@composurecdk/s3 0.4.8 → 0.5.1

package/README.md

@@ -18,15 +18,15 @@ Every [BucketProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_
 
 `createBucketBuilder` applies the following defaults. Each can be overridden via the builder's fluent API.
 
-| Property            | Default      | Rationale                                                        |
-| ------------------- | ------------ | ---------------------------------------------------------------- |
-| `accessLogging`     | `true`       | Auto-creates a logging bucket for server access log audit trail. |
-| `accessLogsPrefix`  | `"logs/"`    | Default prefix for access log object keys.                       |
-| `blockPublicAccess` | `BLOCK_ALL`  | Prevents public access unless explicitly required.               |
-| `encryption`        | `S3_MANAGED` | Enables server-side encryption with S3-managed keys (SSE-S3).    |
-| `enforceSSL`        | `true`       | Requires SSL/TLS for all requests to the bucket.                 |
-| `versioned`         | `true`       | Protects against accidental deletions and supports rollback.     |
-| `removalPolicy`     | `RETAIN`     | Retains the bucket on stack deletion to prevent data loss.       |
+| Property            | Default                          | Rationale                                                                                             |
+| ------------------- | -------------------------------- | ----------------------------------------------------------------------------------------------------- |
+| `serverAccessLogs`  | `{ prefix: "logs/" }`            | Auto-creates a logging bucket for the server access log audit trail under the `logs/` prefix.         |
+| `blockPublicAccess` | `BLOCK_ALL`                      | Prevents public access unless explicitly required.                                                    |
+| `encryption`        | `S3_MANAGED`                     | Enables server-side encryption with S3-managed keys (SSE-S3).                                         |
+| `enforceSSL`        | `true`                           | Requires SSL/TLS for all requests to the bucket.                                                      |
+| `versioned`         | `true`                           | Protects against accidental deletions and supports rollback.                                          |
+| `removalPolicy`     | `RETAIN`                         | Retains the bucket on stack deletion to prevent data loss.                                            |
+| `lifecycleRules`    | `DEFAULT_BUCKET_LIFECYCLE_RULES` | Aborts incomplete multipart uploads after 7 days and expires noncurrent object versions after 1 year. |
 
 These defaults are guided by the [AWS Well-Architected Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/protecting-data-at-rest.html).
 
@@ -53,7 +53,7 @@ When `removalPolicy` is set to `DESTROY`, the builder automatically enables `aut
 
 ### Access logging
 
-By default, the builder creates a dedicated logging bucket with secure defaults and configures it as the server access logs destination. The created bucket is returned in the build result:
+Server access logging is configured through a single `.serverAccessLogs(config)` setting. By default, the builder creates a dedicated logging bucket with secure defaults and writes logs under `logs/`. The created bucket is returned in the build result:
 
 ```ts
 const result = createBucketBuilder().build(stack, "MyBucket");
@@ -62,7 +62,30 @@ result.bucket; // Bucket
 result.accessLogsBucket; // Bucket | undefined
 ```
 
-To provide your own destination instead, set `serverAccessLogsBucket` — the auto-created logging bucket is skipped. To disable access logging entirely, set `.accessLogging(false)`.
+`.serverAccessLogs(config)` accepts either `false` to disable access logging, or an object describing how to handle logs:
+
+```ts
+import { Duration } from "aws-cdk-lib";
+
+// Disable access logging entirely
+createBucketBuilder().serverAccessLogs(false);
+
+// Auto-create a logging bucket with a custom prefix
+createBucketBuilder().serverAccessLogs({ prefix: "audit/" });
+
+// Auto-create and customize the logging sub-builder
+createBucketBuilder().serverAccessLogs({
+  configure: (sub) => sub.lifecycleRules([{ id: "ShortLogs", expiration: Duration.days(180) }]),
+});
+
+// Bring your own destination bucket
+createBucketBuilder().serverAccessLogs({ destination: myBucket });
+
+// Bring your own destination with a prefix
+createBucketBuilder().serverAccessLogs({ destination: myBucket, prefix: "x/" });
+```
+
+`destination` and `configure` cannot be combined — the destination bucket is user-managed and is not built by this builder.
 
