Skip to content

API Reference

Constructs

CloudfrontWebAcl

This construct creates a WAFv2 Web ACL for cloudfront in the us-east-1 region (required for cloudfront) no matter the region of the parent cdk stack.

Initializers 

import software.aws.pdk.static_website.CloudfrontWebAcl;

CloudfrontWebAcl.Builder.create(Construct scope, java.lang.String id)
//  .cidrAllowList(CidrAllowList)
//  .disable(java.lang.Boolean)
//  .managedRules(java.util.List<ManagedRule>)
    .build();
Name Type Description
scope software.constructs.Construct No description.
id java.lang.String No description.
cidrAllowList CidrAllowList List of cidr ranges to allow.
disable java.lang.Boolean Set to true to prevent creation of a web acl for the static website.
managedRules java.util.List<ManagedRule> List of managed rules to apply to the web acl.
scopeRequired
  • Type: software.constructs.Construct
idRequired
  • Type: java.lang.String
cidrAllowListOptional

List of cidr ranges to allow.

disableOptional
  • Type: java.lang.Boolean
  • Default: false

Set to true to prevent creation of a web acl for the static website.

managedRulesOptional
  • Type: java.util.List<ManagedRule>
  • Default: [{ vendor: "AWS", name: "AWSManagedRulesCommonRuleSet" }]

List of managed rules to apply to the web acl.

Methods

Name Description
toString Returns a string representation of this construct.
toString 
public java.lang.String toString()

Returns a string representation of this construct.

Static Functions

Name Description
isConstruct Checks if x is a construct.
isConstruct 
import software.aws.pdk.static_website.CloudfrontWebAcl;

CloudfrontWebAcl.isConstruct(java.lang.Object x)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

xRequired
  • Type: java.lang.Object

Any object.

Properties

Name Type Description
node software.constructs.Node The tree node.
webAclArn java.lang.String No description.
webAclId java.lang.String No description.
nodeRequired 
public Node getNode();
  • Type: software.constructs.Node

The tree node.

webAclArnRequired 
public java.lang.String getWebAclArn();
  • Type: java.lang.String
webAclIdRequired 
public java.lang.String getWebAclId();
  • Type: java.lang.String

StaticWebsite

Deploys a Static Website using by default a private S3 bucket as an origin and Cloudfront as the entrypoint.

This construct configures a webAcl containing rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including some of the high risk and commonly occurring vulnerabilities described in OWASP publications such as OWASP Top 10.

Initializers 

import software.aws.pdk.static_website.StaticWebsite;

StaticWebsite.Builder.create(Construct scope, java.lang.String id)
    .websiteContentPath(java.lang.String)
//  .bucketDeploymentProps(BucketDeploymentProps)
//  .defaultWebsiteBucketEncryption(BucketEncryption)
//  .defaultWebsiteBucketEncryptionKey(Key)
//  .distributionProps(DistributionProps)
//  .runtimeOptions(RuntimeOptions)
//  .webAclProps(CloudFrontWebAclProps)
//  .websiteBucket(IBucket)
    .build();
Name Type Description
scope software.constructs.Construct No description.
id java.lang.String No description.
websiteContentPath java.lang.String Path to the directory containing the static website files and assets.
bucketDeploymentProps BucketDeploymentProps Custom bucket deployment properties.
defaultWebsiteBucketEncryption software.amazon.awscdk.services.s3.BucketEncryption Bucket encryption to use for the default bucket.
defaultWebsiteBucketEncryptionKey software.amazon.awscdk.services.kms.Key A predefined KMS customer encryption key to use for the default bucket that gets created.
distributionProps DistributionProps Custom distribution properties.
runtimeOptions RuntimeOptions Dynamic configuration which gets resolved only during deployment.
webAclProps CloudFrontWebAclProps Limited configuration settings for the generated webAcl.
websiteBucket software.amazon.awscdk.services.s3.IBucket Predefined bucket to deploy the website into.
scopeRequired
  • Type: software.constructs.Construct
idRequired
  • Type: java.lang.String
websiteContentPathRequired
  • Type: java.lang.String

Path to the directory containing the static website files and assets.

This directory must contain an index.html file.

bucketDeploymentPropsOptional

Custom bucket deployment properties.
defaultWebsiteBucketEncryptionOptional
  • Type: software.amazon.awscdk.services.s3.BucketEncryption
  • Default: "S3MANAGED"

Bucket encryption to use for the default bucket.

Supported options are KMS or S3MANAGED.

Note: If planning to use KMS, ensure you associate a Lambda Edge function to sign requests to S3 as OAI does not currently support KMS encryption. Refer to {@link https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/}

defaultWebsiteBucketEncryptionKeyOptional
  • Type: software.amazon.awscdk.services.kms.Key

A predefined KMS customer encryption key to use for the default bucket that gets created.

Note: This is only used if the websiteBucket is left undefined, otherwise all settings from the provided websiteBucket will be used.

distributionPropsOptional

Custom distribution properties.

