aws-sdk-s3 1.147.0 → 1.163.0

Files changed (66)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +103 -2
  3. data/VERSION +1 -1
  4. data/lib/aws-sdk-s3/access_grants_credentials.rb +57 -0
  5. data/lib/aws-sdk-s3/access_grants_credentials_provider.rb +250 -0
  6. data/lib/aws-sdk-s3/bucket.rb +209 -69
  7. data/lib/aws-sdk-s3/bucket_acl.rb +3 -3
  8. data/lib/aws-sdk-s3/bucket_cors.rb +4 -4
  9. data/lib/aws-sdk-s3/bucket_lifecycle.rb +4 -4
  10. data/lib/aws-sdk-s3/bucket_lifecycle_configuration.rb +4 -4
  11. data/lib/aws-sdk-s3/bucket_logging.rb +3 -3
  12. data/lib/aws-sdk-s3/bucket_notification.rb +3 -3
  13. data/lib/aws-sdk-s3/bucket_policy.rb +4 -4
  14. data/lib/aws-sdk-s3/bucket_region_cache.rb +9 -5
  15. data/lib/aws-sdk-s3/bucket_request_payment.rb +3 -3
  16. data/lib/aws-sdk-s3/bucket_tagging.rb +4 -4
  17. data/lib/aws-sdk-s3/bucket_versioning.rb +5 -5
  18. data/lib/aws-sdk-s3/bucket_website.rb +4 -4
  19. data/lib/aws-sdk-s3/client.rb +1653 -637
  20. data/lib/aws-sdk-s3/client_api.rb +35 -3
  21. data/lib/aws-sdk-s3/customizations/bucket.rb +1 -1
  22. data/lib/aws-sdk-s3/customizations/errors.rb +15 -2
  23. data/lib/aws-sdk-s3/customizations/object.rb +5 -5
  24. data/lib/aws-sdk-s3/customizations.rb +4 -1
  25. data/lib/aws-sdk-s3/encryption/client.rb +2 -2
  26. data/lib/aws-sdk-s3/encryption/kms_cipher_provider.rb +2 -2
  27. data/lib/aws-sdk-s3/encryptionV2/client.rb +2 -2
  28. data/lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb +2 -2
  29. data/lib/aws-sdk-s3/endpoint_parameters.rb +8 -0
  30. data/lib/aws-sdk-s3/endpoint_provider.rb +1 -0
  31. data/lib/aws-sdk-s3/endpoints.rb +199 -397
  32. data/lib/aws-sdk-s3/express_credentials_provider.rb +27 -4
  33. data/lib/aws-sdk-s3/file_downloader.rb +1 -1
  34. data/lib/aws-sdk-s3/file_uploader.rb +1 -1
  35. data/lib/aws-sdk-s3/multipart_stream_uploader.rb +1 -1
  36. data/lib/aws-sdk-s3/multipart_upload.rb +24 -4
  37. data/lib/aws-sdk-s3/multipart_upload_part.rb +3 -3
  38. data/lib/aws-sdk-s3/object.rb +394 -137
  39. data/lib/aws-sdk-s3/object_acl.rb +3 -3
  40. data/lib/aws-sdk-s3/object_copier.rb +1 -1
  41. data/lib/aws-sdk-s3/object_multipart_copier.rb +10 -8
  42. data/lib/aws-sdk-s3/object_summary.rb +358 -115
  43. data/lib/aws-sdk-s3/object_version.rb +46 -9
  44. data/lib/aws-sdk-s3/plugins/access_grants.rb +178 -0
  45. data/lib/aws-sdk-s3/plugins/endpoints.rb +10 -1
  46. data/lib/aws-sdk-s3/plugins/express_session_auth.rb +8 -2
  47. data/lib/aws-sdk-s3/plugins/http_200_errors.rb +53 -16
  48. data/lib/aws-sdk-s3/plugins/s3_signer.rb +7 -2
  49. data/lib/aws-sdk-s3/presigner.rb +1 -0
  50. data/lib/aws-sdk-s3/resource.rb +12 -10
  51. data/lib/aws-sdk-s3/types.rb +966 -350
  52. data/lib/aws-sdk-s3.rb +1 -1
  53. data/sig/bucket.rbs +1 -0
  54. data/sig/client.rbs +38 -2
  55. data/sig/customizations/bucket.rbs +19 -0
  56. data/sig/customizations/object.rbs +38 -0
  57. data/sig/customizations/object_summary.rbs +35 -0
  58. data/sig/multipart_upload.rbs +1 -0
  59. data/sig/object.rbs +7 -0
  60. data/sig/object_summary.rbs +1 -0
  61. data/sig/object_version.rbs +6 -0
  62. data/sig/resource.rbs +6 -1
  63. data/sig/types.rbs +25 -2
  64. data/sig/waiters.rbs +12 -0
  65. metadata +12 -7
  66. data/lib/aws-sdk-s3/express_credentials_cache.rb +0 -30
@@ -865,11 +865,6 @@ module Aws::S3
865
865
  # @!attribute [rw] server_side_encryption
866
866
  # The server-side encryption algorithm used when storing this object
867
867
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
868
- #
869
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
870
- # managed keys (SSE-S3) (`AES256`) is supported.
871
- #
872
- # </note>
873
868
  # @return [String]
874
869
  #
875
870
  # @!attribute [rw] version_id
@@ -882,23 +877,14 @@ module Aws::S3
882
877
  # @return [String]
883
878
  #
884
879
  # @!attribute [rw] ssekms_key_id
885
- # If present, indicates the ID of the Key Management Service (KMS)
886
- # symmetric encryption customer managed key that was used for the
887
- # object.
888
- #
889
- # <note markdown="1"> This functionality is not supported for directory buckets.
890
- #
891
- # </note>
880
+ # If present, indicates the ID of the KMS key that was used for object
881
+ # encryption.
892
882
  # @return [String]
893
883
  #
894
884
  # @!attribute [rw] bucket_key_enabled
895
885
  # Indicates whether the multipart upload uses an S3 Bucket Key for
896
886
  # server-side encryption with Key Management Service (KMS) keys
897
887
  # (SSE-KMS).
898
- #
899
- # <note markdown="1"> This functionality is not supported for directory buckets.
900
- #
901
- # </note>
902
888
  # @return [Boolean]
903
889
  #
904
890
  # @!attribute [rw] request_charged
@@ -1061,6 +1047,27 @@ module Aws::S3
1061
1047
  # denied).
1062
1048
  # @return [String]
1063
1049
  #
1050
+ # @!attribute [rw] if_none_match
1051
+ # Uploads the object only if the object key name does not already
1052
+ # exist in the bucket specified. Otherwise, Amazon S3 returns a `412
1053
+ # Precondition Failed` error.
1054
+ #
1055
+ # If a conflicting operation occurs during the upload S3 returns a
1056
+ # `409 ConditionalRequestConflict` response. On a 409 failure you
1057
+ # should re-initiate the multipart upload with `CreateMultipartUpload`
1058
+ # and re-upload each part.
1059
+ #
1060
+ # Expects the '*' (asterisk) character.
1061
+ #
1062
+ # For more information about conditional requests, see [RFC 7232][1],
1063
+ # or [Conditional requests][2] in the *Amazon S3 User Guide*.
1064
+ #
1065
+ #
1066
+ #
1067
+ # [1]: https://tools.ietf.org/html/rfc7232
1068
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/conditional-requests.html
1069
+ # @return [String]
1070
+ #
1064
1071
  # @!attribute [rw] sse_customer_algorithm
1065
1072
  # The server-side encryption (SSE) algorithm used to encrypt the
1066
1073
  # object. This parameter is required only when the object was created
@@ -1120,6 +1127,7 @@ module Aws::S3
1120
1127
  :checksum_sha256,
1121
1128
  :request_payer,
1122
1129
  :expected_bucket_owner,
1130
+ :if_none_match,
1123
1131
  :sse_customer_algorithm,
1124
1132
  :sse_customer_key,
1125
1133
  :sse_customer_key_md5)
@@ -1326,11 +1334,6 @@ module Aws::S3
1326
1334
  # @!attribute [rw] server_side_encryption
1327
1335
  # The server-side encryption algorithm used when you store this object
1328
1336
  # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
1329
- #
1330
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
1331
- # managed keys (SSE-S3) (`AES256`) is supported.
1332
- #
1333
- # </note>
1334
1337
  # @return [String]
1335
1338
  #
1336
1339
  # @!attribute [rw] sse_customer_algorithm
@@ -1355,13 +1358,8 @@ module Aws::S3
1355
1358
  # @return [String]
1356
1359
  #
1357
1360
  # @!attribute [rw] ssekms_key_id
1358
- # If present, indicates the ID of the Key Management Service (KMS)
1359
- # symmetric encryption customer managed key that was used for the
1360
- # object.
1361
- #
1362
- # <note markdown="1"> This functionality is not supported for directory buckets.
1363
- #
1364
- # </note>
1361
+ # If present, indicates the ID of the KMS key that was used for object
1362
+ # encryption.
1365
1363
  # @return [String]
1366
1364
  #
1367
1365
  # @!attribute [rw] ssekms_encryption_context
@@ -1369,20 +1367,12 @@ module Aws::S3
1369
1367
  # to use for object encryption. The value of this header is a
1370
1368
  # base64-encoded UTF-8 string holding JSON with the encryption context
1371
1369
  # key-value pairs.
1372
- #
1373
- # <note markdown="1"> This functionality is not supported for directory buckets.
1374
- #
1375
- # </note>
1376
1370
  # @return [String]
1377
1371
  #
1378
1372
  # @!attribute [rw] bucket_key_enabled
1379
1373
  # Indicates whether the copied object uses an S3 Bucket Key for
1380
1374
  # server-side encryption with Key Management Service (KMS) keys
1381
1375
  # (SSE-KMS).
1382
- #
1383
- # <note markdown="1"> This functionality is not supported for directory buckets.
1384
- #
1385
- # </note>
1386
1376
  # @return [Boolean]
1387
1377
  #
1388
1378
  # @!attribute [rw] request_charged
@@ -1810,9 +1800,8 @@ module Aws::S3
1810
1800
  #
1811
1801
  # @!attribute [rw] server_side_encryption
1812
1802
  # The server-side encryption algorithm used when storing this object
1813
- # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
1814
- # Unrecognized or unsupported values won’t write a destination object
1815
- # and will receive a `400 Bad Request` response.
1803
+ # in Amazon S3. Unrecognized or unsupported values won’t write a
1804
+ # destination object and will receive a `400 Bad Request` response.
1816
1805
  #
1817
1806
  # Amazon S3 automatically encrypts all new objects that are copied to
1818
1807
  # an S3 bucket. When copying an object, if you don't specify
@@ -1821,21 +1810,8 @@ module Aws::S3
1821
1810
  # of the destination bucket. By default, all buckets have a base level
1822
1811
  # of encryption configuration that uses server-side encryption with
1823
1812
  # Amazon S3 managed keys (SSE-S3). If the destination bucket has a
1824
- # default encryption configuration that uses server-side encryption
1825
- # with Key Management Service (KMS) keys (SSE-KMS), dual-layer
1826
- # server-side encryption with Amazon Web Services KMS keys (DSSE-KMS),
1827
- # or server-side encryption with customer-provided encryption keys
1828
- # (SSE-C), Amazon S3 uses the corresponding KMS key, or a
1829
- # customer-provided key to encrypt the target object copy.
1830
- #
1831
- # When you perform a `CopyObject` operation, if you want to use a
1832
- # different type of encryption setting for the target object, you can
1833
- # specify appropriate encryption-related headers to encrypt the target
1834
- # object with an Amazon S3 managed key, a KMS key, or a
1835
- # customer-provided key. If the encryption setting in your request is
1836
- # different from the default encryption configuration of the
1837
- # destination bucket, the encryption setting in your request takes
1838
- # precedence.
1813
+ # different default encryption configuration, Amazon S3 uses the
1814
+ # corresponding encryption key to encrypt the target object copy.
1839
1815
  #
1840
1816
  # With server-side encryption, Amazon S3 encrypts your data as it
1841
1817
  # writes your data to disks in its data centers and decrypts the data
@@ -1843,14 +1819,63 @@ module Aws::S3
1843
1819
  # encryption, see [Using Server-Side Encryption][1] in the *Amazon S3
1844
1820
  # User Guide*.
1845
1821
  #
1846
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
1847
- # managed keys (SSE-S3) (`AES256`) is supported.
1848
- #
1849
- # </note>
1822
+ # <b>General purpose buckets </b>
1823
+ #
1824
+ # * For general purpose buckets, there are the following supported
1825
+ # options for server-side encryption: server-side encryption with
1826
+ # Key Management Service (KMS) keys (SSE-KMS), dual-layer
1827
+ # server-side encryption with Amazon Web Services KMS keys
1828
+ # (DSSE-KMS), and server-side encryption with customer-provided
1829
+ # encryption keys (SSE-C). Amazon S3 uses the corresponding KMS key,
1830
+ # or a customer-provided key to encrypt the target object copy.
1831
+ #
1832
+ # * When you perform a `CopyObject` operation, if you want to use a
1833
+ # different type of encryption setting for the target object, you
1834
+ # can specify appropriate encryption-related headers to encrypt the
1835
+ # target object with an Amazon S3 managed key, a KMS key, or a
1836
+ # customer-provided key. If the encryption setting in your request
1837
+ # is different from the default encryption configuration of the
1838
+ # destination bucket, the encryption setting in your request takes
1839
+ # precedence.
1840
+ #
1841
+ # <b>Directory buckets </b>
1842
+ #
1843
+ # * For directory buckets, there are only two supported options for
1844
+ # server-side encryption: server-side encryption with Amazon S3
1845
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with
1846
+ # KMS keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's
1847
+ # default encryption uses the desired encryption configuration and
1848
+ # you don't override the bucket default encryption in your
1849
+ # `CreateSession` requests or `PUT` object requests. Then, new
1850
+ # objects are automatically encrypted with the desired encryption
1851
+ # settings. For more information, see [Protecting data with
1852
+ # server-side encryption][2] in the *Amazon S3 User Guide*. For more
1853
+ # information about the encryption overriding behaviors in directory
1854
+ # buckets, see [Specifying server-side encryption with KMS for new
1855
+ # object uploads][3].
1856
+ #
1857
+ # * To encrypt new object copies to a directory bucket with SSE-KMS,
1858
+ # we recommend you specify SSE-KMS as the directory bucket's
1859
+ # default encryption configuration with a KMS key (specifically, a
1860
+ # [customer managed key][4]). [Amazon Web Services managed key][5]
1861
+ # (`aws/s3`) isn't supported. Your SSE-KMS configuration can only
1862
+ # support 1 [customer managed key][4] per directory bucket for the
1863
+ # lifetime of the bucket. After you specify a customer managed key
1864
+ # for SSE-KMS, you can't override the customer managed key for the
1865
+ # bucket's SSE-KMS configuration. Then, when you perform a
1866
+ # `CopyObject` operation and want to specify server-side encryption
1867
+ # settings for new object copies with SSE-KMS in the
1868
+ # encryption-related request headers, you must ensure the encryption
1869
+ # key is the same customer managed key that you specified for the
1870
+ # directory bucket's default encryption configuration.
1850
1871
  #
1851
1872
  #
1852
1873
  #
1853
1874
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
1875
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
1876
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
1877
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
1878
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1854
1879
  # @return [String]
1855
1880
  #
1856
1881
  # @!attribute [rw] storage_class
@@ -1956,7 +1981,7 @@ module Aws::S3
1956
1981
  # @return [String]
1957
1982
  #
1958
1983
  # @!attribute [rw] ssekms_key_id
1959
- # Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for
1984
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
1960
1985
  # object encryption. All GET and PUT requests for an object protected
1961
1986
  # by KMS will fail if they're not made via SSL or using SigV4. For
1962
1987
  # information about configuring any of the officially supported Amazon
@@ -1964,27 +1989,45 @@ module Aws::S3
1964
1989
  # Signature Version in Request Authentication][1] in the *Amazon S3
1965
1990
  # User Guide*.
1966
1991
  #
1967
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1968
- # directory bucket.
1969
- #
1970
- # </note>
1992
+ # **Directory buckets** - If you specify
1993
+ # `x-amz-server-side-encryption` with `aws:kms`, you must specify the
1994
+ # ` x-amz-server-side-encryption-aws-kms-key-id` header with the ID
1995
+ # (Key ID or Key ARN) of the KMS symmetric encryption customer managed
1996
+ # key to use. Otherwise, you get an HTTP `400 Bad Request` error. Only
1997
+ # use the key ID or key ARN. The key alias format of the KMS key
1998
+ # isn't supported. Your SSE-KMS configuration can only support 1
1999
+ # [customer managed key][2] per directory bucket for the lifetime of
2000
+ # the bucket. [Amazon Web Services managed key][3] (`aws/s3`) isn't
2001
+ # supported.
1971
2002
  #
1972
2003
  #
1973
2004
  #
1974
2005
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
2006
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
2007
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1975
2008
  # @return [String]
1976
2009
  #
1977
2010
  # @!attribute [rw] ssekms_encryption_context
1978
- # Specifies the Amazon Web Services KMS Encryption Context to use for
1979
- # object encryption. The value of this header is a base64-encoded
1980
- # UTF-8 string holding JSON with the encryption context key-value
1981
- # pairs. This value must be explicitly added to specify encryption
1982
- # context for `CopyObject` requests.
2011
+ # Specifies the Amazon Web Services KMS Encryption Context as an
2012
+ # additional encryption context to use for the destination object
2013
+ # encryption. The value of this header is a base64-encoded UTF-8
2014
+ # string holding JSON with the encryption context key-value pairs.
1983
2015
  #
1984
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1985
- # directory bucket.
2016
+ # **General purpose buckets** - This value must be explicitly added to
2017
+ # specify encryption context for `CopyObject` requests if you want an
2018
+ # additional encryption context for your destination object. The
2019
+ # additional encryption context of the source object won't be copied
2020
+ # to the destination object. For more information, see [Encryption
2021
+ # context][1] in the *Amazon S3 User Guide*.
1986
2022
  #
1987
- # </note>
2023
+ # **Directory buckets** - You can optionally provide an explicit
2024
+ # encryption context value. The value must match the default
2025
+ # encryption context - the bucket Amazon Resource Name (ARN). An
2026
+ # additional encryption context value is not supported.
2027
+ #
2028
+ #
2029
+ #
2030
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
1988
2031
  # @return [String]
1989
2032
  #
1990
2033
  # @!attribute [rw] bucket_key_enabled
@@ -2001,14 +2044,19 @@ module Aws::S3
2001
2044
  # For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon
2002
2045
  # S3 User Guide*.
2003
2046
  #
2004
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
2005
- # directory bucket.
2047
+ # <note markdown="1"> **Directory buckets** - S3 Bucket Keys aren't supported, when you
2048
+ # copy SSE-KMS encrypted objects from general purpose buckets to
2049
+ # directory buckets, from directory buckets to general purpose
2050
+ # buckets, or between directory buckets, through [CopyObject][2]. In
2051
+ # this case, Amazon S3 makes a call to KMS every time a copy request
2052
+ # is made for a KMS-encrypted object.
2006
2053
  #
2007
2054
  # </note>
2008
2055
  #
2009
2056
  #
2010
2057
  #
2011
2058
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
2059
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
2012
2060
  # @return [Boolean]
2013
2061
  #
2014
2062
  # @!attribute [rw] copy_source_sse_customer_algorithm
@@ -2620,11 +2668,6 @@ module Aws::S3
2620
2668
  # @!attribute [rw] server_side_encryption
2621
2669
  # The server-side encryption algorithm used when you store this object
2622
2670
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
2623
- #
2624
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
2625
- # managed keys (SSE-S3) (`AES256`) is supported.
2626
- #
2627
- # </note>
2628
2671
  # @return [String]
2629
2672
  #
2630
2673
  # @!attribute [rw] sse_customer_algorithm
@@ -2649,34 +2692,21 @@ module Aws::S3
2649
2692
  # @return [String]
2650
2693
  #
2651
2694
  # @!attribute [rw] ssekms_key_id
2652
- # If present, indicates the ID of the Key Management Service (KMS)
2653
- # symmetric encryption customer managed key that was used for the
2654
- # object.
2655
- #
2656
- # <note markdown="1"> This functionality is not supported for directory buckets.
2657
- #
2658
- # </note>
2695
+ # If present, indicates the ID of the KMS key that was used for object
2696
+ # encryption.
2659
2697
  # @return [String]
2660
2698
  #
2661
2699
  # @!attribute [rw] ssekms_encryption_context
2662
2700
  # If present, indicates the Amazon Web Services KMS Encryption Context
2663
2701
  # to use for object encryption. The value of this header is a
2664
- # base64-encoded UTF-8 string holding JSON with the encryption context
2665
- # key-value pairs.
2666
- #
2667
- # <note markdown="1"> This functionality is not supported for directory buckets.
2668
- #
2669
- # </note>
2702
+ # Base64-encoded string of a UTF-8 encoded JSON, which contains the
2703
+ # encryption context as key-value pairs.
2670
2704
  # @return [String]
2671
2705
  #
2672
2706
  # @!attribute [rw] bucket_key_enabled
2673
2707
  # Indicates whether the multipart upload uses an S3 Bucket Key for
2674
2708
  # server-side encryption with Key Management Service (KMS) keys
2675
2709
  # (SSE-KMS).
2676
- #
2677
- # <note markdown="1"> This functionality is not supported for directory buckets.
2678
- #
2679
- # </note>
2680
2710
  # @return [Boolean]
2681
2711
  #
2682
2712
  # @!attribute [rw] request_charged
@@ -3088,10 +3118,53 @@ module Aws::S3
3088
3118
  # The server-side encryption algorithm used when you store this object
3089
3119
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
3090
3120
  #
3091
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
3092
- # managed keys (SSE-S3) (`AES256`) is supported.
3121
+ # * <b>Directory buckets </b> - For directory buckets, there are only
3122
+ # two supported options for server-side encryption: server-side
3123
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
3124
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
3125
+ # recommend that the bucket's default encryption uses the desired
3126
+ # encryption configuration and you don't override the bucket
3127
+ # default encryption in your `CreateSession` requests or `PUT`
3128
+ # object requests. Then, new objects are automatically encrypted
3129
+ # with the desired encryption settings. For more information, see
3130
+ # [Protecting data with server-side encryption][1] in the *Amazon S3
3131
+ # User Guide*. For more information about the encryption overriding
3132
+ # behaviors in directory buckets, see [Specifying server-side
3133
+ # encryption with KMS for new object uploads][2].
3134
+ #
3135
+ # In the Zonal endpoint API calls (except [CopyObject][3] and
3136
+ # [UploadPartCopy][4]) using the REST API, the encryption request
3137
+ # headers must match the encryption settings that are specified in
3138
+ # the `CreateSession` request. You can't override the values of the
3139
+ # encryption settings (`x-amz-server-side-encryption`,
3140
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
3141
+ # `x-amz-server-side-encryption-context`, and
3142
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
3143
+ # specified in the `CreateSession` request. You don't need to
3144
+ # explicitly specify these encryption settings values in Zonal
3145
+ # endpoint API calls, and Amazon S3 will use the encryption settings
3146
+ # values from the `CreateSession` request to protect new objects in
3147
+ # the directory bucket.
3148
+ #
3149
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
3150
+ # `CreateSession`, the session token refreshes automatically to
3151
+ # avoid service interruptions when a session expires. The CLI or the
3152
+ # Amazon Web Services SDKs use the bucket's default encryption
3153
+ # configuration for the `CreateSession` request. It's not supported
3154
+ # to override the encryption settings values in the `CreateSession`
3155
+ # request. So in the Zonal endpoint API calls (except
3156
+ # [CopyObject][3] and [UploadPartCopy][4]), the encryption request
3157
+ # headers must match the default encryption configuration of the
3158
+ # directory bucket.
3093
3159
  #
3094
- # </note>
3160
+ # </note>
3161
+ #
3162
+ #
3163
+ #
3164
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3165
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
3166
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3167
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3095
3168
  # @return [String]
3096
3169
  #
3097
3170
  # @!attribute [rw] storage_class
@@ -3157,37 +3230,75 @@ module Aws::S3
3157
3230
  # @return [String]
3158
3231
  #
3159
3232
  # @!attribute [rw] ssekms_key_id
3160
- # Specifies the ID (Key ID, Key ARN, or Key Alias) of the symmetric
3161
- # encryption customer managed key to use for object encryption.
3233
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
3234
+ # object encryption. If the KMS key doesn't exist in the same account
3235
+ # that's issuing the command, you must use the full Key ARN not the
3236
+ # Key ID.
3237
+ #
3238
+ # **General purpose buckets** - If you specify
3239
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`,
3240
+ # this header specifies the ID (Key ID, Key ARN, or Key Alias) of the
3241
+ # KMS key to use. If you specify
3242
+ # `x-amz-server-side-encryption:aws:kms` or
3243
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
3244
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
3245
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
3162
3246
  #
3163
- # <note markdown="1"> This functionality is not supported for directory buckets.
3247
+ # **Directory buckets** - If you specify
3248
+ # `x-amz-server-side-encryption` with `aws:kms`, you must specify the
3249
+ # ` x-amz-server-side-encryption-aws-kms-key-id` header with the ID
3250
+ # (Key ID or Key ARN) of the KMS symmetric encryption customer managed
3251
+ # key to use. Otherwise, you get an HTTP `400 Bad Request` error. Only
3252
+ # use the key ID or key ARN. The key alias format of the KMS key
3253
+ # isn't supported. Your SSE-KMS configuration can only support 1
3254
+ # [customer managed key][1] per directory bucket for the lifetime of
3255
+ # the bucket. [Amazon Web Services managed key][2] (`aws/s3`) isn't
3256
+ # supported.
3164
3257
  #
3165
- # </note>
3258
+ #
3259
+ #
3260
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3261
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3166
3262
  # @return [String]
3167
3263
  #
3168
3264
  # @!attribute [rw] ssekms_encryption_context
3169
3265
  # Specifies the Amazon Web Services KMS Encryption Context to use for
3170
- # object encryption. The value of this header is a base64-encoded
3171
- # UTF-8 string holding JSON with the encryption context key-value
3172
- # pairs.
3266
+ # object encryption. The value of this header is a Base64-encoded
3267
+ # string of a UTF-8 encoded JSON, which contains the encryption
3268
+ # context as key-value pairs.
3173
3269
  #
3174
- # <note markdown="1"> This functionality is not supported for directory buckets.
3175
- #
3176
- # </note>
3270
+ # **Directory buckets** - You can optionally provide an explicit
3271
+ # encryption context value. The value must match the default
3272
+ # encryption context - the bucket Amazon Resource Name (ARN). An
3273
+ # additional encryption context value is not supported.
3177
3274
  # @return [String]
3178
3275
  #
3179
3276
  # @!attribute [rw] bucket_key_enabled
3180
3277
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
3181
3278
  # encryption with server-side encryption using Key Management Service
3182
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
3183
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
3279
+ # (KMS) keys (SSE-KMS).
3184
3280
  #
3185
- # Specifying this header with an object action doesn’t affect
3186
- # bucket-level settings for S3 Bucket Key.
3281
+ # **General purpose buckets** - Setting this header to `true` causes
3282
+ # Amazon S3 to use an S3 Bucket Key for object encryption with
3283
+ # SSE-KMS. Also, specifying this header with a PUT action doesn't
3284
+ # affect bucket-level settings for S3 Bucket Key.
3187
3285
  #
3188
- # <note markdown="1"> This functionality is not supported for directory buckets.
3286
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
3287
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
3288
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted
3289
+ # objects from general purpose buckets to directory buckets, from
3290
+ # directory buckets to general purpose buckets, or between directory
3291
+ # buckets, through [CopyObject][1], [UploadPartCopy][2], [the Copy
3292
+ # operation in Batch Operations][3], or [the import jobs][4]. In this
3293
+ # case, Amazon S3 makes a call to KMS every time a copy request is
3294
+ # made for a KMS-encrypted object.
3189
3295
  #
3190
- # </note>
3296
+ #
3297
+ #
3298
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3299
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3300
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
3301
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
3191
3302
  # @return [Boolean]
3192
3303
  #
3193
3304
  # @!attribute [rw] request_payer
@@ -3297,16 +3408,45 @@ module Aws::S3
3297
3408
  include Aws::Structure
3298
3409
  end
3299
3410
 
3411
+ # @!attribute [rw] server_side_encryption
3412
+ # The server-side encryption algorithm used when you store objects in
3413
+ # the directory bucket.
3414
+ # @return [String]
3415
+ #
3416
+ # @!attribute [rw] ssekms_key_id
3417
+ # If you specify `x-amz-server-side-encryption` with `aws:kms`, this
3418
+ # header indicates the ID of the KMS symmetric encryption customer
3419
+ # managed key that was used for object encryption.
3420
+ # @return [String]
3421
+ #
3422
+ # @!attribute [rw] ssekms_encryption_context
3423
+ # If present, indicates the Amazon Web Services KMS Encryption Context
3424
+ # to use for object encryption. The value of this header is a
3425
+ # Base64-encoded string of a UTF-8 encoded JSON, which contains the
3426
+ # encryption context as key-value pairs. This value is stored as
3427
+ # object metadata and automatically gets passed on to Amazon Web
3428
+ # Services KMS for future `GetObject` operations on this object.
3429
+ # @return [String]
3430
+ #
3431
+ # @!attribute [rw] bucket_key_enabled
3432
+ # Indicates whether to use an S3 Bucket Key for server-side encryption
3433
+ # with KMS keys (SSE-KMS).
3434
+ # @return [Boolean]
3435
+ #
3300
3436
  # @!attribute [rw] credentials
3301
3437
  # The established temporary security credentials for the created
3302
- # session..
3438
+ # session.
3303
3439
  # @return [Types::SessionCredentials]
3304
3440
  #
3305
3441
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/CreateSessionOutput AWS API Documentation
3306
3442
  #
3307
3443
  class CreateSessionOutput < Struct.new(
3444
+ :server_side_encryption,
3445
+ :ssekms_key_id,
3446
+ :ssekms_encryption_context,
3447
+ :bucket_key_enabled,
3308
3448
  :credentials)
3309
- SENSITIVE = []
3449
+ SENSITIVE = [:ssekms_key_id, :ssekms_encryption_context]
3310
3450
  include Aws::Structure
3311
3451
  end
3312
3452
 
@@ -3314,27 +3454,114 @@ module Aws::S3
3314
3454
  # Specifies the mode of the session that will be created, either
3315
3455
  # `ReadWrite` or `ReadOnly`. By default, a `ReadWrite` session is
3316
3456
  # created. A `ReadWrite` session is capable of executing all the Zonal
3317
- # endpoint APIs on a directory bucket. A `ReadOnly` session is
3318
- # constrained to execute the following Zonal endpoint APIs:
3319
- # `GetObject`, `HeadObject`, `ListObjectsV2`, `GetObjectAttributes`,
3320
- # `ListParts`, and `ListMultipartUploads`.
3457
+ # endpoint API operations on a directory bucket. A `ReadOnly` session
3458
+ # is constrained to execute the following Zonal endpoint API
3459
+ # operations: `GetObject`, `HeadObject`, `ListObjectsV2`,
3460
+ # `GetObjectAttributes`, `ListParts`, and `ListMultipartUploads`.
3321
3461
  # @return [String]
3322
3462
  #
3323
3463
  # @!attribute [rw] bucket
3324
3464
  # The name of the bucket that you create a session for.
3325
3465
  # @return [String]
3326
3466
  #
3467
+ # @!attribute [rw] server_side_encryption
3468
+ # The server-side encryption algorithm to use when you store objects
3469
+ # in the directory bucket.
3470
+ #
3471
+ # For directory buckets, there are only two supported options for
3472
+ # server-side encryption: server-side encryption with Amazon S3
3473
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
3474
+ # keys (SSE-KMS) (`aws:kms`). By default, Amazon S3 encrypts data with
3475
+ # SSE-S3. For more information, see [Protecting data with server-side
3476
+ # encryption][1] in the *Amazon S3 User Guide*.
3477
+ #
3478
+ #
3479
+ #
3480
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3481
+ # @return [String]
3482
+ #
3483
+ # @!attribute [rw] ssekms_key_id
3484
+ # If you specify `x-amz-server-side-encryption` with `aws:kms`, you
3485
+ # must specify the ` x-amz-server-side-encryption-aws-kms-key-id`
3486
+ # header with the ID (Key ID or Key ARN) of the KMS symmetric
3487
+ # encryption customer managed key to use. Otherwise, you get an HTTP
3488
+ # `400 Bad Request` error. Only use the key ID or key ARN. The key
3489
+ # alias format of the KMS key isn't supported. Also, if the KMS key
3490
+ # doesn't exist in the same account that't issuing the command, you
3491
+ # must use the full Key ARN not the Key ID.
3492
+ #
3493
+ # Your SSE-KMS configuration can only support 1 [customer managed
3494
+ # key][1] per directory bucket for the lifetime of the bucket. [Amazon
3495
+ # Web Services managed key][2] (`aws/s3`) isn't supported.
3496
+ #
3497
+ #
3498
+ #
3499
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3500
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3501
+ # @return [String]
3502
+ #
3503
+ # @!attribute [rw] ssekms_encryption_context
3504
+ # Specifies the Amazon Web Services KMS Encryption Context as an
3505
+ # additional encryption context to use for object encryption. The
3506
+ # value of this header is a Base64-encoded string of a UTF-8 encoded
3507
+ # JSON, which contains the encryption context as key-value pairs. This
3508
+ # value is stored as object metadata and automatically gets passed on
3509
+ # to Amazon Web Services KMS for future `GetObject` operations on this
3510
+ # object.
3511
+ #
3512
+ # **General purpose buckets** - This value must be explicitly added
3513
+ # during `CopyObject` operations if you want an additional encryption
3514
+ # context for your object. For more information, see [Encryption
3515
+ # context][1] in the *Amazon S3 User Guide*.
3516
+ #
3517
+ # **Directory buckets** - You can optionally provide an explicit
3518
+ # encryption context value. The value must match the default
3519
+ # encryption context - the bucket Amazon Resource Name (ARN). An
3520
+ # additional encryption context value is not supported.
3521
+ #
3522
+ #
3523
+ #
3524
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
3525
+ # @return [String]
3526
+ #
3527
+ # @!attribute [rw] bucket_key_enabled
3528
+ # Specifies whether Amazon S3 should use an S3 Bucket Key for object
3529
+ # encryption with server-side encryption using KMS keys (SSE-KMS).
3530
+ #
3531
+ # S3 Bucket Keys are always enabled for `GET` and `PUT` operations in
3532
+ # a directory bucket and can’t be disabled. S3 Bucket Keys aren't
3533
+ # supported, when you copy SSE-KMS encrypted objects from general
3534
+ # purpose buckets to directory buckets, from directory buckets to
3535
+ # general purpose buckets, or between directory buckets, through
3536
+ # [CopyObject][1], [UploadPartCopy][2], [the Copy operation in Batch
3537
+ # Operations][3], or [the import jobs][4]. In this case, Amazon S3
3538
+ # makes a call to KMS every time a copy request is made for a
3539
+ # KMS-encrypted object.
3540
+ #
3541
+ #
3542
+ #
3543
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3544
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3545
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
3546
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
3547
+ # @return [Boolean]
3548
+ #
3327
3549
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/CreateSessionRequest AWS API Documentation
3328
3550
  #
3329
3551
  class CreateSessionRequest < Struct.new(
3330
3552
  :session_mode,
3331
- :bucket)
3332
- SENSITIVE = []
3553
+ :bucket,
3554
+ :server_side_encryption,
3555
+ :ssekms_key_id,
3556
+ :ssekms_encryption_context,
3557
+ :bucket_key_enabled)
3558
+ SENSITIVE = [:ssekms_key_id, :ssekms_encryption_context]
3333
3559
  include Aws::Structure
3334
3560
  end
3335
3561
 
3336
- # The container element for specifying the default Object Lock retention
3337
- # settings for new objects placed in the specified bucket.
3562
+ # The container element for optionally specifying the default Object
3563
+ # Lock retention settings for new objects placed in the specified
3564
+ # bucket.
3338
3565
  #
3339
3566
  # <note markdown="1"> * The `DefaultRetention` settings require both a mode and a period.
3340
3567
  #
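Review bot: The new `ssekms_key_id` text for `CreateSessionRequest` has two typos in the sentences that tell the caller which key identifier to send. New line 3490 reads `that't issuing the command` and should read `# doesn't exist in the same account that's issuing the command, you`. New line 3485 has a stray space inside the backticks, so the header renders as `` ` x-amz-server-side-encryption-aws-kms-key-id` `` instead of `x-amz-server-side-encryption-aws-kms-key-id`. The file reads like generated documentation, so the correction probably belongs in the upstream model rather than in this file.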
@@ -3447,6 +3674,20 @@ module Aws::S3
3447
3674
  # @!attribute [rw] bucket
3448
3675
  # The name of the bucket containing the server-side encryption
3449
3676
  # configuration to delete.
3677
+ #
3678
+ # <b>Directory buckets </b> - When you use this operation with a
3679
+ # directory bucket, you must use path-style requests in the format
3680
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
3681
+ # Virtual-hosted-style requests aren't supported. Directory bucket
3682
+ # names must be unique in the chosen Availability Zone. Bucket names
3683
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
3684
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information
3685
+ # about bucket naming restrictions, see [Directory bucket naming
3686
+ # rules][1] in the *Amazon S3 User Guide*
3687
+ #
3688
+ #
3689
+ #
3690
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
3450
3691
  # @return [String]
3451
3692
  #
3452
3693
  # @!attribute [rw] expected_bucket_owner
@@ -3454,6 +3695,12 @@ module Aws::S3
3454
3695
  # you provide does not match the actual owner of the bucket, the
3455
3696
  # request fails with the HTTP status code `403 Forbidden` (access
3456
3697
  # denied).
3698
+ #
3699
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
3700
+ # operation. If you specify this header, the request fails with the
3701
+ # HTTP status code `501 Not Implemented`.
3702
+ #
3703
+ # </note>
3457
3704
  # @return [String]
3458
3705
  #
3459
3706
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/DeleteBucketEncryptionRequest AWS API Documentation
@@ -4390,6 +4637,14 @@ module Aws::S3
4390
4637
  # Specifies encryption-related information for an Amazon S3 bucket that
4391
4638
  # is a destination for replicated objects.
4392
4639
  #
4640
+ # <note markdown="1"> If you're specifying a customer managed KMS key, we recommend using a
4641
+ # fully qualified KMS key ARN. If you use a KMS key alias instead, then
4642
+ # KMS resolves the key within the requester’s account. This behavior can
4643
+ # result in data that's encrypted with a KMS key that belongs to the
4644
+ # requester, and not the bucket owner.
4645
+ #
4646
+ # </note>
4647
+ #
4393
4648
  # @!attribute [rw] replica_kms_key_id
4394
4649
  # Specifies the ID (Key ARN or Alias ARN) of the customer managed
4395
4650
  # Amazon Web Services KMS key stored in Amazon Web Services Key
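Review bot: The note added at new lines 4640-4646 warns that a KMS key alias is resolved in the requester's account, but the `replica_kms_key_id` description directly below (new line 4649) still offers `Key ARN or Alias ARN` as equivalent choices. A reader who jumps straight to the attribute never sees the caveat, and the two wordings (`KMS key alias` vs. `Alias ARN`) leave it unclear whether an alias ARN is affected. I would repeat the recommendation on the attribute itself, for example `# Prefer a fully qualified key ARN; an alias is resolved in the requester's account.` The attribute description continues past the end of this hunk, so it may already say more than is visible here.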
@@ -5295,12 +5550,16 @@ module Aws::S3
5295
5550
  class EventBridgeConfiguration < Aws::EmptyStructure; end
5296
5551
 
5297
5552
  # Optional configuration to replicate existing source bucket objects.
5298
- # For more information, see [Replicating Existing Objects][1] in the
5553
+ #
5554
+ # <note markdown="1"> This parameter is no longer supported. To replicate existing objects,
5555
+ # see [Replicating existing objects with S3 Batch Replication][1] in the
5299
5556
  # *Amazon S3 User Guide*.
5300
5557
  #
5558
+ # </note>
5559
+ #
5301
5560
  #
5302
5561
  #
5303
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-what-is-isnot-replicated.html#existing-object-replication
5562
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-batch-replication-batch.html
5304
5563
  #
5305
5564
  # @!attribute [rw] status
5306
5565
  # Specifies whether Amazon S3 replicates existing source bucket
@@ -5564,6 +5823,20 @@ module Aws::S3
5564
5823
  # @!attribute [rw] bucket
5565
5824
  # The name of the bucket from which the server-side encryption
5566
5825
  # configuration is retrieved.
5826
+ #
5827
+ # <b>Directory buckets </b> - When you use this operation with a
5828
+ # directory bucket, you must use path-style requests in the format
5829
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
5830
+ # Virtual-hosted-style requests aren't supported. Directory bucket
5831
+ # names must be unique in the chosen Availability Zone. Bucket names
5832
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
5833
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information
5834
+ # about bucket naming restrictions, see [Directory bucket naming
5835
+ # rules][1] in the *Amazon S3 User Guide*
5836
+ #
5837
+ #
5838
+ #
5839
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
5567
5840
  # @return [String]
5568
5841
  #
5569
5842
  # @!attribute [rw] expected_bucket_owner
@@ -5571,6 +5844,12 @@ module Aws::S3
5571
5844
  # you provide does not match the actual owner of the bucket, the
5572
5845
  # request fails with the HTTP status code `403 Forbidden` (access
5573
5846
  # denied).
5847
+ #
5848
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
5849
+ # operation. If you specify this header, the request fails with the
5850
+ # HTTP status code `501 Not Implemented`.
5851
+ #
5852
+ # </note>
5574
5853
  # @return [String]
5575
5854
  #
5576
5855
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/GetBucketEncryptionRequest AWS API Documentation
@@ -6892,12 +7171,7 @@ module Aws::S3
6892
7171
  #
6893
7172
  # @!attribute [rw] server_side_encryption
6894
7173
  # The server-side encryption algorithm used when you store this object
6895
- # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
6896
- #
6897
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
6898
- # managed keys (SSE-S3) (`AES256`) is supported.
6899
- #
6900
- # </note>
7174
+ # in Amazon S3.
6901
7175
  # @return [String]
6902
7176
  #
6903
7177
  # @!attribute [rw] metadata
@@ -6926,22 +7200,13 @@ module Aws::S3
6926
7200
  # @return [String]
6927
7201
  #
6928
7202
  # @!attribute [rw] ssekms_key_id
6929
- # If present, indicates the ID of the Key Management Service (KMS)
6930
- # symmetric encryption customer managed key that was used for the
6931
- # object.
6932
- #
6933
- # <note markdown="1"> This functionality is not supported for directory buckets.
6934
- #
6935
- # </note>
7203
+ # If present, indicates the ID of the KMS key that was used for object
7204
+ # encryption.
6936
7205
  # @return [String]
6937
7206
  #
6938
7207
  # @!attribute [rw] bucket_key_enabled
6939
7208
  # Indicates whether the object uses an S3 Bucket Key for server-side
6940
7209
  # encryption with Key Management Service (KMS) keys (SSE-KMS).
6941
- #
6942
- # <note markdown="1"> This functionality is not supported for directory buckets.
6943
- #
6944
- # </note>
6945
7210
  # @return [Boolean]
6946
7211
  #
6947
7212
  # @!attribute [rw] storage_class
@@ -7381,6 +7646,15 @@ module Aws::S3
7381
7646
  #
7382
7647
  # @!attribute [rw] checksum_mode
7383
7648
  # To retrieve the checksum, this mode must be enabled.
7649
+ #
7650
+ # **General purpose buckets** - In addition, if you enable checksum
7651
+ # mode and the object is uploaded with a [checksum][1] and encrypted
7652
+ # with an Key Management Service (KMS) key, you must have permission
7653
+ # to use the `kms:Decrypt` action to retrieve the checksum.
7654
+ #
7655
+ #
7656
+ #
7657
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
7384
7658
  # @return [String]
7385
7659
  #
7386
7660
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/GetObjectRequest AWS API Documentation
@@ -7802,17 +8076,13 @@ module Aws::S3
7802
8076
  #
7803
8077
  # @!attribute [rw] bucket_region
7804
8078
  # The Region that the bucket is located.
7805
- #
7806
- # <note markdown="1"> This functionality is not supported for directory buckets.
7807
- #
7808
- # </note>
7809
8079
  # @return [String]
7810
8080
  #
7811
8081
  # @!attribute [rw] access_point_alias
7812
8082
  # Indicates whether the bucket name used in the request is an access
7813
8083
  # point alias.
7814
8084
  #
7815
- # <note markdown="1"> This functionality is not supported for directory buckets.
8085
+ # <note markdown="1"> For directory buckets, the value of this field is `false`.
7816
8086
  #
7817
8087
  # </note>
7818
8088
  # @return [Boolean]
@@ -8101,11 +8371,6 @@ module Aws::S3
8101
8371
  # @!attribute [rw] server_side_encryption
8102
8372
  # The server-side encryption algorithm used when you store this object
8103
8373
  # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
8104
- #
8105
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
8106
- # managed keys (SSE-S3) (`AES256`) is supported.
8107
- #
8108
- # </note>
8109
8374
  # @return [String]
8110
8375
  #
8111
8376
  # @!attribute [rw] metadata
@@ -8134,22 +8399,13 @@ module Aws::S3
8134
8399
  # @return [String]
8135
8400
  #
8136
8401
  # @!attribute [rw] ssekms_key_id
8137
- # If present, indicates the ID of the Key Management Service (KMS)
8138
- # symmetric encryption customer managed key that was used for the
8139
- # object.
8140
- #
8141
- # <note markdown="1"> This functionality is not supported for directory buckets.
8142
- #
8143
- # </note>
8402
+ # If present, indicates the ID of the KMS key that was used for object
8403
+ # encryption.
8144
8404
  # @return [String]
8145
8405
  #
8146
8406
  # @!attribute [rw] bucket_key_enabled
8147
8407
  # Indicates whether the object uses an S3 Bucket Key for server-side
8148
8408
  # encryption with Key Management Service (KMS) keys (SSE-KMS).
8149
- #
8150
- # <note markdown="1"> This functionality is not supported for directory buckets.
8151
- #
8152
- # </note>
8153
8409
  # @return [Boolean]
8154
8410
  #
8155
8411
  # @!attribute [rw] storage_class
@@ -8452,6 +8708,30 @@ module Aws::S3
8452
8708
  # Not Satisfiable` error.
8453
8709
  # @return [String]
8454
8710
  #
8711
+ # @!attribute [rw] response_cache_control
8712
+ # Sets the `Cache-Control` header of the response.
8713
+ # @return [String]
8714
+ #
8715
+ # @!attribute [rw] response_content_disposition
8716
+ # Sets the `Content-Disposition` header of the response.
8717
+ # @return [String]
8718
+ #
8719
+ # @!attribute [rw] response_content_encoding
8720
+ # Sets the `Content-Encoding` header of the response.
8721
+ # @return [String]
8722
+ #
8723
+ # @!attribute [rw] response_content_language
8724
+ # Sets the `Content-Language` header of the response.
8725
+ # @return [String]
8726
+ #
8727
+ # @!attribute [rw] response_content_type
8728
+ # Sets the `Content-Type` header of the response.
8729
+ # @return [String]
8730
+ #
8731
+ # @!attribute [rw] response_expires
8732
+ # Sets the `Expires` header of the response.
8733
+ # @return [Time]
8734
+ #
8455
8735
  # @!attribute [rw] version_id
8456
8736
  # Version ID used to reference a specific version of the object.
8457
8737
  #
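Review bot: The six new `response_*` attributes on `HeadObjectRequest` (new lines 8711-8733, with the matching struct members in the hunk at new lines 8836-8841) are each documented with a single sentence and give no guidance on what values are acceptable. They let the caller choose response headers such as `Content-Type` and `Content-Disposition`, so the doc should say that the value is returned as a response header and should not be built from unvalidated user input. A line such as `# The value is returned as-is in the response header; validate it before passing user-supplied data.` under each attribute would cover it. Whether the service applies any filtering of its own is not visible from this diff.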
@@ -8527,10 +8807,20 @@ module Aws::S3
8527
8807
  # @!attribute [rw] checksum_mode
8528
8808
  # To retrieve the checksum, this parameter must be enabled.
8529
8809
  #
8530
- # In addition, if you enable `ChecksumMode` and the object is
8531
- # encrypted with Amazon Web Services Key Management Service (Amazon
8532
- # Web Services KMS), you must have permission to use the `kms:Decrypt`
8533
- # action for the request to succeed.
8810
+ # **General purpose buckets** - If you enable checksum mode and the
8811
+ # object is uploaded with a [checksum][1] and encrypted with an Key
8812
+ # Management Service (KMS) key, you must have permission to use the
8813
+ # `kms:Decrypt` action to retrieve the checksum.
8814
+ #
8815
+ # **Directory buckets** - If you enable `ChecksumMode` and the object
8816
+ # is encrypted with Amazon Web Services Key Management Service (Amazon
8817
+ # Web Services KMS), you must also have the `kms:GenerateDataKey` and
8818
+ # `kms:Decrypt` permissions in IAM identity-based policies and KMS key
8819
+ # policies for the KMS key to retrieve the checksum of the object.
8820
+ #
8821
+ #
8822
+ #
8823
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
8534
8824
  # @return [String]
8535
8825
  #
8536
8826
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/HeadObjectRequest AWS API Documentation
@@ -8543,6 +8833,12 @@ module Aws::S3
8543
8833
  :if_unmodified_since,
8544
8834
  :key,
8545
8835
  :range,
8836
+ :response_cache_control,
8837
+ :response_content_disposition,
8838
+ :response_content_encoding,
8839
+ :response_content_language,
8840
+ :response_content_type,
8841
+ :response_expires,
8546
8842
  :version_id,
8547
8843
  :sse_customer_algorithm,
8548
8844
  :sse_customer_key,
@@ -8559,10 +8855,11 @@ module Aws::S3
8559
8855
  #
8560
8856
  # @!attribute [rw] suffix
8561
8857
  # A suffix that is appended to a request that is for a directory on
8562
- # the website endpoint (for example,if the suffix is index.html and
8563
- # you make a request to samplebucket/images/ the data that is returned
8564
- # will be for the object with the key name images/index.html) The
8565
- # suffix must not be empty and must not include a slash character.
8858
+ # the website endpoint. (For example, if the suffix is `index.html`
8859
+ # and you make a request to `samplebucket/images/`, the data that is
8860
+ # returned will be for the object with the key name
8861
+ # `images/index.html`.) The suffix must not be empty and must not
8862
+ # include a slash character.
8566
8863
  #
8567
8864
  # Replacement must be made for object keys containing special
8568
8865
  # characters (such as carriage returns) when using XML requests. For
@@ -9495,11 +9792,45 @@ module Aws::S3
9495
9792
  # The owner of the buckets listed.
9496
9793
  # @return [Types::Owner]
9497
9794
  #
9795
+ # @!attribute [rw] continuation_token
9796
+ # `ContinuationToken` is included in the response when there are more
9797
+ # buckets that can be listed with pagination. The next `ListBuckets`
9798
+ # request to Amazon S3 can be continued with this `ContinuationToken`.
9799
+ # `ContinuationToken` is obfuscated and is not a real bucket.
9800
+ # @return [String]
9801
+ #
9498
9802
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/ListBucketsOutput AWS API Documentation
9499
9803
  #
9500
9804
  class ListBucketsOutput < Struct.new(
9501
9805
  :buckets,
9502
- :owner)
9806
+ :owner,
9807
+ :continuation_token)
9808
+ SENSITIVE = []
9809
+ include Aws::Structure
9810
+ end
9811
+
9812
+ # @!attribute [rw] max_buckets
9813
+ # Maximum number of buckets to be returned in response. When the
9814
+ # number is more than the count of buckets that are owned by an Amazon
9815
+ # Web Services account, return all the buckets in response.
9816
+ # @return [Integer]
9817
+ #
9818
+ # @!attribute [rw] continuation_token
9819
+ # `ContinuationToken` indicates to Amazon S3 that the list is being
9820
+ # continued on this bucket with a token. `ContinuationToken` is
9821
+ # obfuscated and is not a real key. You can use this
9822
+ # `ContinuationToken` for pagination of the list results.
9823
+ #
9824
+ # Length Constraints: Minimum length of 0. Maximum length of 1024.
9825
+ #
9826
+ # Required: No.
9827
+ # @return [String]
9828
+ #
9829
+ # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/ListBucketsRequest AWS API Documentation
9830
+ #
9831
+ class ListBucketsRequest < Struct.new(
9832
+ :max_buckets,
9833
+ :continuation_token)
9503
9834
  SENSITIVE = []
9504
9835
  include Aws::Structure
9505
9836
  end
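Review bot: The `continuation_token` description added for `ListBucketsRequest` (new lines 9819-9822) carries wording from the object-listing operations: it says the list is `continued on this bucket` and that the token `is not a real key`. The `ListBucketsOutput` text in the same hunk says `is not a real bucket`, and the next hunk (new lines 9859-9862) corrects the identical sentence for directory buckets. For consistency the request doc should read `# continued on buckets in this account with a token. `ContinuationToken` is obfuscated and is not a real bucket name.`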
@@ -9525,9 +9856,10 @@ module Aws::S3
9525
9856
 
9526
9857
  # @!attribute [rw] continuation_token
9527
9858
  # `ContinuationToken` indicates to Amazon S3 that the list is being
9528
- # continued on this bucket with a token. `ContinuationToken` is
9529
- # obfuscated and is not a real key. You can use this
9530
- # `ContinuationToken` for pagination of the list results.
9859
+ # continued on buckets in this account with a token.
9860
+ # `ContinuationToken` is obfuscated and is not a real bucket name. You
9861
+ # can use this `ContinuationToken` for the pagination of the list
9862
+ # results.
9531
9863
  # @return [String]
9532
9864
  #
9533
9865
  # @!attribute [rw] max_directory_buckets
@@ -9737,12 +10069,26 @@ module Aws::S3
9737
10069
  # @return [String]
9738
10070
  #
9739
10071
  # @!attribute [rw] encoding_type
9740
- # Requests Amazon S3 to encode the object keys in the response and
9741
- # specifies the encoding method to use. An object key can contain any
9742
- # Unicode character; however, the XML 1.0 parser cannot parse some
9743
- # characters, such as characters with an ASCII value from 0 to 10. For
9744
- # characters that are not supported in XML 1.0, you can add this
9745
- # parameter to request that Amazon S3 encode the keys in the response.
10072
+ # Encoding type used by Amazon S3 to encode the [object keys][1] in
10073
+ # the response. Responses are encoded only in UTF-8. An object key can
10074
+ # contain any Unicode character. However, the XML 1.0 parser can't
10075
+ # parse certain characters, such as characters with an ASCII value
10076
+ # from 0 to 10. For characters that aren't supported in XML 1.0, you
10077
+ # can add this parameter to request that Amazon S3 encode the keys in
10078
+ # the response. For more information about characters to avoid in
10079
+ # object key names, see [Object key naming guidelines][2].
10080
+ #
10081
+ # <note markdown="1"> When using the URL encoding type, non-ASCII characters that are used
10082
+ # in an object's key name will be percent-encoded according to UTF-8
10083
+ # code values. For example, the object `test_file(3).png` will appear
10084
+ # as `test_file%283%29.png`.
10085
+ #
10086
+ # </note>
10087
+ #
10088
+ #
10089
+ #
10090
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html
10091
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines
9746
10092
  # @return [String]
9747
10093
  #
9748
10094
  # @!attribute [rw] key_marker
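Review bot: The new `encoding_type` note (new lines 10081-10084) says that non-ASCII characters are percent-encoded, but its example `test_file(3).png` contains only ASCII characters. The example therefore shows that ASCII characters such as parentheses are encoded as well, which matters to any caller that compares or reuses returned keys without decoding them first. I would reword the sentence to match the example, e.g. `# in an object's key name, and ASCII characters such as parentheses, will be percent-encoded according to UTF-8`, or replace the example with a key that actually contains a non-ASCII character. The same paragraph is repeated in the hunks at new lines 10316, 10482, 10581 and 10868.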
@@ -9967,12 +10313,26 @@ module Aws::S3
9967
10313
  # @return [String]
9968
10314
  #
9969
10315
  # @!attribute [rw] encoding_type
9970
- # Requests Amazon S3 to encode the object keys in the response and
9971
- # specifies the encoding method to use. An object key can contain any
9972
- # Unicode character; however, the XML 1.0 parser cannot parse some
9973
- # characters, such as characters with an ASCII value from 0 to 10. For
9974
- # characters that are not supported in XML 1.0, you can add this
9975
- # parameter to request that Amazon S3 encode the keys in the response.
10316
+ # Encoding type used by Amazon S3 to encode the [object keys][1] in
10317
+ # the response. Responses are encoded only in UTF-8. An object key can
10318
+ # contain any Unicode character. However, the XML 1.0 parser can't
10319
+ # parse certain characters, such as characters with an ASCII value
10320
+ # from 0 to 10. For characters that aren't supported in XML 1.0, you
10321
+ # can add this parameter to request that Amazon S3 encode the keys in
10322
+ # the response. For more information about characters to avoid in
10323
+ # object key names, see [Object key naming guidelines][2].
10324
+ #
10325
+ # <note markdown="1"> When using the URL encoding type, non-ASCII characters that are used
10326
+ # in an object's key name will be percent-encoded according to UTF-8
10327
+ # code values. For example, the object `test_file(3).png` will appear
10328
+ # as `test_file%283%29.png`.
10329
+ #
10330
+ # </note>
10331
+ #
10332
+ #
10333
+ #
10334
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html
10335
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines
9976
10336
  # @return [String]
9977
10337
  #
9978
10338
  # @!attribute [rw] key_marker
@@ -10119,10 +10479,26 @@ module Aws::S3
10119
10479
  # @return [Array<Types::CommonPrefix>]
10120
10480
  #
10121
10481
  # @!attribute [rw] encoding_type
10122
- # Encoding type used by Amazon S3 to encode object keys in the
10123
- # response. If using `url`, non-ASCII characters used in an object's
10124
- # key name will be URL encoded. For example, the object
10125
- # test\_file(3).png will appear as test\_file%283%29.png.
10482
+ # Encoding type used by Amazon S3 to encode the [object keys][1] in
10483
+ # the response. Responses are encoded only in UTF-8. An object key can
10484
+ # contain any Unicode character. However, the XML 1.0 parser can't
10485
+ # parse certain characters, such as characters with an ASCII value
10486
+ # from 0 to 10. For characters that aren't supported in XML 1.0, you
10487
+ # can add this parameter to request that Amazon S3 encode the keys in
10488
+ # the response. For more information about characters to avoid in
10489
+ # object key names, see [Object key naming guidelines][2].
10490
+ #
10491
+ # <note markdown="1"> When using the URL encoding type, non-ASCII characters that are used
10492
+ # in an object's key name will be percent-encoded according to UTF-8
10493
+ # code values. For example, the object `test_file(3).png` will appear
10494
+ # as `test_file%283%29.png`.
10495
+ #
10496
+ # </note>
10497
+ #
10498
+ #
10499
+ #
10500
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html
10501
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines
10126
10502
  # @return [String]
10127
10503
  #
10128
10504
  # @!attribute [rw] request_charged
@@ -10202,12 +10578,26 @@ module Aws::S3
10202
10578
  # @return [String]
10203
10579
  #
10204
10580
  # @!attribute [rw] encoding_type
10205
- # Requests Amazon S3 to encode the object keys in the response and
10206
- # specifies the encoding method to use. An object key can contain any
10207
- # Unicode character; however, the XML 1.0 parser cannot parse some
10208
- # characters, such as characters with an ASCII value from 0 to 10. For
10209
- # characters that are not supported in XML 1.0, you can add this
10210
- # parameter to request that Amazon S3 encode the keys in the response.
10581
+ # Encoding type used by Amazon S3 to encode the [object keys][1] in
10582
+ # the response. Responses are encoded only in UTF-8. An object key can
10583
+ # contain any Unicode character. However, the XML 1.0 parser can't
10584
+ # parse certain characters, such as characters with an ASCII value
10585
+ # from 0 to 10. For characters that aren't supported in XML 1.0, you
10586
+ # can add this parameter to request that Amazon S3 encode the keys in
10587
+ # the response. For more information about characters to avoid in
10588
+ # object key names, see [Object key naming guidelines][2].
10589
+ #
10590
+ # <note markdown="1"> When using the URL encoding type, non-ASCII characters that are used
10591
+ # in an object's key name will be percent-encoded according to UTF-8
10592
+ # code values. For example, the object `test_file(3).png` will appear
10593
+ # as `test_file%283%29.png`.
10594
+ #
10595
+ # </note>
10596
+ #
10597
+ #
10598
+ #
10599
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html
10600
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines
10211
10601
  # @return [String]
10212
10602
  #
10213
10603
  # @!attribute [rw] marker
@@ -10475,10 +10865,26 @@ module Aws::S3
10475
10865
  # @return [String]
10476
10866
  #
10477
10867
  # @!attribute [rw] encoding_type
10478
- # Encoding type used by Amazon S3 to encode object keys in the
10479
- # response. If using `url`, non-ASCII characters used in an object's
10480
- # key name will be URL encoded. For example, the object
10481
- # test\_file(3).png will appear as test\_file%283%29.png.
10868
+ # Encoding type used by Amazon S3 to encode the [object keys][1] in
10869
+ # the response. Responses are encoded only in UTF-8. An object key can
10870
+ # contain any Unicode character. However, the XML 1.0 parser can't
10871
+ # parse certain characters, such as characters with an ASCII value
10872
+ # from 0 to 10. For characters that aren't supported in XML 1.0, you
10873
+ # can add this parameter to request that Amazon S3 encode the keys in
10874
+ # the response. For more information about characters to avoid in
10875
+ # object key names, see [Object key naming guidelines][2].
10876
+ #
10877
+ # <note markdown="1"> When using the URL encoding type, non-ASCII characters that are used
10878
+ # in an object's key name will be percent-encoded according to UTF-8
10879
+ # code values. For example, the object `test_file(3).png` will appear
10880
+ # as `test_file%283%29.png`.
10881
+ #
10882
+ # </note>
10883
+ #
10884
+ #
10885
+ #
10886
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html
10887
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines
10482
10888
  # @return [String]
10483
10889
  #
10484
10890
  # @!attribute [rw] max_keys
@@ -11173,10 +11579,10 @@ module Aws::S3
11173
11579
  # @return [Integer]
11174
11580
  #
11175
11581
  # @!attribute [rw] newer_noncurrent_versions
11176
- # Specifies how many newer noncurrent versions must exist before
11177
- # Amazon S3 can perform the associated action on a given version. If
11178
- # there are this many more recent noncurrent versions, Amazon S3 will
11179
- # take the associated action. For more information about noncurrent
11582
+ # Specifies how many noncurrent versions Amazon S3 will retain. You
11583
+ # can specify up to 100 noncurrent versions to retain. Amazon S3 will
11584
+ # permanently delete any additional noncurrent versions beyond the
11585
+ # specified number to retain. For more information about noncurrent
11180
11586
  # versions, see [Lifecycle configuration elements][1] in the *Amazon
11181
11587
  # S3 User Guide*.
11182
11588
  #
@@ -11220,12 +11626,12 @@ module Aws::S3
11220
11626
  # @return [String]
11221
11627
  #
11222
11628
  # @!attribute [rw] newer_noncurrent_versions
11223
- # Specifies how many newer noncurrent versions must exist before
11224
- # Amazon S3 can perform the associated action on a given version. If
11225
- # there are this many more recent noncurrent versions, Amazon S3 will
11226
- # take the associated action. For more information about noncurrent
11227
- # versions, see [Lifecycle configuration elements][1] in the *Amazon
11228
- # S3 User Guide*.
11629
+ # Specifies how many noncurrent versions Amazon S3 will retain in the
11630
+ # same storage class before transitioning objects. You can specify up
11631
+ # to 100 noncurrent versions to retain. Amazon S3 will transition any
11632
+ # additional noncurrent versions beyond the specified number to
11633
+ # retain. For more information about noncurrent versions, see
11634
+ # [Lifecycle configuration elements][1] in the *Amazon S3 User Guide*.
11229
11635
  #
11230
11636
  #
11231
11637
  #
@@ -11932,7 +12338,15 @@ module Aws::S3
11932
12338
  #
11933
12339
  # @!attribute [rw] partition_date_source
11934
12340
  # Specifies the partition date source for the partitioned prefix.
11935
- # PartitionDateSource can be EventTime or DeliveryTime.
12341
+ # `PartitionDateSource` can be `EventTime` or `DeliveryTime`.
12342
+ #
12343
+ # For `DeliveryTime`, the time in the log file names corresponds to
12344
+ # the delivery time for the log files.
12345
+ #
12346
+ # For `EventTime`, The logs delivered are for a specific day only. The
12347
+ # year, month, and day correspond to the day on which the event
12348
+ # occurred, and the hour, minutes and seconds are set to 00 in the
12349
+ # key.
11936
12350
  # @return [String]
11937
12351
  #
11938
12352
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/PartitionedPrefix AWS API Documentation
@@ -12045,8 +12459,9 @@ module Aws::S3
12045
12459
  # @!attribute [rw] restrict_public_buckets
12046
12460
  # Specifies whether Amazon S3 should restrict public bucket policies
12047
12461
  # for this bucket. Setting this element to `TRUE` restricts access to
12048
- # this bucket to only Amazon Web Service principals and authorized
12049
- # users within this account if the bucket has a public policy.
12462
+ # this bucket to only Amazon Web Servicesservice principals and
12463
+ # authorized users within this account if the bucket has a public
12464
+ # policy.
12050
12465
  #
12051
12466
  # Enabling this setting doesn't affect previously stored bucket
12052
12467
  # policies, except that public and cross-account access within any
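Review bot: The reworded `restrict_public_buckets` description fuses two words into "Amazon Web Servicesservice principals", which makes the sentence that defines who keeps access under a public bucket policy hard to read. The added line should read `# this bucket to only Amazon Web Services service principals and`, rewrapped as needed. If this file is generated from the service model, the wording presumably has to be corrected there rather than in this file. The attribute's documentation continues outside the hunk.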
@@ -12301,18 +12716,21 @@ module Aws::S3
12301
12716
 
12302
12717
  # @!attribute [rw] bucket
12303
12718
  # Specifies default encryption for a bucket using server-side
12304
- # encryption with different key options. By default, all buckets have
12305
- # a default encryption configuration that uses server-side encryption
12306
- # with Amazon S3 managed keys (SSE-S3). You can optionally configure
12307
- # default encryption for a bucket by using server-side encryption with
12308
- # an Amazon Web Services KMS key (SSE-KMS) or a customer-provided key
12309
- # (SSE-C). For information about the bucket default encryption
12310
- # feature, see [Amazon S3 Bucket Default Encryption][1] in the *Amazon
12311
- # S3 User Guide*.
12719
+ # encryption with different key options.
12312
12720
  #
12721
+ # <b>Directory buckets </b> - When you use this operation with a
12722
+ # directory bucket, you must use path-style requests in the format
12723
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
12724
+ # Virtual-hosted-style requests aren't supported. Directory bucket
12725
+ # names must be unique in the chosen Availability Zone. Bucket names
12726
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
12727
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information
12728
+ # about bucket naming restrictions, see [Directory bucket naming
12729
+ # rules][1] in the *Amazon S3 User Guide*
12313
12730
  #
12314
12731
  #
12315
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
12732
+ #
12733
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
12316
12734
  # @return [String]
12317
12735
  #
12318
12736
  # @!attribute [rw] content_md5
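Review bot: Three code spans in the added directory-bucket paragraph have stray spaces inside the backticks: the path-style URL ends in `bucket-name `, and both ` bucket_base_name--az_id--x-s3` and ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3` start with a space. A bucket name or endpoint copied from the rendered docs would pick up that whitespace. The final sentence ("in the *Amazon S3 User Guide*") is also missing its full stop. Separately, the summary kept for `bucket` ("Specifies default encryption for a bucket using server-side encryption with different key options.") describes the operation rather than the parameter, so a short opening such as `# The name of the bucket whose default encryption is being configured.` would help, assuming that is what the field holds.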
@@ -12322,6 +12740,10 @@ module Aws::S3
12322
12740
  # For requests made using the Amazon Web Services Command Line
12323
12741
  # Interface (CLI) or Amazon Web Services SDKs, this field is
12324
12742
  # calculated automatically.
12743
+ #
12744
+ # <note markdown="1"> This functionality is not supported for directory buckets.
12745
+ #
12746
+ # </note>
12325
12747
  # @return [String]
12326
12748
  #
12327
12749
  # @!attribute [rw] checksum_algorithm
@@ -12336,6 +12758,12 @@ module Aws::S3
12336
12758
  # If you provide an individual checksum, Amazon S3 ignores any
12337
12759
  # provided `ChecksumAlgorithm` parameter.
12338
12760
  #
12761
+ # <note markdown="1"> For directory buckets, when you use Amazon Web Services SDKs,
12762
+ # `CRC32` is the default checksum algorithm that's used for
12763
+ # performance.
12764
+ #
12765
+ # </note>
12766
+ #
12339
12767
  #
12340
12768
  #
12341
12769
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
@@ -12350,6 +12778,12 @@ module Aws::S3
12350
12778
  # you provide does not match the actual owner of the bucket, the
12351
12779
  # request fails with the HTTP status code `403 Forbidden` (access
12352
12780
  # denied).
12781
+ #
12782
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
12783
+ # operation. If you specify this header, the request fails with the
12784
+ # HTTP status code `501 Not Implemented`.
12785
+ #
12786
+ # </note>
12353
12787
  # @return [String]
12354
12788
  #
12355
12789
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/PutBucketEncryptionRequest AWS API Documentation
@@ -13618,12 +14052,7 @@ module Aws::S3
13618
14052
  #
13619
14053
  # @!attribute [rw] server_side_encryption
13620
14054
  # The server-side encryption algorithm used when you store this object
13621
- # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
13622
- #
13623
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
13624
- # managed keys (SSE-S3) (`AES256`) is supported.
13625
- #
13626
- # </note>
14055
+ # in Amazon S3.
13627
14056
  # @return [String]
13628
14057
  #
13629
14058
  # @!attribute [rw] version_id
@@ -13671,37 +14100,23 @@ module Aws::S3
13671
14100
  # @return [String]
13672
14101
  #
13673
14102
  # @!attribute [rw] ssekms_key_id
13674
- # If `x-amz-server-side-encryption` has a valid value of `aws:kms` or
13675
- # `aws:kms:dsse`, this header indicates the ID of the Key Management
13676
- # Service (KMS) symmetric encryption customer managed key that was
13677
- # used for the object.
13678
- #
13679
- # <note markdown="1"> This functionality is not supported for directory buckets.
13680
- #
13681
- # </note>
14103
+ # If present, indicates the ID of the KMS key that was used for object
14104
+ # encryption.
13682
14105
  # @return [String]
13683
14106
  #
13684
14107
  # @!attribute [rw] ssekms_encryption_context
13685
14108
  # If present, indicates the Amazon Web Services KMS Encryption Context
13686
14109
  # to use for object encryption. The value of this header is a
13687
- # base64-encoded UTF-8 string holding JSON with the encryption context
13688
- # key-value pairs. This value is stored as object metadata and
13689
- # automatically gets passed on to Amazon Web Services KMS for future
13690
- # `GetObject` or `CopyObject` operations on this object.
13691
- #
13692
- # <note markdown="1"> This functionality is not supported for directory buckets.
13693
- #
13694
- # </note>
14110
+ # Base64-encoded string of a UTF-8 encoded JSON, which contains the
14111
+ # encryption context as key-value pairs. This value is stored as
14112
+ # object metadata and automatically gets passed on to Amazon Web
14113
+ # Services KMS for future `GetObject` operations on this object.
13695
14114
  # @return [String]
13696
14115
  #
13697
14116
  # @!attribute [rw] bucket_key_enabled
13698
14117
  # Indicates whether the uploaded object uses an S3 Bucket Key for
13699
14118
  # server-side encryption with Key Management Service (KMS) keys
13700
14119
  # (SSE-KMS).
13701
- #
13702
- # <note markdown="1"> This functionality is not supported for directory buckets.
13703
- #
13704
- # </note>
13705
14120
  # @return [Boolean]
13706
14121
  #
13707
14122
  # @!attribute [rw] request_charged
@@ -14003,6 +14418,26 @@ module Aws::S3
14003
14418
  # [1]: https://www.rfc-editor.org/rfc/rfc7234#section-5.3
14004
14419
  # @return [Time]
14005
14420
  #
14421
+ # @!attribute [rw] if_none_match
14422
+ # Uploads the object only if the object key name does not already
14423
+ # exist in the bucket specified. Otherwise, Amazon S3 returns a `412
14424
+ # Precondition Failed` error.
14425
+ #
14426
+ # If a conflicting operation occurs during the upload S3 returns a
14427
+ # `409 ConditionalRequestConflict` response. On a 409 failure you
14428
+ # should retry the upload.
14429
+ #
14430
+ # Expects the '*' (asterisk) character.
14431
+ #
14432
+ # For more information about conditional requests, see [RFC 7232][1],
14433
+ # or [Conditional requests][2] in the *Amazon S3 User Guide*.
14434
+ #
14435
+ #
14436
+ #
14437
+ # [1]: https://tools.ietf.org/html/rfc7232
14438
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/conditional-requests.html
14439
+ # @return [String]
14440
+ #
14006
14441
  # @!attribute [rw] grant_full_control
14007
14442
  # Gives the grantee READ, READ\_ACP, and WRITE\_ACP permissions on the
14008
14443
  # object.
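Review bot: The `if_none_match` text says only "Expects the '*' (asterisk) character." and does not say whether any other value is accepted or what the caller gets back for one. Callers who rely on this header to prevent overwrites would benefit from one sentence stating that. The RFC reference points at `https://tools.ietf.org/html/rfc7232`, while the context line at the top of this hunk uses `https://www.rfc-editor.org/`; `# [1]: https://www.rfc-editor.org/rfc/rfc7232` would match. "If a conflicting operation occurs during the upload S3 returns" also needs a comma after "upload".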
@@ -14057,25 +14492,66 @@ module Aws::S3
14057
14492
  # this object in Amazon S3 (for example, `AES256`, `aws:kms`,
14058
14493
  # `aws:kms:dsse`).
14059
14494
  #
14060
- # <b>General purpose buckets </b> - You have four mutually exclusive
14061
- # options to protect data using server-side encryption in Amazon S3,
14062
- # depending on how you choose to manage the encryption keys.
14063
- # Specifically, the encryption key options are Amazon S3 managed keys
14064
- # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
14065
- # customer-provided keys (SSE-C). Amazon S3 encrypts data with
14066
- # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
14067
- # default. You can optionally tell Amazon S3 to encrypt data at rest
14068
- # by using server-side encryption with other key options. For more
14069
- # information, see [Using Server-Side Encryption][1] in the *Amazon S3
14070
- # User Guide*.
14495
+ # * <b>General purpose buckets </b> - You have four mutually exclusive
14496
+ # options to protect data using server-side encryption in Amazon S3,
14497
+ # depending on how you choose to manage the encryption keys.
14498
+ # Specifically, the encryption key options are Amazon S3 managed
14499
+ # keys (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS),
14500
+ # and customer-provided keys (SSE-C). Amazon S3 encrypts data with
14501
+ # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
14502
+ # default. You can optionally tell Amazon S3 to encrypt data at rest
14503
+ # by using server-side encryption with other key options. For more
14504
+ # information, see [Using Server-Side Encryption][1] in the *Amazon
14505
+ # S3 User Guide*.
14506
+ #
14507
+ # * <b>Directory buckets </b> - For directory buckets, there are only
14508
+ # two supported options for server-side encryption: server-side
14509
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
14510
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
14511
+ # recommend that the bucket's default encryption uses the desired
14512
+ # encryption configuration and you don't override the bucket
14513
+ # default encryption in your `CreateSession` requests or `PUT`
14514
+ # object requests. Then, new objects are automatically encrypted
14515
+ # with the desired encryption settings. For more information, see
14516
+ # [Protecting data with server-side encryption][2] in the *Amazon S3
14517
+ # User Guide*. For more information about the encryption overriding
14518
+ # behaviors in directory buckets, see [Specifying server-side
14519
+ # encryption with KMS for new object uploads][3].
14520
+ #
14521
+ # In the Zonal endpoint API calls (except [CopyObject][4] and
14522
+ # [UploadPartCopy][5]) using the REST API, the encryption request
14523
+ # headers must match the encryption settings that are specified in
14524
+ # the `CreateSession` request. You can't override the values of the
14525
+ # encryption settings (`x-amz-server-side-encryption`,
14526
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
14527
+ # `x-amz-server-side-encryption-context`, and
14528
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
14529
+ # specified in the `CreateSession` request. You don't need to
14530
+ # explicitly specify these encryption settings values in Zonal
14531
+ # endpoint API calls, and Amazon S3 will use the encryption settings
14532
+ # values from the `CreateSession` request to protect new objects in
14533
+ # the directory bucket.
14534
+ #
14535
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
14536
+ # `CreateSession`, the session token refreshes automatically to
14537
+ # avoid service interruptions when a session expires. The CLI or the
14538
+ # Amazon Web Services SDKs use the bucket's default encryption
14539
+ # configuration for the `CreateSession` request. It's not supported
14540
+ # to override the encryption settings values in the `CreateSession`
14541
+ # request. So in the Zonal endpoint API calls (except
14542
+ # [CopyObject][4] and [UploadPartCopy][5]), the encryption request
14543
+ # headers must match the default encryption configuration of the
14544
+ # directory bucket.
14071
14545
  #
14072
- # <b>Directory buckets </b> - For directory buckets, only the
14073
- # server-side encryption with Amazon S3 managed keys (SSE-S3)
14074
- # (`AES256`) value is supported.
14546
+ # </note>
14075
14547
  #
14076
14548
  #
14077
14549
  #
14078
14550
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
14551
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
14552
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
14553
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
14554
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
14079
14555
  # @return [String]
14080
14556
  #
14081
14557
  # @!attribute [rw] storage_class
@@ -14161,48 +14637,87 @@ module Aws::S3
14161
14637
  # @return [String]
14162
14638
  #
14163
14639
  # @!attribute [rw] ssekms_key_id
14164
- # If `x-amz-server-side-encryption` has a valid value of `aws:kms` or
14165
- # `aws:kms:dsse`, this header specifies the ID (Key ID, Key ARN, or
14166
- # Key Alias) of the Key Management Service (KMS) symmetric encryption
14167
- # customer managed key that was used for the object. If you specify
14640
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
14641
+ # object encryption. If the KMS key doesn't exist in the same account
14642
+ # that's issuing the command, you must use the full Key ARN not the
14643
+ # Key ID.
14644
+ #
14645
+ # **General purpose buckets** - If you specify
14646
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`,
14647
+ # this header specifies the ID (Key ID, Key ARN, or Key Alias) of the
14648
+ # KMS key to use. If you specify
14168
14649
  # `x-amz-server-side-encryption:aws:kms` or
14169
- # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide`
14170
- # x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
14171
- # Amazon Web Services managed key (`aws/s3`) to protect the data. If
14172
- # the KMS key does not exist in the same account that's issuing the
14173
- # command, you must use the full ARN and not just the ID.
14650
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
14651
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
14652
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
14174
14653
  #
14175
- # <note markdown="1"> This functionality is not supported for directory buckets.
14654
+ # **Directory buckets** - If you specify
14655
+ # `x-amz-server-side-encryption` with `aws:kms`, you must specify the
14656
+ # ` x-amz-server-side-encryption-aws-kms-key-id` header with the ID
14657
+ # (Key ID or Key ARN) of the KMS symmetric encryption customer managed
14658
+ # key to use. Otherwise, you get an HTTP `400 Bad Request` error. Only
14659
+ # use the key ID or key ARN. The key alias format of the KMS key
14660
+ # isn't supported. Your SSE-KMS configuration can only support 1
14661
+ # [customer managed key][1] per directory bucket for the lifetime of
14662
+ # the bucket. [Amazon Web Services managed key][2] (`aws/s3`) isn't
14663
+ # supported.
14176
14664
  #
14177
- # </note>
14665
+ #
14666
+ #
14667
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
14668
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
14178
14669
  # @return [String]
14179
14670
  #
14180
14671
  # @!attribute [rw] ssekms_encryption_context
14181
- # Specifies the Amazon Web Services KMS Encryption Context to use for
14182
- # object encryption. The value of this header is a base64-encoded
14183
- # UTF-8 string holding JSON with the encryption context key-value
14184
- # pairs. This value is stored as object metadata and automatically
14185
- # gets passed on to Amazon Web Services KMS for future `GetObject` or
14186
- # `CopyObject` operations on this object. This value must be
14187
- # explicitly added during `CopyObject` operations.
14672
+ # Specifies the Amazon Web Services KMS Encryption Context as an
14673
+ # additional encryption context to use for object encryption. The
14674
+ # value of this header is a Base64-encoded string of a UTF-8 encoded
14675
+ # JSON, which contains the encryption context as key-value pairs. This
14676
+ # value is stored as object metadata and automatically gets passed on
14677
+ # to Amazon Web Services KMS for future `GetObject` operations on this
14678
+ # object.
14188
14679
  #
14189
- # <note markdown="1"> This functionality is not supported for directory buckets.
14680
+ # **General purpose buckets** - This value must be explicitly added
14681
+ # during `CopyObject` operations if you want an additional encryption
14682
+ # context for your object. For more information, see [Encryption
14683
+ # context][1] in the *Amazon S3 User Guide*.
14190
14684
  #
14191
- # </note>
14685
+ # **Directory buckets** - You can optionally provide an explicit
14686
+ # encryption context value. The value must match the default
14687
+ # encryption context - the bucket Amazon Resource Name (ARN). An
14688
+ # additional encryption context value is not supported.
14689
+ #
14690
+ #
14691
+ #
14692
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
14192
14693
  # @return [String]
14193
14694
  #
14194
14695
  # @!attribute [rw] bucket_key_enabled
14195
14696
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
14196
14697
  # encryption with server-side encryption using Key Management Service
14197
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
14198
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
14698
+ # (KMS) keys (SSE-KMS).
14199
14699
  #
14200
- # Specifying this header with a PUT action doesn’t affect bucket-level
14201
- # settings for S3 Bucket Key.
14700
+ # **General purpose buckets** - Setting this header to `true` causes
14701
+ # Amazon S3 to use an S3 Bucket Key for object encryption with
14702
+ # SSE-KMS. Also, specifying this header with a PUT action doesn't
14703
+ # affect bucket-level settings for S3 Bucket Key.
14202
14704
  #
14203
- # <note markdown="1"> This functionality is not supported for directory buckets.
14705
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
14706
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
14707
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted
14708
+ # objects from general purpose buckets to directory buckets, from
14709
+ # directory buckets to general purpose buckets, or between directory
14710
+ # buckets, through [CopyObject][1], [UploadPartCopy][2], [the Copy
14711
+ # operation in Batch Operations][3], or [the import jobs][4]. In this
14712
+ # case, Amazon S3 makes a call to KMS every time a copy request is
14713
+ # made for a KMS-encrypted object.
14204
14714
  #
14205
- # </note>
14715
+ #
14716
+ #
14717
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
14718
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
14719
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
14720
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
14206
14721
  # @return [Boolean]
14207
14722
  #
14208
14723
  # @!attribute [rw] request_payer
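Review bot: The new opening sentence of `ssekms_key_id` offers "Key ID, Key ARN, or Key Alias" without qualification, while the **Directory buckets** paragraph below it says the alias format isn't supported there. Qualifying the opening removes the contradiction, e.g. `# Specifies the KMS key ID (Key ID, Key ARN, or, for general purpose buckets, Key Alias) to use for`. The code span ` x-amz-server-side-encryption-aws-kms-key-id` in that paragraph starts with a space inside the backticks. In the `bucket_key_enabled` references, links [3] and [4] have no `.html` suffix, unlike the other User Guide links in this hunk, so they may be worth checking.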
@@ -14289,6 +14804,7 @@ module Aws::S3
14289
14804
  :checksum_sha1,
14290
14805
  :checksum_sha256,
14291
14806
  :expires,
14807
+ :if_none_match,
14292
14808
  :grant_full_control,
14293
14809
  :grant_read,
14294
14810
  :grant_read_acp,
@@ -14699,7 +15215,15 @@ module Aws::S3
14699
15215
  # The container for the records event.
14700
15216
  #
14701
15217
  # @!attribute [rw] payload
14702
- # The byte array of partial, one or more result records.
15218
+ # The byte array of partial, one or more result records. S3 Select
15219
+ # doesn't guarantee that a record will be self-contained in one
15220
+ # record frame. To ensure continuous streaming of data, S3 Select
15221
+ # might split the same record across multiple record frames instead of
15222
+ # aggregating the results in memory. Some S3 clients (for example, the
15223
+ # SDK for Java) handle this behavior by creating a `ByteStream` out of
15224
+ # the response by default. Other clients might not handle this
15225
+ # behavior by default. In those cases, you must aggregate the results
15226
+ # on the client side and parse the response.
14703
15227
  # @return [String]
14704
15228
  #
14705
15229
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/RecordsEvent AWS API Documentation
@@ -14907,12 +15431,16 @@ module Aws::S3
14907
15431
  #
14908
15432
  # @!attribute [rw] existing_object_replication
14909
15433
  # Optional configuration to replicate existing source bucket objects.
14910
- # For more information, see [Replicating Existing Objects][1] in the
14911
- # *Amazon S3 User Guide*.
14912
15434
  #
15435
+ # <note markdown="1"> This parameter is no longer supported. To replicate existing
15436
+ # objects, see [Replicating existing objects with S3 Batch
15437
+ # Replication][1] in the *Amazon S3 User Guide*.
15438
+ #
15439
+ # </note>
14913
15440
  #
14914
15441
  #
14915
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-what-is-isnot-replicated.html#existing-object-replication
15442
+ #
15443
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-batch-replication-batch.html
14916
15444
  # @return [Types::ExistingObjectReplication]
14917
15445
  #
14918
15446
  # @!attribute [rw] destination
@@ -15243,7 +15771,15 @@ module Aws::S3
15243
15771
  # @return [Types::GlacierJobParameters]
15244
15772
  #
15245
15773
  # @!attribute [rw] type
15774
+ # Amazon S3 Select is no longer available to new customers. Existing
15775
+ # customers of Amazon S3 Select can continue to use the feature as
15776
+ # usual. [Learn more][1]
15777
+ #
15246
15778
  # Type of restore request.
15779
+ #
15780
+ #
15781
+ #
15782
+ # [1]: http://aws.amazon.com/blogs/storage/how-to-optimize-querying-your-data-in-amazon-s3/
15247
15783
  # @return [String]
15248
15784
  #
15249
15785
  # @!attribute [rw] tier
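Review bot: The added S3 Select availability notice sits ahead of "Type of restore request.", so the first sentence of the `type` attribute's documentation is now a notice unrelated to what the field holds. Putting the description first and the notice after it, in a `<note markdown="1">` block as used elsewhere in this file, would keep the summary meaningful. The reference is also plain `http://` while the other links added in this diff use `https://`; `# [1]: https://aws.amazon.com/blogs/storage/how-to-optimize-querying-your-data-in-amazon-s3/` would be consistent. The same ordering and link recur in the hunks at new lines 15794, 16263 and 16287, and the hunk at 16133 reuses the link and opens its note with a stray "Learn" ("Learn Amazon S3 Select is no longer available").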
@@ -15255,7 +15791,15 @@ module Aws::S3
15255
15791
  # @return [String]
15256
15792
  #
15257
15793
  # @!attribute [rw] select_parameters
15794
+ # Amazon S3 Select is no longer available to new customers. Existing
15795
+ # customers of Amazon S3 Select can continue to use the feature as
15796
+ # usual. [Learn more][1]
15797
+ #
15258
15798
  # Describes the parameters for Select job types.
15799
+ #
15800
+ #
15801
+ #
15802
+ # [1]: http://aws.amazon.com/blogs/storage/how-to-optimize-querying-your-data-in-amazon-s3/
15259
15803
  # @return [Types::SelectParameters]
15260
15804
  #
15261
15805
  # @!attribute [rw] output_location
@@ -15586,6 +16130,12 @@ module Aws::S3
15586
16130
  include Aws::Structure
15587
16131
  end
15588
16132
 
16133
+ # <note markdown="1"> Learn Amazon S3 Select is no longer available to new customers.
16134
+ # Existing customers of Amazon S3 Select can continue to use the feature
16135
+ # as usual. [Learn more][1]
16136
+ #
16137
+ # </note>
16138
+ #
15589
16139
  # Request to filter the contents of an Amazon S3 object based on a
15590
16140
  # simple Structured Query Language (SQL) statement. In the request,
15591
16141
  # along with the SQL expression, you must specify a data serialization
@@ -15593,11 +16143,12 @@ module Aws::S3
15593
16143
  # object data into records. It returns only records that match the
15594
16144
  # specified SQL expression. You must also specify the data serialization
15595
16145
  # format for the response. For more information, see [S3Select API
15596
- # Documentation][1].
16146
+ # Documentation][2].
15597
16147
  #
15598
16148
  #
15599
16149
  #
15600
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectSELECTContent.html
16150
+ # [1]: http://aws.amazon.com/blogs/storage/how-to-optimize-querying-your-data-in-amazon-s3/
16151
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectSELECTContent.html
15601
16152
  #
15602
16153
  # @!attribute [rw] bucket
15603
16154
  # The S3 bucket.
@@ -15709,8 +16260,21 @@ module Aws::S3
15709
16260
  include Aws::Structure
15710
16261
  end
15711
16262
 
16263
+ # Amazon S3 Select is no longer available to new customers. Existing
16264
+ # customers of Amazon S3 Select can continue to use the feature as
16265
+ # usual. [Learn more][1]
16266
+ #
15712
16267
  # Describes the parameters for Select job types.
15713
16268
  #
16269
+ # Learn [How to optimize querying your data in Amazon S3][1] using
16270
+ # [Amazon Athena][2], [S3 Object Lambda][3], or client-side filtering.
16271
+ #
16272
+ #
16273
+ #
16274
+ # [1]: http://aws.amazon.com/blogs/storage/how-to-optimize-querying-your-data-in-amazon-s3/
16275
+ # [2]: https://docs.aws.amazon.com/athena/latest/ug/what-is.html
16276
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/transforming-objects.html
16277
+ #
15714
16278
  # @!attribute [rw] input_serialization
15715
16279
  # Describes the serialization format of the object.
15716
16280
  # @return [Types::InputSerialization]
@@ -15720,7 +16284,15 @@ module Aws::S3
15720
16284
  # @return [String]
15721
16285
  #
15722
16286
  # @!attribute [rw] expression
16287
+ # Amazon S3 Select is no longer available to new customers. Existing
16288
+ # customers of Amazon S3 Select can continue to use the feature as
16289
+ # usual. [Learn more][1]
16290
+ #
15723
16291
  # The expression that is used to query the object.
16292
+ #
16293
+ #
16294
+ #
16295
+ # [1]: http://aws.amazon.com/blogs/storage/how-to-optimize-querying-your-data-in-amazon-s3/
15724
16296
  # @return [String]
15725
16297
  #
15726
16298
  # @!attribute [rw] output_serialization
@@ -15740,27 +16312,51 @@ module Aws::S3
15740
16312
 
15741
16313
  # Describes the default server-side encryption to apply to new objects
15742
16314
  # in the bucket. If a PUT Object request doesn't specify any
15743
- # server-side encryption, this default encryption will be applied. If
15744
- # you don't specify a customer managed key at configuration, Amazon S3
15745
- # automatically creates an Amazon Web Services KMS key in your Amazon
15746
- # Web Services account the first time that you add an object encrypted
15747
- # with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for
15748
- # SSE-KMS. For more information, see [PUT Bucket encryption][1] in the
15749
- # *Amazon S3 API Reference*.
16315
+ # server-side encryption, this default encryption will be applied. For
16316
+ # more information, see [PutBucketEncryption][1].
16317
+ #
16318
+ # <note markdown="1"> * **General purpose buckets** - If you don't specify a customer
16319
+ # managed key at configuration, Amazon S3 automatically creates an
16320
+ # Amazon Web Services KMS key (`aws/s3`) in your Amazon Web Services
16321
+ # account the first time that you add an object encrypted with SSE-KMS
16322
+ # to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS.
16323
+ #
16324
+ # * **Directory buckets** - Your SSE-KMS configuration can only support
16325
+ # 1 [customer managed key][2] per directory bucket for the lifetime of
16326
+ # the bucket. [Amazon Web Services managed key][3] (`aws/s3`) isn't
16327
+ # supported.
16328
+ #
16329
+ # * **Directory buckets** - For directory buckets, there are only two
16330
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
16331
+ #
16332
+ # </note>
15750
16333
  #
15751
16334
  #
15752
16335
  #
15753
16336
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html
16337
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
16338
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
15754
16339
  #
15755
16340
  # @!attribute [rw] sse_algorithm
15756
16341
  # Server-side encryption algorithm to use for the default encryption.
16342
+ #
16343
+ # <note markdown="1"> For directory buckets, there are only two supported values for
16344
+ # server-side encryption: `AES256` and `aws:kms`.
16345
+ #
16346
+ # </note>
15757
16347
  # @return [String]
15758
16348
  #
15759
16349
  # @!attribute [rw] kms_master_key_id
15760
- # Amazon Web Services Key Management Service (KMS) customer Amazon Web
15761
- # Services KMS key ID to use for the default encryption. This
15762
- # parameter is allowed if and only if `SSEAlgorithm` is set to
15763
- # `aws:kms` or `aws:kms:dsse`.
16350
+ # Amazon Web Services Key Management Service (KMS) customer managed
16351
+ # key ID to use for the default encryption.
16352
+ #
16353
+ # <note markdown="1"> * **General purpose buckets** - This parameter is allowed if and
16354
+ # only if `SSEAlgorithm` is set to `aws:kms` or `aws:kms:dsse`.
16355
+ #
16356
+ # * **Directory buckets** - This parameter is allowed if and only if
16357
+ # `SSEAlgorithm` is set to `aws:kms`.
16358
+ #
16359
+ # </note>
15764
16360
  #
15765
16361
  # You can specify the key ID, key alias, or the Amazon Resource Name
15766
16362
  # (ARN) of the KMS key.
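Review bot: The note added to the class description has two consecutive bullets both labelled **Directory buckets** (the one-customer-managed-key limit and the SSE-S3/SSE-KMS options); folding them into a single bullet would read better. In `kms_master_key_id`, the unchanged sentence "You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key." directly follows the new note. The text added in the next hunk says the alias format isn't supported for directory buckets, so this sentence should be qualified, e.g. `# You can specify the key ID, the key ARN, or (general purpose buckets only) the key alias`. The attribute's documentation continues outside this hunk.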
@@ -15772,22 +16368,36 @@ module Aws::S3
15772
16368
  #
15773
16369
  # * Key Alias: `alias/alias-name`
15774
16370
  #
15775
- # If you use a key ID, you can run into a LogDestination undeliverable
15776
- # error when creating a VPC flow log.
15777
- #
15778
16371
  # If you are using encryption with cross-account or Amazon Web
15779
- # Services service operations you must use a fully qualified KMS key
16372
+ # Services service operations, you must use a fully qualified KMS key
15780
16373
  # ARN. For more information, see [Using encryption for cross-account
15781
16374
  # operations][1].
15782
16375
  #
16376
+ # <note markdown="1"> * **General purpose buckets** - If you're specifying a customer
16377
+ # managed KMS key, we recommend using a fully qualified KMS key ARN.
16378
+ # If you use a KMS key alias instead, then KMS resolves the key
16379
+ # within the requester’s account. This behavior can result in data
16380
+ # that's encrypted with a KMS key that belongs to the requester,
16381
+ # and not the bucket owner. Also, if you use a key ID, you can run
16382
+ # into a LogDestination undeliverable error when creating a VPC flow
16383
+ # log.
16384
+ #
16385
+ # * **Directory buckets** - When you specify an [KMS customer managed
16386
+ # key][2] for encryption in your directory bucket, only use the key
16387
+ # ID or key ARN. The key alias format of the KMS key isn't
16388
+ # supported.
16389
+ #
16390
+ # </note>
16391
+ #
15783
16392
  # Amazon S3 only supports symmetric encryption KMS keys. For more
15784
- # information, see [Asymmetric keys in Amazon Web Services KMS][2] in
16393
+ # information, see [Asymmetric keys in Amazon Web Services KMS][3] in
15785
16394
  # the *Amazon Web Services Key Management Service Developer Guide*.
15786
16395
  #
15787
16396
  #
15788
16397
  #
15789
16398
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy
15790
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
16399
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
16400
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
15791
16401
  # @return [String]
15792
16402
  #
15793
16403
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/ServerSideEncryptionByDefault AWS API Documentation
@@ -15816,6 +16426,23 @@ module Aws::S3
15816
16426
 
15817
16427
  # Specifies the default server-side encryption configuration.
15818
16428
  #
16429
+ # <note markdown="1"> * **General purpose buckets** - If you're specifying a customer
16430
+ # managed KMS key, we recommend using a fully qualified KMS key ARN.
16431
+ # If you use a KMS key alias instead, then KMS resolves the key within
16432
+ # the requester’s account. This behavior can result in data that's
16433
+ # encrypted with a KMS key that belongs to the requester, and not the
16434
+ # bucket owner.
16435
+ #
16436
+ # * **Directory buckets** - When you specify an [KMS customer managed
16437
+ # key][1] for encryption in your directory bucket, only use the key ID
16438
+ # or key ARN. The key alias format of the KMS key isn't supported.
16439
+ #
16440
+ # </note>
16441
+ #
16442
+ #
16443
+ #
16444
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
16445
+ #
15819
16446
  # @!attribute [rw] apply_server_side_encryption_by_default
15820
16447
  # Specifies the default server-side encryption to apply to new objects
15821
16448
  # in the bucket. If a PUT Object request doesn't specify any
@@ -15827,14 +16454,31 @@ module Aws::S3
15827
16454
  # server-side encryption using KMS (SSE-KMS) for new objects in the
15828
16455
  # bucket. Existing objects are not affected. Setting the
15829
16456
  # `BucketKeyEnabled` element to `true` causes Amazon S3 to use an S3
15830
- # Bucket Key. By default, S3 Bucket Key is not enabled.
16457
+ # Bucket Key.
15831
16458
  #
15832
- # For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon
15833
- # S3 User Guide*.
16459
+ # <note markdown="1"> * **General purpose buckets** - By default, S3 Bucket Key is not
16460
+ # enabled. For more information, see [Amazon S3 Bucket Keys][1] in
16461
+ # the *Amazon S3 User Guide*.
16462
+ #
16463
+ # * **Directory buckets** - S3 Bucket Keys are always enabled for
16464
+ # `GET` and `PUT` operations in a directory bucket and can’t be
16465
+ # disabled. S3 Bucket Keys aren't supported, when you copy SSE-KMS
16466
+ # encrypted objects from general purpose buckets to directory
16467
+ # buckets, from directory buckets to general purpose buckets, or
16468
+ # between directory buckets, through [CopyObject][2],
16469
+ # [UploadPartCopy][3], [the Copy operation in Batch Operations][4],
16470
+ # or [the import jobs][5]. In this case, Amazon S3 makes a call to
16471
+ # KMS every time a copy request is made for a KMS-encrypted object.
16472
+ #
16473
+ # </note>
15834
16474
  #
15835
16475
  #
15836
16476
  #
15837
16477
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
16478
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
16479
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
16480
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
16481
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
15838
16482
  # @return [Boolean]
15839
16483
  #
15840
16484
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/ServerSideEncryptionRule AWS API Documentation
@@ -15849,8 +16493,8 @@ module Aws::S3
15849
16493
  # The established temporary security credentials of the session.
15850
16494
  #
15851
16495
  # <note markdown="1"> **Directory buckets** - These session credentials are only supported
15852
- # for the authentication and authorization of Zonal endpoint APIs on
15853
- # directory buckets.
16496
+ # for the authentication and authorization of Zonal endpoint API
16497
+ # operations on directory buckets.
15854
16498
  #
15855
16499
  # </note>
15856
16500
  #
@@ -16284,11 +16928,6 @@ module Aws::S3
16284
16928
  # @!attribute [rw] server_side_encryption
16285
16929
  # The server-side encryption algorithm used when you store this object
16286
16930
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
16287
- #
16288
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
16289
- # managed keys (SSE-S3) (`AES256`) is supported.
16290
- #
16291
- # </note>
16292
16931
  # @return [String]
16293
16932
  #
16294
16933
  # @!attribute [rw] sse_customer_algorithm
@@ -16313,23 +16952,14 @@ module Aws::S3
16313
16952
  # @return [String]
16314
16953
  #
16315
16954
  # @!attribute [rw] ssekms_key_id
16316
- # If present, indicates the ID of the Key Management Service (KMS)
16317
- # symmetric encryption customer managed key that was used for the
16318
- # object.
16319
- #
16320
- # <note markdown="1"> This functionality is not supported for directory buckets.
16321
- #
16322
- # </note>
16955
+ # If present, indicates the ID of the KMS key that was used for object
16956
+ # encryption.
16323
16957
  # @return [String]
16324
16958
  #
16325
16959
  # @!attribute [rw] bucket_key_enabled
16326
16960
  # Indicates whether the multipart upload uses an S3 Bucket Key for
16327
16961
  # server-side encryption with Key Management Service (KMS) keys
16328
16962
  # (SSE-KMS).
16329
- #
16330
- # <note markdown="1"> This functionality is not supported for directory buckets.
16331
- #
16332
- # </note>
16333
16963
  # @return [Boolean]
16334
16964
  #
16335
16965
  # @!attribute [rw] request_charged
@@ -16680,11 +17310,6 @@ module Aws::S3
16680
17310
  # @!attribute [rw] server_side_encryption
16681
17311
  # The server-side encryption algorithm used when you store this object
16682
17312
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
16683
- #
16684
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
16685
- # managed keys (SSE-S3) (`AES256`) is supported.
16686
- #
16687
- # </note>
16688
17313
  # @return [String]
16689
17314
  #
16690
17315
  # @!attribute [rw] etag
@@ -16773,23 +17398,14 @@ module Aws::S3
16773
17398
  # @return [String]
16774
17399
  #
16775
17400
  # @!attribute [rw] ssekms_key_id
16776
- # If present, indicates the ID of the Key Management Service (KMS)
16777
- # symmetric encryption customer managed key that was used for the
16778
- # object.
16779
- #
16780
- # <note markdown="1"> This functionality is not supported for directory buckets.
16781
- #
16782
- # </note>
17401
+ # If present, indicates the ID of the KMS key that was used for object
17402
+ # encryption.
16783
17403
  # @return [String]
16784
17404
  #
16785
17405
  # @!attribute [rw] bucket_key_enabled
16786
17406
  # Indicates whether the multipart upload uses an S3 Bucket Key for
16787
17407
  # server-side encryption with Key Management Service (KMS) keys
16788
17408
  # (SSE-KMS).
16789
- #
16790
- # <note markdown="1"> This functionality is not supported for directory buckets.
16791
- #
16792
- # </note>
16793
17409
  # @return [Boolean]
16794
17410
  #
16795
17411
  # @!attribute [rw] request_charged