aws-cdk-lib 2.158.0__py3-none-any.whl → 2.159.1__py3-none-any.whl

aws_cdk/aws_s3/__init__.py

@@ -478,6 +478,110 @@ bucket = s3.Bucket(self, "MyBucket",
 )
 ```
 
+The above code will create a new bucket policy if none exists or update the
+existing bucket policy to allow access log delivery.
+
+However, there could be an edge case if the `accessLogsBucket` also defines a bucket
+policy resource using the L1 Construct. Although the mixing of L1 and L2 Constructs is not
+recommended, there are no mechanisms in place to prevent users from doing this at the moment.
+
+```python
+bucket_name = "my-favorite-bucket-name"
+access_logs_bucket = s3.Bucket(self, "AccessLogsBucket",
+    object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED,
+    bucket_name=bucket_name
+)
+
+# Creating a bucket policy using L1
+bucket_policy = s3.CfnBucketPolicy(self, "BucketPolicy",
+    bucket=bucket_name,
+    policy_document={
+        "Statement": [{
+            "Action": "s3:*",
+            "Effect": "Deny",
+            "Principal": {
+                "AWS": "*"
+            },
+            "Resource": [access_logs_bucket.bucket_arn, f"{accessLogsBucket.bucketArn}/*"
+            ]
+        }
+        ],
+        "Version": "2012-10-17"
+    }
+)
+
+# 'serverAccessLogsBucket' will create a new L2 bucket policy
+# to allow log delivery and overwrite the L1 bucket policy.
+bucket = s3.Bucket(self, "MyBucket",
+    server_access_logs_bucket=access_logs_bucket,
+    server_access_logs_prefix="logs"
+)
+```
+
+The above example uses the L2 Bucket Construct with the L1 CfnBucketPolicy Construct. However,
+when `serverAccessLogsBucket` is set, a new L2 Bucket Policy resource will be created
+which overwrites the permissions defined in the L1 Bucket Policy causing unintended
+behaviours.
+
+As noted above, we highly discourage the mixed usage of L1 and L2 Constructs. The recommended
+approach would to define the bucket policy using `addToResourcePolicy` method.
+
+```python
+access_logs_bucket = s3.Bucket(self, "AccessLogsBucket",
+    object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED
+)
+
+access_logs_bucket.add_to_resource_policy(
+    iam.PolicyStatement(
+        actions=["s3:*"],
+        resources=[access_logs_bucket.bucket_arn, access_logs_bucket.arn_for_objects("*")],
+        principals=[iam.AnyPrincipal()]
+    ))
+
+bucket = s3.Bucket(self, "MyBucket",
+    server_access_logs_bucket=access_logs_bucket,
+    server_access_logs_prefix="logs"
+)
+```
+
+Alternatively, users can use the L2 Bucket Policy Construct
+`BucketPolicy.fromCfnBucketPolicy` to wrap around `CfnBucketPolicy` Construct. This will allow the subsequent bucket policy generated by `serverAccessLogsBucket` usage to append to the existing bucket policy instead of overwriting.
+
+```python
+bucket_name = "my-favorite-bucket-name"
+access_logs_bucket = s3.Bucket(self, "AccessLogsBucket",
+    object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED,
+    bucket_name=bucket_name
+)
+
+bucket_policy = s3.CfnBucketPolicy(self, "BucketPolicy",
+    bucket=bucket_name,
+    policy_document={
+        "Statement": [{
+            "Action": "s3:*",
+            "Effect": "Deny",
+            "Principal": {
+                "AWS": "*"
+            },
+            "Resource": [access_logs_bucket.bucket_arn, f"{accessLogsBucket.bucketArn}/*"
+            ]
+        }
+        ],
+        "Version": "2012-10-17"
+    }
+)
+
+# Wrap L1 Construct with L2 Bucket Policy Construct. Subsequent
+# generated bucket policy to allow access log delivery would append
+# to the current policy.
+s3.BucketPolicy.from_cfn_bucket_policy(bucket_policy)
+
+bucket = s3.Bucket(self, "MyBucket",
+    server_access_logs_bucket=access_logs_bucket,
+    server_access_logs_prefix="logs"
+)
+```
+
 ## S3 Inventory
 
 An [inventory](https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-inventory.html) contains a list of the objects in the source bucket and metadata for each object. The inventory lists are stored in the destination bucket as a CSV file compressed with GZIP, as an Apache optimized row columnar (ORC) file compressed with ZLIB, or as an Apache Parquet (Parquet) file compressed with Snappy.
