aws-cdk.aws-s3tables-alpha 2.195.0a0__py3-none-any.whl → 2.196.1a0__py3-none-any.whl

aws_cdk/aws_s3tables_alpha/__init__.py

@@ -46,9 +46,11 @@ Learn more about table buckets maintenance operations and default behavior from
 # Grant the principal read permissions to the bucket and all tables within
 account_id = "123456789012"
 table_bucket.grant_read(iam.AccountPrincipal(account_id), "*")
+
 # Grant the role write permissions to the bucket and all tables within
 role = iam.Role(stack, "MyRole", assumed_by=iam.ServicePrincipal("sample"))
 table_bucket.grant_write(role, "*")
+
 # Grant the user read and write permissions to the bucket and all tables within
 table_bucket.grant_read_write(iam.User(stack, "MyUser"), "*")
 
@@ -67,6 +69,42 @@ permissions = iam.PolicyStatement(
 table_bucket.add_to_resource_policy(permissions)
 ```
 
+### Controlling Table Bucket Encryption Settings
+
+S3 TableBuckets have SSE (server-side encryption with AES-256) enabled by default with S3 managed keys.
+You can also bring your own KMS key for KMS-SSE or have S3 create a KMS key for you.
+
+If a bucket is encrypted with KMS, grant functions on the bucket will also grant access
+to the TableBucket's associated KMS key.
+
+```python
+# Provide a user defined KMS Key:
+key = kms.Key(scope, "UserKey")
+encrypted_bucket = TableBucket(scope, "EncryptedTableBucket",
+    table_bucket_name="table-bucket-1",
+    encryption=TableBucketEncryption.KMS,
+    encryption_key=key
+)
+# This account principal will also receive kms:Decrypt access to the KMS key
+encrypted_bucket.grant_read(iam.AccountPrincipal("123456789012"), "*")
+
+# Use S3 managed server side encryption (default)
+encrypted_bucket_default = TableBucket(scope, "EncryptedTableBucketDefault",
+    table_bucket_name="table-bucket-3",
+    encryption=TableBucketEncryption.S3_MANAGED
+)
+```
+
+When using KMS encryption (`TableBucketEncryption.KMS`), if no encryption key is provided, CDK will automatically create a new KMS key for the table bucket with necessary permissions.
+
+```python
+# If no key is provided, one will be created automatically
+encrypted_bucket_auto = TableBucket(scope, "EncryptedTableBucketAuto",
+    table_bucket_name="table-bucket-2",
+    encryption=TableBucketEncryption.KMS
+)
+```
+
 ## Coming Soon
 
 L2 Construct support for:
@@ -108,6 +146,7 @@ from ._jsii import *
 
 import aws_cdk as _aws_cdk_ceddda9d
 import aws_cdk.aws_iam as _aws_cdk_aws_iam_ceddda9d
+import aws_cdk.aws_kms as _aws_cdk_aws_kms_ceddda9d
 import constructs as _constructs_77d1e7e8
 
 
@@ -148,6 +187,15 @@ class ITableBucket(_aws_cdk_ceddda9d.IResource, typing_extensions.Protocol):
         '''
         ...
 
+    @builtins.property
+    @jsii.member(jsii_name="encryptionKey")
+    def encryption_key(self) -> typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey]:
+        '''(experimental) Optional KMS encryption key associated with this table bucket.
+
+        :stability: experimental
+        '''
+        ...
+
     @builtins.property
     @jsii.member(jsii_name="region")
     def region(self) -> typing.Optional[builtins.str]:
@@ -163,7 +211,7 @@ class ITableBucket(_aws_cdk_ceddda9d.IResource, typing_extensions.Protocol):
         self,
         statement: _aws_cdk_aws_iam_ceddda9d.PolicyStatement,
     ) -> _aws_cdk_aws_iam_ceddda9d.AddToResourcePolicyResult:
-        '''(experimental) Adds a statement to the resource policy for a principal (i.e. account/role/service) to perform actions on this table bucket and/or its contents. Use ``tableBucketArn`` and ``arnForObjects(keys)`` to obtain ARNs for this bucket or objects.
+        '''(experimental) Adds a statement to the resource policy for a principal (i.e. account/role/service) to perform actions on this table bucket and/or its tables.
 
         Note that the policy statement may or may not be added to the policy.
