in lib/s3_bucket_zones_stack.py [0:0]
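def create_access_logs_bucket(self, logical_id, bucket_name, s3_kms_key) -> s3.Bucket:
    """
    Creates an Amazon S3 bucket to store S3 server access logs.
    The bucket blocks all public access, is versioned, is retained on stack deletion,
    and uses SSE-KMS with the provided key (with the S3 Bucket Key feature enabled).
    With ``enforce_ssl`` set, CDK attaches a bucket policy that denies requests
    not made over TLS, which is the guardrail this helper relies on.
    @param logical_id str: The logical id to apply to the bucket
    @param bucket_name str: The name for the bucket resource
    @param s3_kms_key kms.Key: The KMS Key to use for encryption of data at rest
    @return: The bucket that was created
    """
    # NOTE(review): S3 server access log delivery to a target bucket whose default
    # encryption is SSE-KMS may not be supported by the log delivery service;
    # confirm against the current AWS documentation before using this bucket as
    # a server-access-log target.
    return s3.Bucket(
        self,
        id=logical_id,
        # LOG_DELIVERY_WRITE is the canned ACL for the S3 log delivery group;
        # BUCKET_OWNER_PREFERRED keeps ACLs enabled so that grant can take effect.
        access_control=s3.BucketAccessControl.LOG_DELIVERY_WRITE,
        block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
        bucket_key_enabled=True,
        bucket_name=bucket_name,
        encryption=s3.BucketEncryption.KMS,
        encryption_key=s3_kms_key,
        # Adds a bucket policy statement denying requests where aws:SecureTransport is false.
        enforce_ssl=True,
        public_read_access=False,
        # Retain the log history even if the stack is torn down.
        removal_policy=cdk.RemovalPolicy.RETAIN,
        versioned=True,
        object_ownership=s3.ObjectOwnership.BUCKET_OWNER_PREFERRED,
    )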