and it is not recommended for most use cases.
//
// A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see [Controlling object ownership](https://docs.aws.amazon.com//AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon S3 User Guide* .
//
// A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide* .
//
// S3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the [AWS::S3::OwnershipControls](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html) property to enable ACLs, your resource will fail to deploy with any value other than Private. Use cases requiring ACLs are uncommon.
//
// The majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see [AWS::S3::BucketPolicy](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html) . For examples of common policy configurations, including S3 Server Access Logs buckets and more, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) in the *Amazon S3 User Guide* .
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-accesscontrol
//
AccessControl *string `field:"optional" json:"accessControl" yaml:"accessControl"`
// Specifies the configuration and any analyses for the analytics filter of an Amazon S3 bucket.
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-analyticsconfigurations
//
AnalyticsConfigurations interface{} `field:"optional" json:"analyticsConfigurations" yaml:"analyticsConfigurations"`
// Specifies default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3), AWS KMS-managed keys (SSE-KMS), or dual-layer server-side encryption with KMS-managed keys (DSSE-KMS).
//
// For information about the Amazon S3 default encryption feature, see [Amazon S3 Default Encryption for S3 Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html) in the *Amazon S3 User Guide* .
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-bucketencryption
//
BucketEncryption interface{} `field:"optional" json:"bucketEncryption" yaml:"bucketEncryption"`
// A name for the bucket.
//
// If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-) and must follow [Amazon S3 bucket restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html) . For more information, see [Rules for naming Amazon S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html#bucketnamingrules) in the *Amazon S3 User Guide* .
//
// > If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-bucketname
//
BucketName *string `field:"optional" json:"bucketName" yaml:"bucketName"`
// Describes the cross-origin access configuration for objects in an Amazon S3 bucket.
//
// For more information, see [Enabling Cross-Origin Resource Sharing](https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html) in the *Amazon S3 User Guide* .
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-corsconfiguration
//
CorsConfiguration interface{} `field:"optional" json:"corsConfiguration" yaml:"corsConfiguration"`
// Defines how Amazon S3 handles Intelligent-Tiering storage.
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-intelligenttieringconfigurations
//
IntelligentTieringConfigurations interface{} `field:"optional" json:"intelligentTieringConfigurations" yaml:"intelligentTieringConfigurations"`
// Specifies the inventory configuration for an Amazon S3 bucket.
//
// For more information, see [GET Bucket inventory](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETInventoryConfig.html) in the *Amazon S3 API Reference* .
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-inventoryconfigurations
//
InventoryConfigurations interface{} `field:"optional" json:"inventoryConfigurations" yaml:"inventoryConfigurations"`
// Specifies the lifecycle configuration for objects in an Amazon S3 bucket.
//
// For more information, see [Object Lifecycle Management](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html) in the *Amazon S3 User Guide* .
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-lifecycleconfiguration
//
LifecycleConfiguration interface{} `field:"optional" json:"lifecycleConfiguration" yaml:"lifecycleConfiguration"`
// Settings that define where logs are stored.
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-loggingconfiguration
//
LoggingConfiguration interface{} `field:"optional" json:"loggingConfiguration" yaml:"loggingConfiguration"`
// Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket.
//
// If you're updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don't include the elements you want to keep, they are erased. For more information, see [PutBucketMetricsConfiguration](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTMetricConfiguration.html) .
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-metricsconfigurations
//
MetricsConfigurations interface{} `field:"optional" json:"metricsConfigurations" yaml:"metricsConfigurations"`
// Configuration that defines how Amazon S3 handles bucket notifications.
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-notificationconfiguration
//
NotificationConfiguration interface{} `field:"optional" json:"notificationConfiguration" yaml:"notificationConfiguration"`
// Places an Object Lock configuration on the specified bucket.
//
// The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see [Locking Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html) .
//
// > - The `DefaultRetention` settings require both a mode and a period.
// > - The `DefaultRetention` period can be either `Days` or `Years` but you must select one. You cannot specify `Days` and `Years` at the same time.
// > - You can only enable Object Lock for new buckets. If you want to turn on Object Lock for an existing bucket, contact AWS Support.
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-objectlockconfiguration
//
ObjectLockConfiguration interface{} `field:"optional" json:"objectLockConfiguration" yaml:"objectLockConfiguration"`
// Indicates whether this bucket has an Object Lock configuration enabled.
//
// Enable `ObjectLockEnabled` when you apply `ObjectLockConfiguration` to a bucket.
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-objectlockenabled
//
ObjectLockEnabled interface{} `field:"optional" json:"objectLockEnabled" yaml:"objectLockEnabled"`
// Configuration that defines how Amazon S3 handles Object Ownership rules.
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-ownershipcontrols
//
OwnershipControls interface{} `field:"optional" json:"ownershipControls" yaml:"ownershipControls"`
// Configuration that defines how Amazon S3 handles public access.
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-publicaccessblockconfiguration
//
PublicAccessBlockConfiguration interface{} `field:"optional" json:"publicAccessBlockConfiguration" yaml:"publicAccessBlockConfiguration"`
// Configuration for replicating objects in an S3 bucket.