         For example, when an ``ITableBucket`` is created from an existing table bucket,
@@ -193,6 +241,9 @@ class ITableBucket(_aws_cdk_ceddda9d.IResource, typing_extensions.Protocol):
     ) -> _aws_cdk_aws_iam_ceddda9d.Grant:
         '''(experimental) Grant read permissions for this table bucket and its tables to an IAM principal (Role/Group/User).
 
+        If encryption is used, permission to use the key to decrypt the contents
+        of the bucket will also be granted to the same principal.
+
         :param identity: The principal to allow read permissions to.
         :param table_id: Allow the permissions to all tables using '*' or to single table by its unique ID.
 
@@ -208,6 +259,9 @@ class ITableBucket(_aws_cdk_ceddda9d.IResource, typing_extensions.Protocol):
     ) -> _aws_cdk_aws_iam_ceddda9d.Grant:
         '''(experimental) Grant read and write permissions for this table bucket and its tables to an IAM principal (Role/Group/User).
 
+        If encryption is used, permission to use the key to encrypt/decrypt the contents
+        of the bucket will also be granted to the same principal.
+
         :param identity: The principal to allow read and write permissions to.
         :param table_id: Allow the permissions to all tables using '*' or to single table by its unique ID.
 
@@ -223,6 +277,9 @@ class ITableBucket(_aws_cdk_ceddda9d.IResource, typing_extensions.Protocol):
     ) -> _aws_cdk_aws_iam_ceddda9d.Grant:
         '''(experimental) Grant write permissions for this table bucket and its tables to an IAM principal (Role/Group/User).
 
+        If encryption is used, permission to use the key to encrypt the contents
+        of the bucket will also be granted to the same principal.
+
         :param identity: The principal to allow write permissions to.
         :param table_id: Allow the permissions to all tables using '*' or to single table by its unique ID.
 
@@ -271,6 +328,15 @@ class _ITableBucketProxy(
         '''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "account"))
 
+    @builtins.property
+    @jsii.member(jsii_name="encryptionKey")
+    def encryption_key(self) -> typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey]:
+        '''(experimental) Optional KMS encryption key associated with this table bucket.
+
+        :stability: experimental
+        '''
+        return typing.cast(typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey], jsii.get(self, "encryptionKey"))
+
     @builtins.property
     @jsii.member(jsii_name="region")
     def region(self) -> typing.Optional[builtins.str]:
@@ -286,7 +352,7 @@ class _ITableBucketProxy(
         self,
         statement: _aws_cdk_aws_iam_ceddda9d.PolicyStatement,
     ) -> _aws_cdk_aws_iam_ceddda9d.AddToResourcePolicyResult:
-        '''(experimental) Adds a statement to the resource policy for a principal (i.e. account/role/service) to perform actions on this table bucket and/or its contents. Use ``tableBucketArn`` and ``arnForObjects(keys)`` to obtain ARNs for this bucket or objects.
+        '''(experimental) Adds a statement to the resource policy for a principal (i.e. account/role/service) to perform actions on this table bucket and/or its tables.
 
         Note that the policy statement may or may not be added to the policy.
         For example, when an ``ITableBucket`` is created from an existing table bucket,
@@ -319,6 +385,9 @@ class _ITableBucketProxy(
     ) -> _aws_cdk_aws_iam_ceddda9d.Grant:
         '''(experimental) Grant read permissions for this table bucket and its tables to an IAM principal (Role/Group/User).
 
+        If encryption is used, permission to use the key to decrypt the contents
+        of the bucket will also be granted to the same principal.
+
         :param identity: The principal to allow read permissions to.
         :param table_id: Allow the permissions to all tables using '*' or to single table by its unique ID.
 
@@ -338,6 +407,9 @@ class _ITableBucketProxy(
     ) -> _aws_cdk_aws_iam_ceddda9d.Grant:
         '''(experimental) Grant read and write permissions for this table bucket and its tables to an IAM principal (Role/Group/User).
 
+        If encryption is used, permission to use the key to encrypt/decrypt the contents
+        of the bucket will also be granted to the same principal.
+
         :param identity: The principal to allow read and write permissions to.
         :param table_id: Allow the permissions to all tables using '*' or to single table by its unique ID.
 
@@ -357,6 +429,9 @@ class _ITableBucketProxy(
     ) -> _aws_cdk_aws_iam_ceddda9d.Grant:
         '''(experimental) Grant write permissions for this table bucket and its tables to an IAM principal (Role/Group/User).
 
+        If encryption is used, permission to use the key to encrypt the contents
+        of the bucket will also be granted to the same principal.