 ## Recommended Alarms
 

package/dist/bucket-builder.d.ts

@@ -1,43 +1,34 @@
 import { type Alarm } from "aws-cdk-lib/aws-cloudwatch";
-import { Bucket, type BucketProps } from "aws-cdk-lib/aws-s3";
+import { Bucket, type BucketProps, type IBucket } from "aws-cdk-lib/aws-s3";
 import { type IConstruct } from "constructs";
 import { type IBuilder, type Lifecycle } from "@composurecdk/core";
 import { AlarmDefinitionBuilder } from "@composurecdk/cloudwatch";
 import type { BucketAlarmConfig } from "./alarm-config.js";
 /**
- * Configuration properties for the S3 bucket builder.
+ * Configures how server access logs are handled. Pass `false` to disable
+ * logging; pass an object to wire a destination, prefix, or customize the
+ * auto-created sub-builder.
  *
- * Extends the CDK {@link BucketProps} with additional builder-specific options.
+ * `configure` cannot be combined with `destination` — a user-managed
+ * destination is not built by this builder.
  */
-export interface BucketBuilderProps extends BucketProps {
+export type ServerAccessLogsConfig = false | {
+    destination?: IBucket;
+    prefix?: string;
     /**
-     * Whether to automatically create an S3 access logging bucket.
-     *
-     * When `true`, the builder creates a dedicated logging bucket using
-     * {@link createBucketBuilder} (with secure defaults appropriate for log
-     * storage) and configures it as the server access logs destination. The
-     * logging bucket inherits secure defaults (block public access, encryption,
-     * enforceSSL, versioning for log integrity) with `removalPolicy: RETAIN`
-     * and access logging disabled to avoid recursion. The created logging
-     * bucket is returned in the build result as `accessLogsBucket`.
-     *
-     * When `false`, no logging bucket is created. You can still provide your
-     * own destination via `serverAccessLogsBucket`.
-     *
-     * This setting is ignored when `serverAccessLogsBucket` is provided — the
-     * user-supplied destination takes precedence.
+     * Customize the auto-created logging sub-builder. Receives a builder
+     * pre-seeded with `versioned: false`, `removalPolicy: RETAIN`, and
+     * recursive access logging disabled.
      */
-    accessLogging?: boolean;
-    /**
-     * The prefix applied to server access log object keys when the builder
-     * auto-creates a logging bucket.
-     *
-     * This setting is only used when {@link accessLogging} is `true` and no
-     * user-provided `serverAccessLogsBucket` is set.
-     *
-     * @default "logs/"
-     */
-    accessLogsPrefix?: string;
+    configure?: (b: IBucketBuilder) => IBucketBuilder;
+};
+/**
+ * Configuration properties for the S3 bucket builder. Extends CDK
+ * {@link BucketProps} with builder-specific options.
+ */
+export interface BucketBuilderProps extends Omit<BucketProps, "serverAccessLogsBucket" | "serverAccessLogsPrefix"> {
+    /** See {@link ServerAccessLogsConfig}. Defaults to `{ prefix: "logs/" }`. */
+    serverAccessLogs?: ServerAccessLogsConfig;
     /**
      * Configuration for AWS-recommended CloudWatch alarms.
      *

