in Gems/AWSCore/cdk/example/example_resources_stack.py [0:0]
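def __create_s3_bucket(self) -> s3.Bucket:
    """Create the example S3 bucket and deploy the sample content into it.

    The bucket follows the S3 security best practices documented at
    https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html:
    1. Block all public access to the bucket.
    2. Encrypt at rest with SSE-S3 (other options:
       https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html).
    3. Enable server access logging into the imported logs bucket (see
       https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html).
    4. Require TLS for every request (``enforce_ssl``), so data is protected
       in transit as well as at rest.

    CDK context keys read from ``self.node``:
    - ``disable_access_log``: set to ``'true'`` to skip access logging; any
      other value, including an unset key, keeps logging on.
    - ``remove_all_storage_on_destroy``: set to ``'true'`` to destroy the
      bucket and its objects when the stack is deleted; otherwise the bucket
      is retained.

    Returns:
        The created example bucket.
    """
    # Access logging is on unless the context explicitly opts out. The logs
    # bucket is resolved from the cross-stack export
    # "<project>:ServerAccessLogsBucket"; the prefix is only set when the
    # logs bucket is, since one without the other is meaningless.
    access_logs_bucket = None
    access_logs_prefix = None
    if self.node.try_get_context('disable_access_log') != 'true':
        access_logs_bucket = s3.Bucket.from_bucket_name(
            self,
            f'{self._project_name}-{self._feature_name}-ImportedAccessLogsBucket',
            Fn.import_value(f"{self._project_name}:ServerAccessLogsBucket")
        )
        access_logs_prefix = f'{self._project_name}-{self._feature_name}-{self.region}-AccessLogs'

    # Auto cleanup bucket and data if requested; otherwise retain the bucket
    # on destroy so stored data outlives the stack.
    remove_storage = self.node.try_get_context('remove_all_storage_on_destroy') == 'true'
    removal_policy = RemovalPolicy.DESTROY if remove_storage else RemovalPolicy.RETAIN

    example_bucket = s3.Bucket(
        self,
        f'{self._project_name}-{self._feature_name}-Example-S3bucket',
        auto_delete_objects=remove_storage,
        block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
        encryption=s3.BucketEncryption.S3_MANAGED,
        # Adds a bucket policy denying non-TLS requests; the linked
        # best-practices page calls for encryption in transit too.
        enforce_ssl=True,
        removal_policy=removal_policy,
        server_access_logs_bucket=access_logs_bucket,
        server_access_logs_prefix=access_logs_prefix
    )

    # Deploy the sample content. retain_on_delete=False removes the deployed
    # objects when the deployment resource goes away, even when the bucket
    # itself is retained by its removal policy.
    s3_deployment.BucketDeployment(
        self,
        f'{self._project_name}-{self._feature_name}-S3bucket-Deployment',
        destination_bucket=example_bucket,
        sources=[
            s3_deployment.Source.asset('example/s3_content')
        ],
        retain_on_delete=False
    )
    return example_bucket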