Skip to content

API Reference

Constructs

CloudfrontWebAcl

This construct creates a WAFv2 Web ACL for cloudfront in the us-east-1 region (required for cloudfront) no matter the region of the parent cdk stack.

Initializers 

import { CloudfrontWebAcl } from '@aws/pdk/static-website'

new CloudfrontWebAcl(scope: Construct, id: string, props?: CloudFrontWebAclProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props CloudFrontWebAclProps No description.
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
propsOptional

Methods

Name Description
toString Returns a string representation of this construct.
toString 
public toString(): string

Returns a string representation of this construct.

Static Functions

Name Description
isConstruct Checks if x is a construct.
isConstruct 
import { CloudfrontWebAcl } from '@aws/pdk/static-website'

CloudfrontWebAcl.isConstruct(x: any)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

xRequired
  • Type: any

Any object.

Properties

Name Type Description
node constructs.Node The tree node.
webAclArn string No description.
webAclId string No description.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

webAclArnRequired 
public readonly webAclArn: string;
  • Type: string
webAclIdRequired 
public readonly webAclId: string;
  • Type: string

StaticWebsite

Deploys a Static Website using by default a private S3 bucket as an origin and Cloudfront as the entrypoint.

This construct configures a webAcl containing rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including some of the high risk and commonly occurring vulnerabilities described in OWASP publications such as OWASP Top 10.

Initializers 

import { StaticWebsite } from '@aws/pdk/static-website'

new StaticWebsite(scope: Construct, id: string, props: StaticWebsiteProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props StaticWebsiteProps No description.
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
propsRequired

Methods

Name Description
toString Returns a string representation of this construct.
toString 
public toString(): string

Returns a string representation of this construct.

Static Functions

Name Description
isConstruct Checks if x is a construct.
isConstruct 
import { StaticWebsite } from '@aws/pdk/static-website'

StaticWebsite.isConstruct(x: any)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

xRequired
  • Type: any

Any object.

Properties

Name Type Description
node constructs.Node The tree node.
bucketDeployment aws-cdk-lib.aws_s3_deployment.BucketDeployment No description.
cloudFrontDistribution aws-cdk-lib.aws_cloudfront.Distribution No description.
websiteBucket aws-cdk-lib.aws_s3.IBucket No description.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

bucketDeploymentRequired 
public readonly bucketDeployment: BucketDeployment;
  • Type: aws-cdk-lib.aws_s3_deployment.BucketDeployment
cloudFrontDistributionRequired 
public readonly cloudFrontDistribution: Distribution;
  • Type: aws-cdk-lib.aws_cloudfront.Distribution
websiteBucketRequired 
public readonly websiteBucket: IBucket;
  • Type: aws-cdk-lib.aws_s3.IBucket

Structs

BucketDeploymentProps

BucketDeploymentProps.

Initializer 

import { BucketDeploymentProps } from '@aws/pdk/static-website'

