Skip to main content

Aws/s3

@swamp/aws/s3v2026.06.18.1· 18d agoMODELS
01README

AWS S3 infrastructure models

02Release Notes
  • Updated: bucket
03Models10
access_grant.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
AccessGrantsLocationIdstringThe custom S3 location to be accessed by the grantee
Tags?array
PermissionenumThe level of access to be afforded to the grantee
ApplicationArn?stringThe ARN of the application grantees will use to access the location
S3PrefixType?enumThe type of S3SubPrefix.
GranteeobjectConfigures the transfer acceleration state for an Amazon S3 bucket.
AccessGrantsLocationConfiguration?objectThe S3 sub prefix of a registered location in your S3 Access Grants instance
fn create()
Create a S3 AccessGrant
fn get(identifier: string)
Get a S3 AccessGrant
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 AccessGrant
fn update()
Update a S3 AccessGrant
fn delete(identifier: string)
Delete a S3 AccessGrant
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 AccessGrant
fn sync()
Sync S3 AccessGrant state from AWS
access_grants_instance.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
IdentityCenterArn?stringThe Amazon Resource Name (ARN) of the specified AWS Identity Center.
Tags?array
fn create()
Create a S3 AccessGrantsInstance
fn get(identifier: string)
Get a S3 AccessGrantsInstance
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 AccessGrantsInstance
fn update()
Update a S3 AccessGrantsInstance
fn delete(identifier: string)
Delete a S3 AccessGrantsInstance
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 AccessGrantsInstance
fn sync()
Sync S3 AccessGrantsInstance state from AWS
access_grants_location.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
IamRoleArnstringThe Amazon Resource Name (ARN) of the access grant location's associated IAM role.
LocationScopestringDescriptor for where the location actually points
Tags?array
fn create()
Create a S3 AccessGrantsLocation
fn get(identifier: string)
Get a S3 AccessGrantsLocation
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 AccessGrantsLocation
fn update()
Update a S3 AccessGrantsLocation
fn delete(identifier: string)
Delete a S3 AccessGrantsLocation
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 AccessGrantsLocation
fn sync()
Sync S3 AccessGrantsLocation state from AWS
access_point.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
Name?stringThe name you want to assign to this Access Point. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the access point name.
BucketstringThe name of the bucket that you want to associate this Access Point with.
BucketAccountId?stringThe AWS account ID associated with the S3 bucket associated with this access point.
VpcConfiguration?objectIf this field is specified, this access point will only allow connections from the specified VPC ID.
PublicAccessBlockConfiguration?objectSpecifies whether Amazon S3 should block public access control lists (ACLs) for buckets in this account. Setting this element to TRUE causes the following behavior: - PUT Bucket acl and PUT Object acl calls fail if the specified ACL is public. - PUT Object calls fail if the request includes a public ACL.. - PUT Bucket calls fail if the request includes a public ACL. Enabling this setting doesn't affect existing policies or ACLs.
Policy?recordThe Access Point Policy you want to apply to this access point.
Tags?arrayAn arbitrary set of tags (key-value pairs) for this S3 Access Point.
fn create()
Create a S3 AccessPoint
fn get(identifier: string)
Get a S3 AccessPoint
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 AccessPoint
fn update()
Update a S3 AccessPoint
fn delete(identifier: string)
Delete a S3 AccessPoint
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 AccessPoint
fn sync()
Sync S3 AccessPoint state from AWS
bucket.tsv2026.06.18.1