//
// To enable replication, you must also enable versioning by using the `VersioningConfiguration` property.
//
// Amazon S3 can store replicated objects in a single destination bucket or multiple destination buckets. The destination bucket or buckets must already exist.
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-replicationconfiguration
//
ReplicationConfiguration interface{} `field:"optional" json:"replicationConfiguration" yaml:"replicationConfiguration"`
// An arbitrary set of tags (key-value pairs) for this S3 bucket.
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-tags
//
Tags *[]*awscdk.CfnTag `field:"optional" json:"tags" yaml:"tags"`
// Enables multiple versions of all objects in this bucket.
//
// You might enable versioning to prevent objects from being deleted or overwritten by mistake or to archive objects so that you can retrieve previous versions of them.
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-versioningconfiguration
//
VersioningConfiguration interface{} `field:"optional" json:"versioningConfiguration" yaml:"versioningConfiguration"`
// Information used to configure the bucket as a static website.
//
// For more information, see [Hosting Websites on Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html) .
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-websiteconfiguration
//
WebsiteConfiguration interface{} `field:"optional" json:"websiteConfiguration" yaml:"websiteConfiguration"`
}
Configuration for objects bucket.
type S3AccessLogsBucket ¶
type S3AccessLogsBucket interface {
RawBucket
// The ARN of the bucket.
BucketArn() *string
// The IPv4 DNS name of the specified bucket.
BucketDomainName() *string
// The IPv6 DNS name of the specified bucket.
BucketDualStackDomainName() *string
// The name of the bucket.
BucketName() *string
// The regional domain name of the specified bucket.
BucketRegionalDomainName() *string
// The Domain name of the static website.
BucketWebsiteDomainName() *string
// The URL of the static website.
BucketWebsiteUrl() *string
CreateQueries() *bool
Database() glue.Database
// Optional KMS encryption key associated with this bucket.
EncryptionKey() awskms.IKey
// The environment this resource belongs to.
//
// For resources that are created and managed by the CDK
// (generally, those created by creating new class instances like Role, Bucket, etc.),
// this is always the same as the environment of the stack they belong to;
// however, for imported resources
// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
// that might be different than the stack they were imported into.
Env() *awscdk.ResourceEnvironment
FriendlyQueryNames() *bool
// If this bucket has been configured for static website hosting.
IsWebsite() *bool
// The tree node.
Node() constructs.Node
// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
//
// This value will resolve to one of the following:
// - a concrete value (e.g. `"my-awesome-bucket"`)
// - `undefined`, when a name should be generated by CloudFormation
// - a concrete name generated automatically during synthesis, in
// cross-environment scenarios.
PhysicalName() *string
// The resource policy associated with this bucket.
//
// If `autoCreatePolicy` is true, a `BucketPolicy` will be created upon the
// first call to addToResourcePolicy(s).
Policy() awss3.BucketPolicy
SetPolicy(val awss3.BucketPolicy)
Resource() awss3.CfnBucket
// The stack in which this resource is defined.
Stack() awscdk.Stack
Table() gluetables.S3AccessLogsTable
WorkGroup() athena.IWorkGroup
// Adds a bucket notification event destination.
AddEventNotification(_event awss3.EventType, _dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
AddLoggingAspect(scope constructs.IConstruct, options *LoggingAspectOptions)
// Subscribes a destination to receive notifications when an object is created in the bucket.
//
// This is identical to calling
// `onEvent(s3.EventType.OBJECT_CREATED)`.
AddObjectCreatedNotification(_dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Subscribes a destination to receive notifications when an object is removed from the bucket.
//
// This is identical to calling
// `onEvent(EventType.OBJECT_REMOVED)`.
AddObjectRemovedNotification(_dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Adds a statement to the resource policy for a principal (i.e. account/role/service) to perform actions on this bucket and/or its contents. Use `bucketArn` and `arnForObjects(keys)` to obtain ARNs for this bucket or objects.
//
// Note that the policy statement may or may not be added to the policy.
// For example, when an `IBucket` is created from an existing bucket,
// it's not possible to tell whether the bucket already has a policy
// attached, let alone to re-use that policy to add more statements to it.
// So it's safest to do nothing in these cases.
AddToResourcePolicy(permission awsiam.PolicyStatement) *awsiam.AddToResourcePolicyResult
// Apply the given removal policy to this resource.
//
// The Removal Policy controls what happens to this resource when it stops
// being managed by CloudFormation, either because you've removed it from the
// CDK application or because you've made a change that requires the resource
// to be replaced.
//
// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
// Returns an ARN that represents all objects within the bucket that match the key pattern specified.
//
// To represent all keys, specify “"*"“.
ArnForObjects(_keyPattern *string) *string
// Enables event bridge notification, causing all events below to be sent to EventBridge:.
//
// - Object Deleted (DeleteObject)
// - Object Deleted (Lifecycle expiration)
// - Object Restore Initiated
// - Object Restore Completed
// - Object Restore Expired
// - Object Storage Class Changed
// - Object Access Tier Changed
// - Object ACL Updated
// - Object Tags Added
// - Object Tags Deleted.
