Overview
The StorageFactory creates S3 bucket resources with type-safe configurations. All buckets use the single S3Bucket class, with different property combinations controlling behaviour (private, website hosting, public read access).
For databases (Aurora, RDS, DynamoDB), use the DatabaseFactory instead.
Basic Usage
Bucket Configurations
Private Bucket (Default)
Standard bucket with no public access. Best for application assets, uploads, and caches:
- Private by default (no public access)
- Optional versioning
- Optional encryption (AES256 or KMS)
Website Hosting Bucket
Configure a bucket for static website hosting using the websiteHosting property:
- Static website hosting enabled
- Configurable index and error documents
- CORS support
Public Read Access Bucket
Enable public read access for all objects using the publicReadAccess property:
- All objects publicly readable
- Best for CDN origin buckets
- Optional versioning and encryption
Configuration Parameters
| Parameter | Type | Description | Default |
|---|---|---|---|
| versioned | boolean | Enable versioning | false |
| encryption | "AES256" \| "KMS" | Encryption type | None |
| kmsKeyArn | string | KMS key ARN (if using KMS encryption) | - |
| publicReadAccess | boolean | Allow public read access | false |
| websiteHosting | object | Website hosting configuration | - |
| websiteHosting.indexDocument | string | Index document name | "index.html" |
| websiteHosting.errorDocument | string | Error document name | - |
| cors | array | CORS rules | - |
| stackPlacement | "storage" \| "cdn" \| "compute" | Which CDK stack to place the bucket in | "storage" |
| backupVaultTier | BackupTier | AWS Backup tier (standard, resilient, enterprise) | - |
| deployment | object | Auto-deploy files from local path | - |
Common Patterns
Media Uploads
Store user-uploaded media with versioning:
Static Assets with Deployment
Auto-deploy static assets during CDK deployment:
ISR Cache Bucket
Cache bucket for Next.js ISR:
Website with CORS
Website bucket with CORS for API requests:
CDN Origin Bucket
Place a bucket in the CDN stack to avoid circular dependencies:
KMS Encryption
Accessing Bucket Information
Connecting to Compute Resources
Granting Access
Security
Automatic Security Features
- Private by default: No public access unless explicitly configured
- Encryption options: S3-managed (AES256) or customer-managed KMS keys
- Block public access: Enabled by default on private buckets
- IAM policies: Automatic least-privilege policies
Event Notifications
Best Practices
- Keep buckets private by default - Only enable publicReadAccess or websiteHosting when needed
- Enable versioning for important data that may need recovery
- Use encryption for sensitive data
- Use deployment config for static assets instead of manual S3 sync
- Set stackPlacement to "cdn" when the bucket is used as a CloudFront origin
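A pre-deployment check for the practices above, written as an added example and not part of the StorageFactory code base. The property names come from the Configuration Parameters table; the BucketConfig type, the auditBuckets function, the approved-public list and the sample key ARN are hypothetical.

```typescript
// Added example: property names follow the Configuration Parameters table.
// BucketConfig, Finding and auditBuckets are hypothetical, not StorageFactory API.
type BucketConfig = {
  encryption?: "AES256" | "KMS";
  kmsKeyArn?: string;
  publicReadAccess?: boolean;
  websiteHosting?: { indexDocument?: string; errorDocument?: string };
  stackPlacement?: "storage" | "cdn" | "compute";
};
type Finding = { bucket: string; severity: "error" | "warn"; message: string };

function auditBuckets(buckets: Record<string, BucketConfig>, approvedPublic: string[] = []): Finding[] {
  const findings: Finding[] = [];
  for (const bucket of Object.keys(buckets)) {
    const cfg = buckets[bucket];
    const add = (severity: Finding["severity"], message: string) =>
      findings.push({ bucket, severity, message });
    const isPublic = cfg.publicReadAccess === true || cfg.websiteHosting !== undefined;
    // "Keep buckets private by default": public exposure needs explicit approval.
    if (isPublic && approvedPublic.indexOf(bucket) === -1)
      add("error", "public exposure enabled but bucket is not on the approved list");
    // kmsKeyArn only applies with KMS encryption; any other pairing is a mistake.
    if (cfg.kmsKeyArn !== undefined && cfg.encryption !== "KMS")
      add("error", "kmsKeyArn is set but encryption is not \"KMS\"");
    // Assumption: a customer-managed key is expected whenever KMS is selected.
    if (cfg.encryption === "KMS" && cfg.kmsKeyArn === undefined)
      add("warn", "encryption is \"KMS\" but no kmsKeyArn is given");
    // Anonymous S3 requests cannot read objects encrypted with SSE-KMS.
    if (cfg.publicReadAccess === true && cfg.encryption === "KMS")
      add("warn", "publicReadAccess with KMS: anonymous reads will be denied");
    // Page guidance: CloudFront origin buckets belong in the "cdn" stack.
    if (cfg.publicReadAccess === true && cfg.stackPlacement !== "cdn")
      add("warn", "public-read bucket outside the cdn stack; confirm it is not a CDN origin");
  }
  return findings;
}

// Constructed sample configurations; the key ARN is a placeholder.
const KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID";
const sample: Record<string, BucketConfig> = {
  uploads: { encryption: "AES256", kmsKeyArn: KEY },
  site: { websiteHosting: { indexDocument: "index.html" } },
  assets: { publicReadAccess: true, encryption: "KMS", kmsKeyArn: KEY, stackPlacement: "cdn" },
};
const sampleFindings = auditBuckets(sample, ["assets"]);
```

Run it in CI against the configuration objects before they are handed to the factory, and fail the build on any finding with severity "error".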
Next Steps
Database Factory
Create Aurora, RDS, and DynamoDB databases
Compute Factory
Deploy Lambda and ECS compute resources
Network Factory
Configure VPC and networking
Payload Pattern
Full-stack Payload CMS deployment