feat(s3): attribute-based access control #36229
Open
+669
−377
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… buckets - Introduced `abacStatus` property to the S3 bucket construct to enable or disable ABAC. - Updated integration test to include `abacStatus` for both KMS-encrypted and S3-managed buckets. - Modified the snapshot to reflect changes in the bucket configuration. - Enhanced documentation to explain how to enable and disable ABAC for S3 buckets.
github-actions
bot
added
p2
distinguished-contributor
aws-cdk-automation
added
pr/needs-further-review
go-to-k
suggested changes
Nov 28, 2025
| }); | ||
| }); | ||
|
|
||
| test.each([true, false])('bucket with ABAC status %s', (abacStatus) => { |
Contributor
There was a problem hiding this comment.
Since the handling changes based on whether the value is undefined, it's a good idea to also check for undefined with Match.absent.
Contributor
Author
There was a problem hiding this comment.
I've added it!
Contributor
There was a problem hiding this comment.
Could you combine them into one? Because they are tests for a single concern, it will be easier to grasp the test cases than separating them into individual tests.
test.each([
[true, 'Enabled'],
[false, 'Disabled'],
[undefined, Match.absent()],
])('bucket with ABAC status %s', (abacStatus, expected) => {
const stack = new cdk.Stack();
new s3.Bucket(stack, 'MyBucket', {
abacStatus,
});
Template.fromStack(stack).hasResourceProperties('AWS::S3::Bucket', {
AbacStatus: expected,
});
});
aws-cdk-automation
removed
the
pr/needs-community-review
Contributor
Author
|
@go-to-k Thank you for your review! I've addressed your comment. |
go-to-k
reviewed
Nov 28, 2025
Co-authored-by: Kenta Goto <24818752+go-to-k@users.noreply.github.com>
Contributor
Author
|
@go-to-k I've updated! |
Contributor
|
Did you forget to push your commit? :) |
Contributor
Author
|
@go-to-k I'm sorry for forgetting to push it. |
aws-cdk-automation
added
the
pr/needs-maintainer-review
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue # (if applicable)
None
Reason for this change
AWS S3 general purpose bucket now supports for Attribute-based access control (ABAC).
https://docs.aws.amazon.com/ja_jp/AmazonS3/latest/userguide/buckets-tagging.html
Description of changes
abacStatustoBucketPropsDescribe any new or updated permissions being added
None
Description of how you validated changes
add both unit and integ tests
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license