EnableEventBridgeNotification()
GeneratePhysicalName() *string
// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
//
// Normally, this token will resolve to `arnAttr`, but if the resource is
// referenced across environments, `arnComponents` will be used to synthesize
// a concrete ARN with the resource's physical name. Make sure to reference
// `this.physicalName` in `arnComponents`.
GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
//
// Normally, this token will resolve to `nameAttr`, but if the resource is
// referenced across environments, it will be resolved to `this.physicalName`,
// which will be a concrete name.
GetResourceNameAttribute(nameAttr *string) *string
// Grants s3:DeleteObject* permission to an IAM principal for objects in this bucket.
GrantDelete(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Allows unrestricted access to objects from this bucket.
//
// IMPORTANT: This permission allows anyone to perform actions on S3 objects
// in this bucket, which is useful for when you configure your bucket as a
// website and want everyone to be able to read objects in the bucket without
// needing to authenticate.
//
// Without arguments, this method will grant read ("s3:GetObject") access to
// all objects ("*") in the bucket.
//
// The method returns the `iam.Grant` object, which can then be modified
// as needed. For example, you can add a condition that will restrict access only
// to an IPv4 range like this:
//
// const grant = bucket.grantPublicAccess();
// grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” });
GrantPublicAccess(_keyPrefix *string, _allowedActions ...*string) awsiam.Grant
// Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.
//
// If encryption is used, permission to use the key to encrypt the contents
// of written files will also be granted to the same principal.
GrantPut(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grant the given IAM identity permissions to modify the ACLs of objects in the given Bucket.
//
// If your application has the '@aws-cdk/aws-s3:grantWriteWithoutAcl' feature flag set,
// calling `grantWrite` or `grantReadWrite` no longer grants permissions to modify the ACLs of the objects;
// in this case, if you need to modify object ACLs, call this method explicitly.
GrantPutAcl(_identity awsiam.IGrantable, _objectsKeyPattern *string) awsiam.Grant
// Grant read permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
//
// If encryption is used, permission to use the key to decrypt the contents
// of the bucket will also be granted to the same principal.
GrantRead(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grants read/write permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
//
// If an encryption key is used, permission to use the key for
// encrypt/decrypt will also be granted.
//
// Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
// which could be used to grant read/write object access to IAM principals in other accounts.
// If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
// and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
// in the `context` key of your cdk.json file.
// If you've already updated, but still need the principal to have permissions to modify the ACLs,
// use the `grantPutAcl` method.
GrantReadWrite(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grant write permissions to this bucket to an IAM principal.
//
// If encryption is used, permission to use the key to encrypt the contents
// of written files will also be granted to the same principal.
//
// Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
// which could be used to grant read/write object access to IAM principals in other accounts.
// If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
// and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
// in the `context` key of your cdk.json file.
// If you've already updated, but still need the principal to have permissions to modify the ACLs,
// use the `grantPutAcl` method.
GrantWrite(_identity awsiam.IGrantable, _objectsKeyPattern interface{}, _allowedActionPatterns *[]*string) awsiam.Grant
// Defines a CloudWatch event that triggers when something happens to this bucket.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailEvent(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// Defines an AWS CloudWatch event that triggers when an object is uploaded to the specified paths (keys) in this bucket using the PutObject API call.
//
// Note that some tools like `aws s3 cp` will automatically use either
// PutObject or the multipart upload API depending on the file size,
// so using `onCloudTrailWriteObject` may be preferable.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailPutObject(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// Defines an AWS CloudWatch event that triggers when an object at the specified paths (keys) in this bucket are written to.
//
// This includes
// the events PutObject, CopyObject, and CompleteMultipartUpload.
//
// Note that some tools like `aws s3 cp` will automatically use either
// PutObject or the multipart upload API depending on the file size,
// so using this method may be preferable to `onCloudTrailPutObject`.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailWriteObject(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// The S3 URL of an S3 object.
//
// For example:
// - `s3://onlybucket`
// - `s3://bucket/key`.
S3UrlForObject(_key *string) *string
// Returns a string representation of this construct.
ToString() *string
// The https Transfer Acceleration URL of an S3 object.
//
// Specify `dualStack: true` at the options
// for dual-stack endpoint (connect to the bucket over IPv6). For example:
//
// - `https://bucket.s3-accelerate.amazonaws.com`
// - `https://bucket.s3-accelerate.amazonaws.com/key`
TransferAccelerationUrlForObject(_key *string, _options *awss3.TransferAccelerationUrlOptions) *string
// The https URL of an S3 object. For example:.
//
// - `https://s3.us-west-1.amazonaws.com/onlybucket`
// - `https://s3.us-west-1.amazonaws.com/bucket/key`
// - `https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey`
UrlForObject(_key *string) *string
// The virtual hosted-style URL of an S3 object. Specify `regional: false` at the options for non-regional URL. For example:.