const bucketDeploymentProps: BucketDeploymentProps = { ... }

Properties

Name Type Description
accessControl aws-cdk-lib.aws_s3.BucketAccessControl System-defined x-amz-acl metadata to be set on all objects in the deployment.
cacheControl aws-cdk-lib.aws_s3_deployment.CacheControl[] System-defined cache-control metadata to be set on all objects in the deployment.
contentDisposition string System-defined cache-disposition metadata to be set on all objects in the deployment.
contentEncoding string System-defined content-encoding metadata to be set on all objects in the deployment.
contentLanguage string System-defined content-language metadata to be set on all objects in the deployment.
contentType string System-defined content-type metadata to be set on all objects in the deployment.
destinationBucket aws-cdk-lib.aws_s3.IBucket The S3 bucket to sync the contents of the zip file to.
destinationKeyPrefix string Key prefix in the destination bucket.
distribution aws-cdk-lib.aws_cloudfront.IDistribution The CloudFront distribution using the destination bucket as an origin.
distributionPaths string[] The file paths to invalidate in the CloudFront distribution.
ephemeralStorageSize aws-cdk-lib.Size The size of the AWS Lambda function’s /tmp directory in MiB.
exclude string[] If this is set, matching files or objects will be excluded from the deployment's sync command.
expires aws-cdk-lib.Expiration System-defined expires metadata to be set on all objects in the deployment.
extract boolean If this is set, the zip file will be synced to the destination S3 bucket and extracted.
include string[] If this is set, matching files or objects will be included with the deployment's sync command.
logGroup aws-cdk-lib.aws_logs.ILogGroup The Log Group used for logging of events emitted by the custom resource's lambda function.
logRetention aws-cdk-lib.aws_logs.RetentionDays The number of days that the lambda function's log events are kept in CloudWatch Logs.
memoryLimit number The amount of memory (in MiB) to allocate to the AWS Lambda function which replicates the files from the CDK bucket to the destination bucket.
metadata {[ key: string ]: string} User-defined object metadata to be set on all objects in the deployment.
outputObjectKeys boolean If set to false, the custom resource will not send back the SourceObjectKeys.
prune boolean If this is set to false, files in the destination bucket that do not exist in the asset, will NOT be deleted during deployment (create/update).
retainOnDelete boolean If this is set to "false", the destination files will be deleted when the resource is deleted or the destination is updated.
role aws-cdk-lib.aws_iam.IRole Execution role associated with this function.
serverSideEncryption aws-cdk-lib.aws_s3_deployment.ServerSideEncryption System-defined x-amz-server-side-encryption metadata to be set on all objects in the deployment.
serverSideEncryptionAwsKmsKeyId string System-defined x-amz-server-side-encryption-aws-kms-key-id metadata to be set on all objects in the deployment.
serverSideEncryptionCustomerAlgorithm string System-defined x-amz-server-side-encryption-customer-algorithm metadata to be set on all objects in the deployment.
signContent boolean If set to true, uploads will precompute the value of x-amz-content-sha256 and include it in the signed S3 request headers.
sources aws-cdk-lib.aws_s3_deployment.ISource[] The sources from which to deploy the contents of this bucket.
storageClass aws-cdk-lib.aws_s3_deployment.StorageClass System-defined x-amz-storage-class metadata to be set on all objects in the deployment.
useEfs boolean Mount an EFS file system.
vpc aws-cdk-lib.aws_ec2.IVpc The VPC network to place the deployment lambda handler in.
vpcSubnets aws-cdk-lib.aws_ec2.SubnetSelection Where in the VPC to place the deployment lambda handler.
websiteRedirectLocation string System-defined x-amz-website-redirect-location metadata to be set on all objects in the deployment.
accessControlOptional 
public readonly accessControl: BucketAccessControl;
  • Type: aws-cdk-lib.aws_s3.BucketAccessControl
  • Default: Not set.

System-defined x-amz-acl metadata to be set on all objects in the deployment.

cacheControlOptional 
public readonly cacheControl: CacheControl[];
  • Type: aws-cdk-lib.aws_s3_deployment.CacheControl[]
  • Default: Not set.

System-defined cache-control metadata to be set on all objects in the deployment.

contentDispositionOptional 
public readonly contentDisposition: string;
  • Type: string
  • Default: Not set.

System-defined cache-disposition metadata to be set on all objects in the deployment.

contentEncodingOptional 
public readonly contentEncoding: string;
  • Type: string
  • Default: Not set.

System-defined content-encoding metadata to be set on all objects in the deployment.

contentLanguageOptional 
public readonly contentLanguage: string;
  • Type: string
  • Default: Not set.

System-defined content-language metadata to be set on all objects in the deployment.

contentTypeOptional 
public readonly contentType: string;
  • Type: string
  • Default: Not set.

System-defined content-type metadata to be set on all objects in the deployment.

destinationBucketOptional 
public readonly destinationBucket: IBucket;
  • Type: aws-cdk-lib.aws_s3.IBucket

The S3 bucket to sync the contents of the zip file to.

destinationKeyPrefixOptional 
public readonly destinationKeyPrefix: string;
  • Type: string
  • Default: "/" (unzip to root of the destination bucket)

Key prefix in the destination bucket.

