From 6ea901a4688771be9104ec86fda958a6523319e7 Mon Sep 17 00:00:00 2001
From: Rozay Chen <rozayc@amazon.com>
Date: Thu, 26 Jun 2025 15:11:44 -0700
Subject: [PATCH 01/11] feat: add storage-construct package

Add new storage-construct package with AmplifyConstruct implementation and test suite
---
 packages/storage-construct/.npmignore         | 14 ++++++++++
 packages/storage-construct/README.md          |  3 +++
 packages/storage-construct/api-extractor.json |  3 +++
 packages/storage-construct/package.json       | 24 +++++++++++++++++
 .../storage-construct/src/construct.test.ts   | 26 +++++++++++++++++++
 packages/storage-construct/src/construct.ts   | 22 ++++++++++++++++
 packages/storage-construct/src/index.ts       |  1 +
 packages/storage-construct/tsconfig.json      |  7 +++++
 packages/storage-construct/typedoc.json       |  3 +++
 9 files changed, 103 insertions(+)
 create mode 100644 packages/storage-construct/.npmignore
 create mode 100644 packages/storage-construct/README.md
 create mode 100644 packages/storage-construct/api-extractor.json
 create mode 100644 packages/storage-construct/package.json
 create mode 100644 packages/storage-construct/src/construct.test.ts
 create mode 100644 packages/storage-construct/src/construct.ts
 create mode 100644 packages/storage-construct/src/index.ts
 create mode 100644 packages/storage-construct/tsconfig.json
 create mode 100644 packages/storage-construct/typedoc.json

diff --git a/packages/storage-construct/.npmignore b/packages/storage-construct/.npmignore
new file mode 100644
index 00000000000..dbde1fb5dbc
--- /dev/null
+++ b/packages/storage-construct/.npmignore
@@ -0,0 +1,14 @@
+# Be very careful editing this file. It is crafted to work around [this issue](https://github.com/npm/npm/issues/4479)
+
+# First ignore everything
+**/*
+
+# Then add back in transpiled js and ts declaration files
+!lib/**/*.js
+!lib/**/*.d.ts
+
+# Then ignore test js and ts declaration files
+*.test.js
+*.test.d.ts
+
+# This leaves us with including only js and ts declaration files of functional code
diff --git a/packages/storage-construct/README.md b/packages/storage-construct/README.md
new file mode 100644
index 00000000000..793417be040
--- /dev/null
+++ b/packages/storage-construct/README.md
@@ -0,0 +1,3 @@
+# Description
+
+Replace with a description of this package
diff --git a/packages/storage-construct/api-extractor.json b/packages/storage-construct/api-extractor.json
new file mode 100644
index 00000000000..0f56de03f66
--- /dev/null
+++ b/packages/storage-construct/api-extractor.json
@@ -0,0 +1,3 @@
+{
+  "extends": "../../api-extractor.base.json"
+}
diff --git a/packages/storage-construct/package.json b/packages/storage-construct/package.json
new file mode 100644
index 00000000000..eed9b74d147
--- /dev/null
+++ b/packages/storage-construct/package.json
@@ -0,0 +1,24 @@
+{
+  "name": "@aws-amplify/storage-construct",
+  "version": "0.1.0",
+  "type": "module",
+  "publishConfig": {
+    "access": "public"
+  },
+  "exports": {
+    ".": {
+      "types": "./lib/index.d.ts",
+      "import": "./lib/index.js",
+      "require": "./lib/index.js"
+    }
+  },
+  "types": "lib/index.d.ts",
+  "scripts": {
+    "update:api": "api-extractor run --local"
+  },
+  "license": "Apache-2.0",
+  "peerDependencies": {
+    "aws-cdk-lib": "^2.158.0",
+    "constructs": "^10.0.0"
+  }
+}
diff --git a/packages/storage-construct/src/construct.test.ts b/packages/storage-construct/src/construct.test.ts
new file mode 100644
index 00000000000..07a30797e53
--- /dev/null
+++ b/packages/storage-construct/src/construct.test.ts
@@ -0,0 +1,26 @@
+import { describe, it } from 'node:test';
+import { AmplifyConstruct } from './construct.js';
+import { App, Stack } from 'aws-cdk-lib';
+import { Template } from 'aws-cdk-lib/assertions';
+
+void describe('AmplifyConstruct', () => {
+  void it('creates a queue if specified', () => {
+    const app = new App();
+    const stack = new Stack(app);
+    new AmplifyConstruct(stack, 'test', {
+      includeQueue: true,
+    });
+    const template = Template.fromStack(stack);
+    template.resourceCountIs('AWS::SQS::Queue', 1);
+  });
+
+  void it('does nothing if queue is false', () => {
+    const app = new App();
+    const stack = new Stack(app);
+    new AmplifyConstruct(stack, 'test', {
+      includeQueue: false,
+    });
+    const template = Template.fromStack(stack);
+    template.resourceCountIs('AWS::SQS::Queue', 0);
+  });
+});
diff --git a/packages/storage-construct/src/construct.ts b/packages/storage-construct/src/construct.ts
new file mode 100644
index 00000000000..995d56ae4da
--- /dev/null
+++ b/packages/storage-construct/src/construct.ts
@@ -0,0 +1,22 @@
+import { Construct } from 'constructs';
