GlobalConfig / LoggingConfig / AccessLogBucketConfig

Accelerator global S3 access logging configuration

Example

accessLogBucket:
  enable: true
  deploymentTargets:
    organizationalUnits:
      - Root
  s3ResourcePolicyAttachments:
    - policy: s3-policies/policy1.json
  lifecycleRules:
    - enabled: true
      id: AccessLifecycle-01
      abortIncompleteMultipartUpload: 14
      expiration: 3563
      expiredObjectDeleteMarker: false
      noncurrentVersionExpiration: 3653
      noncurrentVersionTransitions:
        - storageClass: GLACIER
          transitionAfter: 365
      transitions:
        - storageClass: GLACIER
          transitionAfter: 365
      prefix: PREFIX
    - enabled: true
      id: AccessLifecycle-02
      abortIncompleteMultipartUpload: 14
      expiredObjectDeleteMarker: true
      noncurrentVersionExpiration: 3653
      noncurrentVersionTransitions:
        - storageClass: GLACIER
          transitionAfter: 365
      transitions:
        - storageClass: GLACIER
          transitionAfter: 365
      prefix: PREFIX
  importedBucket:
    name: existing-access-log-bucket
    applyAcceleratorManagedBucketPolicy: true

Properties

customPolicyOverrides: undefined | CustomS3ResourcePolicyOverridesConfig = undefined

Custom policy overrides configuration.

Remarks

Use this configuration to provide a JSON policy file for the bucket resource policy. The bucket resource policy will be overwritten by the content of this file, so when using this option the policy file must contain a complete policy document. When customPolicyOverrides.s3Policy is defined, importedBucket.applyAcceleratorManagedBucketPolicy cannot be set to true and the s3ResourcePolicyAttachments property cannot be defined.

Use the following configuration to apply custom bucket resource policy overrides through a policy JSON file.

customPolicyOverrides:
  s3Policy: path/to/policy.json

Default

undefined

deploymentTargets: undefined | DeploymentTargets = undefined

To control the target environments (AWS account and Region) for the given accessLogBucket setting, you may optionally specify deployment targets. Leaving deploymentTargets undefined applies this setting to all accounts and enabled regions.

enable: undefined | boolean = undefined

Flag indicating whether the S3 access logging bucket is enabled by the solution.

Remarks

When this property is undefined, the solution creates the S3 access log bucket. You can use deploymentTargets to control the target accounts and regions for the given accessLogBucket configuration. The solution ignores this property for the installer bucket, pipeline bucket, solution-deployed CentralLogs bucket, and solution-deployed Assets bucket: S3 access log buckets are always created for them, because these buckets always have server access logging enabled.

importedBucket: undefined | ImportedS3ManagedEncryptionKeyBucketConfig = undefined

Imported bucket configuration.

Remarks

Use this configuration when the accelerator will import an existing AccessLogs bucket.

Use the following configuration to import an AccessLogs bucket and manage its bucket resource policy through the solution.

importedBucket:
  name: existing-access-log-bucket
  applyAcceleratorManagedBucketPolicy: true

Default

undefined

lifecycleRules: undefined | LifeCycleRule[] = undefined

Declaration of (S3 Bucket) Lifecycle rules.

s3ResourcePolicyAttachments: undefined | {
    policy: string;
}[] = undefined

JSON policy files.

Remarks

Policy statements from these files will be added to the bucket resource policy. This property cannot be used when the customPolicyOverrides.s3Policy property has a value.

Note: When Block Public Access is enabled for S3 on the AWS account, you can't specify a policy that would make the S3 Bucket public.
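
The exclusions stated in the customPolicyOverrides and s3ResourcePolicyAttachments remarks, and the note on public policies, can be checked before deployment. The TypeScript lint below is an added example, not the solution's own validation code; the name lintAccessLogBucket, the in-memory policies map, and the public-access heuristic are assumptions made for illustration.

```typescript
// Added example: hypothetical pre-deployment lint, not the accelerator's own validation.
interface AccessLogBucket {
  customPolicyOverrides?: { s3Policy?: string };
  importedBucket?: { name: string; applyAcceleratorManagedBucketPolicy?: boolean };
  s3ResourcePolicyAttachments?: { policy: string }[];
}

// policies maps a policy file path to its contents, so the check needs no disk access.
function lintAccessLogBucket(cfg: AccessLogBucket, policies: Record<string, string>): string[] {
  const findings: string[] = [];
  const override = cfg.customPolicyOverrides?.s3Policy;
  if (override !== undefined) {
    if (cfg.importedBucket?.applyAcceleratorManagedBucketPolicy === true)
      findings.push("s3Policy override set with importedBucket.applyAcceleratorManagedBucketPolicy: true");
    if (cfg.s3ResourcePolicyAttachments !== undefined)
      findings.push("s3Policy override set together with s3ResourcePolicyAttachments");
  }
  const files = [override, ...(cfg.s3ResourcePolicyAttachments ?? []).map(a => a.policy)];
  for (const file of files) {
    if (file === undefined) continue;
    let doc: any;
    try { doc = JSON.parse(policies[file] ?? ""); }
    catch { findings.push(`${file}: missing or not valid JSON`); continue; }
    const stmts: any[] = Array.isArray(doc?.Statement) ? doc.Statement : doc?.Statement ? [doc.Statement] : [];
    // The override replaces the whole bucket policy, so it must be a complete document.
    if (file === override && (!doc?.Version || stmts.length === 0))
      findings.push(`${file}: override is not a complete policy document`);
    // Simplified heuristic (assumption): Allow for any principal with no Condition reads as public.
    for (const s of stmts) {
      const anyone = s?.Principal === "*" || s?.Principal?.AWS === "*";
      if (s?.Effect === "Allow" && anyone && !s?.Condition)
        findings.push(`${file}: statement allows any principal without a Condition`);
    }
  }
  return findings;
}

// Constructed sample: the override is combined with both settings it excludes,
// and the override file has an empty Statement list.
const sample: AccessLogBucket = {
  customPolicyOverrides: { s3Policy: "path/to/policy.json" },
  importedBucket: { name: "existing-access-log-bucket", applyAcceleratorManagedBucketPolicy: true },
  s3ResourcePolicyAttachments: [{ policy: "s3-policies/policy1.json" }],
};
const samplePolicies = {
  "path/to/policy.json": '{"Version":"2012-10-17","Statement":[]}',
  "s3-policies/policy1.json": '{"Statement":[{"Effect":"Deny","Principal":"*","Action":"s3:*"}]}',
};
console.log(lintAccessLogBucket(sample, samplePolicies));
```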