Must be <=104 characters

distributionOptional 
public readonly distribution: IDistribution;
  • Type: aws-cdk-lib.aws_cloudfront.IDistribution
  • Default: No invalidation occurs

The CloudFront distribution using the destination bucket as an origin.

Files in the distribution's edge caches will be invalidated after files are uploaded to the destination bucket.

distributionPathsOptional 
public readonly distributionPaths: string[];
  • Type: string[]
  • Default: All files under the destination bucket key prefix will be invalidated.

The file paths to invalidate in the CloudFront distribution.

ephemeralStorageSizeOptional 
public readonly ephemeralStorageSize: Size;
  • Type: aws-cdk-lib.Size
  • Default: 512 MiB

The size of the AWS Lambda function’s /tmp directory in MiB.

excludeOptional 
public readonly exclude: string[];
  • Type: string[]
  • Default: No exclude filters are used

If this is set, matching files or objects will be excluded from the deployment's sync command.

This can be used to exclude a file from being pruned in the destination bucket.

If you want to just exclude files from the deployment package (which excludes these files evaluated when invalidating the asset), you should leverage the exclude property of AssetOptions when defining your source.

expiresOptional 
public readonly expires: Expiration;
  • Type: aws-cdk-lib.Expiration
  • Default: The objects in the distribution will not expire.

System-defined expires metadata to be set on all objects in the deployment.

extractOptional 
public readonly extract: boolean;
  • Type: boolean
  • Default: true

If this is set, the zip file will be synced to the destination S3 bucket and extracted.

If false, the file will remain zipped in the destination bucket.

includeOptional 
public readonly include: string[];
  • Type: string[]
  • Default: No include filters are used and all files are included with the sync command

If this is set, matching files or objects will be included with the deployment's sync command.

Since all files from the deployment package are included by default, this property is usually leveraged alongside an exclude filter.

logGroupOptional 
public readonly logGroup: ILogGroup;
  • Type: aws-cdk-lib.aws_logs.ILogGroup
  • Default: a default log group created by AWS Lambda

The Log Group used for logging of events emitted by the custom resource's lambda function.

Providing a user-controlled log group was rolled out to commercial regions on 2023-11-16. If you are deploying to another type of region, please check regional availability first.

logRetentionOptional 
public readonly logRetention: RetentionDays;
  • Type: aws-cdk-lib.aws_logs.RetentionDays
  • Default: logs.RetentionDays.INFINITE

The number of days that the lambda function's log events are kept in CloudWatch Logs.

This is a legacy API and we strongly recommend you migrate to logGroup if you can. logGroup allows you to create a fully customizable log group and instruct the Lambda function to send logs to it.

memoryLimitOptional 
public readonly memoryLimit: number;
  • Type: number
  • Default: 128

The amount of memory (in MiB) to allocate to the AWS Lambda function which replicates the files from the CDK bucket to the destination bucket.

If you are deploying large files, you will need to increase this number accordingly.

metadataOptional 
public readonly metadata: {[ key: string ]: string};
  • Type: {[ key: string ]: string}
  • Default: No user metadata is set

User-defined object metadata to be set on all objects in the deployment.

outputObjectKeysOptional 
public readonly outputObjectKeys: boolean;
  • Type: boolean
  • Default: true

If set to false, the custom resource will not send back the SourceObjectKeys.

This is useful when you are facing the error Response object is too long

See aws-cdk#28579

pruneOptional 
public readonly prune: boolean;
  • Type: boolean
  • Default: true

If this is set to false, files in the destination bucket that do not exist in the asset, will NOT be deleted during deployment (create/update).

retainOnDeleteOptional 
public readonly retainOnDelete: boolean;
  • Type: boolean
  • Default: true - when resource is deleted/updated, files are retained

If this is set to "false", the destination files will be deleted when the resource is deleted or the destination is updated.