Note: defaultBehaviour.origin is a required parameter, however it will not be used as this construct will wire it on your behalf. You will need to pass in an instance of StaticWebsiteOrigin (NoOp) to keep the compiler happy.

runtimeOptionsOptional

Dynamic configuration which gets resolved only during deployment.

webAclPropsOptional

Limited configuration settings for the generated webAcl.

For more advanced settings, create your own ACL and pass in the webAclId as a param to distributionProps.

Note: If pass in your own ACL, make sure the SCOPE is CLOUDFRONT and it is created in us-east-1.

websiteBucketOptional
  • Type: software.amazon.awscdk.services.s3.IBucket

Predefined bucket to deploy the website into.

Methods

Name Description
toString Returns a string representation of this construct.
toString 
public java.lang.String toString()

Returns a string representation of this construct.

Static Functions

Name Description
isConstruct Checks if x is a construct.
isConstruct 
import software.aws.pdk.static_website.StaticWebsite;

StaticWebsite.isConstruct(java.lang.Object x)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

xRequired
  • Type: java.lang.Object

Any object.

Properties

Name Type Description
node software.constructs.Node The tree node.
bucketDeployment software.amazon.awscdk.services.s3.deployment.BucketDeployment No description.
cloudFrontDistribution software.amazon.awscdk.services.cloudfront.Distribution No description.
websiteBucket software.amazon.awscdk.services.s3.IBucket No description.
nodeRequired 
public Node getNode();
  • Type: software.constructs.Node

The tree node.

bucketDeploymentRequired 
public BucketDeployment getBucketDeployment();
  • Type: software.amazon.awscdk.services.s3.deployment.BucketDeployment
cloudFrontDistributionRequired 
public Distribution getCloudFrontDistribution();
  • Type: software.amazon.awscdk.services.cloudfront.Distribution
websiteBucketRequired 
public IBucket getWebsiteBucket();
  • Type: software.amazon.awscdk.services.s3.IBucket

Structs

BucketDeploymentProps

BucketDeploymentProps.

Initializer 

import software.aws.pdk.static_website.BucketDeploymentProps;

BucketDeploymentProps.builder()
//  .accessControl(BucketAccessControl)
//  .cacheControl(java.util.List<CacheControl>)
//  .contentDisposition(java.lang.String)
//  .contentEncoding(java.lang.String)
//  .contentLanguage(java.lang.String)
//  .contentType(java.lang.String)
//  .destinationBucket(IBucket)
//  .destinationKeyPrefix(java.lang.String)
//  .distribution(IDistribution)
//  .distributionPaths(java.util.List<java.lang.String>)
//  .ephemeralStorageSize(Size)
//  .exclude(java.util.List<java.lang.String>)
//  .expires(Expiration)
//  .extract(java.lang.Boolean)
//  .include(java.util.List<java.lang.String>)
//  .logGroup(ILogGroup)
//  .logRetention(RetentionDays)
//  .memoryLimit(java.lang.Number)
//  .metadata(java.util.Map<java.lang.String, java.lang.String>)
//  .outputObjectKeys(java.lang.Boolean)
//  .prune(java.lang.Boolean)
//  .retainOnDelete(java.lang.Boolean)
//  .role(IRole)
//  .serverSideEncryption(ServerSideEncryption)
//  .serverSideEncryptionAwsKmsKeyId(java.lang.String)
//  .serverSideEncryptionCustomerAlgorithm(java.lang.String)
//  .signContent(java.lang.Boolean)
//  .sources(java.util.List<ISource>)
//  .storageClass(StorageClass)
//  .useEfs(java.lang.Boolean)
//  .vpc(IVpc)
//  .vpcSubnets(SubnetSelection)
//  .websiteRedirectLocation(java.lang.String)
    .build();

