diff --git a/packages/@aws-cdk/aws-s3/lib/bucket.ts b/packages/@aws-cdk/aws-s3/lib/bucket.ts
index 2f9c8a04ba6f9..ad09adace9bad 100644
--- a/packages/@aws-cdk/aws-s3/lib/bucket.ts
+++ b/packages/@aws-cdk/aws-s3/lib/bucket.ts
@@ -796,6 +796,13 @@ export interface BucketProps {
 */
 readonly websiteRedirect?: RedirectTarget;
 
+ /**
+ * Specifies a canned ACL that grants predefined permissions to the bucket.
+ *
+ * @default BucketAccessControl.PRIVATE
+ */
+ readonly accessControl?: BucketAccessControl;
+
 /**
 * Grants public read access to all objects in the bucket.
 * Similar to calling `bucket.grantPublicAccess()`
@@ -933,7 +940,8 @@ export class Bucket extends BucketBase {
 websiteConfiguration: this.renderWebsiteConfiguration(props),
 publicAccessBlockConfiguration: props.blockPublicAccess,
 metricsConfigurations: Lazy.anyValue({ produce: () => this.parseMetricConfiguration() }),
- corsConfiguration: Lazy.anyValue({ produce: () => this.parseCorsConfiguration() })
+ corsConfiguration: Lazy.anyValue({ produce: () => this.parseCorsConfiguration() }),
+ accessControl: props.accessControl,
 });
 resource.applyRemovalPolicy(props.removalPolicy);
 
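Review bot: The new `accessControl` doc comment says nothing about how a public canned ACL interacts with the neighbouring `blockPublicAccess` and `publicReadAccess` props, although the same BucketProps carries all three and the CfnBucket hunk at -933 forwards `props.accessControl` unchanged. As far as I know S3 rejects a public canned ACL at bucket creation when the public access block has BlockPublicAcls enabled, so the stack fails to deploy rather than quietly producing a public bucket; that is worth confirming against current S3 behaviour and then stating here, because the comment next to it already points users at `bucket.grantPublicAccess()` as the policy-based route. Suggested line for the doc block: `* Public canned ACLs (PUBLIC_READ, PUBLIC_READ_WRITE, AUTHENTICATED_READ) conflict with blockPublicAccess; prefer publicReadAccess or grantPublicAccess(), which use a bucket policy instead.` The enclosing BucketProps interface starts and ends outside the hunk.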
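Review bot: `accessControl: props.accessControl` in the -933 hunk goes into the CfnBucket with no synth-time validation, even though the enum added further down documents that BUCKET_OWNER_READ and BUCKET_OWNER_FULL_CONTROL are ignored by S3 when set on a bucket; a caller who selects one of those gets a template that deploys cleanly and a bucket whose ACL presumably stays at the default, with nothing telling them so. Rejecting those two values in the constructor, before the CfnBucket is built, turns the silent no-op into a synth error: `if (props.accessControl === BucketAccessControl.BUCKET_OWNER_READ || props.accessControl === BucketAccessControl.BUCKET_OWNER_FULL_CONTROL) {` / `  throw new Error(\`accessControl '${props.accessControl}' is an object-level canned ACL and has no effect on a bucket\`);` / `}`. The Bucket constructor begins before this hunk, so the check would sit above the shown lines.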
@@ -1426,6 +1434,57 @@ export interface OnCloudTrailBucketEventOptions extends events.OnEventOptions {
 readonly paths?: string[];
 }
 
+/**
+ * Default bucket access control types.
+ *
+ * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html
+ */
+export enum BucketAccessControl {
+ /**
+ * Owner gets FULL_CONTROL. No one else has access rights.
+ */
+ PRIVATE = 'Private',
+
+ /**
+ * Owner gets FULL_CONTROL. The AllUsers group gets READ access.
+ */
+ PUBLIC_READ = 'PublicRead',
+
+ /**
+ * Owner gets FULL_CONTROL. The AllUsers group gets READ and WRITE access.
+ * Granting this on a bucket is generally not recommended.
+ */
+ PUBLIC_READ_WRITE = 'PublicReadWrite',
+
+ /**
+ * Owner gets FULL_CONTROL. The AuthenticatedUsers group gets READ access.
+ */
+ AUTHENTICATED_READ = 'AuthenticatedRead',
+
+ /**
+ * The LogDelivery group gets WRITE and READ_ACP permissions on the bucket.
+ * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
+ */
+ LOG_DELIVERY_WRITE = 'LogDeliveryWrite',
+
+ /**
+ * Object owner gets FULL_CONTROL. Bucket owner gets READ access.
+ * If you specify this canned ACL when creating a bucket, Amazon S3 ignores it.
+ */
+ BUCKET_OWNER_READ = 'BucketOwnerRead',
+
+ /**
+ * Both the object owner and the bucket owner get FULL_CONTROL over the object.
+ * If you specify this canned ACL when creating a bucket, Amazon S3 ignores it.
+ */
+ BUCKET_OWNER_FULL_CONTROL = 'BucketOwnerFullControl',
+
+ /**
+ * Owner gets FULL_CONTROL. Amazon EC2 gets READ access to GET an Amazon Machine Image (AMI) bundle from Amazon S3.
+ */
+ AWS_EXEC_READ = 'AwsExecRead',
+}
+
 function mapOrUndefined(list: T[] | undefined, callback: (element: T) => U): U[] | undefined {
 if (!list || list.length === 0) {
 return undefined;
diff --git a/packages/@aws-cdk/aws-s3/test/test.bucket.ts b/packages/@aws-cdk/aws-s3/test/test.bucket.ts
index 6224fa57416ff..a1c23a77c9024 100644
--- a/packages/@aws-cdk/aws-s3/test/test.bucket.ts
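Review bot: The AUTHENTICATED_READ doc comment names the AuthenticatedUsers group without saying who is in it, and readers regularly take that to mean accounts belonging to the bucket owner; it actually covers any authenticated AWS account, which makes the grant effectively public, and the PUBLIC_READ comment likewise never says that AllUsers includes anonymous requests. Suggest adding `* AuthenticatedUsers means any AWS account holder, not only the bucket owner's account; treat this as a public grant.` under AUTHENTICATED_READ and `* AllUsers includes unauthenticated (anonymous) requests.` under PUBLIC_READ. It would also be consistent to carry the "generally not recommended" wording already used on PUBLIC_READ_WRITE onto these two members.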
+++ b/packages/@aws-cdk/aws-s3/test/test.bucket.ts
@@ -432,6 +432,27 @@ export = {
 test.done();
 },
 
+ 'bucket with custom canned access control'(test: Test) {
+ const stack = new cdk.Stack();
+ new s3.Bucket(stack, 'MyBucket', {
+ accessControl: s3.BucketAccessControl.LOG_DELIVERY_WRITE
+ });
+
+ expect(stack).toMatch({
+ "Resources": {
+ "MyBucketF68F3FF0": {
+ "Type": "AWS::S3::Bucket",
+ "Properties": {
+ "AccessControl": "LogDeliveryWrite"
+ },
+ "DeletionPolicy": "Retain",
+ "UpdateReplacePolicy": "Retain",
+ }
+ }
+ });
+ test.done();
+ },
+
 'permissions': {
 'addPermission creates a bucket policy'(test: Test) {