NOTICE: Configuring this to "false" might have operational implications. Please visit to the package documentation referred below to make sure you fully understand those implications.

roleOptional 
public readonly role: IRole;
  • Type: aws-cdk-lib.aws_iam.IRole
  • Default: A role is automatically created

Execution role associated with this function.

serverSideEncryptionOptional 
public readonly serverSideEncryption: ServerSideEncryption;
  • Type: aws-cdk-lib.aws_s3_deployment.ServerSideEncryption
  • Default: Server side encryption is not used.

System-defined x-amz-server-side-encryption metadata to be set on all objects in the deployment.

serverSideEncryptionAwsKmsKeyIdOptional 
public readonly serverSideEncryptionAwsKmsKeyId: string;
  • Type: string
  • Default: Not set.

System-defined x-amz-server-side-encryption-aws-kms-key-id metadata to be set on all objects in the deployment.

serverSideEncryptionCustomerAlgorithmOptional 
public readonly serverSideEncryptionCustomerAlgorithm: string;
  • Type: string
  • Default: Not set.

System-defined x-amz-server-side-encryption-customer-algorithm metadata to be set on all objects in the deployment.

Warning: This is not a useful parameter until this bug is fixed: aws-cdk#6080

signContentOptional 
public readonly signContent: boolean;
  • Type: boolean
  • Default: x-amz-content-sha256 will not be computed

If set to true, uploads will precompute the value of x-amz-content-sha256 and include it in the signed S3 request headers.

sourcesOptional 
public readonly sources: ISource[];
  • Type: aws-cdk-lib.aws_s3_deployment.ISource[]

The sources from which to deploy the contents of this bucket.

storageClassOptional 
public readonly storageClass: StorageClass;
  • Type: aws-cdk-lib.aws_s3_deployment.StorageClass
  • Default: Default storage-class for the bucket is used.

System-defined x-amz-storage-class metadata to be set on all objects in the deployment.

useEfsOptional 
public readonly useEfs: boolean;
  • Type: boolean
  • Default: No EFS. Lambda has access only to 512MB of disk space.

Mount an EFS file system.

Enable this if your assets are large and you encounter disk space errors. Enabling this option will require a VPC to be specified.

vpcOptional 
public readonly vpc: IVpc;
  • Type: aws-cdk-lib.aws_ec2.IVpc
  • Default: None

The VPC network to place the deployment lambda handler in.

This is required if useEfs is set.

vpcSubnetsOptional 
public readonly vpcSubnets: SubnetSelection;
  • Type: aws-cdk-lib.aws_ec2.SubnetSelection
  • Default: the Vpc default strategy if not specified

Where in the VPC to place the deployment lambda handler.

Only used if 'vpc' is supplied.

websiteRedirectLocationOptional 
public readonly websiteRedirectLocation: string;
  • Type: string
  • Default: No website redirection.

System-defined x-amz-website-redirect-location metadata to be set on all objects in the deployment.

CidrAllowList

Representation of a CIDR range.

Initializer 

import { CidrAllowList } from '@aws/pdk/static-website'

const cidrAllowList: CidrAllowList = { ... }

Properties

Name Type Description
cidrRanges string[] Specify an IPv4 address by using CIDR notation.
cidrType string Type of CIDR range.
cidrRangesRequired 
public readonly cidrRanges: string[];
  • Type: string[]

Specify an IPv4 address by using CIDR notation.

For example: To configure AWS WAF to allow, block, or count requests that originated from the IP address 192.0.2.44, specify 192.0.2.44/32 . To configure AWS WAF to allow, block, or count requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24 .

For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing .

Specify an IPv6 address by using CIDR notation. For example: To configure AWS WAF to allow, block, or count requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128 . To configure AWS WAF to allow, block, or count requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64 .

cidrTypeRequired 
public readonly cidrType: string;
  • Type: string

Type of CIDR range.