Properties

Name Type Description
accessControl software.amazon.awscdk.services.s3.BucketAccessControl System-defined x-amz-acl metadata to be set on all objects in the deployment.
cacheControl java.util.List System-defined cache-control metadata to be set on all objects in the deployment.
contentDisposition java.lang.String System-defined cache-disposition metadata to be set on all objects in the deployment.
contentEncoding java.lang.String System-defined content-encoding metadata to be set on all objects in the deployment.
contentLanguage java.lang.String System-defined content-language metadata to be set on all objects in the deployment.
contentType java.lang.String System-defined content-type metadata to be set on all objects in the deployment.
destinationBucket software.amazon.awscdk.services.s3.IBucket The S3 bucket to sync the contents of the zip file to.
destinationKeyPrefix java.lang.String Key prefix in the destination bucket.
distribution software.amazon.awscdk.services.cloudfront.IDistribution The CloudFront distribution using the destination bucket as an origin.
distributionPaths java.util.List The file paths to invalidate in the CloudFront distribution.
ephemeralStorageSize software.amazon.awscdk.Size The size of the AWS Lambda function’s /tmp directory in MiB.
exclude java.util.List If this is set, matching files or objects will be excluded from the deployment's sync command.
expires software.amazon.awscdk.Expiration System-defined expires metadata to be set on all objects in the deployment.
extract java.lang.Boolean If this is set, the zip file will be synced to the destination S3 bucket and extracted.
include java.util.List If this is set, matching files or objects will be included with the deployment's sync command.
logGroup software.amazon.awscdk.services.logs.ILogGroup The Log Group used for logging of events emitted by the custom resource's lambda function.
logRetention software.amazon.awscdk.services.logs.RetentionDays The number of days that the lambda function's log events are kept in CloudWatch Logs.
memoryLimit java.lang.Number The amount of memory (in MiB) to allocate to the AWS Lambda function which replicates the files from the CDK bucket to the destination bucket.
metadata java.util.Map User-defined object metadata to be set on all objects in the deployment.
outputObjectKeys java.lang.Boolean If set to false, the custom resource will not send back the SourceObjectKeys.
prune java.lang.Boolean If this is set to false, files in the destination bucket that do not exist in the asset, will NOT be deleted during deployment (create/update).
retainOnDelete java.lang.Boolean If this is set to "false", the destination files will be deleted when the resource is deleted or the destination is updated.
role software.amazon.awscdk.services.iam.IRole Execution role associated with this function.
serverSideEncryption software.amazon.awscdk.services.s3.deployment.ServerSideEncryption System-defined x-amz-server-side-encryption metadata to be set on all objects in the deployment.
serverSideEncryptionAwsKmsKeyId java.lang.String System-defined x-amz-server-side-encryption-aws-kms-key-id metadata to be set on all objects in the deployment.
serverSideEncryptionCustomerAlgorithm java.lang.String System-defined x-amz-server-side-encryption-customer-algorithm metadata to be set on all objects in the deployment.
signContent java.lang.Boolean If set to true, uploads will precompute the value of x-amz-content-sha256 and include it in the signed S3 request headers.
sources java.util.List The sources from which to deploy the contents of this bucket.
storageClass software.amazon.awscdk.services.s3.deployment.StorageClass System-defined x-amz-storage-class metadata to be set on all objects in the deployment.
useEfs java.lang.Boolean Mount an EFS file system.
vpc software.amazon.awscdk.services.ec2.IVpc The VPC network to place the deployment lambda handler in.
vpcSubnets software.amazon.awscdk.services.ec2.SubnetSelection Where in the VPC to place the deployment lambda handler.
websiteRedirectLocation java.lang.String System-defined x-amz-website-redirect-location metadata to be set on all objects in the deployment.
accessControlOptional 
public BucketAccessControl getAccessControl();
  • Type: software.amazon.awscdk.services.s3.BucketAccessControl
  • Default: Not set.

System-defined x-amz-acl metadata to be set on all objects in the deployment.

cacheControlOptional 
public java.util.List<CacheControl> getCacheControl();
  • Type: java.util.List
  • Default: Not set.

System-defined cache-control metadata to be set on all objects in the deployment.

contentDispositionOptional 
public java.lang.String getContentDisposition();
  • Type: java.lang.String
  • Default: Not set.

System-defined cache-disposition metadata to be set on all objects in the deployment.

contentEncodingOptional 
public java.lang.String getContentEncoding();
  • Type: java.lang.String
  • Default: Not set.

System-defined content-encoding metadata to be set on all objects in the deployment.

contentLanguageOptional 
public java.lang.String getContentLanguage();
  • Type: java.lang.String
  • Default: Not set.

System-defined content-language metadata to be set on all objects in the deployment.

contentTypeOptional 
public java.lang.String getContentType();
  • Type: java.lang.String
  • Default: Not set.

System-defined content-type metadata to be set on all objects in the deployment.

destinationBucketOptional 
public IBucket getDestinationBucket();
  • Type: software.amazon.awscdk.services.s3.IBucket

The S3 bucket to sync the contents of the zip file to.

destinationKeyPrefixOptional 
public java.lang.String getDestinationKeyPrefix();
  • Type: java.lang.String
  • Default: "/" (unzip to root of the destination bucket)

Key prefix in the destination bucket.

Must be <=104 characters

distributionOptional 
public IDistribution getDistribution();
  • Type: software.amazon.awscdk.services.cloudfront.IDistribution
  • Default: No invalidation occurs

The CloudFront distribution using the destination bucket as an origin.

Files in the distribution's edge caches will be invalidated after files are uploaded to the destination bucket.

distributionPathsOptional 
public java.util.List<java.lang.String> getDistributionPaths();
  • Type: java.util.List
  • Default: All files under the destination bucket key prefix will be invalidated.

The file paths to invalidate in the CloudFront distribution.

ephemeralStorageSizeOptional 
public Size getEphemeralStorageSize();
  • Type: software.amazon.awscdk.Size
  • Default: 512 MiB

The size of the AWS Lambda function’s /tmp directory in MiB.

excludeOptional 
public java.util.List<java.lang.String> getExclude();
  • Type: java.util.List
  • Default: No exclude filters are used

If this is set, matching files or objects will be excluded from the deployment's sync command.