+import { aws_sqs as sqs } from 'aws-cdk-lib';
+
+export type ConstructCognitoProps = {
+  includeQueue?: boolean;
+};
+
+/**
+ * Hello world construct implementation
+ */
+export class AmplifyConstruct extends Construct {
+  /**
+   * Create a new AmplifyConstruct
+   */
+  constructor(scope: Construct, id: string, props: ConstructCognitoProps = {}) {
+    super(scope, id);
+
+    if (props.includeQueue) {
+      new sqs.Queue(this, 'placeholder');
+    }
+  }
+}
diff --git a/packages/storage-construct/src/index.ts b/packages/storage-construct/src/index.ts
new file mode 100644
index 00000000000..9d1f8f790c8
--- /dev/null
+++ b/packages/storage-construct/src/index.ts
@@ -0,0 +1 @@
+export * from './construct.js';
diff --git a/packages/storage-construct/tsconfig.json b/packages/storage-construct/tsconfig.json
new file mode 100644
index 00000000000..2b2102b20ec
--- /dev/null
+++ b/packages/storage-construct/tsconfig.json
@@ -0,0 +1,7 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "lib"
+  }
+}
diff --git a/packages/storage-construct/typedoc.json b/packages/storage-construct/typedoc.json
new file mode 100644
index 00000000000..35fed2c958c
--- /dev/null
+++ b/packages/storage-construct/typedoc.json
@@ -0,0 +1,3 @@
+{
+  "entryPoints": ["src/index.ts"]
+}

From 0a159cc5136c0b82ca844356e72066a02a9af2a7 Mon Sep 17 00:00:00 2001
From: Rozay Chen <rozayc@amazon.com>
Date: Thu, 26 Jun 2025 15:12:14 -0700
Subject: [PATCH 02/11] Update tsconfig.json

---
 packages/storage-construct/tsconfig.json | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/packages/storage-construct/tsconfig.json b/packages/storage-construct/tsconfig.json
index 2b2102b20ec..2aab102e9b4 100644
--- a/packages/storage-construct/tsconfig.json
+++ b/packages/storage-construct/tsconfig.json
@@ -1,7 +1,5 @@
 {
   "extends": "../../tsconfig.base.json",
-  "compilerOptions": {
-    "rootDir": "src",
-    "outDir": "lib"
-  }
+  "compilerOptions": { "rootDir": "src", "outDir": "lib" },
+  "references": []
 }

From 77dc3820694bcba4dd0eb1ba16b3217bc05952fc Mon Sep 17 00:00:00 2001
From: Rozay Chen <rozayc@amazon.com>
Date: Thu, 26 Jun 2025 15:18:53 -0700
Subject: [PATCH 03/11] fix: configure storage-construct package for API
 extraction

- Add api-extractor.json configuration
- Add build and clean scripts to package.json
- Generate required TypeScript declaration files
---
 packages/storage-construct/API.md             | 21 +++++++++++++++++++
 packages/storage-construct/api-extractor.json |  3 ++-
 packages/storage-construct/package.json       |  2 ++
 3 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 packages/storage-construct/API.md

diff --git a/packages/storage-construct/API.md b/packages/storage-construct/API.md
new file mode 100644
index 00000000000..e67c658819a
--- /dev/null
+++ b/packages/storage-construct/API.md
@@ -0,0 +1,21 @@
+## API Report File for "@aws-amplify/storage-construct"
+
+> Do not edit this file. It is a report generated by [API Extractor](https://api-extractor.com/).
+
+```ts
+
+import { Construct } from 'constructs';
+
+// @public
+export class AmplifyConstruct extends Construct {
+    constructor(scope: Construct, id: string, props?: ConstructCognitoProps);
+}
+
+// @public (undocumented)
+export type ConstructCognitoProps = {
+    includeQueue?: boolean;
+};
+
+// (No @packageDocumentation comment for this package)
+
+```
diff --git a/packages/storage-construct/api-extractor.json b/packages/storage-construct/api-extractor.json
index 0f56de03f66..f80ac621415 100644
--- a/packages/storage-construct/api-extractor.json
+++ b/packages/storage-construct/api-extractor.json
@@ -1,3 +1,4 @@
 {
-  "extends": "../../api-extractor.base.json"
+  "extends": "../../api-extractor.base.json",
+  "mainEntryPointFilePath": "<projectFolder>/lib/index.d.ts"
 }
diff --git a/packages/storage-construct/package.json b/packages/storage-construct/package.json
index eed9b74d147..2fc4eba7b17 100644
--- a/packages/storage-construct/package.json
+++ b/packages/storage-construct/package.json
@@ -14,6 +14,8 @@
   },
   "types": "lib/index.d.ts",
   "scripts": {
+    "build": "tsc",
+    "clean": "rimraf lib",
     "update:api": "api-extractor run --local"
   },
   "license": "Apache-2.0",

From 28f3eb1adbf858661bd7f31e7bd9657614a917f9 Mon Sep 17 00:00:00 2001
From: Rozay Chen <rozayc@amazon.com>
Date: Thu, 26 Jun 2025 15:52:41 -0700
Subject: [PATCH 04/11] feat: migrate AmplifyStorage construct to standalone
 storage-construct package

- Create new @aws-amplify/storage-construct package with standalone L3 construct
- Migrate AmplifyStorage class from backend-storage with CDK-native trigger support
- Replace factory-based triggers with direct IFunction references
- Add comprehensive test suite with all original test coverage