CloudFrontWebAclProps

Properties to configure the web acl.

Initializer 

import { CloudFrontWebAclProps } from '@aws/pdk/static-website'

const cloudFrontWebAclProps: CloudFrontWebAclProps = { ... }

Properties

Name Type Description
cidrAllowList CidrAllowList List of cidr ranges to allow.
disable boolean Set to true to prevent creation of a web acl for the static website.
managedRules ManagedRule[] List of managed rules to apply to the web acl.
cidrAllowListOptional 
public readonly cidrAllowList: CidrAllowList;

List of cidr ranges to allow.

disableOptional 
public readonly disable: boolean;
  • Type: boolean
  • Default: false

Set to true to prevent creation of a web acl for the static website.

managedRulesOptional 
public readonly managedRules: ManagedRule[];
  • Type: ManagedRule[]
  • Default: [{ vendor: "AWS", name: "AWSManagedRulesCommonRuleSet" }]

List of managed rules to apply to the web acl.

DistributionProps

DistributionProps.

Initializer 

import { DistributionProps } from '@aws/pdk/static-website'

const distributionProps: DistributionProps = { ... }

Properties

Name Type Description
additionalBehaviors {[ key: string ]: aws-cdk-lib.aws_cloudfront.BehaviorOptions} Additional behaviors for the distribution, mapped by the pathPattern that specifies which requests to apply the behavior to.
certificate aws-cdk-lib.aws_certificatemanager.ICertificate A certificate to associate with the distribution.
comment string Any comments you want to include about the distribution.
defaultBehavior aws-cdk-lib.aws_cloudfront.BehaviorOptions The default behavior for the distribution.
defaultRootObject string The object that you want CloudFront to request from your origin (for example, index.html) when a viewer requests the root URL for your distribution. If no default object is set, the request goes to the origin's root (e.g., example.com/).
domainNames string[] Alternative domain names for this distribution.
enabled boolean Enable or disable the distribution.
enableIpv6 boolean Whether CloudFront will respond to IPv6 DNS requests with an IPv6 address.
enableLogging boolean Enable access logging for the distribution.
errorResponses aws-cdk-lib.aws_cloudfront.ErrorResponse[] How CloudFront should handle requests that are not successful (e.g., PageNotFound).
geoRestriction aws-cdk-lib.aws_cloudfront.GeoRestriction Controls the countries in which your content is distributed.
httpVersion aws-cdk-lib.aws_cloudfront.HttpVersion Specify the maximum HTTP version that you want viewers to use to communicate with CloudFront.
logBucket aws-cdk-lib.aws_s3.IBucket The Amazon S3 bucket to store the access logs in.
logFilePrefix string An optional string that you want CloudFront to prefix to the access log filenames for this distribution.
logIncludesCookies boolean Specifies whether you want CloudFront to include cookies in access logs.
minimumProtocolVersion aws-cdk-lib.aws_cloudfront.SecurityPolicyProtocol The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections.
priceClass aws-cdk-lib.aws_cloudfront.PriceClass The price class that corresponds with the maximum price that you want to pay for CloudFront service.
publishAdditionalMetrics boolean Whether to enable additional CloudWatch metrics.
sslSupportMethod aws-cdk-lib.aws_cloudfront.SSLMethod The SSL method CloudFront will use for your distribution.
webAclId string Unique identifier that specifies the AWS WAF web ACL to associate with this CloudFront distribution.
additionalBehaviorsOptional 
public readonly additionalBehaviors: {[ key: string ]: BehaviorOptions};
  • Type: {[ key: string ]: aws-cdk-lib.aws_cloudfront.BehaviorOptions}
  • Default: no additional behaviors are added.

Additional behaviors for the distribution, mapped by the pathPattern that specifies which requests to apply the behavior to.

certificateOptional 
public readonly certificate: ICertificate;
  • Type: aws-cdk-lib.aws_certificatemanager.ICertificate
  • Default: the CloudFront wildcard certificate (*.cloudfront.net) will be used.