+
         :param identity: The principal to allow write permissions to.
         :param table_id: Allow the permissions to all tables using '*' or to single table by its unique ID.
 
@@ -405,6 +480,8 @@ class TableBucket(
         *,
         table_bucket_name: builtins.str,
         account: typing.Optional[builtins.str] = None,
+        encryption: typing.Optional["TableBucketEncryption"] = None,
+        encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
         region: typing.Optional[builtins.str] = None,
         removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
         unreferenced_file_removal: typing.Optional[typing.Union["UnreferencedFileRemoval", typing.Dict[builtins.str, typing.Any]]] = None,
@@ -414,6 +491,8 @@ class TableBucket(
         :param id: -
         :param table_bucket_name: (experimental) Name of the S3 TableBucket.
         :param account: (experimental) AWS Account ID of the table bucket owner. Default: - it's assumed the bucket belongs to the same account as the scope it's being imported into
+        :param encryption: (experimental) The kind of server-side encryption to apply to this bucket. If you choose KMS, you can specify a KMS key via ``encryptionKey``. If encryption key is not specified, a key will automatically be created. Default: - ``KMS`` if ``encryptionKey`` is specified, or ``S3_MANAGED`` otherwise.
+        :param encryption_key: (experimental) External KMS key to use for bucket encryption. The ``encryption`` property must be either not specified or set to ``KMS``. An error will be emitted if ``encryption`` is set to ``S3_MANAGED``. Default: - If ``encryption`` is set to ``KMS`` and this property is undefined, a new KMS key will be created and associated with this bucket.
         :param region: (experimental) AWS region that the table bucket exists in. Default: - it's assumed the bucket is in the same region as the scope it's being imported into
         :param removal_policy: (experimental) Controls what happens to this table bucket it it stoped being managed by cloudformation. Default: RETAIN
         :param unreferenced_file_removal: (experimental) Unreferenced file removal settings for the S3 TableBucket. Default: Enabled with default values
@@ -427,6 +506,8 @@ class TableBucket(
         props = TableBucketProps(
             table_bucket_name=table_bucket_name,
             account=account,
+            encryption=encryption,
+            encryption_key=encryption_key,
             region=region,
             removal_policy=removal_policy,
             unreferenced_file_removal=unreferenced_file_removal,
@@ -465,6 +546,7 @@ class TableBucket(
         id: builtins.str,
         *,
         account: typing.Optional[builtins.str] = None,
+        encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
         region: typing.Optional[builtins.str] = None,
         table_bucket_arn: typing.Optional[builtins.str] = None,
         table_bucket_name: typing.Optional[builtins.str] = None,
@@ -474,6 +556,7 @@ class TableBucket(
         :param scope: The parent creating construct (usually ``this``).
         :param id: The construct's name.
         :param account: (experimental) The accountId containing this table bucket. Default: account inferred from scope
+        :param encryption_key: (experimental) Optional KMS encryption key associated with this bucket. Default: - undefined
         :param region: (experimental) AWS region this table bucket exists in. Default: region inferred from scope
         :param table_bucket_arn: (experimental) The table bucket's ARN. Default: tableBucketArn constructed from region, account and tableBucketName are provided
         :param table_bucket_name: (experimental) The table bucket name, unique per region. Default: tableBucketName inferred from arn
@@ -486,6 +569,7 @@ class TableBucket(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         attrs = TableBucketAttributes(
             account=account,
+            encryption_key=encryption_key,
             region=region,
             table_bucket_arn=table_bucket_arn,
             table_bucket_name=table_bucket_name,
@@ -573,6 +657,9 @@ class TableBucket(
     ) -> _aws_cdk_aws_iam_ceddda9d.Grant:
         '''(experimental) Grant read permissions for this table bucket and its tables to an IAM principal (Role/Group/User).
 
+        If encryption is used, permission to use the key to decrypt the contents
+        of the bucket will also be granted to the same principal.
+
         :param identity: -
         :param table_id: -
 
@@ -592,6 +679,9 @@ class TableBucket(
     ) -> _aws_cdk_aws_iam_ceddda9d.Grant:
         '''(experimental) Grant read and write permissions for this table bucket and its tables to an IAM principal (Role/Group/User).
 
+        If encryption is used, permission to use the key to encrypt/decrypt the contents
+        of the bucket will also be granted to the same principal.