This can be used to exclude a file from being pruned in the destination bucket.

If you want to just exclude files from the deployment package (which excludes these files evaluated when invalidating the asset), you should leverage the exclude property of AssetOptions when defining your source.

expiresOptional 
public Expiration getExpires();
  • Type: software.amazon.awscdk.Expiration
  • Default: The objects in the distribution will not expire.

System-defined expires metadata to be set on all objects in the deployment.

extractOptional 
public java.lang.Boolean getExtract();
  • Type: java.lang.Boolean
  • Default: true

If this is set, the zip file will be synced to the destination S3 bucket and extracted.

If false, the file will remain zipped in the destination bucket.

includeOptional 
public java.util.List<java.lang.String> getInclude();
  • Type: java.util.List
  • Default: No include filters are used and all files are included with the sync command

If this is set, matching files or objects will be included with the deployment's sync command.

Since all files from the deployment package are included by default, this property is usually leveraged alongside an exclude filter.

logGroupOptional 
public ILogGroup getLogGroup();
  • Type: software.amazon.awscdk.services.logs.ILogGroup
  • Default: a default log group created by AWS Lambda

The Log Group used for logging of events emitted by the custom resource's lambda function.

Providing a user-controlled log group was rolled out to commercial regions on 2023-11-16. If you are deploying to another type of region, please check regional availability first.

logRetentionOptional 
public RetentionDays getLogRetention();
  • Type: software.amazon.awscdk.services.logs.RetentionDays
  • Default: logs.RetentionDays.INFINITE

The number of days that the lambda function's log events are kept in CloudWatch Logs.

This is a legacy API and we strongly recommend you migrate to logGroup if you can. logGroup allows you to create a fully customizable log group and instruct the Lambda function to send logs to it.

memoryLimitOptional 
public java.lang.Number getMemoryLimit();
  • Type: java.lang.Number
  • Default: 128

The amount of memory (in MiB) to allocate to the AWS Lambda function which replicates the files from the CDK bucket to the destination bucket.

If you are deploying large files, you will need to increase this number accordingly.

metadataOptional 
public java.util.Map<java.lang.String, java.lang.String> getMetadata();
  • Type: java.util.Map
  • Default: No user metadata is set

User-defined object metadata to be set on all objects in the deployment.

outputObjectKeysOptional 
public java.lang.Boolean getOutputObjectKeys();
  • Type: java.lang.Boolean
  • Default: true

If set to false, the custom resource will not send back the SourceObjectKeys.

This is useful when you are facing the error Response object is too long

See aws-cdk#28579

pruneOptional 
public java.lang.Boolean getPrune();
  • Type: java.lang.Boolean
  • Default: true

If this is set to false, files in the destination bucket that do not exist in the asset, will NOT be deleted during deployment (create/update).

retainOnDeleteOptional 
public java.lang.Boolean getRetainOnDelete();
  • Type: java.lang.Boolean
  • Default: true - when resource is deleted/updated, files are retained

If this is set to "false", the destination files will be deleted when the resource is deleted or the destination is updated.

NOTICE: Configuring this to "false" might have operational implications. Please visit to the package documentation referred below to make sure you fully understand those implications.

roleOptional 
public IRole getRole();
  • Type: software.amazon.awscdk.services.iam.IRole
  • Default: A role is automatically created

Execution role associated with this function.

serverSideEncryptionOptional 
public ServerSideEncryption getServerSideEncryption();
  • Type: software.amazon.awscdk.services.s3.deployment.ServerSideEncryption
  • Default: Server side encryption is not used.

System-defined x-amz-server-side-encryption metadata to be set on all objects in the deployment.

serverSideEncryptionAwsKmsKeyIdOptional 
public java.lang.String getServerSideEncryptionAwsKmsKeyId();
  • Type: java.lang.String
  • Default: Not set.

System-defined x-amz-server-side-encryption-aws-kms-key-id metadata to be set on all objects in the deployment.

serverSideEncryptionCustomerAlgorithmOptional 
public java.lang.String getServerSideEncryptionCustomerAlgorithm();
  • Type: java.lang.String
  • Default: Not set.

System-defined x-amz-server-side-encryption-customer-algorithm metadata to be set on all objects in the deployment.

Warning: This is not a useful parameter until this bug is fixed: aws-cdk#6080

signContentOptional 
public java.lang.Boolean getSignContent();
  • Type: java.lang.Boolean
  • Default: x-amz-content-sha256 will not be computed

If set to true, uploads will precompute the value of x-amz-content-sha256 and include it in the signed S3 request headers.

sourcesOptional 
public java.util.List<ISource> getSources();
  • Type: java.util.List

The sources from which to deploy the contents of this bucket.

storageClassOptional 
public StorageClass getStorageClass();
  • Type: software.amazon.awscdk.services.s3.deployment.StorageClass
  • Default: Default storage-class for the bucket is used.