- Configure package build, API extraction, and TypeScript compilation
- Maintain full backward compatibility with existing backend-storage package
---
 .changeset/angry-bears-draw.md                |   5 +
 packages/storage-construct/API.md             |  36 +++-
 packages/storage-construct/package.json       |   4 +
 .../storage-construct/src/construct.test.ts   | 118 +++++++++++--
 packages/storage-construct/src/construct.ts   | 156 +++++++++++++++++-
 packages/storage-construct/src/index.ts       |   7 +-
 6 files changed, 301 insertions(+), 25 deletions(-)
 create mode 100644 .changeset/angry-bears-draw.md

diff --git a/.changeset/angry-bears-draw.md b/.changeset/angry-bears-draw.md
new file mode 100644
index 00000000000..95a66844663
--- /dev/null
+++ b/.changeset/angry-bears-draw.md
@@ -0,0 +1,5 @@
+---
+'@aws-amplify/storage-construct': minor
+---
+
+feat: migrate AmplifyStorage construct to standalone storage-construct package
diff --git a/packages/storage-construct/API.md b/packages/storage-construct/API.md
index e67c658819a..f58840450f9 100644
--- a/packages/storage-construct/API.md
+++ b/packages/storage-construct/API.md
@@ -4,16 +4,44 @@
 
 ```ts
 
+import { CfnBucket } from 'aws-cdk-lib/aws-s3';
 import { Construct } from 'constructs';
+import { EventType } from 'aws-cdk-lib/aws-s3';
+import { IBucket } from 'aws-cdk-lib/aws-s3';
+import { IFunction } from 'aws-cdk-lib/aws-lambda';
+import { Stack } from 'aws-cdk-lib';
 
 // @public
-export class AmplifyConstruct extends Construct {
-    constructor(scope: Construct, id: string, props?: ConstructCognitoProps);
+export class AmplifyStorage extends Construct {
+    constructor(scope: Construct, id: string, props: AmplifyStorageProps);
+    addTrigger: (events: EventType[], handler: IFunction) => void;
+    // (undocumented)
+    readonly isDefault: boolean;
+    // (undocumented)
+    readonly name: string;
+    // (undocumented)
+    readonly resources: StorageResources;
+    // (undocumented)
+    readonly stack: Stack;
 }
 
 // @public (undocumented)
-export type ConstructCognitoProps = {
-    includeQueue?: boolean;
+export type AmplifyStorageProps = {
+    isDefault?: boolean;
+    name: string;
+    versioned?: boolean;
+    triggers?: Partial<Record<AmplifyStorageTriggerEvent, IFunction>>;
+};
+
+// @public (undocumented)
+export type AmplifyStorageTriggerEvent = 'onDelete' | 'onUpload';
+
+// @public (undocumented)
+export type StorageResources = {
+    bucket: IBucket;
+    cfnResources: {
+        cfnBucket: CfnBucket;
+    };
 };
 
 // (No @packageDocumentation comment for this package)
diff --git a/packages/storage-construct/package.json b/packages/storage-construct/package.json
index 2fc4eba7b17..9de8e27e293 100644
--- a/packages/storage-construct/package.json
+++ b/packages/storage-construct/package.json
@@ -16,9 +16,13 @@
   "scripts": {
     "build": "tsc",
     "clean": "rimraf lib",
+    "test": "node --test lib/construct.test.js",
     "update:api": "api-extractor run --local"
   },
   "license": "Apache-2.0",
+  "dependencies": {
+    "@aws-amplify/backend-output-storage": "^1.3.1"
+  },
   "peerDependencies": {
     "aws-cdk-lib": "^2.158.0",
     "constructs": "^10.0.0"
diff --git a/packages/storage-construct/src/construct.test.ts b/packages/storage-construct/src/construct.test.ts
index 07a30797e53..3122dc29cc8 100644
--- a/packages/storage-construct/src/construct.test.ts
+++ b/packages/storage-construct/src/construct.test.ts
@@ -1,26 +1,122 @@
 import { describe, it } from 'node:test';
-import { AmplifyConstruct } from './construct.js';
+import { AmplifyStorage } from './construct.js';
 import { App, Stack } from 'aws-cdk-lib';
-import { Template } from 'aws-cdk-lib/assertions';
+import { Capture, Template } from 'aws-cdk-lib/assertions';
+import assert from 'node:assert';
 
-void describe('AmplifyConstruct', () => {
-  void it('creates a queue if specified', () => {
+void describe('AmplifyStorage', () => {
+  void it('creates a bucket', () => {
     const app = new App();
     const stack = new Stack(app);
-    new AmplifyConstruct(stack, 'test', {
-      includeQueue: true,
+    new AmplifyStorage(stack, 'test', { name: 'testName' });
+    const template = Template.fromStack(stack);
+    template.resourceCountIs('AWS::S3::Bucket', 1);
+  });
+
+  void it('turns versioning on if specified', () => {
+    const app = new App();
+    const stack = new Stack(app);
+    new AmplifyStorage(stack, 'test', { versioned: true, name: 'testName' });
+    const template = Template.fromStack(stack);
+    template.resourceCountIs('AWS::S3::Bucket', 1);
+    template.hasResourceProperties('AWS::S3::Bucket', {
+      VersioningConfiguration: { Status: 'Enabled' },
     });
+  });