+
         :param identity: -
         :param table_id: -
 
@@ -611,6 +701,9 @@ class TableBucket(
     ) -> _aws_cdk_aws_iam_ceddda9d.Grant:
         '''(experimental) Grant write permissions for this table bucket and its tables to an IAM principal (Role/Group/User).
 
+        If encryption is used, permission to use the key to encrypt the contents
+        of the bucket will also be granted to the same principal.
+
         :param identity: -
         :param table_id: -
 
@@ -622,6 +715,15 @@ class TableBucket(
             check_type(argname="argument table_id", value=table_id, expected_type=type_hints["table_id"])
         return typing.cast(_aws_cdk_aws_iam_ceddda9d.Grant, jsii.invoke(self, "grantWrite", [identity, table_id]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''(experimental) Uniquely identifies this class.
+
+        :stability: experimental
+        '''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="tableBucketArn")
     def table_bucket_arn(self) -> builtins.str:
@@ -640,6 +742,15 @@ class TableBucket(
         '''
         return typing.cast(builtins.str, jsii.get(self, "tableBucketName"))
 
+    @builtins.property
+    @jsii.member(jsii_name="encryptionKey")
+    def encryption_key(self) -> typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey]:
+        '''(experimental) Optional KMS encryption key associated with this table bucket.
+
+        :stability: experimental
+        '''
+        return typing.cast(typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey], jsii.get(self, "encryptionKey"))
+
     @builtins.property
     @jsii.member(jsii_name="tableBucketPolicy")
     def table_bucket_policy(self) -> typing.Optional["TableBucketPolicy"]:
@@ -671,6 +782,7 @@ class TableBucket(
     jsii_struct_bases=[],
     name_mapping={
         "account": "account",
+        "encryption_key": "encryptionKey",
         "region": "region",
         "table_bucket_arn": "tableBucketArn",
         "table_bucket_name": "tableBucketName",
@@ -681,16 +793,18 @@ class TableBucketAttributes:
         self,
         *,
         account: typing.Optional[builtins.str] = None,
+        encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
         region: typing.Optional[builtins.str] = None,
         table_bucket_arn: typing.Optional[builtins.str] = None,
         table_bucket_name: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''(experimental) Everything needed to reference a specific table bucket.
+        '''(experimental) A reference to a table bucket outside this stack.
 
         The tableBucketName, region, and account can be provided explicitly
         or will be inferred from the tableBucketArn
 
         :param account: (experimental) The accountId containing this table bucket. Default: account inferred from scope
+        :param encryption_key: (experimental) Optional KMS encryption key associated with this bucket. Default: - undefined
         :param region: (experimental) AWS region this table bucket exists in. Default: region inferred from scope
         :param table_bucket_arn: (experimental) The table bucket's ARN. Default: tableBucketArn constructed from region, account and tableBucketName are provided
         :param table_bucket_name: (experimental) The table bucket name, unique per region. Default: tableBucketName inferred from arn
@@ -703,9 +817,13 @@ class TableBucketAttributes:
             # The code below shows an example of how to instantiate this type.
             # The values are placeholders you should change.
             import aws_cdk.aws_s3tables_alpha as s3tables_alpha
+            from aws_cdk import aws_kms as kms
+            
+            # key: kms.Key
             
             table_bucket_attributes = s3tables_alpha.TableBucketAttributes(
                 account="account",
+                encryption_key=key,
                 region="region",
                 table_bucket_arn="tableBucketArn",
                 table_bucket_name="tableBucketName"
@@ -714,12 +832,15 @@ class TableBucketAttributes:
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__f628073bbee2e81e2162c5225d2230a24b470a8915e2ee4cef917951de644d61)
             check_type(argname="argument account", value=account, expected_type=type_hints["account"])
+            check_type(argname="argument encryption_key", value=encryption_key, expected_type=type_hints["encryption_key"])
             check_type(argname="argument region", value=region, expected_type=type_hints["region"])
             check_type(argname="argument table_bucket_arn", value=table_bucket_arn, expected_type=type_hints["table_bucket_arn"])
             check_type(argname="argument table_bucket_name", value=table_bucket_name, expected_type=type_hints["table_bucket_name"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if account is not None:
             self._values["account"] = account
+        if encryption_key is not None:
+            self._values["encryption_key"] = encryption_key
         if region is not None:
             self._values["region"] = region
         if table_bucket_arn is not None:
@@ -738,6 +859,17 @@ class TableBucketAttributes:
         result = self._values.get("account")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def encryption_key(self) -> typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey]:
+        '''(experimental) Optional KMS encryption key associated with this bucket.