@@ -1575,24 +1679,55 @@ class BucketPolicy(
     policy if one doesn't exist yet, otherwise it will add to the existing
     policy.
 
-    Prefer to use ``addToResourcePolicy()`` instead.
+    The bucket policy method is implemented differently than ``addToResourcePolicy()``
+    as ``BucketPolicy()`` creates a new policy without knowing one earlier existed.
+    e.g. if during Bucket creation, if ``autoDeleteObject:true``, these policies are
+    added to the bucket policy:
+    ["s3:DeleteObject*", "s3:GetBucket*", "s3:List*", "s3:PutBucketPolicy"],
+    and when you add a new BucketPolicy with ["s3:GetObject", "s3:ListBucket"] on
+    this existing bucket, invoking ``BucketPolicy()`` will create a new Policy
+    without knowing one earlier exists already, so it creates a new one.
+    In this case, the custom resource handler will not have access to
+    ``s3:GetBucketTagging`` action which will cause failure during deletion of stack.
 
-    :exampleMetadata: fixture=_generated
+    Hence its strongly recommended to use ``addToResourcePolicy()`` method to add
+    new permissions to existing policy.
+
+    :exampleMetadata: infused
 
     Example::
 
-        # The code below shows an example of how to instantiate this type.
-        # The values are placeholders you should change.
-        import aws_cdk as cdk
-        from aws_cdk import aws_s3 as s3
+        bucket_name = "my-favorite-bucket-name"
+        access_logs_bucket = s3.Bucket(self, "AccessLogsBucket",
+            object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED,
+            bucket_name=bucket_name
+        )
         
-        # bucket: s3.Bucket
+        bucket_policy = s3.CfnBucketPolicy(self, "BucketPolicy",
+            bucket=bucket_name,
+            policy_document={
+                "Statement": [{
+                    "Action": "s3:*",
+                    "Effect": "Deny",
+                    "Principal": {
+                        "AWS": "*"
+                    },
+                    "Resource": [access_logs_bucket.bucket_arn, f"{accessLogsBucket.bucketArn}/*"
+                    ]
+                }
+                ],
+                "Version": "2012-10-17"
+            }
+        )
         
-        bucket_policy = s3.BucketPolicy(self, "MyBucketPolicy",
-            bucket=bucket,
+        # Wrap L1 Construct with L2 Bucket Policy Construct. Subsequent
+        # generated bucket policy to allow access log delivery would append
+        # to the current policy.
+        s3.BucketPolicy.from_cfn_bucket_policy(bucket_policy)
         
-            # the properties below are optional
-            removal_policy=cdk.RemovalPolicy.DESTROY
+        bucket = s3.Bucket(self, "MyBucket",
+            server_access_logs_bucket=access_logs_bucket,
+            server_access_logs_prefix="logs"
         )
     '''
 
@@ -3661,7 +3796,7 @@ class CfnAccessPoint(
             :param block_public_acls: Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to ``TRUE`` causes the following behavior: - PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public. - PUT Object calls fail if the request includes a public ACL. - PUT Bucket calls fail if the request includes a public ACL. Enabling this setting doesn't affect existing policies or ACLs.
             :param block_public_policy: Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to ``TRUE`` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access. Enabling this setting doesn't affect existing bucket policies.
             :param ignore_public_acls: Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to ``TRUE`` causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket. Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.
-            :param restrict_public_buckets: Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to ``TRUE`` restricts access to this bucket to only AWS-service principals and authorized users within this account if the bucket has a public policy. Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
+            :param restrict_public_buckets: Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to ``TRUE`` restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy. Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-accesspoint-publicaccessblockconfiguration.html
             :exampleMetadata: fixture=_generated
@@ -3750,7 +3885,7 @@ class CfnAccessPoint(
         ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
             '''Specifies whether Amazon S3 should restrict public bucket policies for this bucket.
 
-            Setting this element to ``TRUE`` restricts access to this bucket to only AWS-service principals and authorized users within this account if the bucket has a public policy.
+            Setting this element to ``TRUE`` restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy.
 
             Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
 
@@ -7265,7 +7400,7 @@ class CfnBucket(
             :param block_public_acls: Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to ``TRUE`` causes the following behavior: - PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public. - PUT Object calls fail if the request includes a public ACL. - PUT Bucket calls fail if the request includes a public ACL. Enabling this setting doesn't affect existing policies or ACLs.