package/dist/bucket-builder.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bucket-builder.d.ts","sourceRoot":"","sources":["../src/bucket-builder.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,MAAM,EAAE,KAAK,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAW,KAAK,QAAQ,EAAE,KAAK,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAI3D;;;;GAIG;AACH,MAAM,WAAW,kBAAmB,SAAQ,WAAW;IACrD;;;;;;;;;;;;;;;;OAgBG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;IAExB;;;;;;;;OAQG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;;;;;;;;;;;;OAaG;IACH,iBAAiB,CAAC,EAAE,iBAAiB,GAAG,KAAK,CAAC;CAC/C;AAED;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,sDAAsD;IACtD,MAAM,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;;;;;;;;;;OAWG;IACH,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;CAC/B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,MAAM,cAAc,GAAG,QAAQ,CAAC,kBAAkB,EAAE,aAAa,CAAC,CAAC;AAEzE,cAAM,aAAc,YAAW,SAAS,CAAC,mBAAmB,CAAC;;IAC3D,KAAK,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAM;IAGxC,QAAQ,CACN,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,CAAC,KAAK,EAAE,sBAAsB,CAAC,MAAM,CAAC,KAAK,sBAAsB,CAAC,MAAM,CAAC,GACnF,IAAI;IAKP,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,GAAG,mBAAmB;CA8D1D;AAqBD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,mBAAmB,IAAI,cAAc,CAEpD"}
+{"version":3,"file":"bucket-builder.d.ts","sourceRoot":"","sources":["../src/bucket-builder.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,MAAM,EAAE,KAAK,WAAW,EAAE,KAAK,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAW,KAAK,QAAQ,EAAE,KAAK,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAI3D;;;;;;;GAOG;AACH,MAAM,MAAM,sBAAsB,GAC9B,KAAK,GACL;IACE,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,SAAS,CAAC,EAAE,CAAC,CAAC,EAAE,cAAc,KAAK,cAAc,CAAC;CACnD,CAAC;AAEN;;;GAGG;AACH,MAAM,WAAW,kBAAmB,SAAQ,IAAI,CAC9C,WAAW,EACX,wBAAwB,GAAG,wBAAwB,CACpD;IACC,6EAA6E;IAC7E,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C;;;;;;;;;;;;;OAaG;IACH,iBAAiB,CAAC,EAAE,iBAAiB,GAAG,KAAK,CAAC;CAC/C;AAED;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,sDAAsD;IACtD,MAAM,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;;;;;;;;;;OAWG;IACH,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;CAC/B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,MAAM,cAAc,GAAG,QAAQ,CAAC,kBAAkB,EAAE,aAAa,CAAC,CAAC;AAEzE,cAAM,aAAc,YAAW,SAAS,CAAC,mBAAmB,CAAC;;IAC3D,KAAK,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAM;IAGxC,QAAQ,CACN,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,CAAC,KAAK,EAAE,sBAAsB,CAAC,MAAM,CAAC,KAAK,sBAAsB,CAAC,MAAM,CAAC,GACnF,IAAI;IAKP,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,GAAG,mBAAmB;CA+B1D;AAgED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,mBAAmB,IAAI,cAAc,CAEpD"}

package/dist/bucket-builder.js

@@ -3,7 +3,7 @@ import { Bucket } from "aws-cdk-lib/aws-s3";
 import { Builder } from "@composurecdk/core";
 import { AlarmDefinitionBuilder } from "@composurecdk/cloudwatch";
 import { createBucketAlarms } from "./bucket-alarms.js";
-import { BUCKET_DEFAULTS } from "./defaults.js";
+import { DEFAULT_ACCESS_LOG_BUCKET_LIFECYCLE_RULES, BUCKET_DEFAULTS } from "./defaults.js";
 class BucketBuilder {
     props = {};
     #customAlarms = [];
@@ -12,27 +12,10 @@ class BucketBuilder {
         return this;
     }
     build(scope, id) {
-        const { accessLogging, accessLogsPrefix, recommendedAlarms: alarmConfig, ...bucketProps } = this.props;
-        const { accessLogging: defaultAccessLogging, accessLogsPrefix: defaultLogsPrefix, ...cdkDefaults } = BUCKET_DEFAULTS;
-        const autoAccessLog = (accessLogging ?? defaultAccessLogging) && !bucketProps.serverAccessLogsBucket;
-        if (accessLogsPrefix !== undefined && !autoAccessLog) {
-            throw new Error("Cannot set 'accessLogsPrefix' when access logging is disabled or " +
-                "'serverAccessLogsBucket' is provided. Set 'serverAccessLogsPrefix' " +
-                "directly when using your own logging bucket.");
-        }
-        let accessLogsBucket;
-        let accessLogProps = {};
-        if (autoAccessLog) {
-            accessLogsBucket = createBucketBuilder()
-                .accessLogging(false)
-                .versioned(false)
-                .removalPolicy(RemovalPolicy.RETAIN)
-                .build(scope, `${id}AccessLogs`).bucket;
-            accessLogProps = {
-                serverAccessLogsBucket: accessLogsBucket,
-                serverAccessLogsPrefix: accessLogsPrefix ?? defaultLogsPrefix,
-            };
-        }
+        const { serverAccessLogs, recommendedAlarms: alarmConfig, ...bucketProps } = this.props;
+        const { serverAccessLogs: defaultServerAccessLogs, ...cdkDefaults } = BUCKET_DEFAULTS;
+        const cfg = serverAccessLogs ?? defaultServerAccessLogs;
+        const { accessLogsBucket, accessLogProps } = resolveAccessLogs(scope, id, cfg);
         const mergedProps = {
             ...cdkDefaults,
             ...accessLogProps,
@@ -48,6 +31,39 @@ class BucketBuilder {
         };
     }
 }
+function resolveAccessLogs(scope, id, cfg) {
+    if (cfg === false || cfg === undefined) {
+        return { accessLogProps: {} };
+    }
+    if (cfg.destination !== undefined) {
+        if (cfg.configure !== undefined) {
+            throw new Error("serverAccessLogs: 'configure' cannot be combined with 'destination' — " +
+                "the destination bucket is user-managed and not built by this builder.");
+        }
+        return {
+            accessLogProps: {
+                serverAccessLogsBucket: cfg.destination,
+                ...(cfg.prefix !== undefined ? { serverAccessLogsPrefix: cfg.prefix } : {}),
+            },
+        };
+    }
+    let subBuilder = createBucketBuilder()
+        .serverAccessLogs(false)
+        .versioned(false)
+        .removalPolicy(RemovalPolicy.RETAIN)
+        .lifecycleRules(DEFAULT_ACCESS_LOG_BUCKET_LIFECYCLE_RULES);
+    if (cfg.configure) {
+        subBuilder = cfg.configure(subBuilder);
+    }
+    const accessLogsBucket = subBuilder.build(scope, `${id}AccessLogs`).bucket;
+    return {
+        accessLogsBucket,
+        accessLogProps: {
+            serverAccessLogsBucket: accessLogsBucket,
+            ...(cfg.prefix !== undefined ? { serverAccessLogsPrefix: cfg.prefix } : {}),
+        },
+    };
+}
 /**
  * Returns `{ autoDeleteObjects: true }` when the effective removal policy is
  * `DESTROY` and the user has not explicitly set `autoDeleteObjects`.