+
+        :default: - undefined
+
+        :stability: experimental
+        '''
+        result = self._values.get("encryption_key")
+        return typing.cast(typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey], result)
+
     @builtins.property
     def region(self) -> typing.Optional[builtins.str]:
         '''(experimental) AWS region this table bucket exists in.
@@ -783,6 +915,44 @@ class TableBucketAttributes:
         )
 
 
+@jsii.enum(jsii_type="@aws-cdk/aws-s3tables-alpha.TableBucketEncryption")
+class TableBucketEncryption(enum.Enum):
+    '''(experimental) Controls Server Side Encryption (SSE) for this TableBucket.
+
+    :stability: experimental
+    :exampleMetadata: infused
+
+    Example::
+
+        # Provide a user defined KMS Key:
+        key = kms.Key(scope, "UserKey")
+        encrypted_bucket = TableBucket(scope, "EncryptedTableBucket",
+            table_bucket_name="table-bucket-1",
+            encryption=TableBucketEncryption.KMS,
+            encryption_key=key
+        )
+        # This account principal will also receive kms:Decrypt access to the KMS key
+        encrypted_bucket.grant_read(iam.AccountPrincipal("123456789012"), "*")
+        
+        # Use S3 managed server side encryption (default)
+        encrypted_bucket_default = TableBucket(scope, "EncryptedTableBucketDefault",
+            table_bucket_name="table-bucket-3",
+            encryption=TableBucketEncryption.S3_MANAGED
+        )
+    '''
+
+    KMS = "KMS"
+    '''(experimental) Use a customer defined KMS key for encryption If ``encryptionKey`` is specified, this key will be used, otherwise, one will be defined.
+
+    :stability: experimental
+    '''
+    S3_MANAGED = "S3_MANAGED"
+    '''(experimental) Use S3 managed encryption keys with AES256 encryption.
+
+    :stability: experimental
+    '''
+
+
 class TableBucketPolicy(
     _aws_cdk_ceddda9d.Resource,
     metaclass=jsii.JSIIMeta,
@@ -846,6 +1016,15 @@ class TableBucketPolicy(
 
         jsii.create(self.__class__, self, [scope, id, props])
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''(experimental) Uniquely identifies this class.
+
+        :stability: experimental
+        '''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="document")
     def document(self) -> _aws_cdk_aws_iam_ceddda9d.PolicyDocument:
@@ -966,6 +1145,8 @@ class TableBucketPolicyProps:
     name_mapping={
         "table_bucket_name": "tableBucketName",
         "account": "account",
+        "encryption": "encryption",
+        "encryption_key": "encryptionKey",
         "region": "region",
         "removal_policy": "removalPolicy",
         "unreferenced_file_removal": "unreferencedFileRemoval",
@@ -977,6 +1158,8 @@ class TableBucketProps:
         *,
         table_bucket_name: builtins.str,
         account: typing.Optional[builtins.str] = None,
+        encryption: typing.Optional[TableBucketEncryption] = None,
+        encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
         region: typing.Optional[builtins.str] = None,
         removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
         unreferenced_file_removal: typing.Optional[typing.Union["UnreferencedFileRemoval", typing.Dict[builtins.str, typing.Any]]] = None,
@@ -985,6 +1168,8 @@ class TableBucketProps:
 
         :param table_bucket_name: (experimental) Name of the S3 TableBucket.
         :param account: (experimental) AWS Account ID of the table bucket owner. Default: - it's assumed the bucket belongs to the same account as the scope it's being imported into
+        :param encryption: (experimental) The kind of server-side encryption to apply to this bucket. If you choose KMS, you can specify a KMS key via ``encryptionKey``. If encryption key is not specified, a key will automatically be created. Default: - ``KMS`` if ``encryptionKey`` is specified, or ``S3_MANAGED`` otherwise.
+        :param encryption_key: (experimental) External KMS key to use for bucket encryption. The ``encryption`` property must be either not specified or set to ``KMS``. An error will be emitted if ``encryption`` is set to ``S3_MANAGED``. Default: - If ``encryption`` is set to ``KMS`` and this property is undefined, a new KMS key will be created and associated with this bucket.
