feat(s3): attribute-based access control#36229
Conversation
… buckets

- Introduced `abacStatus` property to the S3 bucket construct to enable or disable ABAC.
- Updated integration test to include `abacStatus` for both KMS-encrypted and S3-managed buckets.
- Modified the snapshot to reflect changes in the bucket configuration.
- Enhanced documentation to explain how to enable and disable ABAC for S3 buckets.
```ts
});
});

test.each([true, false])('bucket with ABAC status %s', (abacStatus) => {
```
Since the handling changes based on whether the value is undefined, it's a good idea to also check for undefined with Match.absent.
I've added it!
Could you combine them into one? Because they are tests for a single concern, it will be easier to grasp the test cases than separating them into individual tests.
```ts
test.each([
  [true, 'Enabled'],
  [false, 'Disabled'],
  [undefined, Match.absent()],
])('bucket with ABAC status %s', (abacStatus, expected) => {
  const stack = new cdk.Stack();
  new s3.Bucket(stack, 'MyBucket', {
    abacStatus,
  });
  Template.fromStack(stack).hasResourceProperties('AWS::S3::Bucket', {
    AbacStatus: expected,
  });
});
```
@go-to-k Thank you for your review! I've addressed your comment.
Co-authored-by: Kenta Goto <24818752+go-to-k@users.noreply.github.com>
@go-to-k I've updated!
Did you forget to push your commit? :)
@go-to-k I'm sorry for forgetting to push it.
kumsmrit
left a comment
Thank you for your contribution; I have added a few minor comments.
```md
## Attribute-Based Access Control (ABAC)

You can enable ABAC (Attribute-Based Access Control) for an S3 general purpose bucket.
When ABAC is enabled for the general purpose bucket, you can use tags to manage access to the general purpose buckets as well as for cost tracking purposes.
```
Can we also describe the disabled case for completeness?
"When ABAC is disabled for the general purpose buckets, you can only use tags for cost tracking purposes."
Co-authored-by: kumsmrit <154323786+kumsmrit@users.noreply.github.com>
@kumsmrit Thank you for your review!! I've addressed all of your comments.
kumsmrit
left a comment
Thank you for addressing the comments.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
Merge Queue Status
Rule:
This pull request spent 30 minutes 21 seconds in the queue, including 30 minutes 10 seconds running CI.
Required conditions to merge
Comments on closed issues and PRs are hard for our team to see.
Issue # (if applicable)
None
Reason for this change
AWS S3 general purpose buckets now support Attribute-based access control (ABAC).
https://docs.aws.amazon.com/ja_jp/AmazonS3/latest/userguide/buckets-tagging.html
Description of changes
Add `abacStatus` to `BucketProps`.
Describe any new or updated permissions being added
None
Description of how you validated changes
Add both unit and integ tests.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license