System-defined x-amz-storage-class metadata to be set on all objects in the deployment.

useEfsOptional 
public java.lang.Boolean getUseEfs();
  • Type: java.lang.Boolean
  • Default: No EFS. Lambda has access only to 512MB of disk space.

Mount an EFS file system.

Enable this if your assets are large and you encounter disk space errors. Enabling this option will require a VPC to be specified.

vpcOptional 
public IVpc getVpc();
  • Type: software.amazon.awscdk.services.ec2.IVpc
  • Default: None

The VPC network to place the deployment lambda handler in.

This is required if useEfs is set.

vpcSubnetsOptional 
public SubnetSelection getVpcSubnets();
  • Type: software.amazon.awscdk.services.ec2.SubnetSelection
  • Default: the Vpc default strategy if not specified

Where in the VPC to place the deployment lambda handler.

Only used if 'vpc' is supplied.

websiteRedirectLocationOptional 
public java.lang.String getWebsiteRedirectLocation();
  • Type: java.lang.String
  • Default: No website redirection.

System-defined x-amz-website-redirect-location metadata to be set on all objects in the deployment.

CidrAllowList

Representation of a CIDR range.

Initializer 

import software.aws.pdk.static_website.CidrAllowList;

CidrAllowList.builder()
    .cidrRanges(java.util.List<java.lang.String>)
    .cidrType(java.lang.String)
    .build();

Properties

Name Type Description
cidrRanges java.util.List Specify an IPv4 address by using CIDR notation.
cidrType java.lang.String Type of CIDR range.
cidrRangesRequired 
public java.util.List<java.lang.String> getCidrRanges();
  • Type: java.util.List

Specify an IPv4 address by using CIDR notation.

For example: To configure AWS WAF to allow, block, or count requests that originated from the IP address 192.0.2.44, specify 192.0.2.44/32 . To configure AWS WAF to allow, block, or count requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24 .

For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing .

Specify an IPv6 address by using CIDR notation. For example: To configure AWS WAF to allow, block, or count requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128 . To configure AWS WAF to allow, block, or count requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64 .

cidrTypeRequired 
public java.lang.String getCidrType();
  • Type: java.lang.String

Type of CIDR range.

CloudFrontWebAclProps

Properties to configure the web acl.

Initializer 

import software.aws.pdk.static_website.CloudFrontWebAclProps;

CloudFrontWebAclProps.builder()
//  .cidrAllowList(CidrAllowList)
//  .disable(java.lang.Boolean)
//  .managedRules(java.util.List<ManagedRule>)
    .build();

Properties

Name Type Description
cidrAllowList CidrAllowList List of cidr ranges to allow.
disable java.lang.Boolean Set to true to prevent creation of a web acl for the static website.
managedRules java.util.List<ManagedRule> List of managed rules to apply to the web acl.
cidrAllowListOptional 
public CidrAllowList getCidrAllowList();

List of cidr ranges to allow.

disableOptional 
public java.lang.Boolean getDisable();
  • Type: java.lang.Boolean
  • Default: false

Set to true to prevent creation of a web acl for the static website.

managedRulesOptional 
public java.util.List<ManagedRule> getManagedRules();
  • Type: java.util.List<ManagedRule>
  • Default: [{ vendor: "AWS", name: "AWSManagedRulesCommonRuleSet" }]

List of managed rules to apply to the web acl.

DistributionProps

DistributionProps.

Initializer 

import software.aws.pdk.static_website.DistributionProps;

DistributionProps.builder()
//  .additionalBehaviors(java.util.Map<java.lang.String, BehaviorOptions>)
//  .certificate(ICertificate)
//  .comment(java.lang.String)
//  .defaultBehavior(BehaviorOptions)
//  .defaultRootObject(java.lang.String)
//  .domainNames(java.util.List<java.lang.String>)
//  .enabled(java.lang.Boolean)
//  .enableIpv6(java.lang.Boolean)
//  .enableLogging(java.lang.Boolean)
//  .errorResponses(java.util.List<ErrorResponse>)
//  .geoRestriction(GeoRestriction)
//  .httpVersion(HttpVersion)
//  .logBucket(IBucket)
//  .logFilePrefix(java.lang.String)
//  .logIncludesCookies(java.lang.Boolean)
//  .minimumProtocolVersion(SecurityPolicyProtocol)
//  .priceClass(PriceClass)
//  .publishAdditionalMetrics(java.lang.Boolean)
//  .sslSupportMethod(SSLMethod)
//  .webAclId(java.lang.String)
    .build();