package/dist/bucket-builder.js.map

@@ -1 +1 @@
-{"version":3,"file":"bucket-builder.js","sourceRoot":"","sources":["../src/bucket-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,OAAO,EAAE,MAAM,EAAoB,MAAM,oBAAoB,CAAC;AAE9D,OAAO,EAAE,OAAO,EAAiC,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAElE,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAyGhD,MAAM,aAAa;IACjB,KAAK,GAAgC,EAAE,CAAC;IAC/B,aAAa,GAAqC,EAAE,CAAC;IAE9D,QAAQ,CACN,GAAW,EACX,SAAoF;QAEpF,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,sBAAsB,CAAS,GAAG,CAAC,CAAC,CAAC,CAAC;QAC5E,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,KAAiB,EAAE,EAAU;QACjC,MAAM,EACJ,aAAa,EACb,gBAAgB,EAChB,iBAAiB,EAAE,WAAW,EAC9B,GAAG,WAAW,EACf,GAAG,IAAI,CAAC,KAAK,CAAC;QACf,MAAM,EACJ,aAAa,EAAE,oBAAoB,EACnC,gBAAgB,EAAE,iBAAiB,EACnC,GAAG,WAAW,EACf,GAAG,eAAe,CAAC;QACpB,MAAM,aAAa,GACjB,CAAC,aAAa,IAAI,oBAAoB,CAAC,IAAI,CAAC,WAAW,CAAC,sBAAsB,CAAC;QAEjF,IAAI,gBAAgB,KAAK,SAAS,IAAI,CAAC,aAAa,EAAE,CAAC;YACrD,MAAM,IAAI,KAAK,CACb,mEAAmE;gBACjE,qEAAqE;gBACrE,8CAA8C,CACjD,CAAC;QACJ,CAAC;QAED,IAAI,gBAAoC,CAAC;QACzC,IAAI,cAAc,GAAG,EAAE,CAAC;QAExB,IAAI,aAAa,EAAE,CAAC;YAClB,gBAAgB,GAAG,mBAAmB,EAAE;iBACrC,aAAa,CAAC,KAAK,CAAC;iBACpB,SAAS,CAAC,KAAK,CAAC;iBAChB,aAAa,CAAC,aAAa,CAAC,MAAM,CAAC;iBACnC,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC,MAAM,CAAC;YAC1C,cAAc,GAAG;gBACf,sBAAsB,EAAE,gBAAgB;gBACxC,sBAAsB,EAAE,gBAAgB,IAAI,iBAAiB;aAC9D,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG;YAClB,GAAG,WAAW;YACd,GAAG,cAAc;YACjB,GAAG,WAAW;YACd,GAAG,eAAe,CAAC,WAAW,EAAE,eAAe,CAAC;SAClC,CAAC;QAEjB,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QAElD,MAAM,MAAM,GAAG,kBAAkB,CAC/B,KAAK,EACL,EAAE,EACF,MAAM,EACN,WAAW,EACX,WAAW,CAAC,OAAO,IAAI,EAAE,EACzB,IAAI,CAAC,aAAa,CACnB,CAAC;QAEF,OAAO;YACL,MAAM;YACN,gBAAgB;YAChB,MAAM;SACP,CAAC;IACJ,CAAC;CACF;AAED;;;;;;;GAOG;AACH,SAAS,eAAe,CACtB,SAA+B,EAC/B,QAAqC;IAErC,MAAM,eAAe,GAAG,SAAS,CAAC,aAAa,IAAI,QAAQ,CAAC,aAAa,CAAC;IAC1E,IAAI,eAAe,KAAK,aAAa,CAAC,OAAO,IAAI,SAAS,CAAC,iBAAiB,KAAK,SAAS,EAAE,CAAC;QAC3F,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,CAAC;IACrC,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,OAAO,CAAoC,aAAa,CAAC,CAAC;AACnE,CAAC"}
+{"version":3,"file":"bucket-builder.js","sourceRoot":"","sources":["../src/bucket-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,OAAO,EAAE,MAAM,EAAkC,MAAM,oBAAoB,CAAC;AAE5E,OAAO,EAAE,OAAO,EAAiC,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAElE,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,yCAAyC,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAqG3F,MAAM,aAAa;IACjB