An S3 bucket with associated policy objects.

This bucket does not yet have all features that exposed by the underlying
BucketResource.

Adds a cross-origin access configuration for objects in an Amazon S3 bucket.

addCorsRule

addInventory

addLifecycleRule

Adds a metrics configuration for the CloudWatch request metrics from the bucket.

addMetric

Bucket

Enables Amazon S3 to evaluate the ABAC policy in the request.

Set to true to enable ABAC, false to explicitly disable it.

abacStatus

Specifies a canned ACL that grants predefined permissions to the bucket.

accessControl

Whether all objects should be automatically deleted when the bucket is removed from the stack or when the stack is deleted.

Requires the `removalPolicy` to be set to `RemovalPolicy.DESTROY`.

**Warning** if you have deployed a bucket with `autoDeleteObjects: true`,
switching this to `false` in a CDK version *before* `1.126.0` will lead to
all objects in the bucket being deleted. Be sure to update your bucket resources
by deploying with CDK version `1.126.0` or later **before** switching this value to `false`.

Setting `autoDeleteObjects` to true on a bucket will add `s3:PutBucketPolicy` to the
bucket policy. This is because during bucket deletion, the custom resource provider
needs to update the bucket policy by adding a deny policy for `s3:PutObject` to
prevent race conditions with external bucket writers.

autoDeleteObjects

Encryption types that should be blocked for this bucket. Use `NONE` to allow all encryption types.

At least one `BlockedEncryptionType` must be given. If `NONE` is given, it must be
the only `BlockedEncryptionType` in the list.

blockedEncryptionTypes

The block public access configuration of this bucket.

blockPublicAccess

Whether Amazon S3 should use its own intermediary key to generate data keys.

Only relevant when using KMS for encryption.

- If not enabled, every object GET and PUT will cause an API call to KMS (with the
  attendant cost implications of that).
- If enabled, S3 will use its own time-limited key instead.

Only relevant, when Encryption is not set to `BucketEncryption.UNENCRYPTED`.

bucketKeyEnabled

bucketName

cors

The kind of server-side encryption to apply to this bucket.

If you choose KMS, you can specify a KMS key via `encryptionKey`. If
encryption key is not specified, a key will automatically be created.

encryption

External KMS key to use for bucket encryption.

The `encryption` property must be either not specified or set to `KMS` or `DSSE`.
An error will be emitted if `encryption` is set to `UNENCRYPTED` or `S3_MANAGED`.

encryptionKey

Enforces SSL for requests.

S3.5 of the AWS Foundational Security Best Practices Regarding S3.

enforceSSL

Whether this bucket should send notifications to Amazon EventBridge or not.

eventBridgeEnabled

intelligentTieringConfigurations

The inventory configuration of the bucket.

inventories

Rules that define how Amazon S3 manages objects during their lifetime.

lifecycleRules

The metrics configuration of this bucket.

metrics

Enforces minimum TLS version for requests.

Requires `enforceSSL` to be enabled.

minimumTLSVersion

The role to be used by the notifications handler.

notificationsHandlerRole

Skips notification validation of Amazon SQS, Amazon SNS, and Lambda destinations.

notificationsSkipDestinationValidation

The default retention mode and rules for S3 Object Lock.

Default retention can be configured after a bucket is created if the bucket already
has object lock enabled. Enabling object lock for existing buckets is not supported.

objectLockDefaultRetention

Enable object lock on the bucket.

Enabling object lock for existing buckets is not supported. Object lock must be
enabled when the bucket is created.

objectLockEnabled

objectOwnership

Grants public read access to all objects in the bucket.

Similar to calling `bucket.grantPublicAccess()`

publicReadAccess

Policy to apply when the bucket is removed from this stack.

removalPolicy

The role to be used by the replication.

When setting this property, you must also set `replicationRules`.

replicationRole

A container for one or more replication rules.

replicationRules

Destination bucket for the server access logs.

serverAccessLogsBucket

Optional log file prefix to use for the bucket's access logs.