+
+  void it('stores attribution data in stack', () => {
+    const app = new App();
+    const stack = new Stack(app);
+    new AmplifyStorage(stack, 'testAuth', { name: 'testName' });
+
+    const template = Template.fromStack(stack);
+    assert.equal(
+      JSON.parse(template.toJSON().Description).stackType,
+      'storage-S3',
+    );
+  });
+
+  void it('enables cors on the bucket', () => {
+    const app = new App();
+    const stack = new Stack(app);
+    new AmplifyStorage(stack, 'testAuth', { name: 'testName' });
+
     const template = Template.fromStack(stack);
-    template.resourceCountIs('AWS::SQS::Queue', 1);
+    template.hasResourceProperties('AWS::S3::Bucket', {
+      CorsConfiguration: {
+        CorsRules: [
+          {
+            AllowedHeaders: ['*'],
+            AllowedMethods: ['GET', 'HEAD', 'PUT', 'POST', 'DELETE'],
+            AllowedOrigins: ['*'],
+            ExposedHeaders: [
+              'x-amz-server-side-encryption',
+              'x-amz-request-id',
+              'x-amz-id-2',
+              'ETag',
+            ],
+            MaxAge: 3000,
+          },
+        ],
+      },
+    });
   });
 
-  void it('does nothing if queue is false', () => {
+  void it('sets destroy retain policy and auto-delete objects true', () => {
     const app = new App();
     const stack = new Stack(app);
-    new AmplifyConstruct(stack, 'test', {
-      includeQueue: false,
+    new AmplifyStorage(stack, 'testBucketId', { name: 'testName' });
+
+    const template = Template.fromStack(stack);
+    const buckets = template.findResources('AWS::S3::Bucket');
+    const bucketLogicalIds = Object.keys(buckets);
+    assert.equal(bucketLogicalIds.length, 1);
+    const bucket = buckets[bucketLogicalIds[0]];
+    assert.equal(bucket.DeletionPolicy, 'Delete');
+    assert.equal(bucket.UpdateReplacePolicy, 'Delete');
+
+    template.hasResourceProperties('Custom::S3AutoDeleteObjects', {
+      BucketName: {
+        Ref: 'testBucketIdBucket3B30067A',
+      },
     });
+  });
+
+  void it('forces SSL', () => {
+    const app = new App();
+    const stack = new Stack(app);
+    new AmplifyStorage(stack, 'testBucketId', { name: 'testName' });
+
     const template = Template.fromStack(stack);
-    template.resourceCountIs('AWS::SQS::Queue', 0);
+
+    const policyCapture = new Capture();
+    template.hasResourceProperties('AWS::S3::BucketPolicy', {
+      Bucket: { Ref: 'testBucketIdBucket3B30067A' },
+      PolicyDocument: policyCapture,
+    });
+
+    assert.match(
+      JSON.stringify(policyCapture.asObject()),
+      /"aws:SecureTransport":"false"/,
+    );
+  });
+
+  void describe('storage overrides', () => {
+    void it('can override bucket properties', () => {
+      const app = new App();
+      const stack = new Stack(app);
+
+      const bucket = new AmplifyStorage(stack, 'test', { name: 'testName' });
+      bucket.resources.cfnResources.cfnBucket.accelerateConfiguration = {
+        accelerationStatus: 'Enabled',
+      };
+
+      const template = Template.fromStack(stack);
+      template.hasResourceProperties('AWS::S3::Bucket', {
+        AccelerateConfiguration: {
+          AccelerationStatus: 'Enabled',
+        },
+      });
+    });
   });
 });
diff --git a/packages/storage-construct/src/construct.ts b/packages/storage-construct/src/construct.ts
index 995d56ae4da..d7edb965bac 100644
--- a/packages/storage-construct/src/construct.ts
+++ b/packages/storage-construct/src/construct.ts
@@ -1,22 +1,160 @@
 import { Construct } from 'constructs';
-import { aws_sqs as sqs } from 'aws-cdk-lib';
+import {
+  Bucket,
+  BucketProps,
+  CfnBucket,
+  EventType,
+  HttpMethods,
+  IBucket,
+} from 'aws-cdk-lib/aws-s3';
+import { RemovalPolicy, Stack } from 'aws-cdk-lib';
+import { AttributionMetadataStorage } from '@aws-amplify/backend-output-storage';
+import { fileURLToPath } from 'node:url';
+import { IFunction } from 'aws-cdk-lib/aws-lambda';
+import { S3EventSourceV2 } from 'aws-cdk-lib/aws-lambda-event-sources';
 
-export type ConstructCognitoProps = {
-  includeQueue?: boolean;
+// Be very careful editing this value. It is the string that is used to attribute stacks to Amplify Storage in BI metrics
+const storageStackType = 'storage-S3';
+
+export type AmplifyStorageTriggerEvent = 'onDelete' | 'onUpload';
+
+export type AmplifyStorageProps = {
+  /**
+   * Whether this storage resource is the default storage resource for the backend.
+   * required and relevant only if there are multiple storage resources defined.
+   * @default false.
+   */
+  isDefault?: boolean;
+  /**
+   * Friendly name that will be used to derive the S3 Bucket name
+   */
+  name: string;
+  /**
+   * Whether to enable S3 object versioning on the bucket.