A certificate to associate with the distribution.

The certificate must be located in N. Virginia (us-east-1).

commentOptional 
public readonly comment: string;
  • Type: string
  • Default: no comment

Any comments you want to include about the distribution.

defaultBehaviorOptional 
public readonly defaultBehavior: BehaviorOptions;
  • Type: aws-cdk-lib.aws_cloudfront.BehaviorOptions

The default behavior for the distribution.

defaultRootObjectOptional 
public readonly defaultRootObject: string;
  • Type: string
  • Default: no default root object

The object that you want CloudFront to request from your origin (for example, index.html) when a viewer requests the root URL for your distribution. If no default object is set, the request goes to the origin's root (e.g., example.com/).

domainNamesOptional 
public readonly domainNames: string[];
  • Type: string[]
  • Default: The distribution will only support the default generated name (e.g., d111111abcdef8.cloudfront.net)

Alternative domain names for this distribution.

If you want to use your own domain name, such as www.example.com, instead of the cloudfront.net domain name, you can add an alternate domain name to your distribution. If you attach a certificate to the distribution, you should add (at least one of) the domain names of the certificate to this list.

When you want to move a domain name between distributions, you can associate a certificate without specifying any domain names. For more information, see the Moving an alternate domain name to a different distribution section in the README.

enabledOptional 
public readonly enabled: boolean;
  • Type: boolean
  • Default: true

Enable or disable the distribution.

enableIpv6Optional 
public readonly enableIpv6: boolean;
  • Type: boolean
  • Default: true

Whether CloudFront will respond to IPv6 DNS requests with an IPv6 address.

If you specify false, CloudFront responds to IPv6 DNS requests with the DNS response code NOERROR and with no IP addresses. This allows viewers to submit a second request, for an IPv4 address for your distribution.

enableLoggingOptional 
public readonly enableLogging: boolean;
  • Type: boolean
  • Default: false, unless logBucket is specified.

Enable access logging for the distribution.

errorResponsesOptional 
public readonly errorResponses: ErrorResponse[];
  • Type: aws-cdk-lib.aws_cloudfront.ErrorResponse[]
  • Default: No custom error responses.

How CloudFront should handle requests that are not successful (e.g., PageNotFound).

geoRestrictionOptional 
public readonly geoRestriction: GeoRestriction;
  • Type: aws-cdk-lib.aws_cloudfront.GeoRestriction
  • Default: No geographic restrictions

Controls the countries in which your content is distributed.

httpVersionOptional 
public readonly httpVersion: HttpVersion;
  • Type: aws-cdk-lib.aws_cloudfront.HttpVersion
  • Default: HttpVersion.HTTP2

Specify the maximum HTTP version that you want viewers to use to communicate with CloudFront.

For viewers and CloudFront to use HTTP/2, viewers must support TLS 1.2 or later, and must support server name identification (SNI).

logBucketOptional 
public readonly logBucket: IBucket;
  • Type: aws-cdk-lib.aws_s3.IBucket
  • Default: A bucket is created if enableLogging is true

The Amazon S3 bucket to store the access logs in.

Make sure to set objectOwnership to s3.ObjectOwnership.OBJECT_WRITER in your custom bucket.

logFilePrefixOptional 
public readonly logFilePrefix: string;
  • Type: string
  • Default: no prefix

An optional string that you want CloudFront to prefix to the access log filenames for this distribution.

logIncludesCookiesOptional 
public readonly logIncludesCookies: boolean;
  • Type: boolean
  • Default: false

Specifies whether you want CloudFront to include cookies in access logs.

minimumProtocolVersionOptional 
public readonly minimumProtocolVersion: SecurityPolicyProtocol;
  • Type: aws-cdk-lib.aws_cloudfront.SecurityPolicyProtocol
  • Default: SecurityPolicyProtocol.TLS_V1_2_2021 if the 'aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021' feature flag is set; otherwise, SecurityPolicyProtocol.TLS_V1_2_2019.

The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections.

