Skip to content

API Reference

Constructs

CloudfrontWebAcl

This construct creates a WAFv2 Web ACL for cloudfront in the us-east-1 region (required for cloudfront) no matter the region of the parent cdk stack.

Initializers 

import aws.pdk.static_website

aws.pdk.static_website.CloudfrontWebAcl(
  scope: Construct,
  id: str,
  cidr_allow_list: CidrAllowList = None,
  disable: bool = None,
  managed_rules: typing.List[ManagedRule] = None
)
Name Type Description
scope constructs.Construct No description.
id str No description.
cidr_allow_list CidrAllowList List of cidr ranges to allow.
disable bool Set to true to prevent creation of a web acl for the static website.
managed_rules typing.List[ManagedRule] List of managed rules to apply to the web acl.
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: str
cidr_allow_listOptional

List of cidr ranges to allow.

disableOptional
  • Type: bool
  • Default: false

Set to true to prevent creation of a web acl for the static website.

managed_rulesOptional
  • Type: typing.List[ManagedRule]
  • Default: [{ vendor: "AWS", name: "AWSManagedRulesCommonRuleSet" }]

List of managed rules to apply to the web acl.

Methods

Name Description
to_string Returns a string representation of this construct.
to_string 
def to_string() -> str

Returns a string representation of this construct.

Static Functions

Name Description
is_construct Checks if x is a construct.
is_construct 
import aws.pdk.static_website

aws.pdk.static_website.CloudfrontWebAcl.is_construct(
  x: typing.Any
)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

xRequired
  • Type: typing.Any

Any object.

Properties

Name Type Description
node constructs.Node The tree node.
web_acl_arn str No description.
web_acl_id str No description.
nodeRequired 
node: Node
  • Type: constructs.Node

The tree node.

web_acl_arnRequired 
web_acl_arn: str
  • Type: str
web_acl_idRequired 
web_acl_id: str
  • Type: str

StaticWebsite

Deploys a Static Website using by default a private S3 bucket as an origin and Cloudfront as the entrypoint.

This construct configures a webAcl containing rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including some of the high risk and commonly occurring vulnerabilities described in OWASP publications such as OWASP Top 10.

Initializers 

import aws.pdk.static_website

aws.pdk.static_website.StaticWebsite(
  scope: Construct,
  id: str,
  website_content_path: str,
  bucket_deployment_props: BucketDeploymentProps = None,
  default_website_bucket_encryption: BucketEncryption = None,
  default_website_bucket_encryption_key: Key = None,
  distribution_props: DistributionProps = None,
  runtime_options: RuntimeOptions = None,
  web_acl_props: CloudFrontWebAclProps = None,
  website_bucket: IBucket = None
)
Name Type Description
scope constructs.Construct No description.
id str No description.
website_content_path str Path to the directory containing the static website files and assets.
bucket_deployment_props BucketDeploymentProps Custom bucket deployment properties.
default_website_bucket_encryption aws_cdk.aws_s3.BucketEncryption Bucket encryption to use for the default bucket.
default_website_bucket_encryption_key aws_cdk.aws_kms.Key A predefined KMS customer encryption key to use for the default bucket that gets created.
distribution_props DistributionProps Custom distribution properties.
runtime_options RuntimeOptions Dynamic configuration which gets resolved only during deployment.
web_acl_props CloudFrontWebAclProps Limited configuration settings for the generated webAcl.
website_bucket aws_cdk.aws_s3.IBucket Predefined bucket to deploy the website into.
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: str
website_content_pathRequired
  • Type: str

Path to the directory containing the static website files and assets.

This directory must contain an index.html file.

bucket_deployment_propsOptional

Custom bucket deployment properties.
default_website_bucket_encryptionOptional
  • Type: aws_cdk.aws_s3.BucketEncryption
  • Default: "S3MANAGED"

Bucket encryption to use for the default bucket.

Supported options are KMS or S3MANAGED.

Note: If planning to use KMS, ensure you associate a Lambda Edge function to sign requests to S3 as OAI does not currently support KMS encryption. Refer to {@link https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/}

default_website_bucket_encryption_keyOptional
  • Type: aws_cdk.aws_kms.Key

A predefined KMS customer encryption key to use for the default bucket that gets created.

Note: This is only used if the websiteBucket is left undefined, otherwise all settings from the provided websiteBucket will be used.

distribution_propsOptional

Custom distribution properties.