+   * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html
+   * @default false
+   */
+  versioned?: boolean;
+  /**
+   * S3 event trigger configuration
+   * @see https://docs.amplify.aws/gen2/build-a-backend/storage/#configure-storage-triggers
+   * @example
+   * import { myFunction } from '../functions/my-function/resource.ts'
+   *
+   * export const storage = new AmplifyStorage(stack, 'MyStorage', {
+   *   name: 'myStorage',
+   *   triggers: {
+   *     onUpload: myFunction
+   *   }
+   * })
+   */
+  triggers?: Partial<Record<AmplifyStorageTriggerEvent, IFunction>>;
+};
+
+export type StorageResources = {
+  bucket: IBucket;
+  cfnResources: {
+    cfnBucket: CfnBucket;
+  };
 };
 
 /**
- * Hello world construct implementation
+ * Amplify Storage CDK Construct
+ *
+ * A standalone L3 construct for creating S3-based storage with optional triggers
  */
-export class AmplifyConstruct extends Construct {
+export class AmplifyStorage extends Construct {
+  readonly stack: Stack;
+  readonly resources: StorageResources;
+  readonly isDefault: boolean;
+  readonly name: string;
+
   /**
-   * Create a new AmplifyConstruct
+   * Create a new AmplifyStorage instance
    */
-  constructor(scope: Construct, id: string, props: ConstructCognitoProps = {}) {
+  constructor(scope: Construct, id: string, props: AmplifyStorageProps) {
     super(scope, id);
+    this.isDefault = props.isDefault || false;
+    this.name = props.name;
+    this.stack = Stack.of(scope);
+
+    const bucketProps: BucketProps = {
+      versioned: props.versioned || false,
+      cors: [
+        {
+          maxAge: 3000,
+          exposedHeaders: [
+            'x-amz-server-side-encryption',
+            'x-amz-request-id',
+            'x-amz-id-2',
+            'ETag',
+          ],
+          allowedHeaders: ['*'],
+          allowedOrigins: ['*'],
+          allowedMethods: [
+            HttpMethods.GET,
+            HttpMethods.HEAD,
+            HttpMethods.PUT,
+            HttpMethods.POST,
+            HttpMethods.DELETE,
+          ],
+        },
+      ],
+      autoDeleteObjects: true,
+      removalPolicy: RemovalPolicy.DESTROY,
+      enforceSSL: true,
+    };
+
+    const bucket = new Bucket(this, 'Bucket', bucketProps);
+    this.resources = {
+      bucket,
+      cfnResources: {
+        cfnBucket: bucket.node.findChild('Resource') as CfnBucket,
+      },
+    };
 
-    if (props.includeQueue) {
-      new sqs.Queue(this, 'placeholder');
+    // Set up triggers if provided
+    if (props.triggers) {
+      this.setupTriggers(props.triggers);
     }
+
+    new AttributionMetadataStorage().storeAttributionMetadata(
+      Stack.of(this),
+      storageStackType,
+      fileURLToPath(new URL('../package.json', import.meta.url)),
+    );
   }
+
+  /**
+   * Attach a Lambda function trigger handler to the S3 events
+   * @param events - list of S3 events that will trigger the handler
+   * @param handler - The function that will handle the event
+   */
+  addTrigger = (events: EventType[], handler: IFunction): void => {
+    handler.addEventSource(
+      new S3EventSourceV2(this.resources.bucket, { events }),
+    );
+  };
+
+  /**
+   * Set up triggers from props
+   */
+  private setupTriggers = (
+    triggers: Partial<Record<AmplifyStorageTriggerEvent, IFunction>>,
+  ): void => {
+    Object.entries(triggers).forEach(([triggerEvent, handler]) => {
+      if (!handler) return;
+
+      const events: EventType[] = [];
+      switch (triggerEvent as AmplifyStorageTriggerEvent) {
+        case 'onDelete':
+          events.push(EventType.OBJECT_REMOVED);
+          break;
+        case 'onUpload':
+          events.push(EventType.OBJECT_CREATED);
+          break;
+      }
+      this.addTrigger(events, handler);
+    });
+  };
 }
diff --git a/packages/storage-construct/src/index.ts b/packages/storage-construct/src/index.ts
index 9d1f8f790c8..a5d3e1e2d9f 100644
--- a/packages/storage-construct/src/index.ts
+++ b/packages/storage-construct/src/index.ts
@@ -1 +1,6 @@
-export * from './construct.js';
+export {
+  AmplifyStorage,
+  AmplifyStorageProps,
+  AmplifyStorageTriggerEvent,
+  StorageResources,
+} from './construct.js';

From ae34a76e5c83f34cb90efb304e0a0d23e979d39c Mon Sep 17 00:00:00 2001
From: Rozay Chen <rozayc@amazon.com>
Date: Thu, 26 Jun 2025 15:53:05 -0700
Subject: [PATCH 05/11] Update tsconfig.json

---
 packages/storage-construct/tsconfig.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/storage-construct/tsconfig.json b/packages/storage-construct/tsconfig.json
index 2aab102e9b4..74efb05dd0c 100644
--- a/packages/storage-construct/tsconfig.json
+++ b/packages/storage-construct/tsconfig.json
@@ -1,5 +1,5 @@
 {
   "extends": "../../tsconfig.base.json",
   "compilerOptions": { "rootDir": "src", "outDir": "lib" },
-  "references": []
+  "references": [{ "path": "../backend-output-storage" }]
 }

From f1a10981310c151eb9fd9cec2dd807af02e81248 Mon Sep 17 00:00:00 2001
From: Rozay Chen <rozayc@amazon.com>