CloudFront serves your objects only to browsers or devices that support at least the SSL version that you specify.

priceClassOptional 
public readonly priceClass: PriceClass;
  • Type: aws-cdk-lib.aws_cloudfront.PriceClass
  • Default: PriceClass.PRICE_CLASS_ALL

The price class that corresponds with the maximum price that you want to pay for CloudFront service.

If you specify PriceClass_All, CloudFront responds to requests for your objects from all CloudFront edge locations. If you specify a price class other than PriceClass_All, CloudFront serves your objects from the CloudFront edge location that has the lowest latency among the edge locations in your price class.

publishAdditionalMetricsOptional 
public readonly publishAdditionalMetrics: boolean;
  • Type: boolean
  • Default: false

Whether to enable additional CloudWatch metrics.

sslSupportMethodOptional 
public readonly sslSupportMethod: SSLMethod;
  • Type: aws-cdk-lib.aws_cloudfront.SSLMethod
  • Default: SSLMethod.SNI

The SSL method CloudFront will use for your distribution.

Server Name Indication (SNI) - is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate.

CloudFront can use SNI to host multiple distributions on the same IP - which a large majority of clients will support.

If your clients cannot support SNI however - CloudFront can use dedicated IPs for your distribution - but there is a prorated monthly charge for using this feature. By default, we use SNI - but you can optionally enable dedicated IPs (VIP).

See the CloudFront SSL for more details about pricing : https://aws.amazon.com/cloudfront/custom-ssl-domains/

webAclIdOptional 
public readonly webAclId: string;
  • Type: string
  • Default: No AWS Web Application Firewall web access control list (web ACL).

Unique identifier that specifies the AWS WAF web ACL to associate with this CloudFront distribution.

To specify a web ACL created using the latest version of AWS WAF, use the ACL ARN, for example arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a. To specify a web ACL created using AWS WAF Classic, use the ACL ID, for example 473e64fd-f30b-4765-81a0-62ad96dd167a.

ManagedRule

Represents a WAF V2 managed rule.

Initializer 

import { ManagedRule } from '@aws/pdk/static-website'

const managedRule: ManagedRule = { ... }

Properties

Name Type Description
name string The name of the managed rule group.
vendor string The name of the managed rule group vendor.
nameRequired 
public readonly name: string;
  • Type: string

The name of the managed rule group.

You use this, along with the vendor name, to identify the rule group.

vendorRequired 
public readonly vendor: string;
  • Type: string

The name of the managed rule group vendor.

You use this, along with the rule group name, to identify the rule group.

RuntimeOptions

Dynamic configuration which gets resolved only during deployment.

Example

// Will store a JSON file called runtime-config.json in the root of the StaticWebsite S3 bucket containing any
// and all resolved values.
const runtimeConfig = {jsonPayload: {bucketArn: s3Bucket.bucketArn}};
new StaticWebsite(scope, 'StaticWebsite', {websiteContentPath: 'path/to/website', runtimeConfig});

Initializer 

import { RuntimeOptions } from '@aws/pdk/static-website'

const runtimeOptions: RuntimeOptions = { ... }

Properties

Name Type Description
jsonPayload any Arbitrary JSON payload containing runtime values to deploy.
jsonFileName string File name to store runtime configuration (jsonPayload).
jsonPayloadRequired 
public readonly jsonPayload: any;
  • Type: any

Arbitrary JSON payload containing runtime values to deploy.

Typically this contains resourceArns, etc which are only known at deploy time.

Example

{ userPoolId: some.userPool.userPoolId, someResourceArn: some.resource.Arn }
jsonFileNameOptional 
public readonly jsonFileName: string;
  • Type: string
  • Default: "runtime-config.json"

File name to store runtime configuration (jsonPayload).

Must follow pattern: '*.json'

StaticWebsiteProps

Properties for configuring the StaticWebsite.