Note: defaultBehaviour.origin is a required parameter, however it will not be used as this construct will wire it on your behalf. You will need to pass in an instance of StaticWebsiteOrigin (NoOp) to keep the compiler happy.

runtime_optionsOptional

Dynamic configuration which gets resolved only during deployment.

web_acl_propsOptional

Limited configuration settings for the generated webAcl.

For more advanced settings, create your own ACL and pass in the webAclId as a param to distributionProps.

Note: If pass in your own ACL, make sure the SCOPE is CLOUDFRONT and it is created in us-east-1.

website_bucketOptional
  • Type: aws_cdk.aws_s3.IBucket

Predefined bucket to deploy the website into.

Methods

Name Description
to_string Returns a string representation of this construct.
to_string 
def to_string() -> str

Returns a string representation of this construct.

Static Functions

Name Description
is_construct Checks if x is a construct.
is_construct 
import aws.pdk.static_website

aws.pdk.static_website.StaticWebsite.is_construct(
  x: typing.Any
)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

xRequired
  • Type: typing.Any

Any object.

Properties

Name Type Description
node constructs.Node The tree node.
bucket_deployment aws_cdk.aws_s3_deployment.BucketDeployment No description.
cloud_front_distribution aws_cdk.aws_cloudfront.Distribution No description.
website_bucket aws_cdk.aws_s3.IBucket No description.
nodeRequired 
node: Node
  • Type: constructs.Node

The tree node.

bucket_deploymentRequired 
bucket_deployment: BucketDeployment
  • Type: aws_cdk.aws_s3_deployment.BucketDeployment
cloud_front_distributionRequired 
cloud_front_distribution: Distribution
  • Type: aws_cdk.aws_cloudfront.Distribution
website_bucketRequired 
website_bucket: IBucket
  • Type: aws_cdk.aws_s3.IBucket

Structs

BucketDeploymentProps

BucketDeploymentProps.

Initializer 

import aws.pdk.static_website

aws.pdk.static_website.BucketDeploymentProps(
  access_control: BucketAccessControl = None,
  cache_control: typing.List[CacheControl] = None,
  content_disposition: str = None,
  content_encoding: str = None,
  content_language: str = None,
  content_type: str = None,
  destination_bucket: IBucket = None,
  destination_key_prefix: str = None,
  distribution: IDistribution = None,
  distribution_paths: typing.List[str] = None,
  ephemeral_storage_size: Size = None,
  exclude: typing.List[str] = None,
  expires: Expiration = None,
  extract: bool = None,
  include: typing.List[str] = None,
  log_group: ILogGroup = None,
  log_retention: RetentionDays = None,
  memory_limit: typing.Union[int, float] = None,
  metadata: typing.Mapping[str] = None,
  output_object_keys: bool = None,
  prune: bool = None,
  retain_on_delete: bool = None,
  role: IRole = None,
  server_side_encryption: ServerSideEncryption = None,
  server_side_encryption_aws_kms_key_id: str = None,
  server_side_encryption_customer_algorithm: str = None,
  sign_content: bool = None,
  sources: typing.List[ISource] = None,
  storage_class: StorageClass = None,
  use_efs: bool = None,
  vpc: IVpc = None,
  vpc_subnets: SubnetSelection = None,
  website_redirect_location: str = None
)

