AWS CDK: How to create a private S3 Bucket

In this post we create and configure a secure S3 Bucket with privacy options using the AWS CDK v2.

See an example L2 construct on GitHub

AWS Simple Storage Service (S3) buckets are a very popular choice for storing data as objects. Unfortunately, misconfigured AWS S3 buckets are often to blame for easily preventable security failures.

The problem is that by default AWS S3 buckets are open to the whole world. In almost all cases this is not what you want.

To initialize a private and secure AWS S3 Bucket with the AWS CDK v2 the bucket needs to be configured like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14


import * as aws_s3 from "aws-cdk-lib/aws-s3";
import { Stack } from "aws-cdk-lib";

const scope = new Stack();

// initialize S3 Bucket with privacy options
new aws_s3.Bucket(scope, "Bucket", {
  encryption: aws_s3.BucketEncryption.S3_MANAGED,
  blockPublicAccess: aws_s3.BlockPublicAccess.BLOCK_ALL,
  enforceSSL: true,
  versioning: true,
  accessControl: aws_s3.BucketAccessControl.LOG_DELIVERY_WRITE,
  serverAccessLogsPrefix: "access_logs",
});

This configuration

encrypts the bucket and contents,
blocks public access,
connects to the bucket by using Secure Socket Layer/Transport Layer Security (SSL/TLS),
enables bucket versioning (optional, to avoid accidental deletion and overwrite),
and enables access logging (optional, for auditing).

Our data is now protected at rest (while it is stored on disks in Amazon S3 data centers) and in-transit (as it travels to and from Amazon S3).

Copying and pasting this code every time you create a new S3 bucket is tedious. We therefor provide the popular Private Bucket AWS CDK construct to create an S3 Bucket with the essential security pre-sets mentioned above. You can use this with the AWS CDK in TypeScript, Python, C#/.Net and Java.