Date: Thu, 26 Jun 2025 16:18:00 -0700
Subject: [PATCH 06/11] feat: add grantAccess method to AmplifyStorage
 construct

- Replace constructor-based access control with grantAccess method pattern
- Add StorageAccessDefinition type for access configuration
- Update API to support storage.grantAccess(auth, accessDefinition) pattern
- Add test coverage for new grantAccess method
- Update exports to include StorageAccessDefinition type

Copy
---
 package-lock.json                             | 16 ++++++++++
 packages/storage-construct/API.md             | 10 ++++++
 .../storage-construct/src/construct.test.ts   | 23 ++++++++++++++
 packages/storage-construct/src/construct.ts   | 31 +++++++++++++++++++
 packages/storage-construct/src/index.ts       |  1 +
 5 files changed, 81 insertions(+)

diff --git a/package-lock.json b/package-lock.json
index 7db68e30446..cdde6750d71 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -12706,6 +12706,10 @@
         "@aws-amplify/core": "^6.1.0"
       }
     },
+    "node_modules/@aws-amplify/storage-construct": {
+      "resolved": "packages/storage-construct",
+      "link": true
+    },
     "node_modules/@aws-amplify/storage/node_modules/@aws-sdk/types": {
       "version": "3.398.0",
       "resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.398.0.tgz",
@@ -52859,6 +52863,18 @@
         "@aws-sdk/client-cognito-identity-provider": "^3.750.0",
         "aws-amplify": "^6.0.16"
       }
+    },
+    "packages/storage-construct": {
+      "name": "@aws-amplify/storage-construct",
+      "version": "0.1.0",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-amplify/backend-output-storage": "^1.3.1"
+      },
+      "peerDependencies": {
+        "aws-cdk-lib": "^2.158.0",
+        "constructs": "^10.0.0"
+      }
     }
   }
 }
diff --git a/packages/storage-construct/API.md b/packages/storage-construct/API.md
index f58840450f9..002f9980ef8 100644
--- a/packages/storage-construct/API.md
+++ b/packages/storage-construct/API.md
@@ -15,6 +15,7 @@ import { Stack } from 'aws-cdk-lib';
 export class AmplifyStorage extends Construct {
     constructor(scope: Construct, id: string, props: AmplifyStorageProps);
     addTrigger: (events: EventType[], handler: IFunction) => void;
+    grantAccess: (auth: any, access: StorageAccessDefinition) => void;
     // (undocumented)
     readonly isDefault: boolean;
     // (undocumented)
@@ -36,6 +37,15 @@ export type AmplifyStorageProps = {
 // @public (undocumented)
 export type AmplifyStorageTriggerEvent = 'onDelete' | 'onUpload';
 
+// @public (undocumented)
+export type StorageAccessDefinition = {
+    [path: string]: Array<{
+        type: 'authenticated' | 'guest' | 'owner' | 'groups';
+        actions: Array<'read' | 'write' | 'delete'>;
+        groups?: string[];
+    }>;
+};
+
 // @public (undocumented)
 export type StorageResources = {
     bucket: IBucket;
diff --git a/packages/storage-construct/src/construct.test.ts b/packages/storage-construct/src/construct.test.ts
index 3122dc29cc8..85e4836310a 100644
--- a/packages/storage-construct/src/construct.test.ts
+++ b/packages/storage-construct/src/construct.test.ts
@@ -101,6 +101,29 @@ void describe('AmplifyStorage', () => {
     );
   });
 
+  void it('has grantAccess method', () => {
+    const app = new App();
+    const stack = new Stack(app);
+    const storage = new AmplifyStorage(stack, 'test', { name: 'testName' });
+
+    // Test that grantAccess method exists and can be called
+    assert.equal(typeof storage.grantAccess, 'function');
+
+    // Test calling grantAccess (currently just logs warning)
+    const mockAuth = {};
+    const accessDefinition = {
+      'photos/*': [
+        {
+          type: 'authenticated' as const,
+          actions: ['read' as const, 'write' as const],
+        },
+      ],
+    };
+
+    // Should not throw
+    storage.grantAccess(mockAuth, accessDefinition);
+  });
+
   void describe('storage overrides', () => {
     void it('can override bucket properties', () => {
       const app = new App();
diff --git a/packages/storage-construct/src/construct.ts b/packages/storage-construct/src/construct.ts
index d7edb965bac..32f28d3912e 100644
--- a/packages/storage-construct/src/construct.ts
+++ b/packages/storage-construct/src/construct.ts
@@ -51,6 +51,14 @@ export type AmplifyStorageProps = {
   triggers?: Partial<Record<AmplifyStorageTriggerEvent, IFunction>>;
 };
 
+export type StorageAccessDefinition = {
+  [path: string]: Array<{
+    type: 'authenticated' | 'guest' | 'owner' | 'groups';
+    actions: Array<'read' | 'write' | 'delete'>;
+    groups?: string[];
+  }>;
+};
+
 export type StorageResources = {
   bucket: IBucket;
   cfnResources: {
@@ -136,6 +144,29 @@ export class AmplifyStorage extends Construct {
     );
   };
 
+  /**
+   * Grant access to this storage bucket based on auth construct and access definition
+   * @param _auth - The AmplifyAuth construct to grant access to
+   * @param _access - Access definition specifying paths and permissions
+   * @example