         :param region: (experimental) AWS region that the table bucket exists in. Default: - it's assumed the bucket is in the same region as the scope it's being imported into
         :param removal_policy: (experimental) Controls what happens to this table bucket it it stoped being managed by cloudformation. Default: RETAIN
         :param unreferenced_file_removal: (experimental) Unreferenced file removal settings for the S3 TableBucket. Default: Enabled with default values
@@ -1011,6 +1196,8 @@ class TableBucketProps:
             type_hints = typing.get_type_hints(_typecheckingstub__aa14ccf904c2576c446af7122d6335d3a92b012274a231120ab28c942832368b)
             check_type(argname="argument table_bucket_name", value=table_bucket_name, expected_type=type_hints["table_bucket_name"])
             check_type(argname="argument account", value=account, expected_type=type_hints["account"])
+            check_type(argname="argument encryption", value=encryption, expected_type=type_hints["encryption"])
+            check_type(argname="argument encryption_key", value=encryption_key, expected_type=type_hints["encryption_key"])
             check_type(argname="argument region", value=region, expected_type=type_hints["region"])
             check_type(argname="argument removal_policy", value=removal_policy, expected_type=type_hints["removal_policy"])
             check_type(argname="argument unreferenced_file_removal", value=unreferenced_file_removal, expected_type=type_hints["unreferenced_file_removal"])
@@ -1019,6 +1206,10 @@ class TableBucketProps:
         }
         if account is not None:
             self._values["account"] = account
+        if encryption is not None:
+            self._values["encryption"] = encryption
+        if encryption_key is not None:
+            self._values["encryption_key"] = encryption_key
         if region is not None:
             self._values["region"] = region
         if removal_policy is not None:
@@ -1048,6 +1239,37 @@ class TableBucketProps:
         result = self._values.get("account")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def encryption(self) -> typing.Optional[TableBucketEncryption]:
+        '''(experimental) The kind of server-side encryption to apply to this bucket.
+
+        If you choose KMS, you can specify a KMS key via ``encryptionKey``. If
+        encryption key is not specified, a key will automatically be created.
+
+        :default: - ``KMS`` if ``encryptionKey`` is specified, or ``S3_MANAGED`` otherwise.
+
+        :stability: experimental
+        '''
+        result = self._values.get("encryption")
+        return typing.cast(typing.Optional[TableBucketEncryption], result)
+
+    @builtins.property
+    def encryption_key(self) -> typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey]:
+        '''(experimental) External KMS key to use for bucket encryption.
+
+        The ``encryption`` property must be either not specified or set to ``KMS``.
+        An error will be emitted if ``encryption`` is set to ``S3_MANAGED``.
+
+        :default:
+
+        - If ``encryption`` is set to ``KMS`` and this property is undefined,
+        a new KMS key will be created and associated with this bucket.
+
+        :stability: experimental
+        '''
+        result = self._values.get("encryption_key")
+        return typing.cast(typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey], result)
+
     @builtins.property
     def region(self) -> typing.Optional[builtins.str]:
         '''(experimental) AWS region that the table bucket exists in.
@@ -1238,6 +1460,7 @@ __all__ = [
     "ITableBucket",
     "TableBucket",
     "TableBucketAttributes",
+    "TableBucketEncryption",
     "TableBucketPolicy",
     "TableBucketPolicyProps",
     "TableBucketProps",
@@ -1280,6 +1503,8 @@ def _typecheckingstub__c8d9c0bf5c954c2a6797301b7dc6cb8abd812336f3507addc92f72b80
     *,
     table_bucket_name: builtins.str,
     account: typing.Optional[builtins.str] = None,
+    encryption: typing.Optional[TableBucketEncryption] = None,
+    encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
     region: typing.Optional[builtins.str] = None,
     removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
     unreferenced_file_removal: typing.Optional[typing.Union[UnreferencedFileRemoval, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -1300,6 +1525,7 @@ def _typecheckingstub__6fd93d11fc9c336a7e785b6aaa945ba1d55d75eb3748b03a2030b08e3