//
// - `https://only-bucket.s3.us-west-1.amazonaws.com`
// - `https://bucket.s3.us-west-1.amazonaws.com/key`
// - `https://bucket.s3.amazonaws.com/key`
// - `https://china-bucket.s3.cn-north-1.amazonaws.com.cn/mykey`
VirtualHostedUrlForObject(_key *string, _options *awss3.VirtualHostedStyleUrlOptions) *string
}
func NewS3AccessLogsBucket ¶
func NewS3AccessLogsBucket(scope constructs.Construct, id *string, props *S3AccessLogsBucketProps) S3AccessLogsBucket
Creates a new instance of the S3AccessLogsBucket class.
type S3AccessLogsBucketProps ¶
type S3AccessLogsBucketProps struct {
// The AWS account ID this resource belongs to.
// Default: - the resource is in the same account as the stack it belongs to.
//
Account *string `field:"optional" json:"account" yaml:"account"`
// ARN to deduce region and account from.
//
// The ARN is parsed and the account and region are taken from the ARN.
// This should be used for imported resources.
//
// Cannot be supplied together with either `account` or `region`.
// Default: - take environment from `account`, `region` parameters, or use Stack environment.
//
EnvironmentFromArn *string `field:"optional" json:"environmentFromArn" yaml:"environmentFromArn"`
// The value passed in by users to the physical name prop of the resource.
//
// - `undefined` implies that a physical name will be allocated by
// CloudFormation during deployment.
// - a concrete value implies a specific physical name
// - `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical will only be generated
// by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
// Default: - The physical name will be allocated by CloudFormation at deployment time.
//
PhysicalName *string `field:"optional" json:"physicalName" yaml:"physicalName"`
// The AWS region this resource belongs to.
// Default: - the resource is in the same region as the stack it belongs to.
//
Region *string `field:"optional" json:"region" yaml:"region"`
BucketName *string `field:"optional" json:"bucketName" yaml:"bucketName"`
CreateQueries *bool `field:"optional" json:"createQueries" yaml:"createQueries"`
Database glue.Database `field:"optional" json:"database" yaml:"database"`
FriendlyQueryNames *bool `field:"optional" json:"friendlyQueryNames" yaml:"friendlyQueryNames"`
TableName *string `field:"optional" json:"tableName" yaml:"tableName"`
WorkGroup athena.IWorkGroup `field:"optional" json:"workGroup" yaml:"workGroup"`
}
Configuration for objects bucket.
type SesLogsBucket ¶
type SesLogsBucket interface {
RawBucket
// The ARN of the bucket.
BucketArn() *string
// The IPv4 DNS name of the specified bucket.
BucketDomainName() *string
// The IPv6 DNS name of the specified bucket.
BucketDualStackDomainName() *string
// The name of the bucket.
BucketName() *string
// The regional domain name of the specified bucket.
BucketRegionalDomainName() *string
// The Domain name of the static website.
BucketWebsiteDomainName() *string
// The URL of the static website.
BucketWebsiteUrl() *string
CreateQueries() *bool
Database() glue.Database
// Optional KMS encryption key associated with this bucket.
EncryptionKey() awskms.IKey
// The environment this resource belongs to.
//
// For resources that are created and managed by the CDK
// (generally, those created by creating new class instances like Role, Bucket, etc.),
// this is always the same as the environment of the stack they belong to;
// however, for imported resources
// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
// that might be different than the stack they were imported into.
Env() *awscdk.ResourceEnvironment
FriendlyQueryNames() *bool
// If this bucket has been configured for static website hosting.
IsWebsite() *bool
// The tree node.
Node() constructs.Node
// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
//
// This value will resolve to one of the following:
// - a concrete value (e.g. `"my-awesome-bucket"`)
// - `undefined`, when a name should be generated by CloudFormation
// - a concrete name generated automatically during synthesis, in
// cross-environment scenarios.
PhysicalName() *string
// The resource policy associated with this bucket.
//
// If `autoCreatePolicy` is true, a `BucketPolicy` will be created upon the
// first call to addToResourcePolicy(s).
Policy() awss3.BucketPolicy
SetPolicy(val awss3.BucketPolicy)
Resource() awss3.CfnBucket
// The stack in which this resource is defined.
Stack() awscdk.Stack
Table() gluetables.SesLogsTable
WorkGroup() athena.IWorkGroup
// Adds a bucket notification event destination.
AddEventNotification(_event awss3.EventType, _dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Subscribes a destination to receive notifications when an object is created in the bucket.
//
// This is identical to calling
// `onEvent(s3.EventType.OBJECT_CREATED)`.
AddObjectCreatedNotification(_dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Subscribes a destination to receive notifications when an object is removed from the bucket.
//
// This is identical to calling
// `onEvent(EventType.OBJECT_REMOVED)`.
AddObjectRemovedNotification(_dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Adds a statement to the resource policy for a principal (i.e. account/role/service) to perform actions on this bucket and/or its contents. Use `bucketArn` and `arnForObjects(keys)` to obtain ARNs for this bucket or objects.
//
// Note that the policy statement may or may not be added to the policy.
// For example, when an `IBucket` is created from an existing bucket,
// it's not possible to tell whether the bucket already has a policy
// attached, let alone to re-use that policy to add more statements to it.
// So it's safest to do nothing in these cases.
AddToResourcePolicy(permission awsiam.PolicyStatement) *awsiam.AddToResourcePolicyResult
// Apply the given removal policy to this resource.