Properties

Name Type Description
access_control aws_cdk.aws_s3.BucketAccessControl System-defined x-amz-acl metadata to be set on all objects in the deployment.
cache_control typing.List[aws_cdk.aws_s3_deployment.CacheControl] System-defined cache-control metadata to be set on all objects in the deployment.
content_disposition str System-defined cache-disposition metadata to be set on all objects in the deployment.
content_encoding str System-defined content-encoding metadata to be set on all objects in the deployment.
content_language str System-defined content-language metadata to be set on all objects in the deployment.
content_type str System-defined content-type metadata to be set on all objects in the deployment.
destination_bucket aws_cdk.aws_s3.IBucket The S3 bucket to sync the contents of the zip file to.
destination_key_prefix str Key prefix in the destination bucket.
distribution aws_cdk.aws_cloudfront.IDistribution The CloudFront distribution using the destination bucket as an origin.
distribution_paths typing.List[str] The file paths to invalidate in the CloudFront distribution.
ephemeral_storage_size aws_cdk.Size The size of the AWS Lambda function’s /tmp directory in MiB.
exclude typing.List[str] If this is set, matching files or objects will be excluded from the deployment's sync command.
expires aws_cdk.Expiration System-defined expires metadata to be set on all objects in the deployment.
extract bool If this is set, the zip file will be synced to the destination S3 bucket and extracted.
include typing.List[str] If this is set, matching files or objects will be included with the deployment's sync command.
log_group aws_cdk.aws_logs.ILogGroup The Log Group used for logging of events emitted by the custom resource's lambda function.
log_retention aws_cdk.aws_logs.RetentionDays The number of days that the lambda function's log events are kept in CloudWatch Logs.
memory_limit typing.Union[int, float] The amount of memory (in MiB) to allocate to the AWS Lambda function which replicates the files from the CDK bucket to the destination bucket.
metadata typing.Mapping[str] User-defined object metadata to be set on all objects in the deployment.
output_object_keys bool If set to false, the custom resource will not send back the SourceObjectKeys.
prune bool If this is set to false, files in the destination bucket that do not exist in the asset, will NOT be deleted during deployment (create/update).
retain_on_delete bool If this is set to "false", the destination files will be deleted when the resource is deleted or the destination is updated.
role aws_cdk.aws_iam.IRole Execution role associated with this function.
server_side_encryption aws_cdk.aws_s3_deployment.ServerSideEncryption System-defined x-amz-server-side-encryption metadata to be set on all objects in the deployment.
server_side_encryption_aws_kms_key_id str System-defined x-amz-server-side-encryption-aws-kms-key-id metadata to be set on all objects in the deployment.
server_side_encryption_customer_algorithm str System-defined x-amz-server-side-encryption-customer-algorithm metadata to be set on all objects in the deployment.
sign_content bool If set to true, uploads will precompute the value of x-amz-content-sha256 and include it in the signed S3 request headers.
sources typing.List[aws_cdk.aws_s3_deployment.ISource] The sources from which to deploy the contents of this bucket.
storage_class aws_cdk.aws_s3_deployment.StorageClass System-defined x-amz-storage-class metadata to be set on all objects in the deployment.
use_efs bool Mount an EFS file system.
vpc aws_cdk.aws_ec2.IVpc The VPC network to place the deployment lambda handler in.
vpc_subnets aws_cdk.aws_ec2.SubnetSelection Where in the VPC to place the deployment lambda handler.
website_redirect_location str System-defined x-amz-website-redirect-location metadata to be set on all objects in the deployment.
access_controlOptional 
access_control: BucketAccessControl
  • Type: aws_cdk.aws_s3.BucketAccessControl
  • Default: Not set.

System-defined x-amz-acl metadata to be set on all objects in the deployment.

cache_controlOptional 
cache_control: typing.List[CacheControl]
  • Type: typing.List[aws_cdk.aws_s3_deployment.CacheControl]
  • Default: Not set.

System-defined cache-control metadata to be set on all objects in the deployment.

content_dispositionOptional 
content_disposition: str
  • Type: str
  • Default: Not set.

System-defined cache-disposition metadata to be set on all objects in the deployment.

content_encodingOptional 
content_encoding: str
  • Type: str
  • Default: Not set.

System-defined content-encoding metadata to be set on all objects in the deployment.

content_languageOptional 
content_language: str
  • Type: str
  • Default: Not set.

System-defined content-language metadata to be set on all objects in the deployment.

content_typeOptional 
content_type: str
  • Type: str
  • Default: Not set.

System-defined content-type metadata to be set on all objects in the deployment.

destination_bucketOptional 
destination_bucket: IBucket
  • Type: aws_cdk.aws_s3.IBucket

The S3 bucket to sync the contents of the zip file to.

destination_key_prefixOptional 
destination_key_prefix: str
  • Type: str
  • Default: "/" (unzip to root of the destination bucket)

Key prefix in the destination bucket.

Must be <=104 characters

distributionOptional 
distribution: IDistribution
  • Type: aws_cdk.aws_cloudfront.IDistribution
  • Default: No invalidation occurs

The CloudFront distribution using the destination bucket as an origin.

Files in the distribution's edge caches will be invalidated after files are uploaded to the destination bucket.

distribution_pathsOptional 
distribution_paths: typing.List[str]
  • Type: typing.List[str]
  • Default: All files under the destination bucket key prefix will be invalidated.

The file paths to invalidate in the CloudFront distribution.

ephemeral_storage_sizeOptional 
ephemeral_storage_size: Size
  • Type: aws_cdk.Size
  • Default: 512 MiB

The size of the AWS Lambda function’s /tmp directory in MiB.

excludeOptional 
exclude: typing.List[str]
  • Type: typing.List[str]
  • Default: No exclude filters are used

If this is set, matching files or objects will be excluded from the deployment's sync command.

This can be used to exclude a file from being pruned in the destination bucket.