Properties

Name Type Description
additionalBehaviors java.util.Map Additional behaviors for the distribution, mapped by the pathPattern that specifies which requests to apply the behavior to.
certificate software.amazon.awscdk.services.certificatemanager.ICertificate A certificate to associate with the distribution.
comment java.lang.String Any comments you want to include about the distribution.
defaultBehavior software.amazon.awscdk.services.cloudfront.BehaviorOptions The default behavior for the distribution.
defaultRootObject java.lang.String The object that you want CloudFront to request from your origin (for example, index.html) when a viewer requests the root URL for your distribution. If no default object is set, the request goes to the origin's root (e.g., example.com/).
domainNames java.util.List Alternative domain names for this distribution.
enabled java.lang.Boolean Enable or disable the distribution.
enableIpv6 java.lang.Boolean Whether CloudFront will respond to IPv6 DNS requests with an IPv6 address.
enableLogging java.lang.Boolean Enable access logging for the distribution.
errorResponses java.util.List How CloudFront should handle requests that are not successful (e.g., PageNotFound).
geoRestriction software.amazon.awscdk.services.cloudfront.GeoRestriction Controls the countries in which your content is distributed.
httpVersion software.amazon.awscdk.services.cloudfront.HttpVersion Specify the maximum HTTP version that you want viewers to use to communicate with CloudFront.
logBucket software.amazon.awscdk.services.s3.IBucket The Amazon S3 bucket to store the access logs in.
logFilePrefix java.lang.String An optional string that you want CloudFront to prefix to the access log filenames for this distribution.
logIncludesCookies java.lang.Boolean Specifies whether you want CloudFront to include cookies in access logs.
minimumProtocolVersion software.amazon.awscdk.services.cloudfront.SecurityPolicyProtocol The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections.
priceClass software.amazon.awscdk.services.cloudfront.PriceClass The price class that corresponds with the maximum price that you want to pay for CloudFront service.
publishAdditionalMetrics java.lang.Boolean Whether to enable additional CloudWatch metrics.
sslSupportMethod software.amazon.awscdk.services.cloudfront.SSLMethod The SSL method CloudFront will use for your distribution.
webAclId java.lang.String Unique identifier that specifies the AWS WAF web ACL to associate with this CloudFront distribution.
additionalBehaviorsOptional 
public java.util.Map<java.lang.String, BehaviorOptions> getAdditionalBehaviors();
  • Type: java.util.Map
  • Default: no additional behaviors are added.

Additional behaviors for the distribution, mapped by the pathPattern that specifies which requests to apply the behavior to.

certificateOptional 
public ICertificate getCertificate();
  • Type: software.amazon.awscdk.services.certificatemanager.ICertificate
  • Default: the CloudFront wildcard certificate (*.cloudfront.net) will be used.

A certificate to associate with the distribution.

The certificate must be located in N. Virginia (us-east-1).

commentOptional 
public java.lang.String getComment();
  • Type: java.lang.String
  • Default: no comment

Any comments you want to include about the distribution.

defaultBehaviorOptional 
public BehaviorOptions getDefaultBehavior();
  • Type: software.amazon.awscdk.services.cloudfront.BehaviorOptions

The default behavior for the distribution.

defaultRootObjectOptional 
public java.lang.String getDefaultRootObject();
  • Type: java.lang.String
  • Default: no default root object

The object that you want CloudFront to request from your origin (for example, index.html) when a viewer requests the root URL for your distribution. If no default object is set, the request goes to the origin's root (e.g., example.com/).

domainNamesOptional 
public java.util.List<java.lang.String> getDomainNames();
  • Type: java.util.List
  • Default: The distribution will only support the default generated name (e.g., d111111abcdef8.cloudfront.net)

Alternative domain names for this distribution.

If you want to use your own domain name, such as www.example.com, instead of the cloudfront.net domain name, you can add an alternate domain name to your distribution. If you attach a certificate to the distribution, you should add (at least one of) the domain names of the certificate to this list.

When you want to move a domain name between distributions, you can associate a certificate without specifying any domain names. For more information, see the Moving an alternate domain name to a different distribution section in the README.

enabledOptional 
public java.lang.Boolean getEnabled();
  • Type: java.lang.Boolean
  • Default: true

Enable or disable the distribution.

enableIpv6Optional 
public java.lang.Boolean getEnableIpv6();
  • Type: java.lang.Boolean
  • Default: true

Whether CloudFront will respond to IPv6 DNS requests with an IPv6 address.

If you specify false, CloudFront responds to IPv6 DNS requests with the DNS response code NOERROR and with no IP addresses. This allows viewers to submit a second request, for an IPv4 address for your distribution.

enableLoggingOptional 
public java.lang.Boolean getEnableLogging();
  • Type: java.lang.Boolean
  • Default: false, unless logBucket is specified.

Enable access logging for the distribution.

errorResponsesOptional 
public java.util.List<ErrorResponse> getErrorResponses();
  • Type: java.util.List
  • Default: No custom error responses.

How CloudFront should handle requests that are not successful (e.g., PageNotFound).

geoRestrictionOptional 
public GeoRestriction getGeoRestriction();
  • Type: software.amazon.awscdk.services.cloudfront.GeoRestriction
  • Default: No geographic restrictions

Controls the countries in which your content is distributed.

httpVersionOptional 
public HttpVersion getHttpVersion();
  • Type: software.amazon.awscdk.services.cloudfront.HttpVersion
  • Default: HttpVersion.HTTP2

Specify the maximum HTTP version that you want viewers to use to communicate with CloudFront.