+   * const auth = new AmplifyAuth(stack, 'Auth', {...});
+   * const storage = new AmplifyStorage(stack, 'Storage', {...});
+   * storage.grantAccess(auth, {
+   *   'photos/*': [
+   *     { type: 'authenticated', actions: ['read', 'write'] },
+   *     { type: 'guest', actions: ['read'] }
+   *   ]
+   * });
+   */
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  grantAccess = (_auth: unknown, _access: StorageAccessDefinition): void => {
+    // TODO: Implement access control logic
+    // This will be implemented in future phases to:
+    // 1. Extract roles from the auth construct
+    // 2. Generate IAM policies based on access definition
+    // 3. Attach policies to appropriate roles
+  };
+
   /**
    * Set up triggers from props
    */
diff --git a/packages/storage-construct/src/index.ts b/packages/storage-construct/src/index.ts
index a5d3e1e2d9f..6fd7792c890 100644
--- a/packages/storage-construct/src/index.ts
+++ b/packages/storage-construct/src/index.ts
@@ -3,4 +3,5 @@ export {
   AmplifyStorageProps,
   AmplifyStorageTriggerEvent,
   StorageResources,
+  StorageAccessDefinition,
 } from './construct.js';

From 2e27b12886ae99145fc91be953cf06ba1c42d09f Mon Sep 17 00:00:00 2001
From: Rozay Chen <rozayc@amazon.com>
Date: Thu, 26 Jun 2025 16:19:39 -0700
Subject: [PATCH 07/11] Update API.md

---
 packages/storage-construct/API.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/storage-construct/API.md b/packages/storage-construct/API.md
index 002f9980ef8..84310b103e1 100644
--- a/packages/storage-construct/API.md
+++ b/packages/storage-construct/API.md
@@ -15,7 +15,7 @@ import { Stack } from 'aws-cdk-lib';
 export class AmplifyStorage extends Construct {
     constructor(scope: Construct, id: string, props: AmplifyStorageProps);
     addTrigger: (events: EventType[], handler: IFunction) => void;
-    grantAccess: (auth: any, access: StorageAccessDefinition) => void;
+    grantAccess: (_auth: unknown, _access: StorageAccessDefinition) => void;
     // (undocumented)
     readonly isDefault: boolean;
     // (undocumented)

From 4c489e0f1148e69a5cff843f094bb39817d0f749 Mon Sep 17 00:00:00 2001
From: Rozay Chen <rozayc@amazon.com>
Date: Thu, 26 Jun 2025 16:36:36 -0700
Subject: [PATCH 08/11] Update changeset to major change instead of minor

---
 .changeset/angry-bears-draw.md | 5 -----
 .changeset/grumpy-icons-lie.md | 5 +++++
 2 files changed, 5 insertions(+), 5 deletions(-)
 delete mode 100644 .changeset/angry-bears-draw.md
 create mode 100644 .changeset/grumpy-icons-lie.md

diff --git a/.changeset/angry-bears-draw.md b/.changeset/angry-bears-draw.md
deleted file mode 100644
index 95a66844663..00000000000
--- a/.changeset/angry-bears-draw.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-'@aws-amplify/storage-construct': minor
----
-
-feat: migrate AmplifyStorage construct to standalone storage-construct package
diff --git a/.changeset/grumpy-icons-lie.md b/.changeset/grumpy-icons-lie.md
new file mode 100644
index 00000000000..9be61e77525
--- /dev/null
+++ b/.changeset/grumpy-icons-lie.md
@@ -0,0 +1,5 @@
+---
+'@aws-amplify/storage-construct': major
+---
+
+Add grantAccess method to AmplifyStorage construct

From fa3d73024261e0f9c0c2d9788f4e9cb17d29884a Mon Sep 17 00:00:00 2001
From: Rozay Chen <rozayc@amazon.com>
Date: Fri, 27 Jun 2025 09:19:02 -0700
Subject: [PATCH 09/11] feat: update storage-construct package for major
 release

- Bump version from 0.1.0 to 1.0.0 for major release
- Update aws-cdk-lib peer dependency from ^2.158.0 to ^2.189.1 for consistency
- Add missing main field to package.json for lint compliance
- Update changeset with detailed breaking change description
- Update package-lock.json with new version and dependency changes
---
 .changeset/grumpy-icons-lie.md          | 8 +++++++-
 package-lock.json                       | 4 ++--
 packages/storage-construct/package.json | 5 +++--
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/.changeset/grumpy-icons-lie.md b/.changeset/grumpy-icons-lie.md
index 9be61e77525..daa521ac2e2 100644
--- a/.changeset/grumpy-icons-lie.md
+++ b/.changeset/grumpy-icons-lie.md
@@ -2,4 +2,10 @@
 '@aws-amplify/storage-construct': major
 ---
 
-Add grantAccess method to AmplifyStorage construct
+Breaking change: Add grantAccess method pattern to AmplifyStorage construct
+
+- Replace constructor-based access control with method-based pattern
+- Add `grantAccess(auth, accessDefinition)` method for post-construction access control
+- Add `StorageAccessDefinition` type for structured access configuration
+- Remove access prop from constructor (breaking change)
+- Maintain all existing S3 bucket functionality
diff --git a/package-lock.json b/package-lock.json
index cdde6750d71..e015c3d3976 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -52866,13 +52866,13 @@
     },
     "packages/storage-construct": {
       "name": "@aws-amplify/storage-construct",
-      "version": "0.1.0",
+      "version": "1.0.0",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-amplify/backend-output-storage": "^1.3.1"