     id: builtins.str,
     *,
     account: typing.Optional[builtins.str] = None,
+    encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
     region: typing.Optional[builtins.str] = None,
     table_bucket_arn: typing.Optional[builtins.str] = None,
     table_bucket_name: typing.Optional[builtins.str] = None,
@@ -1349,6 +1575,7 @@ def _typecheckingstub__ddda0c30ebb465614a7378f709964b48c9f175013aa1ed12f0ea7c121
 def _typecheckingstub__f628073bbee2e81e2162c5225d2230a24b470a8915e2ee4cef917951de644d61(
     *,
     account: typing.Optional[builtins.str] = None,
+    encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
     region: typing.Optional[builtins.str] = None,
     table_bucket_arn: typing.Optional[builtins.str] = None,
     table_bucket_name: typing.Optional[builtins.str] = None,
@@ -1380,6 +1607,8 @@ def _typecheckingstub__aa14ccf904c2576c446af7122d6335d3a92b012274a231120ab28c942
     *,
     table_bucket_name: builtins.str,
     account: typing.Optional[builtins.str] = None,
+    encryption: typing.Optional[TableBucketEncryption] = None,
+    encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
     region: typing.Optional[builtins.str] = None,
     removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
     unreferenced_file_removal: typing.Optional[typing.Union[UnreferencedFileRemoval, typing.Dict[builtins.str, typing.Any]]] = None,

aws_cdk/aws_s3tables_alpha/_jsii/__init__.py

@@ -33,9 +33,9 @@ import constructs._jsii
 
 __jsii_assembly__ = jsii.JSIIAssembly.load(
     "@aws-cdk/aws-s3tables-alpha",
-    "2.195.0-alpha.0",
+    "2.196.1-alpha.0",
     __name__[0:-6],
-    "aws-s3tables-alpha@2.195.0-alpha.0.jsii.tgz",
+    "aws-s3tables-alpha@2.196.1-alpha.0.jsii.tgz",
 )
 
 __all__ = [

{aws_cdk_aws_s3tables_alpha-2.195.0a0.dist-info → aws_cdk_aws_s3tables_alpha-2.196.1a0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: aws-cdk.aws-s3tables-alpha
-Version: 2.195.0a0
+Version: 2.196.1a0
 Summary: CDK Constructs for S3 Tables
 Home-page: https://github.com/aws/aws-cdk
 Author: Amazon Web Services
@@ -22,9 +22,9 @@ Requires-Python: ~=3.9
 Description-Content-Type: text/markdown
 License-File: LICENSE
 License-File: NOTICE
-Requires-Dist: aws-cdk-lib<3.0.0,>=2.195.0
+Requires-Dist: aws-cdk-lib<3.0.0,>=2.196.1
 Requires-Dist: constructs<11.0.0,>=10.0.0
-Requires-Dist: jsii<2.0.0,>=1.110.0
+Requires-Dist: jsii<2.0.0,>=1.112.0
 Requires-Dist: publication>=0.0.3
 Requires-Dist: typeguard<4.3.0,>=2.13.3
 
@@ -75,9 +75,11 @@ Learn more about table buckets maintenance operations and default behavior from
 # Grant the principal read permissions to the bucket and all tables within
 account_id = "123456789012"
 table_bucket.grant_read(iam.AccountPrincipal(account_id), "*")
+
 # Grant the role write permissions to the bucket and all tables within
 role = iam.Role(stack, "MyRole", assumed_by=iam.ServicePrincipal("sample"))
 table_bucket.grant_write(role, "*")
+
 # Grant the user read and write permissions to the bucket and all tables within
 table_bucket.grant_read_write(iam.User(stack, "MyUser"), "*")
 
@@ -96,6 +98,42 @@ permissions = iam.PolicyStatement(
 table_bucket.add_to_resource_policy(permissions)
 ```
 
+### Controlling Table Bucket Encryption Settings
+
+S3 TableBuckets have SSE (server-side encryption with AES-256) enabled by default with S3 managed keys.
+You can also bring your own KMS key for KMS-SSE or have S3 create a KMS key for you.
+
+If a bucket is encrypted with KMS, grant functions on the bucket will also grant access
+to the TableBucket's associated KMS key.
+
+```python
+# Provide a user defined KMS Key:
+key = kms.Key(scope, "UserKey")
+encrypted_bucket = TableBucket(scope, "EncryptedTableBucket",
+    table_bucket_name="table-bucket-1",
+    encryption=TableBucketEncryption.KMS,
+    encryption_key=key
+)
+# This account principal will also receive kms:Decrypt access to the KMS key
+encrypted_bucket.grant_read(iam.AccountPrincipal("123456789012"), "*")
+
+# Use S3 managed server side encryption (default)
+encrypted_bucket_default = TableBucket(scope, "EncryptedTableBucketDefault",
+    table_bucket_name="table-bucket-3",
+    encryption=TableBucketEncryption.S3_MANAGED
+)
+```
+
+When using KMS encryption (`TableBucketEncryption.KMS`), if no encryption key is provided, CDK will automatically create a new KMS key for the table bucket with necessary permissions.