,KAAK,GAAgC,EAAE,CAAC;IAC/B,aAAa,GAAqC,EAAE,CAAC;IAE9D,QAAQ,CACN,GAAW,EACX,SAAoF;QAEpF,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,sBAAsB,CAAS,GAAG,CAAC,CAAC,CAAC,CAAC;QAC5E,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,KAAiB,EAAE,EAAU;QACjC,MAAM,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,WAAW,EAAE,GAAG,WAAW,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;QACxF,MAAM,EAAE,gBAAgB,EAAE,uBAAuB,EAAE,GAAG,WAAW,EAAE,GAAG,eAAe,CAAC;QACtF,MAAM,GAAG,GAAG,gBAAgB,IAAI,uBAAuB,CAAC;QAExD,MAAM,EAAE,gBAAgB,EAAE,cAAc,EAAE,GAAG,iBAAiB,CAAC,KAAK,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;QAE/E,MAAM,WAAW,GAAG;YAClB,GAAG,WAAW;YACd,GAAG,cAAc;YACjB,GAAG,WAAW;YACd,GAAG,eAAe,CAAC,WAAW,EAAE,eAAe,CAAC;SAClC,CAAC;QAEjB,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QAElD,MAAM,MAAM,GAAG,kBAAkB,CAC/B,KAAK,EACL,EAAE,EACF,MAAM,EACN,WAAW,EACX,WAAW,CAAC,OAAO,IAAI,EAAE,EACzB,IAAI,CAAC,aAAa,CACnB,CAAC;QAEF,OAAO;YACL,MAAM;YACN,gBAAgB;YAChB,MAAM;SACP,CAAC;IACJ,CAAC;CACF;AAED,SAAS,iBAAiB,CACxB,KAAiB,EACjB,EAAU,EACV,GAAuC;IAEvC,IAAI,GAAG,KAAK,KAAK,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACvC,OAAO,EAAE,cAAc,EAAE,EAAE,EAAE,CAAC;IAChC,CAAC;IAED,IAAI,GAAG,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;QAClC,IAAI,GAAG,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CACb,wEAAwE;gBACtE,uEAAuE,CAC1E,CAAC;QACJ,CAAC;QACD,OAAO;YACL,cAAc,EAAE;gBACd,sBAAsB,EAAE,GAAG,CAAC,WAAW;gBACvC,GAAG,CAAC,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,sBAAsB,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC5E;SACF,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,GAAG,mBAAmB,EAAE;SACnC,gBAAgB,CAAC,KAAK,CAAC;SACvB,SAAS,CAAC,KAAK,CAAC;SAChB,aAAa,CAAC,aAAa,CAAC,MAAM,CAAC;SACnC,cAAc,CAAC,yCAAyC,CAAC,CAAC;IAC7D,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;QAClB,UAAU,GAAG,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACzC,CAAC;IACD,MAAM,gBAAgB,GAAG,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC,MAAM,CAAC;IAE3E,OAAO;QACL,gBAAgB;QAChB,cAAc,EAAE;YACd,sBAAsB,EAAE,gBAAgB;YACxC,GAAG,CAAC,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,sBAAsB,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC5E;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,eAAe,CACtB,SAA+B,EAC/B,QAAqC;IAErC,MAAM,eAAe,GAAG,SAAS,CAAC,aAAa,IAAI,QAAQ,CAAC,aAAa,CAAC;IAC1E,IAAI,eAAe,KAAK,aAAa,CAAC,OAAO,IAAI,SAAS,CAAC,iBAAiB,KAAK,SAAS,EAAE,CAAC;QAC3F,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,CAAC;IACrC,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,OAAO,CAAoC,aAAa,CAAC,CAAC;AACnE,CAAC"}