If you want to just exclude files from the deployment package (which excludes these files evaluated when invalidating the asset), you should leverage the exclude property of AssetOptions when defining your source.

expiresOptional 
expires: Expiration
  • Type: aws_cdk.Expiration
  • Default: The objects in the distribution will not expire.

System-defined expires metadata to be set on all objects in the deployment.

extractOptional 
extract: bool
  • Type: bool
  • Default: true

If this is set, the zip file will be synced to the destination S3 bucket and extracted.

If false, the file will remain zipped in the destination bucket.

includeOptional 
include: typing.List[str]
  • Type: typing.List[str]
  • Default: No include filters are used and all files are included with the sync command

If this is set, matching files or objects will be included with the deployment's sync command.

Since all files from the deployment package are included by default, this property is usually leveraged alongside an exclude filter.

log_groupOptional 
log_group: ILogGroup
  • Type: aws_cdk.aws_logs.ILogGroup
  • Default: a default log group created by AWS Lambda

The Log Group used for logging of events emitted by the custom resource's lambda function.

Providing a user-controlled log group was rolled out to commercial regions on 2023-11-16. If you are deploying to another type of region, please check regional availability first.

log_retentionOptional 
log_retention: RetentionDays
  • Type: aws_cdk.aws_logs.RetentionDays
  • Default: logs.RetentionDays.INFINITE

The number of days that the lambda function's log events are kept in CloudWatch Logs.

This is a legacy API and we strongly recommend you migrate to logGroup if you can. logGroup allows you to create a fully customizable log group and instruct the Lambda function to send logs to it.

memory_limitOptional 
memory_limit: typing.Union[int, float]
  • Type: typing.Union[int, float]
  • Default: 128

The amount of memory (in MiB) to allocate to the AWS Lambda function which replicates the files from the CDK bucket to the destination bucket.

If you are deploying large files, you will need to increase this number accordingly.

metadataOptional 
metadata: typing.Mapping[str]
  • Type: typing.Mapping[str]
  • Default: No user metadata is set

User-defined object metadata to be set on all objects in the deployment.

output_object_keysOptional 
output_object_keys: bool
  • Type: bool
  • Default: true

If set to false, the custom resource will not send back the SourceObjectKeys.

This is useful when you are facing the error Response object is too long

See aws-cdk#28579

pruneOptional 
prune: bool
  • Type: bool
  • Default: true

If this is set to false, files in the destination bucket that do not exist in the asset, will NOT be deleted during deployment (create/update).

retain_on_deleteOptional 
retain_on_delete: bool
  • Type: bool
  • Default: true - when resource is deleted/updated, files are retained

If this is set to "false", the destination files will be deleted when the resource is deleted or the destination is updated.

NOTICE: Configuring this to "false" might have operational implications. Please visit to the package documentation referred below to make sure you fully understand those implications.

roleOptional 
role: IRole
  • Type: aws_cdk.aws_iam.IRole
  • Default: A role is automatically created

Execution role associated with this function.

server_side_encryptionOptional 
server_side_encryption: ServerSideEncryption
  • Type: aws_cdk.aws_s3_deployment.ServerSideEncryption
  • Default: Server side encryption is not used.

System-defined x-amz-server-side-encryption metadata to be set on all objects in the deployment.

server_side_encryption_aws_kms_key_idOptional 
server_side_encryption_aws_kms_key_id: str
  • Type: str
  • Default: Not set.

System-defined x-amz-server-side-encryption-aws-kms-key-id metadata to be set on all objects in the deployment.

server_side_encryption_customer_algorithmOptional 
server_side_encryption_customer_algorithm: str
  • Type: str
  • Default: Not set.

System-defined x-amz-server-side-encryption-customer-algorithm metadata to be set on all objects in the deployment.

Warning: This is not a useful parameter until this bug is fixed: aws-cdk#6080

sign_contentOptional 
sign_content: bool
  • Type: bool
  • Default: x-amz-content-sha256 will not be computed

If set to true, uploads will precompute the value of x-amz-content-sha256 and include it in the signed S3 request headers.

sourcesOptional 
sources: typing.List[ISource]
  • Type: typing.List[aws_cdk.aws_s3_deployment.ISource]

The sources from which to deploy the contents of this bucket.

storage_classOptional 
storage_class: StorageClass
  • Type: aws_cdk.aws_s3_deployment.StorageClass
  • Default: Default storage-class for the bucket is used.

System-defined x-amz-storage-class metadata to be set on all objects in the deployment.

use_efsOptional 
use_efs: bool
  • Type: bool
  • Default: No EFS. Lambda has access only to 512MB of disk space.

Mount an EFS file system.