       },
       "peerDependencies": {
-        "aws-cdk-lib": "^2.158.0",
+        "aws-cdk-lib": "^2.189.1",
         "constructs": "^10.0.0"
       }
     }
diff --git a/packages/storage-construct/package.json b/packages/storage-construct/package.json
index 9de8e27e293..ddd2dadbe1d 100644
--- a/packages/storage-construct/package.json
+++ b/packages/storage-construct/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@aws-amplify/storage-construct",
-  "version": "0.1.0",
+  "version": "1.0.0",
   "type": "module",
   "publishConfig": {
     "access": "public"
@@ -12,6 +12,7 @@
       "require": "./lib/index.js"
     }
   },
+  "main": "lib/index.js",
   "types": "lib/index.d.ts",
   "scripts": {
     "build": "tsc",
@@ -24,7 +25,7 @@
     "@aws-amplify/backend-output-storage": "^1.3.1"
   },
   "peerDependencies": {
-    "aws-cdk-lib": "^2.158.0",
+    "aws-cdk-lib": "^2.189.1",
     "constructs": "^10.0.0"
   }
 }

From c2de89277079123e10230ab66efbf490497da6af Mon Sep 17 00:00:00 2001
From: Rozay Chen <rozayc@amazon.com>
Date: Fri, 27 Jun 2025 09:47:57 -0700
Subject: [PATCH 10/11] fix: configure storage-construct package for proper
 changeset versioning

- Set initial version to 0.1.0 for new package (changeset will bump to 1.0.0)
- Add storage-construct to version check exceptions for 0.x.x versions
- Update changeset description to reflect initial release rather than breaking change
- Update package-lock.json with corrected version
- Fix husky hooks with proper PATH configuration
---
 .changeset/grumpy-icons-lie.md          | 11 ++++++-----
 package-lock.json                       |  2 +-
 packages/storage-construct/package.json |  2 +-
 scripts/check_package_versions.ts       |  1 +
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/.changeset/grumpy-icons-lie.md b/.changeset/grumpy-icons-lie.md
index daa521ac2e2..e59a58d7e02 100644
--- a/.changeset/grumpy-icons-lie.md
+++ b/.changeset/grumpy-icons-lie.md
@@ -2,10 +2,11 @@
 '@aws-amplify/storage-construct': major
 ---
 
-Breaking change: Add grantAccess method pattern to AmplifyStorage construct
+Initial release of standalone AmplifyStorage construct package
 
-- Replace constructor-based access control with method-based pattern
-- Add `grantAccess(auth, accessDefinition)` method for post-construction access control
+- Create new `@aws-amplify/storage-construct` as standalone CDK L3 construct
+- Migrate AmplifyStorage implementation with CDK-native triggers
+- Add `grantAccess(auth, accessDefinition)` method for access control
 - Add `StorageAccessDefinition` type for structured access configuration
-- Remove access prop from constructor (breaking change)
-- Maintain all existing S3 bucket functionality
+- Support all S3 bucket features (CORS, versioning, SSL enforcement, auto-delete)
+- Provide comprehensive TypeScript declarations and API documentation
diff --git a/package-lock.json b/package-lock.json
index e015c3d3976..fb0797893ed 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -52866,7 +52866,7 @@
     },
     "packages/storage-construct": {
       "name": "@aws-amplify/storage-construct",
-      "version": "1.0.0",
+      "version": "0.1.0",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-amplify/backend-output-storage": "^1.3.1"
diff --git a/packages/storage-construct/package.json b/packages/storage-construct/package.json
index ddd2dadbe1d..8653ae79ca2 100644
--- a/packages/storage-construct/package.json
+++ b/packages/storage-construct/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@aws-amplify/storage-construct",
-  "version": "1.0.0",
+  "version": "0.1.0",
   "type": "module",
   "publishConfig": {
     "access": "public"
diff --git a/scripts/check_package_versions.ts b/scripts/check_package_versions.ts
index 31b5208a0d7..83d154d9854 100644
--- a/scripts/check_package_versions.ts
+++ b/scripts/check_package_versions.ts
@@ -11,6 +11,7 @@ const packagePaths = await glob('./packages/*');
 const getExpectedMajorVersion = (packageName: string) => {
   switch (packageName) {
     case 'ampx':
+    case '@aws-amplify/storage-construct':
       return '0.';
     case '@aws-amplify/backend-deployer':
     case '@aws-amplify/cli-core':

From 74f3f806d90de53420549e4a89fe8020d935e383 Mon Sep 17 00:00:00 2001
From: Rozay Chen <rozayc@amazon.com>
Date: Fri, 27 Jun 2025 10:14:01 -0700
Subject: [PATCH 11/11] Revert changes in check_package_version

---
 scripts/check_package_versions.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/scripts/check_package_versions.ts b/scripts/check_package_versions.ts
index 83d154d9854..31b5208a0d7 100644
--- a/scripts/check_package_versions.ts
+++ b/scripts/check_package_versions.ts
@@ -11,7 +11,6 @@ const packagePaths = await glob('./packages/*');
 const getExpectedMajorVersion = (packageName: string) => {
   switch (packageName) {
     case 'ampx':
-    case '@aws-amplify/storage-construct':
       return '0.';
     case '@aws-amplify/backend-deployer':
     case '@aws-amplify/cli-core':