package/dist/defaults.d.ts

@@ -1,4 +1,24 @@
+import { type LifecycleRule } from "aws-cdk-lib/aws-s3";
 import type { BucketBuilderProps } from "./bucket-builder.js";
+/**
+ * Lifecycle rules applied to general-purpose buckets built with
+ * {@link createBucketBuilder}. Bounds storage cost from orphaned multipart
+ * parts and from accumulated noncurrent versions of objects in versioned
+ * buckets, while preserving a generous recovery window.
+ *
+ * Users who need different rules can override the entire set via the
+ * `.lifecycleRules([...])` builder method.
+ */
+export declare const DEFAULT_BUCKET_LIFECYCLE_RULES: LifecycleRule[];
+/**
+ * Lifecycle rules applied to auto-created S3 server access log buckets and
+ * CloudFront access log buckets. Mirrors the 2-year retention used by
+ * {@link LOG_GROUP_DEFAULTS} so the audit window is consistent across log
+ * destinations in the library.
+ *
+ * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_app_service_logging.html
+ */
+export declare const DEFAULT_ACCESS_LOG_BUCKET_LIFECYCLE_RULES: LifecycleRule[];
 /**
  * Secure, AWS-recommended defaults applied to every S3 bucket built
  * with {@link createBucketBuilder}. Each property can be individually

package/dist/defaults.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"defaults.d.ts","sourceRoot":"","sources":["../src/defaults.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAE9D;;;;GAIG;AACH,eAAO,MAAM,eAAe,EAAE,OAAO,CAAC,kBAAkB,CAqDvD,CAAC"}
+{"version":3,"file":"defaults.d.ts","sourceRoot":"","sources":["../src/defaults.ts"],"names":[],"mappings":"AAAA,OAAO,EAAuC,KAAK,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAE7F,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAe9D;;;;;;;;GAQG;AACH,eAAO,MAAM,8BAA8B,EAAE,aAAa,EAczD,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,yCAAyC,EAAE,aAAa,EAMpE,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,eAAe,EAAE,OAAO,CAAC,kBAAkB,CA6DvD,CAAC"}