Enable this if your assets are large and you encounter disk space errors. Enabling this option will require a VPC to be specified.

vpcOptional 
vpc: IVpc
  • Type: aws_cdk.aws_ec2.IVpc
  • Default: None

The VPC network to place the deployment lambda handler in.

This is required if useEfs is set.

vpc_subnetsOptional 
vpc_subnets: SubnetSelection
  • Type: aws_cdk.aws_ec2.SubnetSelection
  • Default: the Vpc default strategy if not specified

Where in the VPC to place the deployment lambda handler.

Only used if 'vpc' is supplied.

website_redirect_locationOptional 
website_redirect_location: str
  • Type: str
  • Default: No website redirection.

System-defined x-amz-website-redirect-location metadata to be set on all objects in the deployment.

CidrAllowList

Representation of a CIDR range.

Initializer 

import aws.pdk.static_website

aws.pdk.static_website.CidrAllowList(
  cidr_ranges: typing.List[str],
  cidr_type: str
)

Properties

Name Type Description
cidr_ranges typing.List[str] Specify an IPv4 address by using CIDR notation.
cidr_type str Type of CIDR range.
cidr_rangesRequired 
cidr_ranges: typing.List[str]
  • Type: typing.List[str]

Specify an IPv4 address by using CIDR notation.

For example: To configure AWS WAF to allow, block, or count requests that originated from the IP address 192.0.2.44, specify 192.0.2.44/32 . To configure AWS WAF to allow, block, or count requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24 .

For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing .

Specify an IPv6 address by using CIDR notation. For example: To configure AWS WAF to allow, block, or count requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128 . To configure AWS WAF to allow, block, or count requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64 .

cidr_typeRequired 
cidr_type: str
  • Type: str

Type of CIDR range.

CloudFrontWebAclProps

Properties to configure the web acl.

Initializer 

import aws.pdk.static_website

aws.pdk.static_website.CloudFrontWebAclProps(
  cidr_allow_list: CidrAllowList = None,
  disable: bool = None,
  managed_rules: typing.List[ManagedRule] = None
)

Properties

Name Type Description
cidr_allow_list CidrAllowList List of cidr ranges to allow.
disable bool Set to true to prevent creation of a web acl for the static website.
managed_rules typing.List[ManagedRule] List of managed rules to apply to the web acl.
cidr_allow_listOptional 
cidr_allow_list: CidrAllowList

List of cidr ranges to allow.

disableOptional 
disable: bool
  • Type: bool
  • Default: false

Set to true to prevent creation of a web acl for the static website.

managed_rulesOptional 
managed_rules: typing.List[ManagedRule]
  • Type: typing.List[ManagedRule]
  • Default: [{ vendor: "AWS", name: "AWSManagedRulesCommonRuleSet" }]

List of managed rules to apply to the web acl.

DistributionProps

DistributionProps.

Initializer 

import aws.pdk.static_website

aws.pdk.static_website.DistributionProps(
  additional_behaviors: typing.Mapping[BehaviorOptions] = None,
  certificate: ICertificate = None,
  comment: str = None,
  default_behavior: BehaviorOptions = None,
  default_root_object: str = None,
  domain_names: typing.List[str] = None,
  enabled: bool = None,
  enable_ipv6: bool = None,
  enable_logging: bool = None,
  error_responses: typing.List[ErrorResponse] = None,
  geo_restriction: GeoRestriction = None,
  http_version: HttpVersion = None,
  log_bucket: IBucket = None,
  log_file_prefix: str = None,
  log_includes_cookies: bool = None,
  minimum_protocol_version: SecurityPolicyProtocol = None,
  price_class: PriceClass = None,
  publish_additional_metrics: bool = None,
  ssl_support_method: SSLMethod = None,
  web_acl_id: str = None
)