Global Arguments

ArgumentTypeDescription
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
AccelerateConfiguration?objectSpecifies the transfer acceleration status of the bucket.
AccessControl?enumThis is a legacy property, and it is not recommended for most use cases. A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see [Controlling object ownership](https://docs.aws.amazon.com//AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon S3 User Guide*. A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide*. S3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the [AWS::S3::OwnershipControls](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html) property to enable ACLs, your resource will fail to deploy with any value other than Private. Use cases requiring ACLs are uncommon. The majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see [AWS::S3::BucketPolicy](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html). For examples of common policy configurations, including S3 Server Access Logs buckets and more, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) in the *Amazon S3 User Guide*.
AnalyticsConfigurations?arraySpecifies the configuration and any analyses for the analytics filter of an Amazon S3 bucket.
BucketEncryption?objectSpecifies the default server-side-encryption configuration.
BucketName?stringA name for the bucket. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-) and must follow [Amazon S3 bucket restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html). For more information, see [Rules for naming Amazon S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html) in the *Amazon S3 User Guide*. If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.
BucketNamePrefix?string
BucketNamespace?enum
CorsConfiguration?objectA set of origins and methods (cross-origin access that you want to allow). You can add up to 100 rules to the configuration.
IntelligentTieringConfigurations?arrayDefines how Amazon S3 handles Intelligent-Tiering storage.
InventoryConfigurations?arraySpecifies the S3 Inventory configuration for an Amazon S3 bucket. For more information, see [GET Bucket inventory](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETInventoryConfig.html) in the *Amazon S3 API Reference*.
LifecycleConfiguration?objectA lifecycle rule for individual objects in an Amazon S3 bucket.
LoggingConfiguration?objectThe name of the bucket where Amazon S3 should store server access log files. You can store log files in any bucket that you own. By default, logs are stored in the bucket where the LoggingConfiguration property is defined.
MetricsConfigurations?arraySpecifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket. If you're updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don't include the elements you want to keep, they are erased. For more information, see [PutBucketMetricsConfiguration](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTMetricConfiguration.html).
MetadataTableConfiguration?objectThe destination information for the metadata table configuration. The destination table bucket must be in the same Region and AWS-account as the general purpose bucket. The specified metadata table name must be unique within the aws_s3_metadata namespace in the destination table bucket.
MetadataConfiguration?objectThe destination information for the S3 Metadata configuration.
NotificationConfiguration?objectEnables delivery of events to Amazon EventBridge.
ObjectLockConfiguration?objectIndicates whether this bucket has an Object Lock configuration enabled. Enable ObjectLockEnabled when you apply ObjectLockConfiguration to a bucket.
ObjectLockEnabled?booleanIndicates whether this bucket has an Object Lock configuration enabled. Enable ObjectLockEnabled when you apply ObjectLockConfiguration to a bucket.
OwnershipControls?objectSpecifies the container element for Object Ownership rules.
PublicAccessBlockConfiguration?objectSpecifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to TRUE causes the following behavior: PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public. PUT Object calls fail if the request includes a public ACL. PUT Bucket calls fail if the request includes a public ACL. Enabling this setting doesn't affect existing policies or ACLs.
ReplicationConfiguration?objectThe Amazon Resource Name (ARN) of the IAMlong (IAM) role that Amazon S3 assumes when replicating objects. For more information, see [How to Set Up Replication](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-how-setup.html) in the *Amazon S3 User Guide*.
Tags?arrayAn arbitrary set of tags (key-value pairs) for this S3 bucket.
AbacStatus?enumThe ABAC status of the general purpose bucket. When ABAC is enabled for the general purpose bucket, you can use tags to manage access to the general purpose buckets as well as for cost tracking purposes. When ABAC is disabled for the general purpose buckets, you can only use tags for cost tracking purposes. For more information, see [Using tags with S3 general purpose buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/buckets-tagging.html).
VersioningConfiguration?objectThe versioning state of the bucket.
WebsiteConfiguration?objectThe name of the error document for the website.
fn create()
Create a S3 Bucket
fn get(identifier: string)
Get a S3 Bucket
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 Bucket
fn update()
Update a S3 Bucket
fn delete(identifier: string)
Delete a S3 Bucket
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 Bucket
fn sync()
Sync S3 Bucket state from AWS
bucket_policy.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
BucketstringThe name of the Amazon S3 bucket to which the policy applies.