Initializer 

import { StaticWebsiteProps } from '@aws/pdk/static-website'

const staticWebsiteProps: StaticWebsiteProps = { ... }

Properties

Name Type Description
websiteContentPath string Path to the directory containing the static website files and assets.
bucketDeploymentProps BucketDeploymentProps Custom bucket deployment properties.
defaultWebsiteBucketEncryption aws-cdk-lib.aws_s3.BucketEncryption Bucket encryption to use for the default bucket.
defaultWebsiteBucketEncryptionKey aws-cdk-lib.aws_kms.Key A predefined KMS customer encryption key to use for the default bucket that gets created.
distributionProps DistributionProps Custom distribution properties.
runtimeOptions RuntimeOptions Dynamic configuration which gets resolved only during deployment.
webAclProps CloudFrontWebAclProps Limited configuration settings for the generated webAcl.
websiteBucket aws-cdk-lib.aws_s3.IBucket Predefined bucket to deploy the website into.
websiteContentPathRequired 
public readonly websiteContentPath: string;
  • Type: string

Path to the directory containing the static website files and assets.

This directory must contain an index.html file.

bucketDeploymentPropsOptional 
public readonly bucketDeploymentProps: BucketDeploymentProps;

Custom bucket deployment properties.

---

##### `defaultWebsiteBucketEncryption`<sup>Optional</sup> <a name="defaultWebsiteBucketEncryption" id="@aws/pdk/static-website.StaticWebsiteProps.property.defaultWebsiteBucketEncryption"></a>

```typescript
public readonly defaultWebsiteBucketEncryption: BucketEncryption;
  • Type: aws-cdk-lib.aws_s3.BucketEncryption
  • Default: "S3MANAGED"

Bucket encryption to use for the default bucket.

Supported options are KMS or S3MANAGED.

Note: If planning to use KMS, ensure you associate a Lambda Edge function to sign requests to S3 as OAI does not currently support KMS encryption. Refer to {@link https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/}

defaultWebsiteBucketEncryptionKeyOptional 
public readonly defaultWebsiteBucketEncryptionKey: Key;
  • Type: aws-cdk-lib.aws_kms.Key

A predefined KMS customer encryption key to use for the default bucket that gets created.

Note: This is only used if the websiteBucket is left undefined, otherwise all settings from the provided websiteBucket will be used.

distributionPropsOptional 
public readonly distributionProps: DistributionProps;

Custom distribution properties.

Note: defaultBehaviour.origin is a required parameter, however it will not be used as this construct will wire it on your behalf. You will need to pass in an instance of StaticWebsiteOrigin (NoOp) to keep the compiler happy.

runtimeOptionsOptional 
public readonly runtimeOptions: RuntimeOptions;

Dynamic configuration which gets resolved only during deployment.

webAclPropsOptional 
public readonly webAclProps: CloudFrontWebAclProps;

Limited configuration settings for the generated webAcl.

For more advanced settings, create your own ACL and pass in the webAclId as a param to distributionProps.

Note: If pass in your own ACL, make sure the SCOPE is CLOUDFRONT and it is created in us-east-1.

websiteBucketOptional 
public readonly websiteBucket: IBucket;
  • Type: aws-cdk-lib.aws_s3.IBucket

Predefined bucket to deploy the website into.

Classes

StaticWebsiteOrigin

  • Implements: aws-cdk-lib.aws_cloudfront.IOrigin

If passing in distributionProps, the default behaviour.origin is a required parameter. An instance of this class can be passed in to make the compiler happy.

Initializers 

import { StaticWebsiteOrigin } from '@aws/pdk/static-website'

new StaticWebsiteOrigin()
Name Type Description

Methods

Name Description
bind The method called when a given Origin is added (for the first time) to a Distribution.
bind 
public bind(_scope: Construct, _options: OriginBindOptions): OriginBindConfig

The method called when a given Origin is added (for the first time) to a Distribution.

_scopeRequired
  • Type: constructs.Construct
_optionsRequired
  • Type: aws-cdk-lib.aws_cloudfront.OriginBindOptions
Last update: 2025-07-17