Properties

Name Type Description
additional_behaviors typing.Mapping[aws_cdk.aws_cloudfront.BehaviorOptions] Additional behaviors for the distribution, mapped by the pathPattern that specifies which requests to apply the behavior to.
certificate aws_cdk.aws_certificatemanager.ICertificate A certificate to associate with the distribution.
comment str Any comments you want to include about the distribution.
default_behavior aws_cdk.aws_cloudfront.BehaviorOptions The default behavior for the distribution.
default_root_object str The object that you want CloudFront to request from your origin (for example, index.html) when a viewer requests the root URL for your distribution. If no default object is set, the request goes to the origin's root (e.g., example.com/).
domain_names typing.List[str] Alternative domain names for this distribution.
enabled bool Enable or disable the distribution.
enable_ipv6 bool Whether CloudFront will respond to IPv6 DNS requests with an IPv6 address.
enable_logging bool Enable access logging for the distribution.
error_responses typing.List[aws_cdk.aws_cloudfront.ErrorResponse] How CloudFront should handle requests that are not successful (e.g., PageNotFound).
geo_restriction aws_cdk.aws_cloudfront.GeoRestriction Controls the countries in which your content is distributed.
http_version aws_cdk.aws_cloudfront.HttpVersion Specify the maximum HTTP version that you want viewers to use to communicate with CloudFront.
log_bucket aws_cdk.aws_s3.IBucket The Amazon S3 bucket to store the access logs in.
log_file_prefix str An optional string that you want CloudFront to prefix to the access log filenames for this distribution.
log_includes_cookies bool Specifies whether you want CloudFront to include cookies in access logs.
minimum_protocol_version aws_cdk.aws_cloudfront.SecurityPolicyProtocol The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections.
price_class aws_cdk.aws_cloudfront.PriceClass The price class that corresponds with the maximum price that you want to pay for CloudFront service.
publish_additional_metrics bool Whether to enable additional CloudWatch metrics.
ssl_support_method aws_cdk.aws_cloudfront.SSLMethod The SSL method CloudFront will use for your distribution.
web_acl_id str Unique identifier that specifies the AWS WAF web ACL to associate with this CloudFront distribution.
additional_behaviorsOptional 
additional_behaviors: typing.Mapping[BehaviorOptions]
  • Type: typing.Mapping[aws_cdk.aws_cloudfront.BehaviorOptions]
  • Default: no additional behaviors are added.

Additional behaviors for the distribution, mapped by the pathPattern that specifies which requests to apply the behavior to.

certificateOptional 
certificate: ICertificate
  • Type: aws_cdk.aws_certificatemanager.ICertificate
  • Default: the CloudFront wildcard certificate (*.cloudfront.net) will be used.

A certificate to associate with the distribution.

The certificate must be located in N. Virginia (us-east-1).

commentOptional 
comment: str
  • Type: str
  • Default: no comment

Any comments you want to include about the distribution.

default_behaviorOptional 
default_behavior: BehaviorOptions
  • Type: aws_cdk.aws_cloudfront.BehaviorOptions

The default behavior for the distribution.

default_root_objectOptional 
default_root_object: str
  • Type: str
  • Default: no default root object

The object that you want CloudFront to request from your origin (for example, index.html) when a viewer requests the root URL for your distribution. If no default object is set, the request goes to the origin's root (e.g., example.com/).

domain_namesOptional 
domain_names: typing.List[str]
  • Type: typing.List[str]
  • Default: The distribution will only support the default generated name (e.g., d111111abcdef8.cloudfront.net)

Alternative domain names for this distribution.

If you want to use your own domain name, such as www.example.com, instead of the cloudfront.net domain name, you can add an alternate domain name to your distribution. If you attach a certificate to the distribution, you should add (at least one of) the domain names of the certificate to this list.

When you want to move a domain name between distributions, you can associate a certificate without specifying any domain names. For more information, see the Moving an alternate domain name to a different distribution section in the README.

enabledOptional 
enabled: bool
  • Type: bool
  • Default: true

Enable or disable the distribution.

enable_ipv6Optional 
enable_ipv6: bool
  • Type: bool
  • Default: true

Whether CloudFront will respond to IPv6 DNS requests with an IPv6 address.

If you specify false, CloudFront responds to IPv6 DNS requests with the DNS response code NOERROR and with no IP addresses. This allows viewers to submit a second request, for an IPv4 address for your distribution.

enable_loggingOptional 
enable_logging: bool
  • Type: bool
  • Default: false, unless logBucket is specified.

Enable access logging for the distribution.

error_responsesOptional 
error_responses: typing.List[ErrorResponse]
  • Type: typing.List[aws_cdk.aws_cloudfront.ErrorResponse]
  • Default: No custom error responses.

How CloudFront should handle requests that are not successful (e.g., PageNotFound).

geo_restrictionOptional 
geo_restriction: GeoRestriction
  • Type: aws_cdk.aws_cloudfront.GeoRestriction
  • Default: No geographic restrictions

Controls the countries in which your content is distributed.

http_versionOptional 
http_version: HttpVersion
  • Type: aws_cdk.aws_cloudfront.HttpVersion
  • Default: HttpVersion.HTTP2

Specify the maximum HTTP version that you want viewers to use to communicate with CloudFront.