package/dist/defaults.js

@@ -1,5 +1,56 @@
 import { BlockPublicAccess, BucketEncryption } from "aws-cdk-lib/aws-s3";
-import { RemovalPolicy } from "aws-cdk-lib";
+import { Duration, RemovalPolicy } from "aws-cdk-lib";
+/**
+ * Aborts multipart uploads that have not completed within 7 days. AWS recommends
+ * this rule on every bucket — orphaned upload parts are billed as storage but
+ * never become objects, so the rule is pure cost hygiene with no functional
+ * downside.
+ *
+ * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpu-abort-incomplete-mpu-lifecycle-config.html
+ */
+const ABORT_INCOMPLETE_MULTIPART_UPLOADS = {
+    id: "AbortIncompleteMultipartUploadAfter7Days",
+    abortIncompleteMultipartUploadAfter: Duration.days(7),
+};
+/**
+ * Lifecycle rules applied to general-purpose buckets built with
+ * {@link createBucketBuilder}. Bounds storage cost from orphaned multipart
+ * parts and from accumulated noncurrent versions of objects in versioned
+ * buckets, while preserving a generous recovery window.
+ *
+ * Users who need different rules can override the entire set via the
+ * `.lifecycleRules([...])` builder method.
+ */
+export const DEFAULT_BUCKET_LIFECYCLE_RULES = [
+    ABORT_INCOMPLETE_MULTIPART_UPLOADS,
+    {
+        /**
+         * Buckets default to `versioned: true`, so replaced and deleted objects
+         * accumulate as noncurrent versions indefinitely. Expiring them after a
+         * year preserves a long recovery window for "oops" deletions while
+         * preventing unbounded storage growth.
+         *
+         * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html
+         */
+        id: "ExpireNoncurrentVersionsAfter365Days",
+        noncurrentVersionExpiration: Duration.days(365),
+    },
+];
+/**
+ * Lifecycle rules applied to auto-created S3 server access log buckets and
+ * CloudFront access log buckets. Mirrors the 2-year retention used by
+ * {@link LOG_GROUP_DEFAULTS} so the audit window is consistent across log
+ * destinations in the library.
+ *
+ * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_app_service_logging.html
+ */
+export const DEFAULT_ACCESS_LOG_BUCKET_LIFECYCLE_RULES = [
+    ABORT_INCOMPLETE_MULTIPART_UPLOADS,
+    {
+        id: "ExpireAccessLogsAfter2Years",
+        expiration: Duration.days(731),
+    },
+];
 /**
  * Secure, AWS-recommended defaults applied to every S3 bucket built
  * with {@link createBucketBuilder}. Each property can be individually
@@ -7,17 +58,14 @@ import { RemovalPolicy } from "aws-cdk-lib";
  */
 export const BUCKET_DEFAULTS = {
     /**
-     * Automatically create an access logging bucket for S3 server access logs.
-     * Access logging provides an audit trail of all object-level operations for
-     * security monitoring and troubleshooting.
+     * Auto-create a dedicated logging bucket and write S3 server access logs
+     * to it under the `logs/` prefix. Access logging provides an audit trail
+     * of all object-level operations for security monitoring and
+     * troubleshooting.
+     *
      * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_app_service_logging.html
      */
-    accessLogging: true,
-    /**
-     * Default prefix for server access log object keys in the auto-created
-     * logging bucket.
-     */
-    accessLogsPrefix: "logs/",
+    serverAccessLogs: { prefix: "logs/" },
     /**
      * Block all public access to the bucket. S3 buckets should not be
      * publicly accessible unless explicitly required (e.g. static website
@@ -42,6 +90,17 @@ export const BUCKET_DEFAULTS = {
      * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html
      */
     versioned: true,
+    /**
+     * Bound storage cost on every bucket: abort orphaned multipart uploads
+     * after 7 days and expire noncurrent object versions after 365 days.
+     *
+     * Override with `.lifecycleRules([...])` to supply your own rule set —
+     * the array is replaced wholesale, consistent with how every other
+     * builder default is overridden.
+     *
+     * @see {@link DEFAULT_BUCKET_LIFECYCLE_RULES}
+     */
+    lifecycleRules: DEFAULT_BUCKET_LIFECYCLE_RULES,
     /**
      * Retain the bucket on stack deletion to prevent data loss.
      *

package/dist/defaults.js.map

@@ -1 +1 @@
-{"version":3,"file":"defaults.js","sourceRoot":"","sources":["../src/defaults.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACzE,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAG5C;;;;GAIG;AACH,MAAM,CAAC,MAAM,eAAe,GAAgC;IAC1D;;;;;OAKG;IACH,aAAa,EAAE,IAAI;IAEnB;;;OAGG;IACH,gBAAgB,EAAE,OAAO;IAEzB;;;;;OAKG;IACH,iBAAiB,EAAE,iBAAiB,CAAC,SAAS;IAE9C;;;;OAIG;IACH,UAAU,EAAE,gBAAgB,CAAC,UAAU;IAEvC;;;OAGG;IACH,UAAU,EAAE,IAAI;IAEhB;;;;OAIG;IACH,SAAS,EAAE,IAAI;IAEf;;;;;;;;OAQG;IACH,aAAa,EAAE,aAAa,CAAC,MAAM;CACpC,CAAC"}
+{"version":3,"file":"defaults.js","sourceRoot":"","sources":["../src/defaults.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAsB,MAAM,oBAAoB,CAAC;AAC7F,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAGtD;;;;;;;GAOG;AACH,MAAM,kCAAkC,GAAkB;IACxD,EAAE,EAAE,0CAA0C;IAC9C,mCAAmC,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;CACtD,CAAC;AAEF;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAoB;IAC7D,kCAAkC;IAClC;QACE;;;;;;;WAOG;QACH,EAAE,EAAE,sCAAsC;QAC1C,2BAA2B,EAAE,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC;KAChD;CACF,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,yCAAyC,GAAoB;IACxE,kCAAkC;IAClC;QACE,EAAE,EAAE,6BAA6B;QACjC,UAAU,EAAE,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC;KAC/B;CACF,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,eAAe,GAAgC;IAC1D;;;;;;;OAOG;IACH,gBAAgB,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE;IAErC;;;;;OAKG;IACH,iBAAiB,EAAE,iBAAiB,CAAC,SAAS;IAE9C;;;;OAIG;IACH,UAAU,EAAE,gBAAgB,CAAC,UAAU;IAEvC;;;OAGG;IACH,UAAU,EAAE,IAAI;IAEhB;;;;OAIG;IACH,SAAS,EAAE,IAAI;IAEf;;;;;;;;;OASG;IACH,cAAc,EAAE,8BAA8B;IAE9C;;;;;;;;OAQG;IACH,aAAa,EAAE,aAAa,CAAC,MAAM;CACpC,CAAC"}