//
// The Removal Policy controls what happens to this resource when it stops
// being managed by CloudFormation, either because you've removed it from the
// CDK application or because you've made a change that requires the resource
// to be replaced.
//
// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
// Returns an ARN that represents all objects within the bucket that match the key pattern specified.
//
// To represent all keys, specify “"*"“.
ArnForObjects(_keyPattern *string) *string
// Enables event bridge notification, causing all events below to be sent to EventBridge:.
//
// - Object Deleted (DeleteObject)
// - Object Deleted (Lifecycle expiration)
// - Object Restore Initiated
// - Object Restore Completed
// - Object Restore Expired
// - Object Storage Class Changed
// - Object Access Tier Changed
// - Object ACL Updated
// - Object Tags Added
// - Object Tags Deleted.
EnableEventBridgeNotification()
GeneratePhysicalName() *string
// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
//
// Normally, this token will resolve to `arnAttr`, but if the resource is
// referenced across environments, `arnComponents` will be used to synthesize
// a concrete ARN with the resource's physical name. Make sure to reference
// `this.physicalName` in `arnComponents`.
GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
//
// Normally, this token will resolve to `nameAttr`, but if the resource is
// referenced across environments, it will be resolved to `this.physicalName`,
// which will be a concrete name.
GetResourceNameAttribute(nameAttr *string) *string
// Grants s3:DeleteObject* permission to an IAM principal for objects in this bucket.
GrantDelete(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Allows unrestricted access to objects from this bucket.
//
// IMPORTANT: This permission allows anyone to perform actions on S3 objects
// in this bucket, which is useful for when you configure your bucket as a
// website and want everyone to be able to read objects in the bucket without
// needing to authenticate.
//
// Without arguments, this method will grant read ("s3:GetObject") access to
// all objects ("*") in the bucket.
//
// The method returns the `iam.Grant` object, which can then be modified
// as needed. For example, you can add a condition that will restrict access only
// to an IPv4 range like this:
//
// const grant = bucket.grantPublicAccess();
// grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” });
GrantPublicAccess(_keyPrefix *string, _allowedActions ...*string) awsiam.Grant
// Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.
//
// If encryption is used, permission to use the key to encrypt the contents
// of written files will also be granted to the same principal.
GrantPut(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grant the given IAM identity permissions to modify the ACLs of objects in the given Bucket.
//
// If your application has the '@aws-cdk/aws-s3:grantWriteWithoutAcl' feature flag set,
// calling `grantWrite` or `grantReadWrite` no longer grants permissions to modify the ACLs of the objects;
// in this case, if you need to modify object ACLs, call this method explicitly.
GrantPutAcl(_identity awsiam.IGrantable, _objectsKeyPattern *string) awsiam.Grant
// Grant read permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
//
// If encryption is used, permission to use the key to decrypt the contents
// of the bucket will also be granted to the same principal.
GrantRead(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grants read/write permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
//
// If an encryption key is used, permission to use the key for
// encrypt/decrypt will also be granted.
//
// Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
// which could be used to grant read/write object access to IAM principals in other accounts.
// If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
// and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
// in the `context` key of your cdk.json file.
// If you've already updated, but still need the principal to have permissions to modify the ACLs,
// use the `grantPutAcl` method.
GrantReadWrite(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grant write permissions to this bucket to an IAM principal.
//
// If encryption is used, permission to use the key to encrypt the contents
// of written files will also be granted to the same principal.
//
// Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
// which could be used to grant read/write object access to IAM principals in other accounts.
// If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
// and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
// in the `context` key of your cdk.json file.
// If you've already updated, but still need the principal to have permissions to modify the ACLs,
// use the `grantPutAcl` method.
GrantWrite(_identity awsiam.IGrantable, _objectsKeyPattern interface{}, _allowedActionPatterns *[]*string) awsiam.Grant
// Defines a CloudWatch event that triggers when something happens to this bucket.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailEvent(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// Defines an AWS CloudWatch event that triggers when an object is uploaded to the specified paths (keys) in this bucket using the PutObject API call.
//
// Note that some tools like `aws s3 cp` will automatically use either
// PutObject or the multipart upload API depending on the file size,
// so using `onCloudTrailWriteObject` may be preferable.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailPutObject(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// Defines an AWS CloudWatch event that triggers when an object at the specified paths (keys) in this bucket are written to.
//
// This includes
// the events PutObject, CopyObject, and CompleteMultipartUpload.
//
// Note that some tools like `aws s3 cp` will automatically use either
// PutObject or the multipart upload API depending on the file size,
// so using this method may be preferable to `onCloudTrailPutObject`.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailWriteObject(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// The S3 URL of an S3 object.
//
// For example:
// - `s3://onlybucket`
// - `s3://bucket/key`.
S3UrlForObject(_key *string) *string
// Returns a string representation of this construct.
ToString() *string
// The https Transfer Acceleration URL of an S3 object.