If defined without "serverAccessLogsBucket", enables access logs to current bucket with this prefix.

serverAccessLogsPrefix

targetObjectKeyFormat

Whether this bucket should have transfer acceleration turned on or not.

transferAcceleration

Indicates which default minimum object size behavior is applied to the lifecycle configuration.

To customize the minimum object size for any transition you can add a filter that specifies a custom
`objectSizeGreaterThan` or `objectSizeLessThan` for `lifecycleRules` property. Custom filters always
take precedence over the default transition behavior.

transitionDefaultMinimumObjectSize

Whether this bucket should have versioning turned on or not.

versioned

The name of the error document (e.g. "404.html") for the website. `websiteIndexDocument` must also be set if this is set.

websiteErrorDocument

The name of the index document (e.g. "index.html") for the website. Enables static website hosting for this bucket.

websiteIndexDocument

Specifies the redirect behavior of all requests to a website endpoint of a bucket.

If you specify this property, you can't specify "websiteIndexDocument", "websiteErrorDocument" nor , "websiteRoutingRules".

websiteRedirect

Rules that define when a redirect is applied and the redirect behavior.

websiteRoutingRules

The bucket policy for an Amazon S3 bucket.

Policies define the operations that are allowed on this resource.

You almost never need to define this construct directly.

All AWS resources that support resource policies have a method called
`addToResourcePolicy()`, which will automatically create a new resource
policy if one doesn't exist yet, otherwise it will add to the existing
policy.

The bucket policy method is implemented differently than `addToResourcePolicy()`
as `BucketPolicy()` creates a new policy without knowing one earlier existed.
e.g. if during Bucket creation, if `autoDeleteObject:true`, these policies are
added to the bucket policy:
   ["s3:DeleteObject*", "s3:GetBucket*", "s3:List*", "s3:PutBucketPolicy"],
and when you add a new BucketPolicy with ["s3:GetObject", "s3:ListBucket"] on
this existing bucket, invoking `BucketPolicy()` will create a new Policy
without knowing one earlier exists already, so it creates a new one.
In this case, the custom resource handler will not have access to
`s3:GetBucketTagging` action which will cause failure during deletion of stack.

Hence its strongly recommended to use `addToResourcePolicy()` method to add
new permissions to existing policy.

Sets the removal policy for the BucketPolicy.

applyRemovalPolicy

BucketPolicy

The Amazon S3 bucket that the policy applies to.

bucket

document

Policy to apply when the policy is removed from this stack.

The `AWS::S3::AccessGrant` resource creates an access grant that gives a grantee access to your S3 data.

The grantee can be an IAM user or role or a directory user, or group. Before you can create a grant, you must have an S3 Access Grants instance in the same Region as the S3 data. You can create an S3 Access Grants instance using the [AWS::S3::AccessGrantsInstance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-accessgrantsinstance.html) . You must also have registered at least one S3 data location in your S3 Access Grants instance using [AWS::S3::AccessGrantsLocation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-accessgrantslocation.html) .

- **Permissions** - You must have the `s3:CreateAccessGrant` permission to use this resource.
- **Additional Permissions** - For any directory identity - `sso:DescribeInstance` and `sso:DescribeApplication`

For directory users - `identitystore:DescribeUser`

For directory groups - `identitystore:DescribeGroup`

CfnAccessGrant

The ID of the registered location to which you are granting access.

S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID `default` to the default location `s3://` and assigns an auto-generated ID to other locations that you register.

accessGrantsLocationId

The user, group, or role to which you are granting access.

You can grant access to an IAM user or role. If you have added your corporate directory to AWS IAM Identity Center and associated your Identity Center instance with your S3 Access Grants instance, the grantee can also be a corporate directory user or group.

grantee

The type of access that you are granting to your S3 data, which can be set to one of the following values:  - `READ` – Grant read-only access to the S3 data.

- `WRITE` – Grant write-only access to the S3 data.
- `READWRITE` – Grant both read and write access to the S3 data.

permission

The configuration options of the grant location.

The grant location is the S3 path to the data to which you are granting access. It contains the `S3SubPrefix` field. The grant scope is the result of appending the subprefix to the location scope of the registered location.

accessGrantsLocationConfiguration

The Amazon Resource Name (ARN) of an AWS IAM Identity Center application associated with your Identity Center instance.