             :param block_public_policy: Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to ``TRUE`` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access. Enabling this setting doesn't affect existing bucket policies.
             :param ignore_public_acls: Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to ``TRUE`` causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket. Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.
-            :param restrict_public_buckets: Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to ``TRUE`` restricts access to this bucket to only AWS-service principals and authorized users within this account if the bucket has a public policy. Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
+            :param restrict_public_buckets: Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to ``TRUE`` restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy. Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html
             :exampleMetadata: fixture=_generated
@@ -7354,7 +7489,7 @@ class CfnBucket(
         ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
             '''Specifies whether Amazon S3 should restrict public bucket policies for this bucket.
 
-            Setting this element to ``TRUE`` restricts access to this bucket to only AWS-service principals and authorized users within this account if the bucket has a public policy.
+            Setting this element to ``TRUE`` restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy.
 
             Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
 
@@ -10300,19 +10435,39 @@ class CfnBucketPolicy(
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucketpolicy.html
     :cloudformationResource: AWS::S3::BucketPolicy
-    :exampleMetadata: fixture=_generated
+    :exampleMetadata: infused
 
     Example::
 
-        # The code below shows an example of how to instantiate this type.
-        # The values are placeholders you should change.
-        from aws_cdk import aws_s3 as s3
+        bucket_name = "my-favorite-bucket-name"
+        access_logs_bucket = s3.Bucket(self, "AccessLogsBucket",
+            object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED,
+            bucket_name=bucket_name
+        )
         
-        # policy_document: Any
+        # Creating a bucket policy using L1
+        bucket_policy = s3.CfnBucketPolicy(self, "BucketPolicy",
+            bucket=bucket_name,
+            policy_document={
+                "Statement": [{
+                    "Action": "s3:*",
+                    "Effect": "Deny",
+                    "Principal": {
+                        "AWS": "*"
+                    },
+                    "Resource": [access_logs_bucket.bucket_arn, f"{accessLogsBucket.bucketArn}/*"
+                    ]
+                }
+                ],
+                "Version": "2012-10-17"
+            }
+        )
         
-        cfn_bucket_policy = s3.CfnBucketPolicy(self, "MyCfnBucketPolicy",
-            bucket="bucket",
-            policy_document=policy_document
+        # 'serverAccessLogsBucket' will create a new L2 bucket policy
+        # to allow log delivery and overwrite the L1 bucket policy.
+        bucket = s3.Bucket(self, "MyBucket",
+            server_access_logs_bucket=access_logs_bucket,
+            server_access_logs_prefix="logs"
         )
     '''
 
@@ -10413,19 +10568,39 @@ class CfnBucketPolicyProps:
         :param policy_document: A policy document containing permissions to add to the specified bucket. In IAM, you must provide policy documents in JSON format. However, in CloudFormation you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to IAM. For more information, see the AWS::IAM::Policy `PolicyDocument <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policydocument>`_ resource description in this guide and `Access Policy Language Overview <https://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html>`_ in the *Amazon S3 User Guide* .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucketpolicy.html
-        :exampleMetadata: fixture=_generated
+        :exampleMetadata: infused
 
         Example::
 
-            # The code below shows an example of how to instantiate this type.
-            # The values are placeholders you should change.
-            from aws_cdk import aws_s3 as s3
+            bucket_name = "my-favorite-bucket-name"
+            access_logs_bucket = s3.Bucket(self, "AccessLogsBucket",
+                object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED,
+                bucket_name=bucket_name
+            )
             
-            # policy_document: Any
+            # Creating a bucket policy using L1
+            bucket_policy = s3.CfnBucketPolicy(self, "BucketPolicy",
+                bucket=bucket_name,
+                policy_document={
+                    "Statement": [{
+                        "Action": "s3:*",
+                        "Effect": "Deny",
+                        "Principal": {
+                            "AWS": "*"
+                        },
+                        "Resource": [access_logs_bucket.bucket_arn, f"{accessLogsBucket.bucketArn}/*"
+                        ]
+                    }
+                    ],
+                    "Version": "2012-10-17"
+                }
+            )
             
-            cfn_bucket_policy_props = s3.CfnBucketPolicyProps(
-                bucket="bucket",
-                policy_document=policy_document
+            # 'serverAccessLogsBucket' will create a new L2 bucket policy
+            # to allow log delivery and overwrite the L1 bucket policy.