For viewers and CloudFront to use HTTP/2, viewers must support TLS 1.2 or later, and must support server name identification (SNI).

logBucketOptional 
public IBucket getLogBucket();
  • Type: software.amazon.awscdk.services.s3.IBucket
  • Default: A bucket is created if enableLogging is true

The Amazon S3 bucket to store the access logs in.

Make sure to set objectOwnership to s3.ObjectOwnership.OBJECT_WRITER in your custom bucket.

logFilePrefixOptional 
public java.lang.String getLogFilePrefix();
  • Type: java.lang.String
  • Default: no prefix

An optional string that you want CloudFront to prefix to the access log filenames for this distribution.

logIncludesCookiesOptional 
public java.lang.Boolean getLogIncludesCookies();
  • Type: java.lang.Boolean
  • Default: false

Specifies whether you want CloudFront to include cookies in access logs.

minimumProtocolVersionOptional 
public SecurityPolicyProtocol getMinimumProtocolVersion();
  • Type: software.amazon.awscdk.services.cloudfront.SecurityPolicyProtocol
  • Default: SecurityPolicyProtocol.TLS_V1_2_2021 if the 'aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021' feature flag is set; otherwise, SecurityPolicyProtocol.TLS_V1_2_2019.

The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections.

CloudFront serves your objects only to browsers or devices that support at least the SSL version that you specify.

priceClassOptional 
public PriceClass getPriceClass();
  • Type: software.amazon.awscdk.services.cloudfront.PriceClass
  • Default: PriceClass.PRICE_CLASS_ALL

The price class that corresponds with the maximum price that you want to pay for CloudFront service.

If you specify PriceClass_All, CloudFront responds to requests for your objects from all CloudFront edge locations. If you specify a price class other than PriceClass_All, CloudFront serves your objects from the CloudFront edge location that has the lowest latency among the edge locations in your price class.

publishAdditionalMetricsOptional 
public java.lang.Boolean getPublishAdditionalMetrics();
  • Type: java.lang.Boolean
  • Default: false

Whether to enable additional CloudWatch metrics.

sslSupportMethodOptional 
public SSLMethod getSslSupportMethod();
  • Type: software.amazon.awscdk.services.cloudfront.SSLMethod
  • Default: SSLMethod.SNI

The SSL method CloudFront will use for your distribution.

Server Name Indication (SNI) - is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate.

CloudFront can use SNI to host multiple distributions on the same IP - which a large majority of clients will support.

If your clients cannot support SNI however - CloudFront can use dedicated IPs for your distribution - but there is a prorated monthly charge for using this feature. By default, we use SNI - but you can optionally enable dedicated IPs (VIP).

See the CloudFront SSL for more details about pricing : https://aws.amazon.com/cloudfront/custom-ssl-domains/

webAclIdOptional 
public java.lang.String getWebAclId();
  • Type: java.lang.String
  • Default: No AWS Web Application Firewall web access control list (web ACL).

Unique identifier that specifies the AWS WAF web ACL to associate with this CloudFront distribution.

To specify a web ACL created using the latest version of AWS WAF, use the ACL ARN, for example arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a. To specify a web ACL created using AWS WAF Classic, use the ACL ID, for example 473e64fd-f30b-4765-81a0-62ad96dd167a.

ManagedRule

Represents a WAF V2 managed rule.

Initializer 

import software.aws.pdk.static_website.ManagedRule;

ManagedRule.builder()
    .name(java.lang.String)
    .vendor(java.lang.String)
    .build();

Properties

Name Type Description
name java.lang.String The name of the managed rule group.
vendor java.lang.String The name of the managed rule group vendor.
nameRequired 
public java.lang.String getName();
  • Type: java.lang.String

The name of the managed rule group.

You use this, along with the vendor name, to identify the rule group.

vendorRequired 
public java.lang.String getVendor();
  • Type: java.lang.String

The name of the managed rule group vendor.

You use this, along with the rule group name, to identify the rule group.

RuntimeOptions

Dynamic configuration which gets resolved only during deployment.

Example

// Example automatically generated from non-compiling source. May contain errors.
// Will store a JSON file called runtime-config.json in the root of the StaticWebsite S3 bucket containing any
// and all resolved values.
Map<String, Map<String, Object>> runtimeConfig = Map.of("jsonPayload", Map.of("bucketArn", s3Bucket.getBucketArn()));
StaticWebsite.Builder.create(scope, "StaticWebsite").websiteContentPath("path/to/website").runtimeConfig(runtimeConfig).build();

Initializer 

import software.aws.pdk.static_website.RuntimeOptions;

RuntimeOptions.builder()
    .jsonPayload(java.lang.Object)
//  .jsonFileName(java.lang.String)
    .build();

Properties

Name Type Description
jsonPayload java.lang.Object Arbitrary JSON payload containing runtime values to deploy.
jsonFileName java.lang.String File name to store runtime configuration (jsonPayload).
jsonPayloadRequired 
public java.lang.Object getJsonPayload();
  • Type: java.lang.Object

Arbitrary JSON payload containing runtime values to deploy.