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-export { createBucketBuilder, type BucketBuilderProps, type BucketBuilderResult, type IBucketBuilder, } from "./bucket-builder.js";
-export { BUCKET_DEFAULTS } from "./defaults.js";
+export { createBucketBuilder, type BucketBuilderProps, type BucketBuilderResult, type IBucketBuilder, type ServerAccessLogsConfig, } from "./bucket-builder.js";
+export { BUCKET_DEFAULTS, DEFAULT_ACCESS_LOG_BUCKET_LIFECYCLE_RULES, DEFAULT_BUCKET_LIFECYCLE_RULES, } from "./defaults.js";
 export { type BucketAlarmConfig } from "./alarm-config.js";
 export { BUCKET_ALARM_DEFAULTS } from "./alarm-defaults.js";
 export { createBucketDeploymentBuilder, type BucketDeploymentBuilderResult, type IBucketDeploymentBuilder, } from "./bucket-deployment-builder.js";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mBAAmB,EACnB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACxB,KAAK,cAAc,GACpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAC5D,OAAO,EACL,6BAA6B,EAC7B,KAAK,6BAA6B,EAClC,KAAK,wBAAwB,GAC9B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,KAAK,4BAA4B,EAAE,MAAM,8BAA8B,CAAC;AACjF,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mBAAmB,EACnB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACxB,KAAK,cAAc,EACnB,KAAK,sBAAsB,GAC5B,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,eAAe,EACf,yCAAyC,EACzC,8BAA8B,GAC/B,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAC5D,OAAO,EACL,6BAA6B,EAC7B,KAAK,6BAA6B,EAClC,KAAK,wBAAwB,GAC9B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,KAAK,4BAA4B,EAAE,MAAM,8BAA8B,CAAC;AACjF,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC"}

package/dist/index.js

@@ -1,5 +1,5 @@
 export { createBucketBuilder, } from "./bucket-builder.js";
-export { BUCKET_DEFAULTS } from "./defaults.js";
+export { BUCKET_DEFAULTS, DEFAULT_ACCESS_LOG_BUCKET_LIFECYCLE_RULES, DEFAULT_BUCKET_LIFECYCLE_RULES, } from "./defaults.js";
 export { BUCKET_ALARM_DEFAULTS } from "./alarm-defaults.js";
 export { createBucketDeploymentBuilder, } from "./bucket-deployment-builder.js";
 export { BUCKET_DEPLOYMENT_DEFAULTS } from "./bucket-deployment-defaults.js";

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mBAAmB,GAIpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEhD,OAAO,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAC5D,OAAO,EACL,6BAA6B,GAG9B,MAAM,gCAAgC,CAAC;AAExC,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mBAAmB,GAKpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,eAAe,EACf,yCAAyC,EACzC,8BAA8B,GAC/B,MAAM,eAAe,CAAC;AAEvB,OAAO,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAC5D,OAAO,EACL,6BAA6B,GAG9B,MAAM,gCAAgC,CAAC;AAExC,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@composurecdk/s3",
-  "version": "0.4.8",
+  "version": "0.5.1",
   "description": "Composable S3 bucket builder with well-architected defaults",
   "repository": {
     "type": "git",
@@ -35,9 +35,9 @@
   },
   "type": "module",
   "peerDependencies": {
-    "@composurecdk/cloudwatch": "^0.4.0",
-    "@composurecdk/core": "^0.4.0",
-    "@composurecdk/logs": "^0.4.0",
+    "@composurecdk/cloudwatch": "^0.5.0",
+    "@composurecdk/core": "^0.5.0",
+    "@composurecdk/logs": "^0.5.0",
     "aws-cdk-lib": "^2.0.0",
     "constructs": "^10.0.0"
   },