If the grant includes an application ARN, the grantee can only access the S3 data through this application.

applicationArn

The type of `S3SubPrefix` .

The only possible value is `Object` . Pass this value if the access grant scope is an object. Do not pass this value if the access grant scope is a bucket or a bucket and a prefix.

s3PrefixType

The AWS resource tags that you are adding to the access grant.

Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources.

CfnAccessGrantsInstance

If you would like to associate your S3 Access Grants instance with an AWS IAM Identity Center instance, use this field to pass the Amazon Resource Name (ARN) of the AWS IAM Identity Center instance that you are associating with your S3 Access Grants instance.

An IAM Identity Center instance is your corporate identity directory that you added to the IAM Identity Center.

identityCenterArn

The AWS resource tags that you are adding to the S3 Access Grants instance.

Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources.

The `AWS::S3::AccessGrantsLocation` resource creates the S3 data location that you would like to register in your S3 Access Grants instance.

Your S3 data must be in the same Region as your S3 Access Grants instance. The location can be one of the following:

- The default S3 location `s3://`
- A bucket - `S3://<bucket-name>`
- A bucket and prefix - `S3://<bucket-name>/<prefix>`

When you register a location, you must include the IAM role that has permission to manage the S3 location that you are registering. Give S3 Access Grants permission to assume this role [using a policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants-location.html) . S3 Access Grants assumes this role to manage access to the location and to vend temporary credentials to grantees or client applications.

- **Permissions** - You must have the `s3:CreateAccessGrantsLocation` permission to use this resource.
- **Additional Permissions** - You must also have the following permission for the specified IAM role: `iam:PassRole`

CfnAccessGrantsLocation

The Amazon Resource Name (ARN) of the IAM role for the registered location.

S3 Access Grants assumes this role to manage access to the registered location.

iamRoleArn

The S3 URI path to the location that you are registering.

The location scope can be the default S3 location `s3://` , the S3 path to a bucket, or the S3 path to a bucket and prefix. A prefix in S3 is a string of characters at the beginning of an object key name used to organize the objects that you store in your S3 buckets. For example, object key names that start with the `engineering/` prefix or object key names that start with the `marketing/campaigns/` prefix.

locationScope

The AWS resource tags that you are adding to the S3 Access Grants location.

Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources.

The AWS::S3::AccessPoint resource is an Amazon S3 resource type that you can use to access buckets.

CfnAccessPoint

The name of the bucket associated with this access point.

The AWS account ID associated with the S3 bucket associated with this access point.

bucketAccountId

The name of this access point.

If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the access point name.

name

The access point policy associated with this access point.

policy

The PublicAccessBlock configuration that you want to apply to this Amazon S3 bucket.

You can enable the configuration options in any combination. For more information about when Amazon S3 considers a bucket or object public, see [The Meaning of "Public"](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-policy-status) in the *Amazon S3 User Guide* .

publicAccessBlockConfiguration

An array of tags that you can apply to access points.

Tags are key-value pairs of metadata used to categorize your access points and control access. For more information, see [Using tags for attribute-based access control (ABAC)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging.html#using-tags-for-abac) .

The Virtual Private Cloud (VPC) configuration for this access point, if one exists.

vpcConfiguration

The `AWS::S3::Bucket` resource creates an Amazon S3 bucket in the same AWS Region where you create the AWS CloudFormation stack.

To control how AWS CloudFormation handles the bucket when the stack is deleted, you can set a deletion policy for your bucket. You can choose to *retain* the bucket or to *delete* the bucket. For more information, see [DeletionPolicy Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) .

> You can only delete empty buckets. Deletion fails for buckets that have contents.

CfnBucket

The ABAC status of the general purpose bucket.

When ABAC is enabled for the general purpose bucket, you can use tags to manage access to the general purpose buckets as well as for cost tracking purposes. When ABAC is disabled for the general purpose buckets, you can only use tags for cost tracking purposes. For more information, see [Using tags with S3 general purpose buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/buckets-tagging.html) .

Configures the transfer acceleration state for an Amazon S3 bucket.