Typically this contains resourceArns, etc which are only known at deploy time.

Example

// Example automatically generated from non-compiling source. May contain errors.
{userPoolId: some.userPool.userPoolId, someResourceArnsome.getResource().getArn();
}
jsonFileNameOptional 
public java.lang.String getJsonFileName();
  • Type: java.lang.String
  • Default: "runtime-config.json"

File name to store runtime configuration (jsonPayload).

Must follow pattern: '*.json'

StaticWebsiteProps

Properties for configuring the StaticWebsite.

Initializer 

import software.aws.pdk.static_website.StaticWebsiteProps;

StaticWebsiteProps.builder()
    .websiteContentPath(java.lang.String)
//  .bucketDeploymentProps(BucketDeploymentProps)
//  .defaultWebsiteBucketEncryption(BucketEncryption)
//  .defaultWebsiteBucketEncryptionKey(Key)
//  .distributionProps(DistributionProps)
//  .runtimeOptions(RuntimeOptions)
//  .webAclProps(CloudFrontWebAclProps)
//  .websiteBucket(IBucket)
    .build();

Properties

Name Type Description
websiteContentPath java.lang.String Path to the directory containing the static website files and assets.
bucketDeploymentProps BucketDeploymentProps Custom bucket deployment properties.
defaultWebsiteBucketEncryption software.amazon.awscdk.services.s3.BucketEncryption Bucket encryption to use for the default bucket.
defaultWebsiteBucketEncryptionKey software.amazon.awscdk.services.kms.Key A predefined KMS customer encryption key to use for the default bucket that gets created.
distributionProps DistributionProps Custom distribution properties.
runtimeOptions RuntimeOptions Dynamic configuration which gets resolved only during deployment.
webAclProps CloudFrontWebAclProps Limited configuration settings for the generated webAcl.
websiteBucket software.amazon.awscdk.services.s3.IBucket Predefined bucket to deploy the website into.
websiteContentPathRequired 
public java.lang.String getWebsiteContentPath();
  • Type: java.lang.String

Path to the directory containing the static website files and assets.

This directory must contain an index.html file.

bucketDeploymentPropsOptional 
public BucketDeploymentProps getBucketDeploymentProps();

Custom bucket deployment properties.
defaultWebsiteBucketEncryptionOptional 
public BucketEncryption getDefaultWebsiteBucketEncryption();
  • Type: software.amazon.awscdk.services.s3.BucketEncryption
  • Default: "S3MANAGED"

Bucket encryption to use for the default bucket.

Supported options are KMS or S3MANAGED.

Note: If planning to use KMS, ensure you associate a Lambda Edge function to sign requests to S3 as OAI does not currently support KMS encryption. Refer to {@link https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/}

defaultWebsiteBucketEncryptionKeyOptional 
public Key getDefaultWebsiteBucketEncryptionKey();
  • Type: software.amazon.awscdk.services.kms.Key

A predefined KMS customer encryption key to use for the default bucket that gets created.

Note: This is only used if the websiteBucket is left undefined, otherwise all settings from the provided websiteBucket will be used.

distributionPropsOptional 
public DistributionProps getDistributionProps();

Custom distribution properties.

Note: defaultBehaviour.origin is a required parameter, however it will not be used as this construct will wire it on your behalf. You will need to pass in an instance of StaticWebsiteOrigin (NoOp) to keep the compiler happy.

runtimeOptionsOptional 
public RuntimeOptions getRuntimeOptions();

Dynamic configuration which gets resolved only during deployment.

webAclPropsOptional 
public CloudFrontWebAclProps getWebAclProps();

Limited configuration settings for the generated webAcl.

For more advanced settings, create your own ACL and pass in the webAclId as a param to distributionProps.

Note: If pass in your own ACL, make sure the SCOPE is CLOUDFRONT and it is created in us-east-1.

websiteBucketOptional 
public IBucket getWebsiteBucket();
  • Type: software.amazon.awscdk.services.s3.IBucket

Predefined bucket to deploy the website into.

Classes

StaticWebsiteOrigin

  • Implements: software.amazon.awscdk.services.cloudfront.IOrigin

If passing in distributionProps, the default behaviour.origin is a required parameter. An instance of this class can be passed in to make the compiler happy.

Initializers 

import software.aws.pdk.static_website.StaticWebsiteOrigin;

new StaticWebsiteOrigin();
Name Type Description

Methods

Name Description
bind The method called when a given Origin is added (for the first time) to a Distribution.
bind 
public OriginBindConfig bind(Construct _scope, OriginBindOptions _options)

The method called when a given Origin is added (for the first time) to a Distribution.

_scopeRequired
  • Type: software.constructs.Construct
_optionsRequired
  • Type: software.amazon.awscdk.services.cloudfront.OriginBindOptions
Last update: 2025-07-17