//
// Specify `dualStack: true` at the options
// for dual-stack endpoint (connect to the bucket over IPv6). For example:
//
// - `https://bucket.s3-accelerate.amazonaws.com`
// - `https://bucket.s3-accelerate.amazonaws.com/key`
TransferAccelerationUrlForObject(_key *string, _options *awss3.TransferAccelerationUrlOptions) *string
// The https URL of an S3 object. For example:.
//
// - `https://s3.us-west-1.amazonaws.com/onlybucket`
// - `https://s3.us-west-1.amazonaws.com/bucket/key`
// - `https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey`
UrlForObject(_key *string) *string
// The virtual hosted-style URL of an S3 object. Specify `regional: false` at the options for non-regional URL. For example:.
//
// - `https://only-bucket.s3.us-west-1.amazonaws.com`
// - `https://bucket.s3.us-west-1.amazonaws.com/key`
// - `https://bucket.s3.amazonaws.com/key`
// - `https://china-bucket.s3.cn-north-1.amazonaws.com.cn/mykey`
VirtualHostedUrlForObject(_key *string, _options *awss3.VirtualHostedStyleUrlOptions) *string
}
func NewSesLogsBucket ¶
func NewSesLogsBucket(scope constructs.Construct, id *string, props *SesLogsBucketProps) SesLogsBucket
Creates a new instance of the CloudtrailBucket class.
type SesLogsBucketProps ¶
type SesLogsBucketProps struct {
// The AWS account ID this resource belongs to.
// Default: - the resource is in the same account as the stack it belongs to.
//
Account *string `field:"optional" json:"account" yaml:"account"`
// ARN to deduce region and account from.
//
// The ARN is parsed and the account and region are taken from the ARN.
// This should be used for imported resources.
//
// Cannot be supplied together with either `account` or `region`.
// Default: - take environment from `account`, `region` parameters, or use Stack environment.
//
EnvironmentFromArn *string `field:"optional" json:"environmentFromArn" yaml:"environmentFromArn"`
// The value passed in by users to the physical name prop of the resource.
//
// - `undefined` implies that a physical name will be allocated by
// CloudFormation during deployment.
// - a concrete value implies a specific physical name
// - `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical will only be generated
// by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
// Default: - The physical name will be allocated by CloudFormation at deployment time.
//
PhysicalName *string `field:"optional" json:"physicalName" yaml:"physicalName"`
// The AWS region this resource belongs to.
// Default: - the resource is in the same region as the stack it belongs to.
//
Region *string `field:"optional" json:"region" yaml:"region"`
BucketName *string `field:"optional" json:"bucketName" yaml:"bucketName"`
CreateQueries *bool `field:"optional" json:"createQueries" yaml:"createQueries"`
Database glue.Database `field:"optional" json:"database" yaml:"database"`
FriendlyQueryNames *bool `field:"optional" json:"friendlyQueryNames" yaml:"friendlyQueryNames"`
TableName *string `field:"optional" json:"tableName" yaml:"tableName"`
WorkGroup athena.IWorkGroup `field:"optional" json:"workGroup" yaml:"workGroup"`
}
Configuration for objects bucket.
type WafLogsBucket ¶
type WafLogsBucket interface {
RawBucket
// The ARN of the bucket.
BucketArn() *string
// The IPv4 DNS name of the specified bucket.
BucketDomainName() *string
// The IPv6 DNS name of the specified bucket.
BucketDualStackDomainName() *string
// The name of the bucket.
BucketName() *string
// The regional domain name of the specified bucket.
BucketRegionalDomainName() *string
// The Domain name of the static website.
BucketWebsiteDomainName() *string
// The URL of the static website.
BucketWebsiteUrl() *string
CreateQueries() *bool
Database() glue.Database
// Optional KMS encryption key associated with this bucket.
EncryptionKey() awskms.IKey
// The environment this resource belongs to.
//
// For resources that are created and managed by the CDK
// (generally, those created by creating new class instances like Role, Bucket, etc.),
// this is always the same as the environment of the stack they belong to;
// however, for imported resources
// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
// that might be different than the stack they were imported into.
Env() *awscdk.ResourceEnvironment
FriendlyQueryNames() *bool
// If this bucket has been configured for static website hosting.
IsWebsite() *bool
// The tree node.
Node() constructs.Node
// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
//
// This value will resolve to one of the following:
// - a concrete value (e.g. `"my-awesome-bucket"`)
// - `undefined`, when a name should be generated by CloudFormation
// - a concrete name generated automatically during synthesis, in
// cross-environment scenarios.
PhysicalName() *string
// The resource policy associated with this bucket.
//
// If `autoCreatePolicy` is true, a `BucketPolicy` will be created upon the
// first call to addToResourcePolicy(s).
Policy() awss3.BucketPolicy
SetPolicy(val awss3.BucketPolicy)
Resource() awss3.CfnBucket
// The stack in which this resource is defined.
Stack() awscdk.Stack
Table() gluetables.WafLogsTable
WorkGroup() athena.IWorkGroup
// Adds a bucket notification event destination.
AddEventNotification(_event awss3.EventType, _dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Subscribes a destination to receive notifications when an object is created in the bucket.
//
// This is identical to calling
// `onEvent(s3.EventType.OBJECT_CREATED)`.
AddObjectCreatedNotification(_dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Subscribes a destination to receive notifications when an object is removed from the bucket.