For more information, see [Amazon S3 Transfer Acceleration](https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html) in the *Amazon S3 User Guide* .

accelerateConfiguration

> This is a legacy property, and it is not recommended for most use cases.

A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see [Controlling object ownership](https://docs.aws.amazon.com//AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon S3 User Guide* .

A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide* .

S3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the [AWS::S3::OwnershipControls](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html) property to enable ACLs, your resource will fail to deploy with any value other than Private. Use cases requiring ACLs are uncommon.

The majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see [AWS::S3::BucketPolicy](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html) . For examples of common policy configurations, including S3 Server Access Logs buckets and more, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) in the *Amazon S3 User Guide* .

Specifies the configuration and any analyses for the analytics filter of an Amazon S3 bucket.

analyticsConfigurations

Specifies default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3), AWS KMS-managed keys (SSE-KMS), or dual-layer server-side encryption with KMS-managed keys (DSSE-KMS).

For information about the Amazon S3 default encryption feature, see [Amazon S3 Default Encryption for S3 Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html) in the *Amazon S3 User Guide* .

bucketEncryption

A name for the bucket.

If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-) and must follow [Amazon S3 bucket restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html) . For more information, see [Rules for naming Amazon S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html) in the *Amazon S3 User Guide* .

> If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.

bucketNamePrefix

bucketNamespace

Describes the cross-origin access configuration for objects in an Amazon S3 bucket.

For more information, see [Enabling Cross-Origin Resource Sharing](https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html) in the *Amazon S3 User Guide* .

corsConfiguration

Defines how Amazon S3 handles Intelligent-Tiering storage.

Specifies the S3 Inventory configuration for an Amazon S3 bucket.

For more information, see [GET Bucket inventory](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETInventoryConfig.html) in the *Amazon S3 API Reference* .

inventoryConfigurations

Specifies the lifecycle configuration for objects in an Amazon S3 bucket.

For more information, see [Object Lifecycle Management](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html) in the *Amazon S3 User Guide* .

lifecycleConfiguration

Settings that define where logs are stored.

loggingConfiguration

The S3 Metadata configuration for a general purpose bucket.

metadataConfiguration

The metadata table configuration of an Amazon S3 general purpose bucket.

metadataTableConfiguration

Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket.

If you're updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don't include the elements you want to keep, they are erased. For more information, see [PutBucketMetricsConfiguration](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTMetricConfiguration.html) .

metricsConfigurations

Configuration that defines how Amazon S3 handles bucket notifications.

notificationConfiguration

> This operation is not supported for directory buckets.

Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see [Locking Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html) .

> - The `DefaultRetention` settings require both a mode and a period.
> - The `DefaultRetention` period can be either `Days` or `Years` but you must select one. You cannot specify `Days` and `Years` at the same time.
> - You can enable Object Lock for new or existing buckets. For more information, see [Configuring Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html) . > You must URL encode any signed header values that contain spaces. For example, if your header value is `my file.txt` , containing two spaces after `my` , you must URL encode this value to `my%20%20file.txt` .

objectLockConfiguration

Indicates whether this bucket has an Object Lock configuration enabled.

Enable `ObjectLockEnabled` when you apply `ObjectLockConfiguration` to a bucket.

Configuration that defines how Amazon S3 handles Object Ownership rules.

ownershipControls

Configuration that defines how Amazon S3 handles public access.

Configuration for replicating objects in an S3 bucket.

To enable replication, you must also enable versioning by using the `VersioningConfiguration` property.

Amazon S3 can store replicated objects in a single destination bucket or multiple destination buckets. The destination bucket or buckets must already exist.

replicationConfiguration

An arbitrary set of tags (key-value pairs) for this S3 bucket.

Enables multiple versions of all objects in this bucket.

You might enable versioning to prevent objects from being deleted or overwritten by mistake or to archive objects so that you can retrieve previous versions of them.

> When you enable versioning on a bucket for the first time, it might take a short amount of time for the change to be fully propagated. We recommend that you wait for 15 minutes after enabling versioning before issuing write operations ( `PUT` or `DELETE` ) on objects in the bucket.

versioningConfiguration

Information used to configure the bucket as a static website.