+            bucket = s3.Bucket(self, "MyBucket",
+                server_access_logs_bucket=access_logs_bucket,
+                server_access_logs_prefix="logs"
             )
         '''
         if __debug__:
@@ -11096,7 +11271,7 @@ class CfnMultiRegionAccessPoint(
             :param block_public_acls: Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to ``TRUE`` causes the following behavior: - PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public. - PUT Object calls fail if the request includes a public ACL. - PUT Bucket calls fail if the request includes a public ACL. Enabling this setting doesn't affect existing policies or ACLs.
             :param block_public_policy: Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to ``TRUE`` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access. Enabling this setting doesn't affect existing bucket policies.
             :param ignore_public_acls: Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to ``TRUE`` causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket. Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.
-            :param restrict_public_buckets: Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to ``TRUE`` restricts access to this bucket to only AWS-service principals and authorized users within this account if the bucket has a public policy. Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
+            :param restrict_public_buckets: Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to ``TRUE`` restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy. Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-multiregionaccesspoint-publicaccessblockconfiguration.html
             :exampleMetadata: fixture=_generated
@@ -11185,7 +11360,7 @@ class CfnMultiRegionAccessPoint(
         ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
             '''Specifies whether Amazon S3 should restrict public bucket policies for this bucket.
 
-            Setting this element to ``TRUE`` restricts access to this bucket to only AWS-service principals and authorized users within this account if the bucket has a public policy.
+            Setting this element to ``TRUE`` restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy.
 
             Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
 
@@ -17462,6 +17637,13 @@ class ObjectOwnership(enum.Enum):
             object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED
         )
         
+        access_logs_bucket.add_to_resource_policy(
+            iam.PolicyStatement(
+                actions=["s3:*"],
+                resources=[access_logs_bucket.bucket_arn, access_logs_bucket.arn_for_objects("*")],
+                principals=[iam.AnyPrincipal()]
+            ))
+        
         bucket = s3.Bucket(self, "MyBucket",
             server_access_logs_bucket=access_logs_bucket,
             server_access_logs_prefix="logs"

aws_cdk/aws_s3objectlambda/__init__.py

@@ -733,7 +733,7 @@ class CfnAccessPoint(
             :param block_public_acls: Specifies whether Amazon S3 should block public access control lists (ACLs) for buckets in this account. Setting this element to ``TRUE`` causes the following behavior: - ``PutBucketAcl`` and ``PutObjectAcl`` calls fail if the specified ACL is public. - PUT Object calls fail if the request includes a public ACL. - PUT Bucket calls fail if the request includes a public ACL. Enabling this setting doesn't affect existing policies or ACLs. This property is not supported for Amazon S3 on Outposts.
             :param block_public_policy: Specifies whether Amazon S3 should block public bucket policies for buckets in this account. Setting this element to ``TRUE`` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access. Enabling this setting doesn't affect existing bucket policies. This property is not supported for Amazon S3 on Outposts.
             :param ignore_public_acls: Specifies whether Amazon S3 should ignore public ACLs for buckets in this account. Setting this element to ``TRUE`` causes Amazon S3 to ignore all public ACLs on buckets in this account and any objects that they contain. Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set. This property is not supported for Amazon S3 on Outposts.
-            :param restrict_public_buckets: Specifies whether Amazon S3 should restrict public bucket policies for buckets in this account. Setting this element to ``TRUE`` restricts access to buckets with public policies to only AWS-service principals and authorized users within this account. Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked. This property is not supported for Amazon S3 on Outposts.
+            :param restrict_public_buckets: Specifies whether Amazon S3 should restrict public bucket policies for buckets in this account. Setting this element to ``TRUE`` restricts access to buckets with public policies to only AWS service principals and authorized users within this account. Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked. This property is not supported for Amazon S3 on Outposts.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3objectlambda-accesspoint-publicaccessblockconfiguration.html
             :exampleMetadata: fixture=_generated
@@ -828,7 +828,7 @@ class CfnAccessPoint(
         ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
             '''Specifies whether Amazon S3 should restrict public bucket policies for buckets in this account.
 
-            Setting this element to ``TRUE`` restricts access to buckets with public policies to only AWS-service principals and authorized users within this account.
+            Setting this element to ``TRUE`` restricts access to buckets with public policies to only AWS service principals and authorized users within this account.
 
             Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.