//
// This is identical to calling
// `onEvent(EventType.OBJECT_REMOVED)`.
AddObjectRemovedNotification(_dest awss3.IBucketNotificationDestination, _filters ...*awss3.NotificationKeyFilter)
// Adds a statement to the resource policy for a principal (i.e. account/role/service) to perform actions on this bucket and/or its contents. Use `bucketArn` and `arnForObjects(keys)` to obtain ARNs for this bucket or objects.
//
// Note that the policy statement may or may not be added to the policy.
// For example, when an `IBucket` is created from an existing bucket,
// it's not possible to tell whether the bucket already has a policy
// attached, let alone to re-use that policy to add more statements to it.
// So it's safest to do nothing in these cases.
AddToResourcePolicy(permission awsiam.PolicyStatement) *awsiam.AddToResourcePolicyResult
// Apply the given removal policy to this resource.
//
// The Removal Policy controls what happens to this resource when it stops
// being managed by CloudFormation, either because you've removed it from the
// CDK application or because you've made a change that requires the resource
// to be replaced.
//
// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
// Returns an ARN that represents all objects within the bucket that match the key pattern specified.
//
// To represent all keys, specify “"*"“.
ArnForObjects(_keyPattern *string) *string
// Enables event bridge notification, causing all events below to be sent to EventBridge:.
//
// - Object Deleted (DeleteObject)
// - Object Deleted (Lifecycle expiration)
// - Object Restore Initiated
// - Object Restore Completed
// - Object Restore Expired
// - Object Storage Class Changed
// - Object Access Tier Changed
// - Object ACL Updated
// - Object Tags Added
// - Object Tags Deleted.
EnableEventBridgeNotification()
GeneratePhysicalName() *string
// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
//
// Normally, this token will resolve to `arnAttr`, but if the resource is
// referenced across environments, `arnComponents` will be used to synthesize
// a concrete ARN with the resource's physical name. Make sure to reference
// `this.physicalName` in `arnComponents`.
GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
//
// Normally, this token will resolve to `nameAttr`, but if the resource is
// referenced across environments, it will be resolved to `this.physicalName`,
// which will be a concrete name.
GetResourceNameAttribute(nameAttr *string) *string
// Grants s3:DeleteObject* permission to an IAM principal for objects in this bucket.
GrantDelete(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Allows unrestricted access to objects from this bucket.
//
// IMPORTANT: This permission allows anyone to perform actions on S3 objects
// in this bucket, which is useful for when you configure your bucket as a
// website and want everyone to be able to read objects in the bucket without
// needing to authenticate.
//
// Without arguments, this method will grant read ("s3:GetObject") access to
// all objects ("*") in the bucket.
//
// The method returns the `iam.Grant` object, which can then be modified
// as needed. For example, you can add a condition that will restrict access only
// to an IPv4 range like this:
//
// const grant = bucket.grantPublicAccess();
// grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” });
GrantPublicAccess(_keyPrefix *string, _allowedActions ...*string) awsiam.Grant
// Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.
//
// If encryption is used, permission to use the key to encrypt the contents
// of written files will also be granted to the same principal.
GrantPut(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grant the given IAM identity permissions to modify the ACLs of objects in the given Bucket.
//
// If your application has the '@aws-cdk/aws-s3:grantWriteWithoutAcl' feature flag set,
// calling `grantWrite` or `grantReadWrite` no longer grants permissions to modify the ACLs of the objects;
// in this case, if you need to modify object ACLs, call this method explicitly.
GrantPutAcl(_identity awsiam.IGrantable, _objectsKeyPattern *string) awsiam.Grant
// Grant read permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
//
// If encryption is used, permission to use the key to decrypt the contents
// of the bucket will also be granted to the same principal.
GrantRead(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grants read/write permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
//
// If an encryption key is used, permission to use the key for
// encrypt/decrypt will also be granted.
//
// Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
// which could be used to grant read/write object access to IAM principals in other accounts.
// If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
// and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
// in the `context` key of your cdk.json file.
// If you've already updated, but still need the principal to have permissions to modify the ACLs,
// use the `grantPutAcl` method.
GrantReadWrite(_identity awsiam.IGrantable, _objectsKeyPattern interface{}) awsiam.Grant
// Grant write permissions to this bucket to an IAM principal.
//
// If encryption is used, permission to use the key to encrypt the contents
// of written files will also be granted to the same principal.
//
// Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
// which could be used to grant read/write object access to IAM principals in other accounts.
// If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
// and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
// in the `context` key of your cdk.json file.
// If you've already updated, but still need the principal to have permissions to modify the ACLs,
// use the `grantPutAcl` method.
GrantWrite(_identity awsiam.IGrantable, _objectsKeyPattern interface{}, _allowedActionPatterns *[]*string) awsiam.Grant
// Defines a CloudWatch event that triggers when something happens to this bucket.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailEvent(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// Defines an AWS CloudWatch event that triggers when an object is uploaded to the specified paths (keys) in this bucket using the PutObject API call.