For viewers and CloudFront to use HTTP/2, viewers must support TLS 1.2 or later, and must support server name identification (SNI).

log_bucketOptional 
log_bucket: IBucket
  • Type: aws_cdk.aws_s3.IBucket
  • Default: A bucket is created if enableLogging is true

The Amazon S3 bucket to store the access logs in.

Make sure to set objectOwnership to s3.ObjectOwnership.OBJECT_WRITER in your custom bucket.

log_file_prefixOptional 
log_file_prefix: str
  • Type: str
  • Default: no prefix

An optional string that you want CloudFront to prefix to the access log filenames for this distribution.

log_includes_cookiesOptional 
log_includes_cookies: bool
  • Type: bool
  • Default: false

Specifies whether you want CloudFront to include cookies in access logs.

minimum_protocol_versionOptional 
minimum_protocol_version: SecurityPolicyProtocol
  • Type: aws_cdk.aws_cloudfront.SecurityPolicyProtocol
  • Default: SecurityPolicyProtocol.TLS_V1_2_2021 if the 'aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021' feature flag is set; otherwise, SecurityPolicyProtocol.TLS_V1_2_2019.

The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections.

CloudFront serves your objects only to browsers or devices that support at least the SSL version that you specify.

price_classOptional 
price_class: PriceClass
  • Type: aws_cdk.aws_cloudfront.PriceClass
  • Default: PriceClass.PRICE_CLASS_ALL

The price class that corresponds with the maximum price that you want to pay for CloudFront service.

If you specify PriceClass_All, CloudFront responds to requests for your objects from all CloudFront edge locations. If you specify a price class other than PriceClass_All, CloudFront serves your objects from the CloudFront edge location that has the lowest latency among the edge locations in your price class.

publish_additional_metricsOptional 
publish_additional_metrics: bool
  • Type: bool
  • Default: false

Whether to enable additional CloudWatch metrics.

ssl_support_methodOptional 
ssl_support_method: SSLMethod
  • Type: aws_cdk.aws_cloudfront.SSLMethod
  • Default: SSLMethod.SNI

The SSL method CloudFront will use for your distribution.

Server Name Indication (SNI) - is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate.

CloudFront can use SNI to host multiple distributions on the same IP - which a large majority of clients will support.

If your clients cannot support SNI however - CloudFront can use dedicated IPs for your distribution - but there is a prorated monthly charge for using this feature. By default, we use SNI - but you can optionally enable dedicated IPs (VIP).

See the CloudFront SSL for more details about pricing : https://aws.amazon.com/cloudfront/custom-ssl-domains/

web_acl_idOptional 
web_acl_id: str
  • Type: str
  • Default: No AWS Web Application Firewall web access control list (web ACL).

Unique identifier that specifies the AWS WAF web ACL to associate with this CloudFront distribution.

To specify a web ACL created using the latest version of AWS WAF, use the ACL ARN, for example arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a. To specify a web ACL created using AWS WAF Classic, use the ACL ID, for example 473e64fd-f30b-4765-81a0-62ad96dd167a.

ManagedRule

Represents a WAF V2 managed rule.

Initializer 

import aws.pdk.static_website

aws.pdk.static_website.ManagedRule(
  name: str,
  vendor: str
)

Properties

Name Type Description
name str The name of the managed rule group.
vendor str The name of the managed rule group vendor.
nameRequired 
name: str
  • Type: str

The name of the managed rule group.

You use this, along with the vendor name, to identify the rule group.

vendorRequired 
vendor: str
  • Type: str

The name of the managed rule group vendor.

You use this, along with the rule group name, to identify the rule group.

RuntimeOptions

Dynamic configuration which gets resolved only during deployment.

Example

# Example automatically generated from non-compiling source. May contain errors.
# Will store a JSON file called runtime-config.json in the root of the StaticWebsite S3 bucket containing any
# and all resolved values.
runtime_config = {"json_payload": {"bucket_arn": s3_bucket.bucket_arn}}
StaticWebsite(scope, "StaticWebsite", website_content_path="path/to/website", runtime_config=runtime_config)

Initializer 

import aws.pdk.static_website

aws.pdk.static_website.RuntimeOptions(
  json_payload: typing.Any,
  json_file_name: str = None
)

Properties

Name Type Description
json_payload typing.Any Arbitrary JSON payload containing runtime values to deploy.
json_file_name str File name to store runtime configuration (jsonPayload).
json_payloadRequired 
json_payload: typing.Any
  • Type: typing.Any

Arbitrary JSON payload containing runtime values to deploy.

Typically this contains resourceArns, etc which are only known at deploy time.