+
+```python
+# If no key is provided, one will be created automatically
+encrypted_bucket_auto = TableBucket(scope, "EncryptedTableBucketAuto",
+    table_bucket_name="table-bucket-2",
+    encryption=TableBucketEncryption.KMS
+)
+```
+
 ## Coming Soon
 
 L2 Construct support for:

aws_cdk_aws_s3tables_alpha-2.196.1a0.dist-info/RECORD

@@ -0,0 +1,10 @@
+aws_cdk/aws_s3tables_alpha/__init__.py,sha256=vwIKJGF7Et8gRl1mS7SmWoVieAyIAzQyLhXMhLbi3Pk,69799
+aws_cdk/aws_s3tables_alpha/py.typed,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
+aws_cdk/aws_s3tables_alpha/_jsii/__init__.py,sha256=lbWi1wQesDsYF6RBOb8V0gNDX8CBpkXl7z7vOYFEsrU,1489
+aws_cdk/aws_s3tables_alpha/_jsii/aws-s3tables-alpha@2.196.1-alpha.0.jsii.tgz,sha256=r_t1e_99S1JrUZqXzE_XwpggRS5_73zCqNxZijLSKJA,57144
+aws_cdk_aws_s3tables_alpha-2.196.1a0.dist-info/LICENSE,sha256=y47tc38H0C4DpGljYUZDl8XxidQjNxxGLq-K4jwv6Xc,11391
+aws_cdk_aws_s3tables_alpha-2.196.1a0.dist-info/METADATA,sha256=SM3ASunjrbFhLixlBjiHxm-n-tZMH7cISfh9WWzKJuQ,5137
+aws_cdk_aws_s3tables_alpha-2.196.1a0.dist-info/NOTICE,sha256=ZDV6_xBfMvhFtjjBh_f6lJjhZ2AEWWAGGkx2kLKHiuc,113
+aws_cdk_aws_s3tables_alpha-2.196.1a0.dist-info/WHEEL,sha256=iAkIy5fosb7FzIOwONchHf19Qu7_1wCWyFNR5gu9nU0,91
+aws_cdk_aws_s3tables_alpha-2.196.1a0.dist-info/top_level.txt,sha256=1TALAKbuUGsMSrfKWEf268lySCmcqSEO6cDYe_XlLHM,8
+aws_cdk_aws_s3tables_alpha-2.196.1a0.dist-info/RECORD,,

aws_cdk_aws_s3tables_alpha-2.195.0a0.dist-info/RECORD

@@ -1,10 +0,0 @@
-aws_cdk/aws_s3tables_alpha/__init__.py,sha256=A-ai-uyFjsTBdeU1TKRi5wFQiJTDyRcP6Dk7Xslr4lY,58825
-aws_cdk/aws_s3tables_alpha/py.typed,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
-aws_cdk/aws_s3tables_alpha/_jsii/__init__.py,sha256=sMtJf_JXFlKRczYIYqJpo8Y-uJbwXQnE4cozWhSR8dU,1489
-aws_cdk/aws_s3tables_alpha/_jsii/aws-s3tables-alpha@2.195.0-alpha.0.jsii.tgz,sha256=1vm-5U1l8PtUml4oRpKoXGGKulGeIFaYwlHrp6GnlPw,46903
-aws_cdk_aws_s3tables_alpha-2.195.0a0.dist-info/LICENSE,sha256=y47tc38H0C4DpGljYUZDl8XxidQjNxxGLq-K4jwv6Xc,11391
-aws_cdk_aws_s3tables_alpha-2.195.0a0.dist-info/METADATA,sha256=wGrSLvjwz0rR5GYh5t76UnxuPQ168NmT0weQdaQngsY,3736
-aws_cdk_aws_s3tables_alpha-2.195.0a0.dist-info/NOTICE,sha256=ZDV6_xBfMvhFtjjBh_f6lJjhZ2AEWWAGGkx2kLKHiuc,113
-aws_cdk_aws_s3tables_alpha-2.195.0a0.dist-info/WHEEL,sha256=iAkIy5fosb7FzIOwONchHf19Qu7_1wCWyFNR5gu9nU0,91
-aws_cdk_aws_s3tables_alpha-2.195.0a0.dist-info/top_level.txt,sha256=1TALAKbuUGsMSrfKWEf268lySCmcqSEO6cDYe_XlLHM,8
-aws_cdk_aws_s3tables_alpha-2.195.0a0.dist-info/RECORD,,