//
// Note that some tools like `aws s3 cp` will automatically use either
// PutObject or the multipart upload API depending on the file size,
// so using `onCloudTrailWriteObject` may be preferable.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailPutObject(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// Defines an AWS CloudWatch event that triggers when an object at the specified paths (keys) in this bucket are written to.
//
// This includes
// the events PutObject, CopyObject, and CompleteMultipartUpload.
//
// Note that some tools like `aws s3 cp` will automatically use either
// PutObject or the multipart upload API depending on the file size,
// so using this method may be preferable to `onCloudTrailPutObject`.
//
// Requires that there exists at least one CloudTrail Trail in your account
// that captures the event. This method will not create the Trail.
OnCloudTrailWriteObject(_id *string, _options *awss3.OnCloudTrailBucketEventOptions) awsevents.Rule
// The S3 URL of an S3 object.
//
// For example:
// - `s3://onlybucket`
// - `s3://bucket/key`.
S3UrlForObject(_key *string) *string
// Returns a string representation of this construct.
ToString() *string
// The https Transfer Acceleration URL of an S3 object.
//
// Specify `dualStack: true` at the options
// for dual-stack endpoint (connect to the bucket over IPv6). For example:
//
// - `https://bucket.s3-accelerate.amazonaws.com`
// - `https://bucket.s3-accelerate.amazonaws.com/key`
TransferAccelerationUrlForObject(_key *string, _options *awss3.TransferAccelerationUrlOptions) *string
// The https URL of an S3 object. For example:.
//
// - `https://s3.us-west-1.amazonaws.com/onlybucket`
// - `https://s3.us-west-1.amazonaws.com/bucket/key`
// - `https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey`
UrlForObject(_key *string) *string
// The virtual hosted-style URL of an S3 object. Specify `regional: false` at the options for non-regional URL. For example:.
//
// - `https://only-bucket.s3.us-west-1.amazonaws.com`
// - `https://bucket.s3.us-west-1.amazonaws.com/key`
// - `https://bucket.s3.amazonaws.com/key`
// - `https://china-bucket.s3.cn-north-1.amazonaws.com.cn/mykey`
VirtualHostedUrlForObject(_key *string, _options *awss3.VirtualHostedStyleUrlOptions) *string
}
func NewWafLogsBucket ¶
func NewWafLogsBucket(scope constructs.Construct, id *string, props *WafLogsBucketProps) WafLogsBucket
Creates a new instance of the WafLogsBucket class.
type WafLogsBucketProps ¶
type WafLogsBucketProps struct {
// The AWS account ID this resource belongs to.
// Default: - the resource is in the same account as the stack it belongs to.
//
Account *string `field:"optional" json:"account" yaml:"account"`
// ARN to deduce region and account from.
//
// The ARN is parsed and the account and region are taken from the ARN.
// This should be used for imported resources.
//
// Cannot be supplied together with either `account` or `region`.
// Default: - take environment from `account`, `region` parameters, or use Stack environment.
//
EnvironmentFromArn *string `field:"optional" json:"environmentFromArn" yaml:"environmentFromArn"`
// The value passed in by users to the physical name prop of the resource.
//
// - `undefined` implies that a physical name will be allocated by
// CloudFormation during deployment.
// - a concrete value implies a specific physical name
// - `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical will only be generated
// by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
// Default: - The physical name will be allocated by CloudFormation at deployment time.
//
PhysicalName *string `field:"optional" json:"physicalName" yaml:"physicalName"`
// The AWS region this resource belongs to.
// Default: - the resource is in the same region as the stack it belongs to.
//
Region *string `field:"optional" json:"region" yaml:"region"`
BucketName *string `field:"optional" json:"bucketName" yaml:"bucketName"`
CreateQueries *bool `field:"optional" json:"createQueries" yaml:"createQueries"`
Database glue.Database `field:"optional" json:"database" yaml:"database"`
FriendlyQueryNames *bool `field:"optional" json:"friendlyQueryNames" yaml:"friendlyQueryNames"`
TableName *string `field:"optional" json:"tableName" yaml:"tableName"`
WorkGroup athena.IWorkGroup `field:"optional" json:"workGroup" yaml:"workGroup"`
}
Configuration for objects bucket.
Source Files
¶
- AlbLogsBucket.go
- AlbLogsBucketProps.go
- AlbLogsBucket__checks.go
- CloudfrontLogsBucket.go
- CloudfrontLogsBucketProps.go
- CloudfrontLogsBucket__checks.go
- CloudtrailBucket.go
- CloudtrailBucketProps.go
- CloudtrailBucket__checks.go
- FlowLogsBucket.go
- FlowLogsBucketProps.go
- FlowLogsBucket__checks.go
- LoggingAspectOptions.go
- RawBucket.go
- RawBucketProps.go
- RawBucket__checks.go
- S3AccessLogsBucket.go
- S3AccessLogsBucketProps.go
- S3AccessLogsBucket__checks.go
- SesLogsBucket.go
- SesLogsBucketProps.go
- SesLogsBucket__checks.go
- WafLogsBucket.go
- WafLogsBucketProps.go
- WafLogsBucket__checks.go
- main.go
Directories
Click to show internal directories.
Click to hide internal directories.