For more information, see [Hosting Websites on Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html) .

websiteConfiguration

Applies an Amazon S3 bucket policy to an Amazon S3 bucket.

If you are using an identity other than the root user of the AWS account that owns the bucket, the calling identity must have the `PutBucketPolicy` permissions on the specified bucket and belong to the bucket owner's account in order to use this operation.

If you don't have `PutBucketPolicy` permissions, Amazon S3 returns a `403 Access Denied` error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a `405 Method Not Allowed` error.

> As a security precaution, the root user of the AWS account that owns a bucket can always use this operation, even if the policy explicitly denies the root user the ability to perform this action.

When using the `AWS::S3::BucketPolicy` resource, you can create, update, and delete bucket policies for S3 buckets located in Regions that are different from the stack's Region. However, the CloudFormation stacks should be deployed in the US East (N. Virginia) or `us-east-1` Region. This cross-region bucket policy modification functionality is supported for backward compatibility with existing workflows.

> If the [DeletionPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) is not specified or set to `Delete` , the bucket policy will be removed when the stack is deleted. If set to `Retain` , the bucket policy will be preserved even after the stack is deleted.

For example, a CloudFormation stack in `us-east-1` can use the `AWS::S3::BucketPolicy` resource to manage the bucket policy for an S3 bucket in `us-west-2` . The retention or removal of the bucket policy during the stack deletion is determined by the `DeletionPolicy` attribute specified in the stack template.

For more information, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) .

The following operations are related to `PutBucketPolicy` :

- [CreateBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html)
- [DeleteBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html)

CfnBucketPolicy

The name of the Amazon S3 bucket to which the policy applies.

A policy document containing permissions to add to the specified bucket.

In IAM, you must provide policy documents in JSON format. However, in CloudFormation you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to IAM. For more information, see the AWS::IAM::Policy [PolicyDocument](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policydocument) resource description in this guide and [Access Policy Language Overview](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html) in the *Amazon S3 User Guide* .

policyDocument

The `AWS::S3::MultiRegionAccessPoint` resource creates an Amazon S3 Multi-Region Access Point.

To learn more about Multi-Region Access Points, see [Multi-Region Access Points in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPoints.html) in the in the *Amazon S3 User Guide* .

CfnMultiRegionAccessPoint

A collection of the Regions and buckets associated with the Multi-Region Access Point.

regions

The name of the Multi-Region Access Point.

The PublicAccessBlock configuration that you want to apply to this Multi-Region Access Point.

You can enable the configuration options in any combination. For more information about when Amazon S3 considers an object public, see [The Meaning of "Public"](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-policy-status) in the *Amazon S3 User Guide* .

Applies an Amazon S3 access policy to an Amazon S3 Multi-Region Access Point.

It is not possible to delete an access policy for a Multi-Region Access Point from the CloudFormation template. When you attempt to delete the policy, CloudFormation updates the policy using `DeletionPolicy:Retain` and `UpdateReplacePolicy:Retain` . CloudFormation updates the policy to only allow access to the account that created the bucket.

CfnMultiRegionAccessPointPolicy

mrapName

The access policy associated with the Multi-Region Access Point.

The AWS::S3::StorageLens resource creates an Amazon S3 Storage Lens configuration.

CfnStorageLens

This resource contains the details Amazon S3 Storage Lens configuration.

storageLensConfiguration

A set of tags (key–value pairs) to associate with the Storage Lens configuration.

The `AWS::S3::StorageLensGroup` resource creates an S3 Storage Lens group.

A Storage Lens group is a custom grouping of objects that include filters for prefixes, suffixes, object tags, object size, or object age. You can create an S3 Storage Lens group that includes a single filter or multiple filter conditions. To specify multiple filter conditions, you use `AND` or `OR` logical operators. For more information about S3 Storage Lens groups, see [Working with S3 Storage Lens groups](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-lens-groups-overview.html) .

CfnStorageLensGroup

This property contains the criteria for the Storage Lens group data that is displayed.

filter

This property contains the Storage Lens group name.

This property contains the AWS resource tags that you're adding to your Storage Lens group.

This parameter is optional.

Amazon S3

L2 Constructs2