PolicyDocumentrecordA policy document containing permissions to add to the specified bucket. In IAM, you must provide policy documents in JSON format. However, in CloudFormation you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to IAM. For more information, see the AWS::IAM::Policy [PolicyDocument](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policydocument) resource description in this guide and [Access Policy Language Overview](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html) in the *Amazon S3 User Guide*.
fn create()
Create a S3 BucketPolicy
fn get(identifier: string)
Get a S3 BucketPolicy
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 BucketPolicy
fn update()
Update a S3 BucketPolicy
fn delete(identifier: string)
Delete a S3 BucketPolicy
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 BucketPolicy
fn sync()
Sync S3 BucketPolicy state from AWS
multi_region_access_point.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
PublicAccessBlockConfiguration?objectSpecifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to TRUE restricts access to this bucket to only AWS services and authorized users within this account if the bucket has a public policy. Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
RegionsarrayThe list of buckets that you want to associate this Multi Region Access Point with.
Name?stringThe name you want to assign to this Multi Region Access Point.
fn create()
Create a S3 MultiRegionAccessPoint
fn get(identifier: string)
Get a S3 MultiRegionAccessPoint
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 MultiRegionAccessPoint
fn delete(identifier: string)
Delete a S3 MultiRegionAccessPoint
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 MultiRegionAccessPoint
fn sync()
Sync S3 MultiRegionAccessPoint state from AWS
multi_region_access_point_policy.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
MrapNamestringThe name of the Multi Region Access Point to apply policy
PolicyrecordPolicy document to apply to a Multi Region Access Point
fn create()
Create a S3 MultiRegionAccessPointPolicy
fn get(identifier: string)
Get a S3 MultiRegionAccessPointPolicy
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 MultiRegionAccessPointPolicy
fn update()
Update a S3 MultiRegionAccessPointPolicy
fn delete(identifier: string)
Delete a S3 MultiRegionAccessPointPolicy
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 MultiRegionAccessPointPolicy
fn sync()
Sync S3 MultiRegionAccessPointPolicy state from AWS
storage_lens.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
StorageLensConfiguration?objectAccount-level metrics configurations.
Tags?arrayA set of tags (key-value pairs) for this Amazon S3 Storage Lens configuration.
fn create()
Create a S3 StorageLens
fn get(identifier: string)
Get a S3 StorageLens
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 StorageLens
fn update()
Update a S3 StorageLens
fn delete(identifier: string)
Delete a S3 StorageLens
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 StorageLens
fn sync()
Sync S3 StorageLens state from AWS
storage_lens_group.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
NamestringThe name that identifies the Amazon S3 Storage Lens Group.
Filter?objectFilter to match any of the specified prefixes.
Tags?arrayA set of tags (key-value pairs) for this Amazon S3 Storage Lens Group.
fn create()
Create a S3 StorageLensGroup
fn get(identifier: string)
Get a S3 StorageLensGroup
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 StorageLensGroup
fn update()
Update a S3 StorageLensGroup
fn delete(identifier: string)
Delete a S3 StorageLensGroup
ArgumentTypeDescription
identifierstringThe primary identifier of the S3 StorageLensGroup
fn sync()
Sync S3 StorageLensGroup state from AWS
04Previous Versions12
2026.06.15.1Jun 15, 2026
  • Updated: access_grant, access_grants_instance, access_grants_location, access_point, bucket, bucket_policy, multi_region_access_point, multi_region_access_point_policy, storage_lens, storage_lens_group
2026.06.08.2Jun 8, 2026
  • Updated: access_grant, access_grants_instance, access_grants_location, access_point, bucket, bucket_policy, multi_region_access_point, multi_region_access_point_policy, storage_lens, storage_lens_group
2026.06.06.1Jun 6, 2026
  • Updated: access_grant, access_grants_instance, access_grants_location, access_point, bucket, bucket_policy, multi_region_access_point, multi_region_access_point_policy, storage_lens, storage_lens_group
2026.05.27.1May 27, 2026
  • Updated: access_point, bucket, bucket_policy, multi_region_access_point_policy, storage_lens
2026.05.19.1May 18, 2026
2026.04.23.3Apr 23, 2026
2026.04.23.2Apr 23, 2026
  • Updated: access_grant, access_grants_instance, access_grants_location, access_point, bucket, bucket_policy, multi_region_access_point, multi_region_access_point_policy, storage_lens, storage_lens_group
2026.04.03.2Apr 3, 2026
  • Updated: access_grant, access_grants_instance, access_grants_location, access_point, bucket, bucket_policy, multi_region_access_point, multi_region_access_point_policy, storage_lens, storage_lens_group
2026.03.19.1Mar 19, 2026
  • Updated: access_grant, access_grants_instance, access_grants_location, access_point, bucket, bucket_policy, multi_region_access_point, multi_region_access_point_policy, storage_lens, storage_lens_group
2026.03.16.2Mar 16, 2026
  • Updated: bucket
2026.03.16.1Mar 16, 2026
  • Updated: access_grant, access_grants_instance, access_grants_location, access_point, bucket, bucket_policy, multi_region_access_point, multi_region_access_point_policy, storage_lens, storage_lens_group
2026.03.10.5Mar 10, 2026
05Stats
B
85 / 100
Downloads
492
Archive size
2.3 MB
Verified by Swamp
  • Has README or module doc2/2earned
  • README has a code example1/1earned
  • README is substantive1/1earned
  • Most symbols documented1/1earned
  • No slow types (deprecated)1/1earned
  • Dependencies pass trust audit0/2missing
  • Has description1/1earned
  • Platform support declared (or universal)2/2earned
  • License declared1/1earned
  • Verified public repository2/2earned
06Platforms
07Labels