Example

# Example automatically generated from non-compiling source. May contain errors.
userPoolId: some.userPool.userPoolId, someResourceArnsome.resource.Arn
json_file_nameOptional 
json_file_name: str
  • Type: str
  • Default: "runtime-config.json"

File name to store runtime configuration (jsonPayload).

Must follow pattern: '*.json'

StaticWebsiteProps

Properties for configuring the StaticWebsite.

Initializer 

import aws.pdk.static_website

aws.pdk.static_website.StaticWebsiteProps(
  website_content_path: str,
  bucket_deployment_props: BucketDeploymentProps = None,
  default_website_bucket_encryption: BucketEncryption = None,
  default_website_bucket_encryption_key: Key = None,
  distribution_props: DistributionProps = None,
  runtime_options: RuntimeOptions = None,
  web_acl_props: CloudFrontWebAclProps = None,
  website_bucket: IBucket = None
)

Properties

Name Type Description
website_content_path str Path to the directory containing the static website files and assets.
bucket_deployment_props BucketDeploymentProps Custom bucket deployment properties.
default_website_bucket_encryption aws_cdk.aws_s3.BucketEncryption Bucket encryption to use for the default bucket.
default_website_bucket_encryption_key aws_cdk.aws_kms.Key A predefined KMS customer encryption key to use for the default bucket that gets created.
distribution_props DistributionProps Custom distribution properties.
runtime_options RuntimeOptions Dynamic configuration which gets resolved only during deployment.
web_acl_props CloudFrontWebAclProps Limited configuration settings for the generated webAcl.
website_bucket aws_cdk.aws_s3.IBucket Predefined bucket to deploy the website into.
website_content_pathRequired 
website_content_path: str
  • Type: str

Path to the directory containing the static website files and assets.

This directory must contain an index.html file.

bucket_deployment_propsOptional 
bucket_deployment_props: BucketDeploymentProps

Custom bucket deployment properties.
default_website_bucket_encryptionOptional 
default_website_bucket_encryption: BucketEncryption
  • Type: aws_cdk.aws_s3.BucketEncryption
  • Default: "S3MANAGED"

Bucket encryption to use for the default bucket.

Supported options are KMS or S3MANAGED.

Note: If planning to use KMS, ensure you associate a Lambda Edge function to sign requests to S3 as OAI does not currently support KMS encryption. Refer to {@link https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/}

default_website_bucket_encryption_keyOptional 
default_website_bucket_encryption_key: Key
  • Type: aws_cdk.aws_kms.Key

A predefined KMS customer encryption key to use for the default bucket that gets created.

Note: This is only used if the websiteBucket is left undefined, otherwise all settings from the provided websiteBucket will be used.

distribution_propsOptional 
distribution_props: DistributionProps

Custom distribution properties.

Note: defaultBehaviour.origin is a required parameter, however it will not be used as this construct will wire it on your behalf. You will need to pass in an instance of StaticWebsiteOrigin (NoOp) to keep the compiler happy.

runtime_optionsOptional 
runtime_options: RuntimeOptions

Dynamic configuration which gets resolved only during deployment.

web_acl_propsOptional 
web_acl_props: CloudFrontWebAclProps

Limited configuration settings for the generated webAcl.

For more advanced settings, create your own ACL and pass in the webAclId as a param to distributionProps.

Note: If pass in your own ACL, make sure the SCOPE is CLOUDFRONT and it is created in us-east-1.

website_bucketOptional 
website_bucket: IBucket
  • Type: aws_cdk.aws_s3.IBucket

Predefined bucket to deploy the website into.

Classes

StaticWebsiteOrigin

  • Implements: aws_cdk.aws_cloudfront.IOrigin

If passing in distributionProps, the default behaviour.origin is a required parameter. An instance of this class can be passed in to make the compiler happy.

Initializers 

import aws.pdk.static_website

aws.pdk.static_website.StaticWebsiteOrigin()
Name Type Description

Methods

Name Description
bind The method called when a given Origin is added (for the first time) to a Distribution.
bind 
def bind(
  _scope: Construct,
  origin_id: str,
  distribution_id: str = None
) -> OriginBindConfig

The method called when a given Origin is added (for the first time) to a Distribution.

_scopeRequired
  • Type: constructs.Construct
origin_idRequired
  • Type: str

The identifier of this Origin, as assigned by the Distribution this Origin has been used added to.

distribution_idOptional
  • Type: str
  • Default: no distribution id

The identifier of the Distribution this Origin is used for.

This is used to grant origin access permissions to the distribution for origin access control.

Last update: 2025-07-17