aws-sdk-s3 1.150.0 → 1.169.0

Files changed (59)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +110 -0
  3. data/VERSION +1 -1
  4. data/lib/aws-sdk-s3/access_grants_credentials_provider.rb +12 -3
  5. data/lib/aws-sdk-s3/bucket.rb +252 -88
  6. data/lib/aws-sdk-s3/bucket_acl.rb +3 -3
  7. data/lib/aws-sdk-s3/bucket_cors.rb +4 -4
  8. data/lib/aws-sdk-s3/bucket_lifecycle.rb +4 -4
  9. data/lib/aws-sdk-s3/bucket_lifecycle_configuration.rb +42 -5
  10. data/lib/aws-sdk-s3/bucket_logging.rb +3 -3
  11. data/lib/aws-sdk-s3/bucket_notification.rb +3 -3
  12. data/lib/aws-sdk-s3/bucket_policy.rb +8 -8
  13. data/lib/aws-sdk-s3/bucket_request_payment.rb +3 -3
  14. data/lib/aws-sdk-s3/bucket_tagging.rb +4 -4
  15. data/lib/aws-sdk-s3/bucket_versioning.rb +5 -5
  16. data/lib/aws-sdk-s3/bucket_website.rb +4 -4
  17. data/lib/aws-sdk-s3/client.rb +1685 -668
  18. data/lib/aws-sdk-s3/client_api.rb +49 -4
  19. data/lib/aws-sdk-s3/customizations/bucket.rb +1 -1
  20. data/lib/aws-sdk-s3/customizations/object.rb +11 -5
  21. data/lib/aws-sdk-s3/customizations/object_summary.rb +5 -0
  22. data/lib/aws-sdk-s3/customizations/object_version.rb +13 -0
  23. data/lib/aws-sdk-s3/customizations.rb +24 -38
  24. data/lib/aws-sdk-s3/encryption/client.rb +2 -2
  25. data/lib/aws-sdk-s3/encryption/kms_cipher_provider.rb +2 -2
  26. data/lib/aws-sdk-s3/encryptionV2/client.rb +2 -2
  27. data/lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb +2 -2
  28. data/lib/aws-sdk-s3/endpoint_parameters.rb +21 -18
  29. data/lib/aws-sdk-s3/endpoint_provider.rb +1 -0
  30. data/lib/aws-sdk-s3/endpoints.rb +416 -1614
  31. data/lib/aws-sdk-s3/errors.rb +3 -0
  32. data/lib/aws-sdk-s3/file_downloader.rb +1 -1
  33. data/lib/aws-sdk-s3/file_uploader.rb +1 -1
  34. data/lib/aws-sdk-s3/multipart_stream_uploader.rb +1 -1
  35. data/lib/aws-sdk-s3/multipart_upload.rb +31 -8
  36. data/lib/aws-sdk-s3/multipart_upload_part.rb +11 -11
  37. data/lib/aws-sdk-s3/object.rb +441 -158
  38. data/lib/aws-sdk-s3/object_acl.rb +3 -3
  39. data/lib/aws-sdk-s3/object_copier.rb +1 -1
  40. data/lib/aws-sdk-s3/object_summary.rb +403 -134
  41. data/lib/aws-sdk-s3/object_version.rb +53 -13
  42. data/lib/aws-sdk-s3/plugins/access_grants.rb +75 -5
  43. data/lib/aws-sdk-s3/plugins/endpoints.rb +24 -212
  44. data/lib/aws-sdk-s3/plugins/express_session_auth.rb +7 -1
  45. data/lib/aws-sdk-s3/plugins/http_200_errors.rb +53 -16
  46. data/lib/aws-sdk-s3/resource.rb +37 -11
  47. data/lib/aws-sdk-s3/types.rb +1106 -401
  48. data/lib/aws-sdk-s3.rb +35 -31
  49. data/sig/bucket.rbs +4 -0
  50. data/sig/bucket_lifecycle_configuration.rbs +7 -3
  51. data/sig/client.rbs +49 -5
  52. data/sig/multipart_upload.rbs +1 -0
  53. data/sig/object.rbs +7 -0
  54. data/sig/object_summary.rbs +1 -0
  55. data/sig/object_version.rbs +6 -0
  56. data/sig/resource.rbs +7 -1
  57. data/sig/types.rbs +36 -2
  58. data/sig/waiters.rbs +12 -0
  59. metadata +7 -6
@@ -344,11 +344,18 @@ module Aws::S3
344
344
  # changes to your bucket, such as editing its bucket policy.
345
345
  # @return [Time]
346
346
  #
347
+ # @!attribute [rw] bucket_region
348
+ # `BucketRegion` indicates the Amazon Web Services region where the
349
+ # bucket is located. If the request contains at least one valid
350
+ # parameter, it is included in the response.
351
+ # @return [String]
352
+ #
347
353
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/Bucket AWS API Documentation
348
354
  #
349
355
  class Bucket < Struct.new(
350
356
  :name,
351
- :creation_date)
357
+ :creation_date,
358
+ :bucket_region)
352
359
  SENSITIVE = []
353
360
  include Aws::Structure
354
361
  end
@@ -634,7 +641,7 @@ module Aws::S3
634
641
  # Contains all the possible checksum or digest values for an object.
635
642
  #
636
643
  # @!attribute [rw] checksum_crc32
637
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
644
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
638
645
  # only be present if it was uploaded with the object. When you use an
639
646
  # API operation on an object that was uploaded using multipart
640
647
  # uploads, this value may not be a direct checksum value of the full
@@ -649,7 +656,7 @@ module Aws::S3
649
656
  # @return [String]
650
657
  #
651
658
  # @!attribute [rw] checksum_crc32c
652
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
659
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
653
660
  # only be present if it was uploaded with the object. When you use an
654
661
  # API operation on an object that was uploaded using multipart
655
662
  # uploads, this value may not be a direct checksum value of the full
@@ -803,7 +810,7 @@ module Aws::S3
803
810
  # @return [String]
804
811
  #
805
812
  # @!attribute [rw] checksum_crc32
806
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
813
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
807
814
  # only be present if it was uploaded with the object. When you use an
808
815
  # API operation on an object that was uploaded using multipart
809
816
  # uploads, this value may not be a direct checksum value of the full
@@ -818,7 +825,7 @@ module Aws::S3
818
825
  # @return [String]
819
826
  #
820
827
  # @!attribute [rw] checksum_crc32c
821
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
828
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
822
829
  # only be present if it was uploaded with the object. When you use an
823
830
  # API operation on an object that was uploaded using multipart
824
831
  # uploads, this value may not be a direct checksum value of the full
@@ -865,11 +872,6 @@ module Aws::S3
865
872
  # @!attribute [rw] server_side_encryption
866
873
  # The server-side encryption algorithm used when storing this object
867
874
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
868
- #
869
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
870
- # managed keys (SSE-S3) (`AES256`) is supported.
871
- #
872
- # </note>
873
875
  # @return [String]
874
876
  #
875
877
  # @!attribute [rw] version_id
@@ -882,23 +884,14 @@ module Aws::S3
882
884
  # @return [String]
883
885
  #
884
886
  # @!attribute [rw] ssekms_key_id
885
- # If present, indicates the ID of the Key Management Service (KMS)
886
- # symmetric encryption customer managed key that was used for the
887
- # object.
888
- #
889
- # <note markdown="1"> This functionality is not supported for directory buckets.
890
- #
891
- # </note>
887
+ # If present, indicates the ID of the KMS key that was used for object
888
+ # encryption.
892
889
  # @return [String]
893
890
  #
894
891
  # @!attribute [rw] bucket_key_enabled
895
892
  # Indicates whether the multipart upload uses an S3 Bucket Key for
896
893
  # server-side encryption with Key Management Service (KMS) keys
897
894
  # (SSE-KMS).
898
- #
899
- # <note markdown="1"> This functionality is not supported for directory buckets.
900
- #
901
- # </note>
902
895
  # @return [Boolean]
903
896
  #
904
897
  # @!attribute [rw] request_charged
@@ -991,7 +984,7 @@ module Aws::S3
991
984
  # @!attribute [rw] checksum_crc32
992
985
  # This header can be used as a data integrity check to verify that the
993
986
  # data received is the same data that was originally sent. This header
994
- # specifies the base64-encoded, 32-bit CRC32 checksum of the object.
987
+ # specifies the base64-encoded, 32-bit CRC-32 checksum of the object.
995
988
  # For more information, see [Checking object integrity][1] in the
996
989
  # *Amazon S3 User Guide*.
997
990
  #
@@ -1003,7 +996,7 @@ module Aws::S3
1003
996
  # @!attribute [rw] checksum_crc32c
1004
997
  # This header can be used as a data integrity check to verify that the
1005
998
  # data received is the same data that was originally sent. This header
1006
- # specifies the base64-encoded, 32-bit CRC32C checksum of the object.
999
+ # specifies the base64-encoded, 32-bit CRC-32C checksum of the object.
1007
1000
  # For more information, see [Checking object integrity][1] in the
1008
1001
  # *Amazon S3 User Guide*.
1009
1002
  #
@@ -1061,6 +1054,27 @@ module Aws::S3
1061
1054
  # denied).
1062
1055
  # @return [String]
1063
1056
  #
1057
+ # @!attribute [rw] if_none_match
1058
+ # Uploads the object only if the object key name does not already
1059
+ # exist in the bucket specified. Otherwise, Amazon S3 returns a `412
1060
+ # Precondition Failed` error.
1061
+ #
1062
+ # If a conflicting operation occurs during the upload S3 returns a
1063
+ # `409 ConditionalRequestConflict` response. On a 409 failure you
1064
+ # should re-initiate the multipart upload with `CreateMultipartUpload`
1065
+ # and re-upload each part.
1066
+ #
1067
+ # Expects the '*' (asterisk) character.
1068
+ #
1069
+ # For more information about conditional requests, see [RFC 7232][1],
1070
+ # or [Conditional requests][2] in the *Amazon S3 User Guide*.
1071
+ #
1072
+ #
1073
+ #
1074
+ # [1]: https://tools.ietf.org/html/rfc7232
1075
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/conditional-requests.html
1076
+ # @return [String]
1077
+ #
1064
1078
  # @!attribute [rw] sse_customer_algorithm
1065
1079
  # The server-side encryption (SSE) algorithm used to encrypt the
1066
1080
  # object. This parameter is required only when the object was created
@@ -1120,6 +1134,7 @@ module Aws::S3
1120
1134
  :checksum_sha256,
1121
1135
  :request_payer,
1122
1136
  :expected_bucket_owner,
1137
+ :if_none_match,
1123
1138
  :sse_customer_algorithm,
1124
1139
  :sse_customer_key,
1125
1140
  :sse_customer_key_md5)
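Review bot: `:if_none_match` is inserted in the middle of the `Struct.new` member list, ahead of `:sse_customer_algorithm`, `:sse_customer_key` and `:sse_customer_key_md5`, so the positional index of those three SSE-C members moves by one. Code that fills or reads the struct by member name is unaffected, but anything that depends on member order (`to_a`, integer indexing, array destructuring) would now find the customer-key fields one slot later. No such caller is visible on this page, so this is a caution rather than a confirmed break. If the order is not dictated by a generator, appending the member the way the first hunk appends `:bucket_region` (`:sse_customer_key_md5,` followed by `:if_none_match)`) keeps existing positions stable. The struct's opening line and the rest of its body lie outside this hunk.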
@@ -1151,7 +1166,7 @@ module Aws::S3
1151
1166
  # @return [String]
1152
1167
  #
1153
1168
  # @!attribute [rw] checksum_crc32
1154
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
1169
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
1155
1170
  # only be present if it was uploaded with the object. When you use an
1156
1171
  # API operation on an object that was uploaded using multipart
1157
1172
  # uploads, this value may not be a direct checksum value of the full
@@ -1166,7 +1181,7 @@ module Aws::S3
1166
1181
  # @return [String]
1167
1182
  #
1168
1183
  # @!attribute [rw] checksum_crc32c
1169
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
1184
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
1170
1185
  # only be present if it was uploaded with the object. When you use an
1171
1186
  # API operation on an object that was uploaded using multipart
1172
1187
  # uploads, this value may not be a direct checksum value of the full
@@ -1326,11 +1341,6 @@ module Aws::S3
1326
1341
  # @!attribute [rw] server_side_encryption
1327
1342
  # The server-side encryption algorithm used when you store this object
1328
1343
  # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
1329
- #
1330
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
1331
- # managed keys (SSE-S3) (`AES256`) is supported.
1332
- #
1333
- # </note>
1334
1344
  # @return [String]
1335
1345
  #
1336
1346
  # @!attribute [rw] sse_customer_algorithm
@@ -1355,13 +1365,8 @@ module Aws::S3
1355
1365
  # @return [String]
1356
1366
  #
1357
1367
  # @!attribute [rw] ssekms_key_id
1358
- # If present, indicates the ID of the Key Management Service (KMS)
1359
- # symmetric encryption customer managed key that was used for the
1360
- # object.
1361
- #
1362
- # <note markdown="1"> This functionality is not supported for directory buckets.
1363
- #
1364
- # </note>
1368
+ # If present, indicates the ID of the KMS key that was used for object
1369
+ # encryption.
1365
1370
  # @return [String]
1366
1371
  #
1367
1372
  # @!attribute [rw] ssekms_encryption_context
@@ -1369,20 +1374,12 @@ module Aws::S3
1369
1374
  # to use for object encryption. The value of this header is a
1370
1375
  # base64-encoded UTF-8 string holding JSON with the encryption context
1371
1376
  # key-value pairs.
1372
- #
1373
- # <note markdown="1"> This functionality is not supported for directory buckets.
1374
- #
1375
- # </note>
1376
1377
  # @return [String]
1377
1378
  #
1378
1379
  # @!attribute [rw] bucket_key_enabled
1379
1380
  # Indicates whether the copied object uses an S3 Bucket Key for
1380
1381
  # server-side encryption with Key Management Service (KMS) keys
1381
1382
  # (SSE-KMS).
1382
- #
1383
- # <note markdown="1"> This functionality is not supported for directory buckets.
1384
- #
1385
- # </note>
1386
1383
  # @return [Boolean]
1387
1384
  #
1388
1385
  # @!attribute [rw] request_charged
@@ -1810,9 +1807,8 @@ module Aws::S3
1810
1807
  #
1811
1808
  # @!attribute [rw] server_side_encryption
1812
1809
  # The server-side encryption algorithm used when storing this object
1813
- # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
1814
- # Unrecognized or unsupported values won’t write a destination object
1815
- # and will receive a `400 Bad Request` response.
1810
+ # in Amazon S3. Unrecognized or unsupported values won’t write a
1811
+ # destination object and will receive a `400 Bad Request` response.
1816
1812
  #
1817
1813
  # Amazon S3 automatically encrypts all new objects that are copied to
1818
1814
  # an S3 bucket. When copying an object, if you don't specify
@@ -1821,21 +1817,8 @@ module Aws::S3
1821
1817
  # of the destination bucket. By default, all buckets have a base level
1822
1818
  # of encryption configuration that uses server-side encryption with
1823
1819
  # Amazon S3 managed keys (SSE-S3). If the destination bucket has a
1824
- # default encryption configuration that uses server-side encryption
1825
- # with Key Management Service (KMS) keys (SSE-KMS), dual-layer
1826
- # server-side encryption with Amazon Web Services KMS keys (DSSE-KMS),
1827
- # or server-side encryption with customer-provided encryption keys
1828
- # (SSE-C), Amazon S3 uses the corresponding KMS key, or a
1829
- # customer-provided key to encrypt the target object copy.
1830
- #
1831
- # When you perform a `CopyObject` operation, if you want to use a
1832
- # different type of encryption setting for the target object, you can
1833
- # specify appropriate encryption-related headers to encrypt the target
1834
- # object with an Amazon S3 managed key, a KMS key, or a
1835
- # customer-provided key. If the encryption setting in your request is
1836
- # different from the default encryption configuration of the
1837
- # destination bucket, the encryption setting in your request takes
1838
- # precedence.
1820
+ # different default encryption configuration, Amazon S3 uses the
1821
+ # corresponding encryption key to encrypt the target object copy.
1839
1822
  #
1840
1823
  # With server-side encryption, Amazon S3 encrypts your data as it
1841
1824
  # writes your data to disks in its data centers and decrypts the data
@@ -1843,14 +1826,63 @@ module Aws::S3
1843
1826
  # encryption, see [Using Server-Side Encryption][1] in the *Amazon S3
1844
1827
  # User Guide*.
1845
1828
  #
1846
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
1847
- # managed keys (SSE-S3) (`AES256`) is supported.
1848
- #
1849
- # </note>
1829
+ # <b>General purpose buckets </b>
1830
+ #
1831
+ # * For general purpose buckets, there are the following supported
1832
+ # options for server-side encryption: server-side encryption with
1833
+ # Key Management Service (KMS) keys (SSE-KMS), dual-layer
1834
+ # server-side encryption with Amazon Web Services KMS keys
1835
+ # (DSSE-KMS), and server-side encryption with customer-provided
1836
+ # encryption keys (SSE-C). Amazon S3 uses the corresponding KMS key,
1837
+ # or a customer-provided key to encrypt the target object copy.
1838
+ #
1839
+ # * When you perform a `CopyObject` operation, if you want to use a
1840
+ # different type of encryption setting for the target object, you
1841
+ # can specify appropriate encryption-related headers to encrypt the
1842
+ # target object with an Amazon S3 managed key, a KMS key, or a
1843
+ # customer-provided key. If the encryption setting in your request
1844
+ # is different from the default encryption configuration of the
1845
+ # destination bucket, the encryption setting in your request takes
1846
+ # precedence.
1847
+ #
1848
+ # <b>Directory buckets </b>
1849
+ #
1850
+ # * For directory buckets, there are only two supported options for
1851
+ # server-side encryption: server-side encryption with Amazon S3
1852
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with
1853
+ # KMS keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's
1854
+ # default encryption uses the desired encryption configuration and
1855
+ # you don't override the bucket default encryption in your
1856
+ # `CreateSession` requests or `PUT` object requests. Then, new
1857
+ # objects are automatically encrypted with the desired encryption
1858
+ # settings. For more information, see [Protecting data with
1859
+ # server-side encryption][2] in the *Amazon S3 User Guide*. For more
1860
+ # information about the encryption overriding behaviors in directory
1861
+ # buckets, see [Specifying server-side encryption with KMS for new
1862
+ # object uploads][3].
1863
+ #
1864
+ # * To encrypt new object copies to a directory bucket with SSE-KMS,
1865
+ # we recommend you specify SSE-KMS as the directory bucket's
1866
+ # default encryption configuration with a KMS key (specifically, a
1867
+ # [customer managed key][4]). The [Amazon Web Services managed
1868
+ # key][5] (`aws/s3`) isn't supported. Your SSE-KMS configuration
1869
+ # can only support 1 [customer managed key][4] per directory bucket
1870
+ # for the lifetime of the bucket. After you specify a customer
1871
+ # managed key for SSE-KMS, you can't override the customer managed
1872
+ # key for the bucket's SSE-KMS configuration. Then, when you
1873
+ # perform a `CopyObject` operation and want to specify server-side
1874
+ # encryption settings for new object copies with SSE-KMS in the
1875
+ # encryption-related request headers, you must ensure the encryption
1876
+ # key is the same customer managed key that you specified for the
1877
+ # directory bucket's default encryption configuration.
1850
1878
  #
1851
1879
  #
1852
1880
  #
1853
1881
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
1882
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
1883
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
1884
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
1885
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1854
1886
  # @return [String]
1855
1887
  #
1856
1888
  # @!attribute [rw] storage_class
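Review bot: The new "General purpose buckets" bullet reads as an exhaustive list (SSE-KMS, DSSE-KMS and SSE-C) but leaves out SSE-S3. The very next bullet still offers "an Amazon S3 managed key, a KMS key, or a customer-provided key". A reader picking an encryption mode from the first bullet could conclude that `AES256` is not accepted for general purpose buckets. I would reword its opening to something like `# * For general purpose buckets, in addition to the SSE-S3 default, the following` so the two bullets agree. The attribute comment begins before this hunk.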
@@ -1956,7 +1988,7 @@ module Aws::S3
1956
1988
  # @return [String]
1957
1989
  #
1958
1990
  # @!attribute [rw] ssekms_key_id
1959
- # Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for
1991
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
1960
1992
  # object encryption. All GET and PUT requests for an object protected
1961
1993
  # by KMS will fail if they're not made via SSL or using SigV4. For
1962
1994
  # information about configuring any of the officially supported Amazon
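Review bot: The opening sentence still offers "Key ID, Key ARN, or Key Alias" without qualification, while the Directory buckets paragraph added in the following hunk says the alias format isn't supported and that a non-matching key yields an HTTP `400 Bad Request`. A caller who reads only the first sentence would pass an alias for a directory-bucket destination and hit that error. Qualifying the sentence would remove the contradiction, for example `# Specifies the KMS key ID (Key ID, Key ARN, or, for general purpose buckets only, Key Alias) to use for`. The comment continues past the end of this hunk.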
@@ -1964,27 +1996,50 @@ module Aws::S3
1964
1996
  # Signature Version in Request Authentication][1] in the *Amazon S3
1965
1997
  # User Guide*.
1966
1998
  #
1967
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1968
- # directory bucket.
1969
- #
1970
- # </note>
1999
+ # **Directory buckets** - If you specify
2000
+ # `x-amz-server-side-encryption` with `aws:kms`, the `
2001
+ # x-amz-server-side-encryption-aws-kms-key-id` header is implicitly
2002
+ # assigned the ID of the KMS symmetric encryption customer managed key
2003
+ # that's configured for your directory bucket's default encryption
2004
+ # setting. If you want to specify the `
2005
+ # x-amz-server-side-encryption-aws-kms-key-id` header explicitly, you
2006
+ # can only specify it with the ID (Key ID or Key ARN) of the KMS
2007
+ # customer managed key that's configured for your directory bucket's
2008
+ # default encryption setting. Otherwise, you get an HTTP `400 Bad
2009
+ # Request` error. Only use the key ID or key ARN. The key alias format
2010
+ # of the KMS key isn't supported. Your SSE-KMS configuration can only
2011
+ # support 1 [customer managed key][2] per directory bucket for the
2012
+ # lifetime of the bucket. The [Amazon Web Services managed key][3]
2013
+ # (`aws/s3`) isn't supported.
1971
2014
  #
1972
2015
  #
1973
2016
  #
1974
2017
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
2018
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
2019
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1975
2020
  # @return [String]
1976
2021
  #
1977
2022
  # @!attribute [rw] ssekms_encryption_context
1978
- # Specifies the Amazon Web Services KMS Encryption Context to use for
1979
- # object encryption. The value of this header is a base64-encoded
1980
- # UTF-8 string holding JSON with the encryption context key-value
1981
- # pairs. This value must be explicitly added to specify encryption
1982
- # context for `CopyObject` requests.
2023
+ # Specifies the Amazon Web Services KMS Encryption Context as an
2024
+ # additional encryption context to use for the destination object
2025
+ # encryption. The value of this header is a base64-encoded UTF-8
2026
+ # string holding JSON with the encryption context key-value pairs.
1983
2027
  #
1984
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1985
- # directory bucket.
2028
+ # **General purpose buckets** - This value must be explicitly added to
2029
+ # specify encryption context for `CopyObject` requests if you want an
2030
+ # additional encryption context for your destination object. The
2031
+ # additional encryption context of the source object won't be copied
2032
+ # to the destination object. For more information, see [Encryption
2033
+ # context][1] in the *Amazon S3 User Guide*.
1986
2034
  #
1987
- # </note>
2035
+ # **Directory buckets** - You can optionally provide an explicit
2036
+ # encryption context value. The value must match the default
2037
+ # encryption context - the bucket Amazon Resource Name (ARN). An
2038
+ # additional encryption context value is not supported.
2039
+ #
2040
+ #
2041
+ #
2042
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
1988
2043
  # @return [String]
1989
2044
  #
1990
2045
  # @!attribute [rw] bucket_key_enabled
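Review bot: In the new Directory buckets paragraph for `ssekms_key_id`, the code span for the header `x-amz-server-side-encryption-aws-kms-key-id` opens with a backtick at the end of one comment line and the name only starts on the next line; this happens twice in the paragraph. Depending on the renderer the span then carries a leading space or is not recognised as code at all, which matters for a header name readers copy verbatim. Moving the opening backtick onto the same line as the header name fixes it. The same wrapped span appears in the `ssekms_key_id` paragraph of the last hunk on this page (`@@ -3157,37 +3242,80 @@`). If these comments are generated from an upstream model, which the page does not show, the fix belongs there.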
@@ -2001,14 +2056,19 @@ module Aws::S3
2001
2056
  # For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon
2002
2057
  # S3 User Guide*.
2003
2058
  #
2004
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
2005
- # directory bucket.
2059
+ # <note markdown="1"> **Directory buckets** - S3 Bucket Keys aren't supported, when you
2060
+ # copy SSE-KMS encrypted objects from general purpose buckets to
2061
+ # directory buckets, from directory buckets to general purpose
2062
+ # buckets, or between directory buckets, through [CopyObject][2]. In
2063
+ # this case, Amazon S3 makes a call to KMS every time a copy request
2064
+ # is made for a KMS-encrypted object.
2006
2065
  #
2007
2066
  # </note>
2008
2067
  #
2009
2068
  #
2010
2069
  #
2011
2070
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
2071
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
2012
2072
  # @return [Boolean]
2013
2073
  #
2014
2074
  # @!attribute [rw] copy_source_sse_customer_algorithm
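Review bot: The rewritten note says S3 Bucket Keys aren't supported for copies that involve a directory bucket, but it does not say what happens when `bucket_key_enabled` is passed as `true` on such a request. The note should state whether the value is ignored or the request is rejected. That outcome is worth documenting because the note itself explains that every such copy results in a KMS call, which callers may need to plan for. The first line also has a stray comma and would read better as `# <note markdown="1"> **Directory buckets** - S3 Bucket Keys aren't supported when you`. The attribute's comment starts before this hunk.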
@@ -2225,7 +2285,7 @@ module Aws::S3
2225
2285
  # @return [Time]
2226
2286
  #
2227
2287
  # @!attribute [rw] checksum_crc32
2228
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
2288
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
2229
2289
  # only be present if it was uploaded with the object. For more
2230
2290
  # information, see [ Checking object integrity][1] in the *Amazon S3
2231
2291
  # User Guide*.
@@ -2236,7 +2296,7 @@ module Aws::S3
2236
2296
  # @return [String]
2237
2297
  #
2238
2298
  # @!attribute [rw] checksum_crc32c
2239
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
2299
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
2240
2300
  # only be present if it was uploaded with the object. For more
2241
2301
  # information, see [ Checking object integrity][1] in the *Amazon S3
2242
2302
  # User Guide*.
@@ -2292,7 +2352,7 @@ module Aws::S3
2292
2352
  # @return [Time]
2293
2353
  #
2294
2354
  # @!attribute [rw] checksum_crc32
2295
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
2355
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
2296
2356
  # only be present if it was uploaded with the object. When you use an
2297
2357
  # API operation on an object that was uploaded using multipart
2298
2358
  # uploads, this value may not be a direct checksum value of the full
@@ -2307,7 +2367,7 @@ module Aws::S3
2307
2367
  # @return [String]
2308
2368
  #
2309
2369
  # @!attribute [rw] checksum_crc32c
2310
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
2370
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
2311
2371
  # only be present if it was uploaded with the object. When you use an
2312
2372
  # API operation on an object that was uploaded using multipart
2313
2373
  # uploads, this value may not be a direct checksum value of the full
@@ -2620,11 +2680,6 @@ module Aws::S3
2620
2680
  # @!attribute [rw] server_side_encryption
2621
2681
  # The server-side encryption algorithm used when you store this object
2622
2682
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
2623
- #
2624
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
2625
- # managed keys (SSE-S3) (`AES256`) is supported.
2626
- #
2627
- # </note>
2628
2683
  # @return [String]
2629
2684
  #
2630
2685
  # @!attribute [rw] sse_customer_algorithm
@@ -2649,34 +2704,21 @@ module Aws::S3
2649
2704
  # @return [String]
2650
2705
  #
2651
2706
  # @!attribute [rw] ssekms_key_id
2652
- # If present, indicates the ID of the Key Management Service (KMS)
2653
- # symmetric encryption customer managed key that was used for the
2654
- # object.
2655
- #
2656
- # <note markdown="1"> This functionality is not supported for directory buckets.
2657
- #
2658
- # </note>
2707
+ # If present, indicates the ID of the KMS key that was used for object
2708
+ # encryption.
2659
2709
  # @return [String]
2660
2710
  #
2661
2711
  # @!attribute [rw] ssekms_encryption_context
2662
2712
  # If present, indicates the Amazon Web Services KMS Encryption Context
2663
2713
  # to use for object encryption. The value of this header is a
2664
- # base64-encoded UTF-8 string holding JSON with the encryption context
2665
- # key-value pairs.
2666
- #
2667
- # <note markdown="1"> This functionality is not supported for directory buckets.
2668
- #
2669
- # </note>
2714
+ # Base64-encoded string of a UTF-8 encoded JSON, which contains the
2715
+ # encryption context as key-value pairs.
2670
2716
  # @return [String]
2671
2717
  #
2672
2718
  # @!attribute [rw] bucket_key_enabled
2673
2719
  # Indicates whether the multipart upload uses an S3 Bucket Key for
2674
2720
  # server-side encryption with Key Management Service (KMS) keys
2675
2721
  # (SSE-KMS).
2676
- #
2677
- # <note markdown="1"> This functionality is not supported for directory buckets.
2678
- #
2679
- # </note>
2680
2722
  # @return [Boolean]
2681
2723
  #
2682
2724
  # @!attribute [rw] request_charged
@@ -3088,10 +3130,53 @@ module Aws::S3
3088
3130
  # The server-side encryption algorithm used when you store this object
3089
3131
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
3090
3132
  #
3091
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
3092
- # managed keys (SSE-S3) (`AES256`) is supported.
3133
+ # * <b>Directory buckets </b> - For directory buckets, there are only
3134
+ # two supported options for server-side encryption: server-side
3135
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
3136
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
3137
+ # recommend that the bucket's default encryption uses the desired
3138
+ # encryption configuration and you don't override the bucket
3139
+ # default encryption in your `CreateSession` requests or `PUT`
3140
+ # object requests. Then, new objects are automatically encrypted
3141
+ # with the desired encryption settings. For more information, see
3142
+ # [Protecting data with server-side encryption][1] in the *Amazon S3
3143
+ # User Guide*. For more information about the encryption overriding
3144
+ # behaviors in directory buckets, see [Specifying server-side
3145
+ # encryption with KMS for new object uploads][2].
3146
+ #
3147
+ # In the Zonal endpoint API calls (except [CopyObject][3] and
3148
+ # [UploadPartCopy][4]) using the REST API, the encryption request
3149
+ # headers must match the encryption settings that are specified in
3150
+ # the `CreateSession` request. You can't override the values of the
3151
+ # encryption settings (`x-amz-server-side-encryption`,
3152
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
3153
+ # `x-amz-server-side-encryption-context`, and
3154
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
3155
+ # specified in the `CreateSession` request. You don't need to
3156
+ # explicitly specify these encryption settings values in Zonal
3157
+ # endpoint API calls, and Amazon S3 will use the encryption settings
3158
+ # values from the `CreateSession` request to protect new objects in
3159
+ # the directory bucket.
3160
+ #
3161
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
3162
+ # `CreateSession`, the session token refreshes automatically to
3163
+ # avoid service interruptions when a session expires. The CLI or the
3164
+ # Amazon Web Services SDKs use the bucket's default encryption
3165
+ # configuration for the `CreateSession` request. It's not supported
3166
+ # to override the encryption settings values in the `CreateSession`
3167
+ # request. So in the Zonal endpoint API calls (except
3168
+ # [CopyObject][3] and [UploadPartCopy][4]), the encryption request
3169
+ # headers must match the default encryption configuration of the
3170
+ # directory bucket.
3093
3171
  #
3094
- # </note>
3172
+ # </note>
3173
+ #
3174
+ #
3175
+ #
3176
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3177
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
3178
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3179
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3095
3180
  # @return [String]
3096
3181
  #
3097
3182
  # @!attribute [rw] storage_class
@@ -3157,37 +3242,80 @@ module Aws::S3
3157
3242
  # @return [String]
3158
3243
  #
3159
3244
  # @!attribute [rw] ssekms_key_id
3160
- # Specifies the ID (Key ID, Key ARN, or Key Alias) of the symmetric
3161
- # encryption customer managed key to use for object encryption.
3245
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
3246
+ # object encryption. If the KMS key doesn't exist in the same account
3247
+ # that's issuing the command, you must use the full Key ARN not the
3248
+ # Key ID.
3249
+ #
3250
+ # **General purpose buckets** - If you specify
3251
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`,
3252
+ # this header specifies the ID (Key ID, Key ARN, or Key Alias) of the
3253
+ # KMS key to use. If you specify
3254
+ # `x-amz-server-side-encryption:aws:kms` or
3255
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
3256
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
3257
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
3162
3258
  #
3163
- # <note markdown="1"> This functionality is not supported for directory buckets.
3259
+ # **Directory buckets** - If you specify
3260
+ # `x-amz-server-side-encryption` with `aws:kms`, the `
3261
+ # x-amz-server-side-encryption-aws-kms-key-id` header is implicitly
3262
+ # assigned the ID of the KMS symmetric encryption customer managed key
3263
+ # that's configured for your directory bucket's default encryption
3264
+ # setting. If you want to specify the `
3265
+ # x-amz-server-side-encryption-aws-kms-key-id` header explicitly, you
3266
+ # can only specify it with the ID (Key ID or Key ARN) of the KMS
3267
+ # customer managed key that's configured for your directory bucket's
3268
+ # default encryption setting. Otherwise, you get an HTTP `400 Bad
3269
+ # Request` error. Only use the key ID or key ARN. The key alias format
3270
+ # of the KMS key isn't supported. Your SSE-KMS configuration can only
3271
+ # support 1 [customer managed key][1] per directory bucket for the
3272
+ # lifetime of the bucket. The [Amazon Web Services managed key][2]
3273
+ # (`aws/s3`) isn't supported.
3164
3274
  #
3165
- # </note>
3275
+ #
3276
+ #
3277
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3278
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3166
3279
  # @return [String]
3167
3280
  #
3168
3281
  # @!attribute [rw] ssekms_encryption_context
3169
3282
  # Specifies the Amazon Web Services KMS Encryption Context to use for
3170
- # object encryption. The value of this header is a base64-encoded
3171
- # UTF-8 string holding JSON with the encryption context key-value
3172
- # pairs.
3173
- #
3174
- # <note markdown="1"> This functionality is not supported for directory buckets.
3283
+ # object encryption. The value of this header is a Base64-encoded
3284
+ # string of a UTF-8 encoded JSON, which contains the encryption
3285
+ # context as key-value pairs.
3175
3286
  #
3176
- # </note>
3287
+ # **Directory buckets** - You can optionally provide an explicit
3288
+ # encryption context value. The value must match the default
3289
+ # encryption context - the bucket Amazon Resource Name (ARN). An
3290
+ # additional encryption context value is not supported.
3177
3291
  # @return [String]
3178
3292
  #
3179
3293
  # @!attribute [rw] bucket_key_enabled
3180
3294
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
3181
3295
  # encryption with server-side encryption using Key Management Service
3182
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
3183
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
3296
+ # (KMS) keys (SSE-KMS).
3184
3297
  #
3185
- # Specifying this header with an object action doesn’t affect
3186
- # bucket-level settings for S3 Bucket Key.
3298
+ # **General purpose buckets** - Setting this header to `true` causes
3299
+ # Amazon S3 to use an S3 Bucket Key for object encryption with
3300
+ # SSE-KMS. Also, specifying this header with a PUT action doesn't
3301
+ # affect bucket-level settings for S3 Bucket Key.
3187
3302
  #
3188
- # <note markdown="1"> This functionality is not supported for directory buckets.
3303
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
3304
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
3305
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted
3306
+ # objects from general purpose buckets to directory buckets, from
3307
+ # directory buckets to general purpose buckets, or between directory
3308
+ # buckets, through [CopyObject][1], [UploadPartCopy][2], [the Copy
3309
+ # operation in Batch Operations][3], or [the import jobs][4]. In this
3310
+ # case, Amazon S3 makes a call to KMS every time a copy request is
3311
+ # made for a KMS-encrypted object.
3189
3312
  #
3190
- # </note>
3313
+ #
3314
+ #
3315
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3316
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3317
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
3318
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
3191
3319
  # @return [Boolean]
3192
3320
  #
3193
3321
  # @!attribute [rw] request_payer
@@ -3297,16 +3425,45 @@ module Aws::S3
3297
3425
  include Aws::Structure
3298
3426
  end
3299
3427
 
3428
+ # @!attribute [rw] server_side_encryption
3429
+ # The server-side encryption algorithm used when you store objects in
3430
+ # the directory bucket.
3431
+ # @return [String]
3432
+ #
3433
+ # @!attribute [rw] ssekms_key_id
3434
+ # If you specify `x-amz-server-side-encryption` with `aws:kms`, this
3435
+ # header indicates the ID of the KMS symmetric encryption customer
3436
+ # managed key that was used for object encryption.
3437
+ # @return [String]
3438
+ #
3439
+ # @!attribute [rw] ssekms_encryption_context
3440
+ # If present, indicates the Amazon Web Services KMS Encryption Context
3441
+ # to use for object encryption. The value of this header is a
3442
+ # Base64-encoded string of a UTF-8 encoded JSON, which contains the
3443
+ # encryption context as key-value pairs. This value is stored as
3444
+ # object metadata and automatically gets passed on to Amazon Web
3445
+ # Services KMS for future `GetObject` operations on this object.
3446
+ # @return [String]
3447
+ #
3448
+ # @!attribute [rw] bucket_key_enabled
3449
+ # Indicates whether to use an S3 Bucket Key for server-side encryption
3450
+ # with KMS keys (SSE-KMS).
3451
+ # @return [Boolean]
3452
+ #
3300
3453
  # @!attribute [rw] credentials
3301
3454
  # The established temporary security credentials for the created
3302
- # session..
3455
+ # session.
3303
3456
  # @return [Types::SessionCredentials]
3304
3457
  #
3305
3458
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/CreateSessionOutput AWS API Documentation
3306
3459
  #
3307
3460
  class CreateSessionOutput < Struct.new(
3461
+ :server_side_encryption,
3462
+ :ssekms_key_id,
3463
+ :ssekms_encryption_context,
3464
+ :bucket_key_enabled,
3308
3465
  :credentials)
3309
- SENSITIVE = []
3466
+ SENSITIVE = [:ssekms_key_id, :ssekms_encryption_context]
3310
3467
  include Aws::Structure
3311
3468
  end
3312
3469
 
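Review bot: `SENSITIVE` on `CreateSessionOutput` now names `:ssekms_key_id` and `:ssekms_encryption_context` but still omits `:credentials`, the member that carries the session's temporary credentials. If this list is what drives redaction in logging and `inspect` output (not shown in this hunk), that is only safe when `Types::SessionCredentials` declares its own `SENSITIVE` list and masking is applied per nested structure. That type is outside the hunk, so confirm it before this struct reaches logs. A comment above the constant would record the intent, for example `# :credentials is masked by the SENSITIVE list on Types::SessionCredentials`.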
@@ -3314,27 +3471,114 @@ module Aws::S3
3314
3471
  # Specifies the mode of the session that will be created, either
3315
3472
  # `ReadWrite` or `ReadOnly`. By default, a `ReadWrite` session is
3316
3473
  # created. A `ReadWrite` session is capable of executing all the Zonal
3317
- # endpoint APIs on a directory bucket. A `ReadOnly` session is
3318
- # constrained to execute the following Zonal endpoint APIs:
3319
- # `GetObject`, `HeadObject`, `ListObjectsV2`, `GetObjectAttributes`,
3320
- # `ListParts`, and `ListMultipartUploads`.
3474
+ # endpoint API operations on a directory bucket. A `ReadOnly` session
3475
+ # is constrained to execute the following Zonal endpoint API
3476
+ # operations: `GetObject`, `HeadObject`, `ListObjectsV2`,
3477
+ # `GetObjectAttributes`, `ListParts`, and `ListMultipartUploads`.
3321
3478
  # @return [String]
3322
3479
  #
3323
3480
  # @!attribute [rw] bucket
3324
3481
  # The name of the bucket that you create a session for.
3325
3482
  # @return [String]
3326
3483
  #
3484
+ # @!attribute [rw] server_side_encryption
3485
+ # The server-side encryption algorithm to use when you store objects
3486
+ # in the directory bucket.
3487
+ #
3488
+ # For directory buckets, there are only two supported options for
3489
+ # server-side encryption: server-side encryption with Amazon S3
3490
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
3491
+ # keys (SSE-KMS) (`aws:kms`). By default, Amazon S3 encrypts data with
3492
+ # SSE-S3. For more information, see [Protecting data with server-side
3493
+ # encryption][1] in the *Amazon S3 User Guide*.
3494
+ #
3495
+ #
3496
+ #
3497
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3498
+ # @return [String]
3499
+ #
3500
+ # @!attribute [rw] ssekms_key_id
3501
+ # If you specify `x-amz-server-side-encryption` with `aws:kms`, you
3502
+ # must specify the ` x-amz-server-side-encryption-aws-kms-key-id`
3503
+ # header with the ID (Key ID or Key ARN) of the KMS symmetric
3504
+ # encryption customer managed key to use. Otherwise, you get an HTTP
3505
+ # `400 Bad Request` error. Only use the key ID or key ARN. The key
3506
+ # alias format of the KMS key isn't supported. Also, if the KMS key
3507
+ # doesn't exist in the same account that't issuing the command, you
3508
+ # must use the full Key ARN not the Key ID.
3509
+ #
3510
+ # Your SSE-KMS configuration can only support 1 [customer managed
3511
+ # key][1] per directory bucket for the lifetime of the bucket. The
3512
+ # [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
3513
+ #
3514
+ #
3515
+ #
3516
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3517
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3518
+ # @return [String]
3519
+ #
3520
+ # @!attribute [rw] ssekms_encryption_context
3521
+ # Specifies the Amazon Web Services KMS Encryption Context as an
3522
+ # additional encryption context to use for object encryption. The
3523
+ # value of this header is a Base64-encoded string of a UTF-8 encoded
3524
+ # JSON, which contains the encryption context as key-value pairs. This
3525
+ # value is stored as object metadata and automatically gets passed on
3526
+ # to Amazon Web Services KMS for future `GetObject` operations on this
3527
+ # object.
3528
+ #
3529
+ # **General purpose buckets** - This value must be explicitly added
3530
+ # during `CopyObject` operations if you want an additional encryption
3531
+ # context for your object. For more information, see [Encryption
3532
+ # context][1] in the *Amazon S3 User Guide*.
3533
+ #
3534
+ # **Directory buckets** - You can optionally provide an explicit
3535
+ # encryption context value. The value must match the default
3536
+ # encryption context - the bucket Amazon Resource Name (ARN). An
3537
+ # additional encryption context value is not supported.
3538
+ #
3539
+ #
3540
+ #
3541
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
3542
+ # @return [String]
3543
+ #
3544
+ # @!attribute [rw] bucket_key_enabled
3545
+ # Specifies whether Amazon S3 should use an S3 Bucket Key for object
3546
+ # encryption with server-side encryption using KMS keys (SSE-KMS).
3547
+ #
3548
+ # S3 Bucket Keys are always enabled for `GET` and `PUT` operations in
3549
+ # a directory bucket and can’t be disabled. S3 Bucket Keys aren't
3550
+ # supported, when you copy SSE-KMS encrypted objects from general
3551
+ # purpose buckets to directory buckets, from directory buckets to
3552
+ # general purpose buckets, or between directory buckets, through
3553
+ # [CopyObject][1], [UploadPartCopy][2], [the Copy operation in Batch
3554
+ # Operations][3], or [the import jobs][4]. In this case, Amazon S3
3555
+ # makes a call to KMS every time a copy request is made for a
3556
+ # KMS-encrypted object.
3557
+ #
3558
+ #
3559
+ #
3560
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3561
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3562
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
3563
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
3564
+ # @return [Boolean]
3565
+ #
3327
3566
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/CreateSessionRequest AWS API Documentation
3328
3567
  #
3329
3568
  class CreateSessionRequest < Struct.new(
3330
3569
  :session_mode,
3331
- :bucket)
3332
- SENSITIVE = []
3570
+ :bucket,
3571
+ :server_side_encryption,
3572
+ :ssekms_key_id,
3573
+ :ssekms_encryption_context,
3574
+ :bucket_key_enabled)
3575
+ SENSITIVE = [:ssekms_key_id, :ssekms_encryption_context]
3333
3576
  include Aws::Structure
3334
3577
  end
3335
3578
 
3336
- # The container element for specifying the default Object Lock retention
3337
- # settings for new objects placed in the specified bucket.
3579
+ # The container element for optionally specifying the default Object
3580
+ # Lock retention settings for new objects placed in the specified
3581
+ # bucket.
3338
3582
  #
3339
3583
  # <note markdown="1"> * The `DefaultRetention` settings require both a mode and a period.
3340
3584
  #
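Review bot: The new `ssekms_encryption_context` comment on `CreateSessionRequest` contradicts itself: its first sentence describes the value "as an additional encryption context", while the **Directory buckets** paragraph says an additional encryption context value is not supported. The **General purpose buckets** paragraph about `CopyObject` also looks carried over from another operation, since the other attributes added in this hunk describe directory buckets only. I would open with `# Specifies the Amazon Web Services KMS Encryption Context to use for object encryption.` and drop the general-purpose paragraph. In the `ssekms_key_id` comment, `that't issuing the command` should read `that's issuing the command`, and the code span for the `x-amz-server-side-encryption-aws-kms-key-id` header has a stray leading space.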
@@ -3447,6 +3691,20 @@ module Aws::S3
3447
3691
  # @!attribute [rw] bucket
3448
3692
  # The name of the bucket containing the server-side encryption
3449
3693
  # configuration to delete.
3694
+ #
3695
+ # <b>Directory buckets </b> - When you use this operation with a
3696
+ # directory bucket, you must use path-style requests in the format
3697
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
3698
+ # Virtual-hosted-style requests aren't supported. Directory bucket
3699
+ # names must be unique in the chosen Availability Zone. Bucket names
3700
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
3701
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information
3702
+ # about bucket naming restrictions, see [Directory bucket naming
3703
+ # rules][1] in the *Amazon S3 User Guide*
3704
+ #
3705
+ #
3706
+ #
3707
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
3450
3708
  # @return [String]
3451
3709
  #
3452
3710
  # @!attribute [rw] expected_bucket_owner
@@ -3454,6 +3712,12 @@ module Aws::S3
3454
3712
  # you provide does not match the actual owner of the bucket, the
3455
3713
  # request fails with the HTTP status code `403 Forbidden` (access
3456
3714
  # denied).
3715
+ #
3716
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
3717
+ # operation. If you specify this header, the request fails with the
3718
+ # HTTP status code `501 Not Implemented`.
3719
+ #
3720
+ # </note>
3457
3721
  # @return [String]
3458
3722
  #
3459
3723
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/DeleteBucketEncryptionRequest AWS API Documentation
@@ -4167,13 +4431,13 @@ module Aws::S3
4167
4431
  # For the `x-amz-checksum-algorithm ` header, replace ` algorithm `
4168
4432
  # with the supported algorithm from the following list:
4169
4433
  #
4170
- # * CRC32
4434
+ # * `CRC32`
4171
4435
  #
4172
- # * CRC32C
4436
+ # * `CRC32C`
4173
4437
  #
4174
- # * SHA1
4438
+ # * `SHA1`
4175
4439
  #
4176
- # * SHA256
4440
+ # * `SHA256`
4177
4441
  #
4178
4442
  # For more information, see [Checking object integrity][1] in the
4179
4443
  # *Amazon S3 User Guide*.
@@ -4390,6 +4654,14 @@ module Aws::S3
4390
4654
  # Specifies encryption-related information for an Amazon S3 bucket that
4391
4655
  # is a destination for replicated objects.
4392
4656
  #
4657
+ # <note markdown="1"> If you're specifying a customer managed KMS key, we recommend using a
4658
+ # fully qualified KMS key ARN. If you use a KMS key alias instead, then
4659
+ # KMS resolves the key within the requester’s account. This behavior can
4660
+ # result in data that's encrypted with a KMS key that belongs to the
4661
+ # requester, and not the bucket owner.
4662
+ #
4663
+ # </note>
4664
+ #
4393
4665
  # @!attribute [rw] replica_kms_key_id
4394
4666
  # Specifies the ID (Key ARN or Alias ARN) of the customer managed
4395
4667
  # Amazon Web Services KMS key stored in Amazon Web Services Key
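Review bot: The added note warns that a "KMS key alias" is resolved in the requester's account, yet the `replica_kms_key_id` comment directly below still lists `Alias ARN` as an accepted form with no caveat. The text does not say whether an alias ARN falls under the warning or only a bare alias name, and that distinction decides whose key ends up encrypting the replicated objects. I would repeat the guidance at the attribute, e.g. `# Prefer a fully qualified KMS key ARN; an alias may resolve in the requester's account.`, and spell out which alias forms are affected. The `replica_kms_key_id` comment continues past the end of this hunk.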
@@ -5295,12 +5567,16 @@ module Aws::S3
5295
5567
  class EventBridgeConfiguration < Aws::EmptyStructure; end
5296
5568
 
5297
5569
  # Optional configuration to replicate existing source bucket objects.
5298
- # For more information, see [Replicating Existing Objects][1] in the
5570
+ #
5571
+ # <note markdown="1"> This parameter is no longer supported. To replicate existing objects,
5572
+ # see [Replicating existing objects with S3 Batch Replication][1] in the
5299
5573
  # *Amazon S3 User Guide*.
5300
5574
  #
5575
+ # </note>
5576
+ #
5301
5577
  #
5302
5578
  #
5303
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-what-is-isnot-replicated.html#existing-object-replication
5579
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-batch-replication-batch.html
5304
5580
  #
5305
5581
  # @!attribute [rw] status
5306
5582
  # Specifies whether Amazon S3 replicates existing source bucket
@@ -5564,6 +5840,20 @@ module Aws::S3
5564
5840
  # @!attribute [rw] bucket
5565
5841
  # The name of the bucket from which the server-side encryption
5566
5842
  # configuration is retrieved.
5843
+ #
5844
+ # <b>Directory buckets </b> - When you use this operation with a
5845
+ # directory bucket, you must use path-style requests in the format
5846
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
5847
+ # Virtual-hosted-style requests aren't supported. Directory bucket
5848
+ # names must be unique in the chosen Availability Zone. Bucket names
5849
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
5850
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information
5851
+ # about bucket naming restrictions, see [Directory bucket naming
5852
+ # rules][1] in the *Amazon S3 User Guide*
5853
+ #
5854
+ #
5855
+ #
5856
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
5567
5857
  # @return [String]
5568
5858
  #
5569
5859
  # @!attribute [rw] expected_bucket_owner
@@ -5571,6 +5861,12 @@ module Aws::S3
5571
5861
  # you provide does not match the actual owner of the bucket, the
5572
5862
  # request fails with the HTTP status code `403 Forbidden` (access
5573
5863
  # denied).
5864
+ #
5865
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
5866
+ # operation. If you specify this header, the request fails with the
5867
+ # HTTP status code `501 Not Implemented`.
5868
+ #
5869
+ # </note>
5574
5870
  # @return [String]
5575
5871
  #
5576
5872
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/GetBucketEncryptionRequest AWS API Documentation
@@ -5654,10 +5950,29 @@ module Aws::S3
5654
5950
  # Container for a lifecycle rule.
5655
5951
  # @return [Array<Types::LifecycleRule>]
5656
5952
  #
5953
+ # @!attribute [rw] transition_default_minimum_object_size
5954
+ # Indicates which default minimum object size behavior is applied to
5955
+ # the lifecycle configuration.
5956
+ #
5957
+ # * `all_storage_classes_128K` - Objects smaller than 128 KB will not
5958
+ # transition to any storage class by default.
5959
+ #
5960
+ # * `varies_by_storage_class` - Objects smaller than 128 KB will
5961
+ # transition to Glacier Flexible Retrieval or Glacier Deep Archive
5962
+ # storage classes. By default, all other storage classes will
5963
+ # prevent transitions smaller than 128 KB.
5964
+ #
5965
+ # To customize the minimum object size for any transition you can add
5966
+ # a filter that specifies a custom `ObjectSizeGreaterThan` or
5967
+ # `ObjectSizeLessThan` in the body of your transition rule. Custom
5968
+ # filters always take precedence over the default transition behavior.
5969
+ # @return [String]
5970
+ #
5657
5971
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/GetBucketLifecycleConfigurationOutput AWS API Documentation
5658
5972
  #
5659
5973
  class GetBucketLifecycleConfigurationOutput < Struct.new(
5660
- :rules)
5974
+ :rules,
5975
+ :transition_default_minimum_object_size)
5661
5976
  SENSITIVE = []
5662
5977
  include Aws::Structure
5663
5978
  end
@@ -6783,7 +7098,7 @@ module Aws::S3
6783
7098
  # @return [String]
6784
7099
  #
6785
7100
  # @!attribute [rw] checksum_crc32
6786
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
7101
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
6787
7102
  # only be present if it was uploaded with the object. For more
6788
7103
  # information, see [ Checking object integrity][1] in the *Amazon S3
6789
7104
  # User Guide*.
@@ -6794,7 +7109,7 @@ module Aws::S3
6794
7109
  # @return [String]
6795
7110
  #
6796
7111
  # @!attribute [rw] checksum_crc32c
6797
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
7112
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
6798
7113
  # only be present if it was uploaded with the object. For more
6799
7114
  # information, see [ Checking object integrity][1] in the *Amazon S3
6800
7115
  # User Guide*.
@@ -6892,12 +7207,7 @@ module Aws::S3
6892
7207
  #
6893
7208
  # @!attribute [rw] server_side_encryption
6894
7209
  # The server-side encryption algorithm used when you store this object
6895
- # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
6896
- #
6897
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
6898
- # managed keys (SSE-S3) (`AES256`) is supported.
6899
- #
6900
- # </note>
7210
+ # in Amazon S3.
6901
7211
  # @return [String]
6902
7212
  #
6903
7213
  # @!attribute [rw] metadata
@@ -6926,22 +7236,13 @@ module Aws::S3
6926
7236
  # @return [String]
6927
7237
  #
6928
7238
  # @!attribute [rw] ssekms_key_id
6929
- # If present, indicates the ID of the Key Management Service (KMS)
6930
- # symmetric encryption customer managed key that was used for the
6931
- # object.
6932
- #
6933
- # <note markdown="1"> This functionality is not supported for directory buckets.
6934
- #
6935
- # </note>
7239
+ # If present, indicates the ID of the KMS key that was used for object
7240
+ # encryption.
6936
7241
  # @return [String]
6937
7242
  #
6938
7243
  # @!attribute [rw] bucket_key_enabled
6939
7244
  # Indicates whether the object uses an S3 Bucket Key for server-side
6940
7245
  # encryption with Key Management Service (KMS) keys (SSE-KMS).
6941
- #
6942
- # <note markdown="1"> This functionality is not supported for directory buckets.
6943
- #
6944
- # </note>
6945
7246
  # @return [Boolean]
6946
7247
  #
6947
7248
  # @!attribute [rw] storage_class
@@ -7381,6 +7682,15 @@ module Aws::S3
7381
7682
  #
7382
7683
  # @!attribute [rw] checksum_mode
7383
7684
  # To retrieve the checksum, this mode must be enabled.
7685
+ #
7686
+ # **General purpose buckets** - In addition, if you enable checksum
7687
+ # mode and the object is uploaded with a [checksum][1] and encrypted
7688
+ # with an Key Management Service (KMS) key, you must have permission
7689
+ # to use the `kms:Decrypt` action to retrieve the checksum.
7690
+ #
7691
+ #
7692
+ #
7693
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
7384
7694
  # @return [String]
7385
7695
  #
7386
7696
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/GetObjectRequest AWS API Documentation
@@ -7802,17 +8112,13 @@ module Aws::S3
7802
8112
  #
7803
8113
  # @!attribute [rw] bucket_region
7804
8114
  # The Region that the bucket is located.
7805
- #
7806
- # <note markdown="1"> This functionality is not supported for directory buckets.
7807
- #
7808
- # </note>
7809
8115
  # @return [String]
7810
8116
  #
7811
8117
  # @!attribute [rw] access_point_alias
7812
8118
  # Indicates whether the bucket name used in the request is an access
7813
8119
  # point alias.
7814
8120
  #
7815
- # <note markdown="1"> This functionality is not supported for directory buckets.
8121
+ # <note markdown="1"> For directory buckets, the value of this field is `false`.
7816
8122
  #
7817
8123
  # </note>
7818
8124
  # @return [Boolean]
@@ -7974,7 +8280,7 @@ module Aws::S3
7974
8280
  # @return [Integer]
7975
8281
  #
7976
8282
  # @!attribute [rw] checksum_crc32
7977
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
8283
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
7978
8284
  # only be present if it was uploaded with the object. When you use an
7979
8285
  # API operation on an object that was uploaded using multipart
7980
8286
  # uploads, this value may not be a direct checksum value of the full
@@ -7989,7 +8295,7 @@ module Aws::S3
7989
8295
  # @return [String]
7990
8296
  #
7991
8297
  # @!attribute [rw] checksum_crc32c
7992
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
8298
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
7993
8299
  # only be present if it was uploaded with the object. When you use an
7994
8300
  # API operation on an object that was uploaded using multipart
7995
8301
  # uploads, this value may not be a direct checksum value of the full
@@ -8101,11 +8407,6 @@ module Aws::S3
8101
8407
  # @!attribute [rw] server_side_encryption
8102
8408
  # The server-side encryption algorithm used when you store this object
8103
8409
  # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
8104
- #
8105
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
8106
- # managed keys (SSE-S3) (`AES256`) is supported.
8107
- #
8108
- # </note>
8109
8410
  # @return [String]
8110
8411
  #
8111
8412
  # @!attribute [rw] metadata
@@ -8134,22 +8435,13 @@ module Aws::S3
8134
8435
  # @return [String]
8135
8436
  #
8136
8437
  # @!attribute [rw] ssekms_key_id
8137
- # If present, indicates the ID of the Key Management Service (KMS)
8138
- # symmetric encryption customer managed key that was used for the
8139
- # object.
8140
- #
8141
- # <note markdown="1"> This functionality is not supported for directory buckets.
8142
- #
8143
- # </note>
8438
+ # If present, indicates the ID of the KMS key that was used for object
8439
+ # encryption.
8144
8440
  # @return [String]
8145
8441
  #
8146
8442
  # @!attribute [rw] bucket_key_enabled
8147
8443
  # Indicates whether the object uses an S3 Bucket Key for server-side
8148
8444
  # encryption with Key Management Service (KMS) keys (SSE-KMS).
8149
- #
8150
- # <note markdown="1"> This functionality is not supported for directory buckets.
8151
- #
8152
- # </note>
8153
8445
  # @return [Boolean]
8154
8446
  #
8155
8447
  # @!attribute [rw] storage_class
@@ -8452,6 +8744,30 @@ module Aws::S3
8452
8744
  # Not Satisfiable` error.
8453
8745
  # @return [String]
8454
8746
  #
8747
+ # @!attribute [rw] response_cache_control
8748
+ # Sets the `Cache-Control` header of the response.
8749
+ # @return [String]
8750
+ #
8751
+ # @!attribute [rw] response_content_disposition
8752
+ # Sets the `Content-Disposition` header of the response.
8753
+ # @return [String]
8754
+ #
8755
+ # @!attribute [rw] response_content_encoding
8756
+ # Sets the `Content-Encoding` header of the response.
8757
+ # @return [String]
8758
+ #
8759
+ # @!attribute [rw] response_content_language
8760
+ # Sets the `Content-Language` header of the response.
8761
+ # @return [String]
8762
+ #
8763
+ # @!attribute [rw] response_content_type
8764
+ # Sets the `Content-Type` header of the response.
8765
+ # @return [String]
8766
+ #
8767
+ # @!attribute [rw] response_expires
8768
+ # Sets the `Expires` header of the response.
8769
+ # @return [Time]
8770
+ #
8455
8771
  # @!attribute [rw] version_id
8456
8772
  # Version ID used to reference a specific version of the object.
8457
8773
  #
@@ -8527,10 +8843,20 @@ module Aws::S3
8527
8843
  # @!attribute [rw] checksum_mode
8528
8844
  # To retrieve the checksum, this parameter must be enabled.
8529
8845
  #
8530
- # In addition, if you enable `ChecksumMode` and the object is
8531
- # encrypted with Amazon Web Services Key Management Service (Amazon
8532
- # Web Services KMS), you must have permission to use the `kms:Decrypt`
8533
- # action for the request to succeed.
8846
+ # **General purpose buckets** - If you enable checksum mode and the
8847
+ # object is uploaded with a [checksum][1] and encrypted with an Key
8848
+ # Management Service (KMS) key, you must have permission to use the
8849
+ # `kms:Decrypt` action to retrieve the checksum.
8850
+ #
8851
+ # **Directory buckets** - If you enable `ChecksumMode` and the object
8852
+ # is encrypted with Amazon Web Services Key Management Service (Amazon
8853
+ # Web Services KMS), you must also have the `kms:GenerateDataKey` and
8854
+ # `kms:Decrypt` permissions in IAM identity-based policies and KMS key
8855
+ # policies for the KMS key to retrieve the checksum of the object.
8856
+ #
8857
+ #
8858
+ #
8859
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
8534
8860
  # @return [String]
8535
8861
  #
8536
8862
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/HeadObjectRequest AWS API Documentation
@@ -8543,6 +8869,12 @@ module Aws::S3
8543
8869
  :if_unmodified_since,
8544
8870
  :key,
8545
8871
  :range,
8872
+ :response_cache_control,
8873
+ :response_content_disposition,
8874
+ :response_content_encoding,
8875
+ :response_content_language,
8876
+ :response_content_type,
8877
+ :response_expires,
8546
8878
  :version_id,
8547
8879
  :sse_customer_algorithm,
8548
8880
  :sse_customer_key,
@@ -8559,10 +8891,11 @@ module Aws::S3
8559
8891
  #
8560
8892
  # @!attribute [rw] suffix
8561
8893
  # A suffix that is appended to a request that is for a directory on
8562
- # the website endpoint (for example,if the suffix is index.html and
8563
- # you make a request to samplebucket/images/ the data that is returned
8564
- # will be for the object with the key name images/index.html) The
8565
- # suffix must not be empty and must not include a slash character.
8894
+ # the website endpoint. (For example, if the suffix is `index.html`
8895
+ # and you make a request to `samplebucket/images/`, the data that is
8896
+ # returned will be for the object with the key name
8897
+ # `images/index.html`.) The suffix must not be empty and must not
8898
+ # include a slash character.
8566
8899
  #
8567
8900
  # Replacement must be made for object keys containing special
8568
8901
  # characters (such as carriage returns) when using XML requests. For
@@ -9495,11 +9828,81 @@ module Aws::S3
9495
9828
  # The owner of the buckets listed.
9496
9829
  # @return [Types::Owner]
9497
9830
  #
9831
+ # @!attribute [rw] continuation_token
9832
+ # `ContinuationToken` is included in the response when there are more
9833
+ # buckets that can be listed with pagination. The next `ListBuckets`
9834
+ # request to Amazon S3 can be continued with this `ContinuationToken`.
9835
+ # `ContinuationToken` is obfuscated and is not a real bucket.
9836
+ # @return [String]
9837
+ #
9838
+ # @!attribute [rw] prefix
9839
+ # If `Prefix` was sent with the request, it is included in the
9840
+ # response.
9841
+ #
9842
+ # All bucket names in the response begin with the specified bucket
9843
+ # name prefix.
9844
+ # @return [String]
9845
+ #
9498
9846
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/ListBucketsOutput AWS API Documentation
9499
9847
  #
9500
9848
  class ListBucketsOutput < Struct.new(
9501
9849
  :buckets,
9502
- :owner)
9850
+ :owner,
9851
+ :continuation_token,
9852
+ :prefix)
9853
+ SENSITIVE = []
9854
+ include Aws::Structure
9855
+ end
9856
+
9857
+ # @!attribute [rw] max_buckets
9858
+ # Maximum number of buckets to be returned in response. When the
9859
+ # number is more than the count of buckets that are owned by an Amazon
9860
+ # Web Services account, return all the buckets in response.
9861
+ # @return [Integer]
9862
+ #
9863
+ # @!attribute [rw] continuation_token
9864
+ # `ContinuationToken` indicates to Amazon S3 that the list is being
9865
+ # continued on this bucket with a token. `ContinuationToken` is
9866
+ # obfuscated and is not a real key. You can use this
9867
+ # `ContinuationToken` for pagination of the list results.
9868
+ #
9869
+ # Length Constraints: Minimum length of 0. Maximum length of 1024.
9870
+ #
9871
+ # Required: No.
9872
+ # @return [String]
9873
+ #
9874
+ # @!attribute [rw] prefix
9875
+ # Limits the response to bucket names that begin with the specified
9876
+ # bucket name prefix.
9877
+ # @return [String]
9878
+ #
9879
+ # @!attribute [rw] bucket_region
9880
+ # Limits the response to buckets that are located in the specified
9881
+ # Amazon Web Services Region. The Amazon Web Services Region must be
9882
+ # expressed according to the Amazon Web Services Region code, such as
9883
+ # `us-west-2` for the US West (Oregon) Region. For a list of the valid
9884
+ # values for all of the Amazon Web Services Regions, see [Regions and
9885
+ # Endpoints][1].
9886
+ #
9887
+ # <note markdown="1"> Requests made to a Regional endpoint that is different from the
9888
+ # `bucket-region` parameter are not supported. For example, if you
9889
+ # want to limit the response to your buckets in Region `us-west-2`,
9890
+ # the request must be made to an endpoint in Region `us-west-2`.
9891
+ #
9892
+ # </note>
9893
+ #
9894
+ #
9895
+ #
9896
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region
9897
+ # @return [String]
9898
+ #
9899
+ # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/ListBucketsRequest AWS API Documentation
9900
+ #
9901
+ class ListBucketsRequest < Struct.new(
9902
+ :max_buckets,
9903
+ :continuation_token,
9904
+ :prefix,
9905
+ :bucket_region)
9503
9906
  SENSITIVE = []
9504
9907
  include Aws::Structure
9505
9908
  end
@@ -9525,9 +9928,10 @@ module Aws::S3
9525
9928
 
9526
9929
  # @!attribute [rw] continuation_token
9527
9930
  # `ContinuationToken` indicates to Amazon S3 that the list is being
9528
- # continued on this bucket with a token. `ContinuationToken` is
9529
- # obfuscated and is not a real key. You can use this
9530
- # `ContinuationToken` for pagination of the list results.
9931
+ # continued on buckets in this account with a token.
9932
+ # `ContinuationToken` is obfuscated and is not a real bucket name. You
9933
+ # can use this `ContinuationToken` for the pagination of the list
9934
+ # results.
9531
9935
  # @return [String]
9532
9936
  #
9533
9937
  # @!attribute [rw] max_directory_buckets
@@ -9737,12 +10141,26 @@ module Aws::S3
9737
10141
  # @return [String]
9738
10142
  #
9739
10143
  # @!attribute [rw] encoding_type
9740
- # Requests Amazon S3 to encode the object keys in the response and
9741
- # specifies the encoding method to use. An object key can contain any
9742
- # Unicode character; however, the XML 1.0 parser cannot parse some
9743
- # characters, such as characters with an ASCII value from 0 to 10. For
9744
- # characters that are not supported in XML 1.0, you can add this
9745
- # parameter to request that Amazon S3 encode the keys in the response.
10144
+ # Encoding type used by Amazon S3 to encode the [object keys][1] in
10145
+ # the response. Responses are encoded only in UTF-8. An object key can
10146
+ # contain any Unicode character. However, the XML 1.0 parser can't
10147
+ # parse certain characters, such as characters with an ASCII value
10148
+ # from 0 to 10. For characters that aren't supported in XML 1.0, you
10149
+ # can add this parameter to request that Amazon S3 encode the keys in
10150
+ # the response. For more information about characters to avoid in
10151
+ # object key names, see [Object key naming guidelines][2].
10152
+ #
10153
+ # <note markdown="1"> When using the URL encoding type, non-ASCII characters that are used
10154
+ # in an object's key name will be percent-encoded according to UTF-8
10155
+ # code values. For example, the object `test_file(3).png` will appear
10156
+ # as `test_file%283%29.png`.
10157
+ #
10158
+ # </note>
10159
+ #
10160
+ #
10161
+ #
10162
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html
10163
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines
9746
10164
  # @return [String]
9747
10165
  #
9748
10166
  # @!attribute [rw] key_marker
@@ -9967,12 +10385,26 @@ module Aws::S3
9967
10385
  # @return [String]
9968
10386
  #
9969
10387
  # @!attribute [rw] encoding_type
9970
- # Requests Amazon S3 to encode the object keys in the response and
9971
- # specifies the encoding method to use. An object key can contain any
9972
- # Unicode character; however, the XML 1.0 parser cannot parse some
9973
- # characters, such as characters with an ASCII value from 0 to 10. For
9974
- # characters that are not supported in XML 1.0, you can add this
9975
- # parameter to request that Amazon S3 encode the keys in the response.
10388
+ # Encoding type used by Amazon S3 to encode the [object keys][1] in
10389
+ # the response. Responses are encoded only in UTF-8. An object key can
10390
+ # contain any Unicode character. However, the XML 1.0 parser can't
10391
+ # parse certain characters, such as characters with an ASCII value
10392
+ # from 0 to 10. For characters that aren't supported in XML 1.0, you
10393
+ # can add this parameter to request that Amazon S3 encode the keys in
10394
+ # the response. For more information about characters to avoid in
10395
+ # object key names, see [Object key naming guidelines][2].
10396
+ #
10397
+ # <note markdown="1"> When using the URL encoding type, non-ASCII characters that are used
10398
+ # in an object's key name will be percent-encoded according to UTF-8
10399
+ # code values. For example, the object `test_file(3).png` will appear
10400
+ # as `test_file%283%29.png`.
10401
+ #
10402
+ # </note>
10403
+ #
10404
+ #
10405
+ #
10406
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html
10407
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines
9976
10408
  # @return [String]
9977
10409
  #
9978
10410
  # @!attribute [rw] key_marker
@@ -10119,10 +10551,26 @@ module Aws::S3
10119
10551
  # @return [Array<Types::CommonPrefix>]
10120
10552
  #
10121
10553
  # @!attribute [rw] encoding_type
10122
- # Encoding type used by Amazon S3 to encode object keys in the
10123
- # response. If using `url`, non-ASCII characters used in an object's
10124
- # key name will be URL encoded. For example, the object
10125
- # test\_file(3).png will appear as test\_file%283%29.png.
10554
+ # Encoding type used by Amazon S3 to encode the [object keys][1] in
10555
+ # the response. Responses are encoded only in UTF-8. An object key can
10556
+ # contain any Unicode character. However, the XML 1.0 parser can't
10557
+ # parse certain characters, such as characters with an ASCII value
10558
+ # from 0 to 10. For characters that aren't supported in XML 1.0, you
10559
+ # can add this parameter to request that Amazon S3 encode the keys in
10560
+ # the response. For more information about characters to avoid in
10561
+ # object key names, see [Object key naming guidelines][2].
10562
+ #
10563
+ # <note markdown="1"> When using the URL encoding type, non-ASCII characters that are used
10564
+ # in an object's key name will be percent-encoded according to UTF-8
10565
+ # code values. For example, the object `test_file(3).png` will appear
10566
+ # as `test_file%283%29.png`.
10567
+ #
10568
+ # </note>
10569
+ #
10570
+ #
10571
+ #
10572
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html
10573
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines
10126
10574
  # @return [String]
10127
10575
  #
10128
10576
  # @!attribute [rw] request_charged
@@ -10202,12 +10650,26 @@ module Aws::S3
10202
10650
  # @return [String]
10203
10651
  #
10204
10652
  # @!attribute [rw] encoding_type
10205
- # Requests Amazon S3 to encode the object keys in the response and
10206
- # specifies the encoding method to use. An object key can contain any
10207
- # Unicode character; however, the XML 1.0 parser cannot parse some
10208
- # characters, such as characters with an ASCII value from 0 to 10. For
10209
- # characters that are not supported in XML 1.0, you can add this
10210
- # parameter to request that Amazon S3 encode the keys in the response.
10653
+ # Encoding type used by Amazon S3 to encode the [object keys][1] in
10654
+ # the response. Responses are encoded only in UTF-8. An object key can
10655
+ # contain any Unicode character. However, the XML 1.0 parser can't
10656
+ # parse certain characters, such as characters with an ASCII value
10657
+ # from 0 to 10. For characters that aren't supported in XML 1.0, you
10658
+ # can add this parameter to request that Amazon S3 encode the keys in
10659
+ # the response. For more information about characters to avoid in
10660
+ # object key names, see [Object key naming guidelines][2].
10661
+ #
10662
+ # <note markdown="1"> When using the URL encoding type, non-ASCII characters that are used
10663
+ # in an object's key name will be percent-encoded according to UTF-8
10664
+ # code values. For example, the object `test_file(3).png` will appear
10665
+ # as `test_file%283%29.png`.
10666
+ #
10667
+ # </note>
10668
+ #
10669
+ #
10670
+ #
10671
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html
10672
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines
10211
10673
  # @return [String]
10212
10674
  #
10213
10675
  # @!attribute [rw] marker
@@ -10475,10 +10937,26 @@ module Aws::S3
10475
10937
  # @return [String]
10476
10938
  #
10477
10939
  # @!attribute [rw] encoding_type
10478
- # Encoding type used by Amazon S3 to encode object keys in the
10479
- # response. If using `url`, non-ASCII characters used in an object's
10480
- # key name will be URL encoded. For example, the object
10481
- # test\_file(3).png will appear as test\_file%283%29.png.
10940
+ # Encoding type used by Amazon S3 to encode the [object keys][1] in
10941
+ # the response. Responses are encoded only in UTF-8. An object key can
10942
+ # contain any Unicode character. However, the XML 1.0 parser can't
10943
+ # parse certain characters, such as characters with an ASCII value
10944
+ # from 0 to 10. For characters that aren't supported in XML 1.0, you
10945
+ # can add this parameter to request that Amazon S3 encode the keys in
10946
+ # the response. For more information about characters to avoid in
10947
+ # object key names, see [Object key naming guidelines][2].
10948
+ #
10949
+ # <note markdown="1"> When using the URL encoding type, non-ASCII characters that are used
10950
+ # in an object's key name will be percent-encoded according to UTF-8
10951
+ # code values. For example, the object `test_file(3).png` will appear
10952
+ # as `test_file%283%29.png`.
10953
+ #
10954
+ # </note>
10955
+ #
10956
+ #
10957
+ #
10958
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html
10959
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines
10482
10960
  # @return [String]
10483
10961
  #
10484
10962
  # @!attribute [rw] max_keys
@@ -11173,10 +11651,10 @@ module Aws::S3
11173
11651
  # @return [Integer]
11174
11652
  #
11175
11653
  # @!attribute [rw] newer_noncurrent_versions
11176
- # Specifies how many newer noncurrent versions must exist before
11177
- # Amazon S3 can perform the associated action on a given version. If
11178
- # there are this many more recent noncurrent versions, Amazon S3 will
11179
- # take the associated action. For more information about noncurrent
11654
+ # Specifies how many noncurrent versions Amazon S3 will retain. You
11655
+ # can specify up to 100 noncurrent versions to retain. Amazon S3 will
11656
+ # permanently delete any additional noncurrent versions beyond the
11657
+ # specified number to retain. For more information about noncurrent
11180
11658
  # versions, see [Lifecycle configuration elements][1] in the *Amazon
11181
11659
  # S3 User Guide*.
11182
11660
  #
@@ -11220,12 +11698,12 @@ module Aws::S3
11220
11698
  # @return [String]
11221
11699
  #
11222
11700
  # @!attribute [rw] newer_noncurrent_versions
11223
- # Specifies how many newer noncurrent versions must exist before
11224
- # Amazon S3 can perform the associated action on a given version. If
11225
- # there are this many more recent noncurrent versions, Amazon S3 will
11226
- # take the associated action. For more information about noncurrent
11227
- # versions, see [Lifecycle configuration elements][1] in the *Amazon
11228
- # S3 User Guide*.
11701
+ # Specifies how many noncurrent versions Amazon S3 will retain in the
11702
+ # same storage class before transitioning objects. You can specify up
11703
+ # to 100 noncurrent versions to retain. Amazon S3 will transition any
11704
+ # additional noncurrent versions beyond the specified number to
11705
+ # retain. For more information about noncurrent versions, see
11706
+ # [Lifecycle configuration elements][1] in the *Amazon S3 User Guide*.
11229
11707
  #
11230
11708
  #
11231
11709
  #
@@ -11556,7 +12034,7 @@ module Aws::S3
11556
12034
  # @!attribute [rw] checksum_crc32
11557
12035
  # This header can be used as a data integrity check to verify that the
11558
12036
  # data received is the same data that was originally sent. This header
11559
- # specifies the base64-encoded, 32-bit CRC32 checksum of the object.
12037
+ # specifies the base64-encoded, 32-bit CRC-32 checksum of the object.
11560
12038
  # For more information, see [Checking object integrity][1] in the
11561
12039
  # *Amazon S3 User Guide*.
11562
12040
  #
@@ -11566,7 +12044,7 @@ module Aws::S3
11566
12044
  # @return [String]
11567
12045
  #
11568
12046
  # @!attribute [rw] checksum_crc32c
11569
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
12047
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
11570
12048
  # only be present if it was uploaded with the object. When you use an
11571
12049
  # API operation on an object that was uploaded using multipart
11572
12050
  # uploads, this value may not be a direct checksum value of the full
@@ -11856,7 +12334,7 @@ module Aws::S3
11856
12334
  # @!attribute [rw] checksum_crc32
11857
12335
  # This header can be used as a data integrity check to verify that the
11858
12336
  # data received is the same data that was originally sent. This header
11859
- # specifies the base64-encoded, 32-bit CRC32 checksum of the object.
12337
+ # specifies the base64-encoded, 32-bit CRC-32 checksum of the object.
11860
12338
  # For more information, see [Checking object integrity][1] in the
11861
12339
  # *Amazon S3 User Guide*.
11862
12340
  #
@@ -11866,7 +12344,7 @@ module Aws::S3
11866
12344
  # @return [String]
11867
12345
  #
11868
12346
  # @!attribute [rw] checksum_crc32c
11869
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
12347
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
11870
12348
  # only be present if it was uploaded with the object. When you use an
11871
12349
  # API operation on an object that was uploaded using multipart
11872
12350
  # uploads, this value may not be a direct checksum value of the full
@@ -11932,7 +12410,15 @@ module Aws::S3
11932
12410
  #
11933
12411
  # @!attribute [rw] partition_date_source
11934
12412
  # Specifies the partition date source for the partitioned prefix.
11935
- # PartitionDateSource can be EventTime or DeliveryTime.
12413
+ # `PartitionDateSource` can be `EventTime` or `DeliveryTime`.
12414
+ #
12415
+ # For `DeliveryTime`, the time in the log file names corresponds to
12416
+ # the delivery time for the log files.
12417
+ #
12418
+ # For `EventTime`, The logs delivered are for a specific day only. The
12419
+ # year, month, and day correspond to the day on which the event
12420
+ # occurred, and the hour, minutes and seconds are set to 00 in the
12421
+ # key.
11936
12422
  # @return [String]
11937
12423
  #
11938
12424
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/PartitionedPrefix AWS API Documentation
@@ -12045,8 +12531,9 @@ module Aws::S3
12045
12531
  # @!attribute [rw] restrict_public_buckets
12046
12532
  # Specifies whether Amazon S3 should restrict public bucket policies
12047
12533
  # for this bucket. Setting this element to `TRUE` restricts access to
12048
- # this bucket to only Amazon Web Service principals and authorized
12049
- # users within this account if the bucket has a public policy.
12534
+ # this bucket to only Amazon Web Services service principals and
12535
+ # authorized users within this account if the bucket has a public
12536
+ # policy.
12050
12537
  #
12051
12538
  # Enabling this setting doesn't affect previously stored bucket
12052
12539
  # policies, except that public and cross-account access within any
@@ -12301,18 +12788,21 @@ module Aws::S3
12301
12788
 
12302
12789
  # @!attribute [rw] bucket
12303
12790
  # Specifies default encryption for a bucket using server-side
12304
- # encryption with different key options. By default, all buckets have
12305
- # a default encryption configuration that uses server-side encryption
12306
- # with Amazon S3 managed keys (SSE-S3). You can optionally configure
12307
- # default encryption for a bucket by using server-side encryption with
12308
- # an Amazon Web Services KMS key (SSE-KMS) or a customer-provided key
12309
- # (SSE-C). For information about the bucket default encryption
12310
- # feature, see [Amazon S3 Bucket Default Encryption][1] in the *Amazon
12311
- # S3 User Guide*.
12791
+ # encryption with different key options.
12792
+ #
12793
+ # <b>Directory buckets </b> - When you use this operation with a
12794
+ # directory bucket, you must use path-style requests in the format
12795
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
12796
+ # Virtual-hosted-style requests aren't supported. Directory bucket
12797
+ # names must be unique in the chosen Availability Zone. Bucket names
12798
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
12799
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information
12800
+ # about bucket naming restrictions, see [Directory bucket naming
12801
+ # rules][1] in the *Amazon S3 User Guide*
12312
12802
  #
12313
12803
  #
12314
12804
  #
12315
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
12805
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
12316
12806
  # @return [String]
12317
12807
  #
12318
12808
  # @!attribute [rw] content_md5
@@ -12322,6 +12812,10 @@ module Aws::S3
12322
12812
  # For requests made using the Amazon Web Services Command Line
12323
12813
  # Interface (CLI) or Amazon Web Services SDKs, this field is
12324
12814
  # calculated automatically.
12815
+ #
12816
+ # <note markdown="1"> This functionality is not supported for directory buckets.
12817
+ #
12818
+ # </note>
12325
12819
  # @return [String]
12326
12820
  #
12327
12821
  # @!attribute [rw] checksum_algorithm
@@ -12336,6 +12830,12 @@ module Aws::S3
12336
12830
  # If you provide an individual checksum, Amazon S3 ignores any
12337
12831
  # provided `ChecksumAlgorithm` parameter.
12338
12832
  #
12833
+ # <note markdown="1"> For directory buckets, when you use Amazon Web Services SDKs,
12834
+ # `CRC32` is the default checksum algorithm that's used for
12835
+ # performance.
12836
+ #
12837
+ # </note>
12838
+ #
12339
12839
  #
12340
12840
  #
12341
12841
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
@@ -12350,6 +12850,12 @@ module Aws::S3
12350
12850
  # you provide does not match the actual owner of the bucket, the
12351
12851
  # request fails with the HTTP status code `403 Forbidden` (access
12352
12852
  # denied).
12853
+ #
12854
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
12855
+ # operation. If you specify this header, the request fails with the
12856
+ # HTTP status code `501 Not Implemented`.
12857
+ #
12858
+ # </note>
12353
12859
  # @return [String]
12354
12860
  #
12355
12861
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/PutBucketEncryptionRequest AWS API Documentation
@@ -12418,6 +12924,32 @@ module Aws::S3
12418
12924
  include Aws::Structure
12419
12925
  end
12420
12926
 
12927
+ # @!attribute [rw] transition_default_minimum_object_size
12928
+ # Indicates which default minimum object size behavior is applied to
12929
+ # the lifecycle configuration.
12930
+ #
12931
+ # * `all_storage_classes_128K` - Objects smaller than 128 KB will not
12932
+ # transition to any storage class by default.
12933
+ #
12934
+ # * `varies_by_storage_class` - Objects smaller than 128 KB will
12935
+ # transition to Glacier Flexible Retrieval or Glacier Deep Archive
12936
+ # storage classes. By default, all other storage classes will
12937
+ # prevent transitions smaller than 128 KB.
12938
+ #
12939
+ # To customize the minimum object size for any transition you can add
12940
+ # a filter that specifies a custom `ObjectSizeGreaterThan` or
12941
+ # `ObjectSizeLessThan` in the body of your transition rule. Custom
12942
+ # filters always take precedence over the default transition behavior.
12943
+ # @return [String]
12944
+ #
12945
+ # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/PutBucketLifecycleConfigurationOutput AWS API Documentation
12946
+ #
12947
+ class PutBucketLifecycleConfigurationOutput < Struct.new(
12948
+ :transition_default_minimum_object_size)
12949
+ SENSITIVE = []
12950
+ include Aws::Structure
12951
+ end
12952
+
12421
12953
  # @!attribute [rw] bucket
12422
12954
  # The name of the bucket for which to set the configuration.
12423
12955
  # @return [String]
@@ -12450,13 +12982,32 @@ module Aws::S3
12450
12982
  # denied).
12451
12983
  # @return [String]
12452
12984
  #
12985
+ # @!attribute [rw] transition_default_minimum_object_size
12986
+ # Indicates which default minimum object size behavior is applied to
12987
+ # the lifecycle configuration.
12988
+ #
12989
+ # * `all_storage_classes_128K` - Objects smaller than 128 KB will not
12990
+ # transition to any storage class by default.
12991
+ #
12992
+ # * `varies_by_storage_class` - Objects smaller than 128 KB will
12993
+ # transition to Glacier Flexible Retrieval or Glacier Deep Archive
12994
+ # storage classes. By default, all other storage classes will
12995
+ # prevent transitions smaller than 128 KB.
12996
+ #
12997
+ # To customize the minimum object size for any transition you can add
12998
+ # a filter that specifies a custom `ObjectSizeGreaterThan` or
12999
+ # `ObjectSizeLessThan` in the body of your transition rule. Custom
13000
+ # filters always take precedence over the default transition behavior.
13001
+ # @return [String]
13002
+ #
12453
13003
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/PutBucketLifecycleConfigurationRequest AWS API Documentation
12454
13004
  #
12455
13005
  class PutBucketLifecycleConfigurationRequest < Struct.new(
12456
13006
  :bucket,
12457
13007
  :checksum_algorithm,
12458
13008
  :lifecycle_configuration,
12459
- :expected_bucket_owner)
13009
+ :expected_bucket_owner,
13010
+ :transition_default_minimum_object_size)
12460
13011
  SENSITIVE = []
12461
13012
  include Aws::Structure
12462
13013
  end
@@ -12755,13 +13306,13 @@ module Aws::S3
12755
13306
  # For the `x-amz-checksum-algorithm ` header, replace ` algorithm `
12756
13307
  # with the supported algorithm from the following list:
12757
13308
  #
12758
- # * CRC32
13309
+ # * `CRC32`
12759
13310
  #
12760
- # * CRC32C
13311
+ # * `CRC32C`
12761
13312
  #
12762
- # * SHA1
13313
+ # * `SHA1`
12763
13314
  #
12764
- # * SHA256
13315
+ # * `SHA256`
12765
13316
  #
12766
13317
  # For more information, see [Checking object integrity][1] in the
12767
13318
  # *Amazon S3 User Guide*.
@@ -13557,7 +14108,7 @@ module Aws::S3
13557
14108
  # @return [String]
13558
14109
  #
13559
14110
  # @!attribute [rw] checksum_crc32
13560
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
14111
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
13561
14112
  # only be present if it was uploaded with the object. When you use an
13562
14113
  # API operation on an object that was uploaded using multipart
13563
14114
  # uploads, this value may not be a direct checksum value of the full
@@ -13572,7 +14123,7 @@ module Aws::S3
13572
14123
  # @return [String]
13573
14124
  #
13574
14125
  # @!attribute [rw] checksum_crc32c
13575
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
14126
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
13576
14127
  # only be present if it was uploaded with the object. When you use an
13577
14128
  # API operation on an object that was uploaded using multipart
13578
14129
  # uploads, this value may not be a direct checksum value of the full
@@ -13618,12 +14169,7 @@ module Aws::S3
13618
14169
  #
13619
14170
  # @!attribute [rw] server_side_encryption
13620
14171
  # The server-side encryption algorithm used when you store this object
13621
- # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
13622
- #
13623
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
13624
- # managed keys (SSE-S3) (`AES256`) is supported.
13625
- #
13626
- # </note>
14172
+ # in Amazon S3.
13627
14173
  # @return [String]
13628
14174
  #
13629
14175
  # @!attribute [rw] version_id
@@ -13671,37 +14217,23 @@ module Aws::S3
13671
14217
  # @return [String]
13672
14218
  #
13673
14219
  # @!attribute [rw] ssekms_key_id
13674
- # If `x-amz-server-side-encryption` has a valid value of `aws:kms` or
13675
- # `aws:kms:dsse`, this header indicates the ID of the Key Management
13676
- # Service (KMS) symmetric encryption customer managed key that was
13677
- # used for the object.
13678
- #
13679
- # <note markdown="1"> This functionality is not supported for directory buckets.
13680
- #
13681
- # </note>
14220
+ # If present, indicates the ID of the KMS key that was used for object
14221
+ # encryption.
13682
14222
  # @return [String]
13683
14223
  #
13684
14224
  # @!attribute [rw] ssekms_encryption_context
13685
14225
  # If present, indicates the Amazon Web Services KMS Encryption Context
13686
14226
  # to use for object encryption. The value of this header is a
13687
- # base64-encoded UTF-8 string holding JSON with the encryption context
13688
- # key-value pairs. This value is stored as object metadata and
13689
- # automatically gets passed on to Amazon Web Services KMS for future
13690
- # `GetObject` or `CopyObject` operations on this object.
13691
- #
13692
- # <note markdown="1"> This functionality is not supported for directory buckets.
13693
- #
13694
- # </note>
14227
+ # Base64-encoded string of a UTF-8 encoded JSON, which contains the
14228
+ # encryption context as key-value pairs. This value is stored as
14229
+ # object metadata and automatically gets passed on to Amazon Web
14230
+ # Services KMS for future `GetObject` operations on this object.
13695
14231
  # @return [String]
13696
14232
  #
13697
14233
  # @!attribute [rw] bucket_key_enabled
13698
14234
  # Indicates whether the uploaded object uses an S3 Bucket Key for
13699
14235
  # server-side encryption with Key Management Service (KMS) keys
13700
14236
  # (SSE-KMS).
13701
- #
13702
- # <note markdown="1"> This functionality is not supported for directory buckets.
13703
- #
13704
- # </note>
13705
14237
  # @return [Boolean]
13706
14238
  #
13707
14239
  # @!attribute [rw] request_charged
@@ -13878,10 +14410,11 @@ module Aws::S3
13878
14410
  # information about REST request authentication, see [REST
13879
14411
  # Authentication][1].
13880
14412
  #
13881
- # <note markdown="1"> The `Content-MD5` header is required for any request to upload an
13882
- # object with a retention period configured using Amazon S3 Object
13883
- # Lock. For more information about Amazon S3 Object Lock, see [Amazon
13884
- # S3 Object Lock Overview][2] in the *Amazon S3 User Guide*.
14413
+ # <note markdown="1"> The `Content-MD5` or `x-amz-sdk-checksum-algorithm` header is
14414
+ # required for any request to upload an object with a retention period
14415
+ # configured using Amazon S3 Object Lock. For more information, see
14416
+ # [Uploading objects to an Object Lock enabled bucket ][2] in the
14417
+ # *Amazon S3 User Guide*.
13885
14418
  #
13886
14419
  # </note>
13887
14420
  #
@@ -13892,7 +14425,7 @@ module Aws::S3
13892
14425
  #
13893
14426
  #
13894
14427
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html
13895
- # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html
14428
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-managing.html#object-lock-put-object
13896
14429
  # @return [String]
13897
14430
  #
13898
14431
  # @!attribute [rw] content_type
@@ -13916,13 +14449,13 @@ module Aws::S3
13916
14449
  # For the `x-amz-checksum-algorithm ` header, replace ` algorithm `
13917
14450
  # with the supported algorithm from the following list:
13918
14451
  #
13919
- # * CRC32
14452
+ # * `CRC32`
13920
14453
  #
13921
- # * CRC32C
14454
+ # * `CRC32C`
13922
14455
  #
13923
- # * SHA1
14456
+ # * `SHA1`
13924
14457
  #
13925
- # * SHA256
14458
+ # * `SHA256`
13926
14459
  #
13927
14460
  # For more information, see [Checking object integrity][1] in the
13928
14461
  # *Amazon S3 User Guide*.
@@ -13934,21 +14467,28 @@ module Aws::S3
13934
14467
  # algorithm that matches the provided value in
13935
14468
  # `x-amz-checksum-algorithm `.
13936
14469
  #
13937
- # <note markdown="1"> For directory buckets, when you use Amazon Web Services SDKs,
13938
- # `CRC32` is the default checksum algorithm that's used for
13939
- # performance.
14470
+ # <note markdown="1"> The `Content-MD5` or `x-amz-sdk-checksum-algorithm` header is
14471
+ # required for any request to upload an object with a retention period
14472
+ # configured using Amazon S3 Object Lock. For more information, see
14473
+ # [Uploading objects to an Object Lock enabled bucket ][2] in the
14474
+ # *Amazon S3 User Guide*.
13940
14475
  #
13941
14476
  # </note>
13942
14477
  #
14478
+ # For directory buckets, when you use Amazon Web Services SDKs,
14479
+ # `CRC32` is the default checksum algorithm that's used for
14480
+ # performance.
14481
+ #
13943
14482
  #
13944
14483
  #
13945
14484
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
14485
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-managing.html#object-lock-put-object
13946
14486
  # @return [String]
13947
14487
  #
13948
14488
  # @!attribute [rw] checksum_crc32
13949
14489
  # This header can be used as a data integrity check to verify that the
13950
14490
  # data received is the same data that was originally sent. This header
13951
- # specifies the base64-encoded, 32-bit CRC32 checksum of the object.
14491
+ # specifies the base64-encoded, 32-bit CRC-32 checksum of the object.
13952
14492
  # For more information, see [Checking object integrity][1] in the
13953
14493
  # *Amazon S3 User Guide*.
13954
14494
  #
@@ -13960,7 +14500,7 @@ module Aws::S3
13960
14500
  # @!attribute [rw] checksum_crc32c
13961
14501
  # This header can be used as a data integrity check to verify that the
13962
14502
  # data received is the same data that was originally sent. This header
13963
- # specifies the base64-encoded, 32-bit CRC32C checksum of the object.
14503
+ # specifies the base64-encoded, 32-bit CRC-32C checksum of the object.
13964
14504
  # For more information, see [Checking object integrity][1] in the
13965
14505
  # *Amazon S3 User Guide*.
13966
14506
  #
@@ -14003,6 +14543,26 @@ module Aws::S3
14003
14543
  # [1]: https://www.rfc-editor.org/rfc/rfc7234#section-5.3
14004
14544
  # @return [Time]
14005
14545
  #
14546
+ # @!attribute [rw] if_none_match
14547
+ # Uploads the object only if the object key name does not already
14548
+ # exist in the bucket specified. Otherwise, Amazon S3 returns a `412
14549
+ # Precondition Failed` error.
14550
+ #
14551
+ # If a conflicting operation occurs during the upload S3 returns a
14552
+ # `409 ConditionalRequestConflict` response. On a 409 failure you
14553
+ # should retry the upload.
14554
+ #
14555
+ # Expects the '*' (asterisk) character.
14556
+ #
14557
+ # For more information about conditional requests, see [RFC 7232][1],
14558
+ # or [Conditional requests][2] in the *Amazon S3 User Guide*.
14559
+ #
14560
+ #
14561
+ #
14562
+ # [1]: https://tools.ietf.org/html/rfc7232
14563
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/conditional-requests.html
14564
+ # @return [String]
14565
+ #
14006
14566
  # @!attribute [rw] grant_full_control
14007
14567
  # Gives the grantee READ, READ\_ACP, and WRITE\_ACP permissions on the
14008
14568
  # object.
@@ -14057,25 +14617,66 @@ module Aws::S3
14057
14617
  # this object in Amazon S3 (for example, `AES256`, `aws:kms`,
14058
14618
  # `aws:kms:dsse`).
14059
14619
  #
14060
- # <b>General purpose buckets </b> - You have four mutually exclusive
14061
- # options to protect data using server-side encryption in Amazon S3,
14062
- # depending on how you choose to manage the encryption keys.
14063
- # Specifically, the encryption key options are Amazon S3 managed keys
14064
- # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
14065
- # customer-provided keys (SSE-C). Amazon S3 encrypts data with
14066
- # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
14067
- # default. You can optionally tell Amazon S3 to encrypt data at rest
14068
- # by using server-side encryption with other key options. For more
14069
- # information, see [Using Server-Side Encryption][1] in the *Amazon S3
14070
- # User Guide*.
14620
+ # * <b>General purpose buckets </b> - You have four mutually exclusive
14621
+ # options to protect data using server-side encryption in Amazon S3,
14622
+ # depending on how you choose to manage the encryption keys.
14623
+ # Specifically, the encryption key options are Amazon S3 managed
14624
+ # keys (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS),
14625
+ # and customer-provided keys (SSE-C). Amazon S3 encrypts data with
14626
+ # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
14627
+ # default. You can optionally tell Amazon S3 to encrypt data at rest
14628
+ # by using server-side encryption with other key options. For more
14629
+ # information, see [Using Server-Side Encryption][1] in the *Amazon
14630
+ # S3 User Guide*.
14631
+ #
14632
+ # * <b>Directory buckets </b> - For directory buckets, there are only
14633
+ # two supported options for server-side encryption: server-side
14634
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
14635
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
14636
+ # recommend that the bucket's default encryption uses the desired
14637
+ # encryption configuration and you don't override the bucket
14638
+ # default encryption in your `CreateSession` requests or `PUT`
14639
+ # object requests. Then, new objects are automatically encrypted
14640
+ # with the desired encryption settings. For more information, see
14641
+ # [Protecting data with server-side encryption][2] in the *Amazon S3
14642
+ # User Guide*. For more information about the encryption overriding
14643
+ # behaviors in directory buckets, see [Specifying server-side
14644
+ # encryption with KMS for new object uploads][3].
14645
+ #
14646
+ # In the Zonal endpoint API calls (except [CopyObject][4] and
14647
+ # [UploadPartCopy][5]) using the REST API, the encryption request
14648
+ # headers must match the encryption settings that are specified in
14649
+ # the `CreateSession` request. You can't override the values of the
14650
+ # encryption settings (`x-amz-server-side-encryption`,
14651
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
14652
+ # `x-amz-server-side-encryption-context`, and
14653
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
14654
+ # specified in the `CreateSession` request. You don't need to
14655
+ # explicitly specify these encryption settings values in Zonal
14656
+ # endpoint API calls, and Amazon S3 will use the encryption settings
14657
+ # values from the `CreateSession` request to protect new objects in
14658
+ # the directory bucket.
14659
+ #
14660
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
14661
+ # `CreateSession`, the session token refreshes automatically to
14662
+ # avoid service interruptions when a session expires. The CLI or the
14663
+ # Amazon Web Services SDKs use the bucket's default encryption
14664
+ # configuration for the `CreateSession` request. It's not supported
14665
+ # to override the encryption settings values in the `CreateSession`
14666
+ # request. So in the Zonal endpoint API calls (except
14667
+ # [CopyObject][4] and [UploadPartCopy][5]), the encryption request
14668
+ # headers must match the default encryption configuration of the
14669
+ # directory bucket.
14071
14670
  #
14072
- # <b>Directory buckets </b> - For directory buckets, only the
14073
- # server-side encryption with Amazon S3 managed keys (SSE-S3)
14074
- # (`AES256`) value is supported.
14671
+ # </note>
14075
14672
  #
14076
14673
  #
14077
14674
  #
14078
14675
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
14676
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
14677
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
14678
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
14679
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
14079
14680
  # @return [String]
14080
14681
  #
14081
14682
  # @!attribute [rw] storage_class
@@ -14161,48 +14762,92 @@ module Aws::S3
14161
14762
  # @return [String]
14162
14763
  #
14163
14764
  # @!attribute [rw] ssekms_key_id
14164
- # If `x-amz-server-side-encryption` has a valid value of `aws:kms` or
14165
- # `aws:kms:dsse`, this header specifies the ID (Key ID, Key ARN, or
14166
- # Key Alias) of the Key Management Service (KMS) symmetric encryption
14167
- # customer managed key that was used for the object. If you specify
14765
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
14766
+ # object encryption. If the KMS key doesn't exist in the same account
14767
+ # that's issuing the command, you must use the full Key ARN not the
14768
+ # Key ID.
14769
+ #
14770
+ # **General purpose buckets** - If you specify
14771
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`,
14772
+ # this header specifies the ID (Key ID, Key ARN, or Key Alias) of the
14773
+ # KMS key to use. If you specify
14168
14774
  # `x-amz-server-side-encryption:aws:kms` or
14169
- # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide`
14170
- # x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
14171
- # Amazon Web Services managed key (`aws/s3`) to protect the data. If
14172
- # the KMS key does not exist in the same account that's issuing the
14173
- # command, you must use the full ARN and not just the ID.
14775
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
14776
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
14777
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
14174
14778
  #
14175
- # <note markdown="1"> This functionality is not supported for directory buckets.
14779
+ # **Directory buckets** - If you specify
14780
+ # `x-amz-server-side-encryption` with `aws:kms`, the `
14781
+ # x-amz-server-side-encryption-aws-kms-key-id` header is implicitly
14782
+ # assigned the ID of the KMS symmetric encryption customer managed key
14783
+ # that's configured for your directory bucket's default encryption
14784
+ # setting. If you want to specify the `
14785
+ # x-amz-server-side-encryption-aws-kms-key-id` header explicitly, you
14786
+ # can only specify it with the ID (Key ID or Key ARN) of the KMS
14787
+ # customer managed key that's configured for your directory bucket's
14788
+ # default encryption setting. Otherwise, you get an HTTP `400 Bad
14789
+ # Request` error. Only use the key ID or key ARN. The key alias format
14790
+ # of the KMS key isn't supported. Your SSE-KMS configuration can only
14791
+ # support 1 [customer managed key][1] per directory bucket for the
14792
+ # lifetime of the bucket. The [Amazon Web Services managed key][2]
14793
+ # (`aws/s3`) isn't supported.
14176
14794
  #
14177
- # </note>
14795
+ #
14796
+ #
14797
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
14798
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
14178
14799
  # @return [String]
14179
14800
  #
14180
14801
  # @!attribute [rw] ssekms_encryption_context
14181
- # Specifies the Amazon Web Services KMS Encryption Context to use for
14182
- # object encryption. The value of this header is a base64-encoded
14183
- # UTF-8 string holding JSON with the encryption context key-value
14184
- # pairs. This value is stored as object metadata and automatically
14185
- # gets passed on to Amazon Web Services KMS for future `GetObject` or
14186
- # `CopyObject` operations on this object. This value must be
14187
- # explicitly added during `CopyObject` operations.
14802
+ # Specifies the Amazon Web Services KMS Encryption Context as an
14803
+ # additional encryption context to use for object encryption. The
14804
+ # value of this header is a Base64-encoded string of a UTF-8 encoded
14805
+ # JSON, which contains the encryption context as key-value pairs. This
14806
+ # value is stored as object metadata and automatically gets passed on
14807
+ # to Amazon Web Services KMS for future `GetObject` operations on this
14808
+ # object.
14188
14809
  #
14189
- # <note markdown="1"> This functionality is not supported for directory buckets.
14810
+ # **General purpose buckets** - This value must be explicitly added
14811
+ # during `CopyObject` operations if you want an additional encryption
14812
+ # context for your object. For more information, see [Encryption
14813
+ # context][1] in the *Amazon S3 User Guide*.
14190
14814
  #
14191
- # </note>
14815
+ # **Directory buckets** - You can optionally provide an explicit
14816
+ # encryption context value. The value must match the default
14817
+ # encryption context - the bucket Amazon Resource Name (ARN). An
14818
+ # additional encryption context value is not supported.
14819
+ #
14820
+ #
14821
+ #
14822
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
14192
14823
  # @return [String]
14193
14824
  #
14194
14825
  # @!attribute [rw] bucket_key_enabled
14195
14826
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
14196
14827
  # encryption with server-side encryption using Key Management Service
14197
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
14198
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
14828
+ # (KMS) keys (SSE-KMS).
14199
14829
  #
14200
- # Specifying this header with a PUT action doesn’t affect bucket-level
14201
- # settings for S3 Bucket Key.
14830
+ # **General purpose buckets** - Setting this header to `true` causes
14831
+ # Amazon S3 to use an S3 Bucket Key for object encryption with
14832
+ # SSE-KMS. Also, specifying this header with a PUT action doesn't
14833
+ # affect bucket-level settings for S3 Bucket Key.
14202
14834
  #
14203
- # <note markdown="1"> This functionality is not supported for directory buckets.
14835
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
14836
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
14837
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted
14838
+ # objects from general purpose buckets to directory buckets, from
14839
+ # directory buckets to general purpose buckets, or between directory
14840
+ # buckets, through [CopyObject][1], [UploadPartCopy][2], [the Copy
14841
+ # operation in Batch Operations][3], or [the import jobs][4]. In this
14842
+ # case, Amazon S3 makes a call to KMS every time a copy request is
14843
+ # made for a KMS-encrypted object.
14204
14844
  #
14205
- # </note>
14845
+ #
14846
+ #
14847
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
14848
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
14849
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
14850
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
14206
14851
  # @return [Boolean]
14207
14852
  #
14208
14853
  # @!attribute [rw] request_payer
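Review bot: The rewritten `ssekms_encryption_context` text never tells the caller that an encryption context is not confidential, although it does say the value is stored as object metadata and passed to KMS on later `GetObject` operations. AWS KMS documents the encryption context as non-secret data that appears in plaintext in CloudTrail logs, so a reader of this comment alone could reasonably place sensitive values in it. I would add one line after the first paragraph: `# The encryption context is not secret; do not put sensitive information in it.` The struct documentation this attribute belongs to begins and ends outside the hunk.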
@@ -14289,6 +14934,7 @@ module Aws::S3
14289
14934
  :checksum_sha1,
14290
14935
  :checksum_sha256,
14291
14936
  :expires,
14937
+ :if_none_match,
14292
14938
  :grant_full_control,
14293
14939
  :grant_read,
14294
14940
  :grant_read_acp,
@@ -14699,7 +15345,15 @@ module Aws::S3
14699
15345
  # The container for the records event.
14700
15346
  #
14701
15347
  # @!attribute [rw] payload
14702
- # The byte array of partial, one or more result records.
15348
+ # The byte array of partial, one or more result records. S3 Select
15349
+ # doesn't guarantee that a record will be self-contained in one
15350
+ # record frame. To ensure continuous streaming of data, S3 Select
15351
+ # might split the same record across multiple record frames instead of
15352
+ # aggregating the results in memory. Some S3 clients (for example, the
15353
+ # SDK for Java) handle this behavior by creating a `ByteStream` out of
15354
+ # the response by default. Other clients might not handle this
15355
+ # behavior by default. In those cases, you must aggregate the results
15356
+ # on the client side and parse the response.
14703
15357
  # @return [String]
14704
15358
  #
14705
15359
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/RecordsEvent AWS API Documentation
@@ -14907,12 +15561,16 @@ module Aws::S3
14907
15561
  #
14908
15562
  # @!attribute [rw] existing_object_replication
14909
15563
  # Optional configuration to replicate existing source bucket objects.
14910
- # For more information, see [Replicating Existing Objects][1] in the
14911
- # *Amazon S3 User Guide*.
15564
+ #
15565
+ # <note markdown="1"> This parameter is no longer supported. To replicate existing
15566
+ # objects, see [Replicating existing objects with S3 Batch
15567
+ # Replication][1] in the *Amazon S3 User Guide*.
15568
+ #
15569
+ # </note>
14912
15570
  #
14913
15571
  #
14914
15572
  #
14915
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-what-is-isnot-replicated.html#existing-object-replication
15573
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-batch-replication-batch.html
14916
15574
  # @return [Types::ExistingObjectReplication]
14917
15575
  #
14918
15576
  # @!attribute [rw] destination
@@ -15740,27 +16398,51 @@ module Aws::S3
15740
16398
 
15741
16399
  # Describes the default server-side encryption to apply to new objects
15742
16400
  # in the bucket. If a PUT Object request doesn't specify any
15743
- # server-side encryption, this default encryption will be applied. If
15744
- # you don't specify a customer managed key at configuration, Amazon S3
15745
- # automatically creates an Amazon Web Services KMS key in your Amazon
15746
- # Web Services account the first time that you add an object encrypted
15747
- # with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for
15748
- # SSE-KMS. For more information, see [PUT Bucket encryption][1] in the
15749
- # *Amazon S3 API Reference*.
16401
+ # server-side encryption, this default encryption will be applied. For
16402
+ # more information, see [PutBucketEncryption][1].
16403
+ #
16404
+ # <note markdown="1"> * **General purpose buckets** - If you don't specify a customer
16405
+ # managed key at configuration, Amazon S3 automatically creates an
16406
+ # Amazon Web Services KMS key (`aws/s3`) in your Amazon Web Services
16407
+ # account the first time that you add an object encrypted with SSE-KMS
16408
+ # to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS.
16409
+ #
16410
+ # * **Directory buckets** - Your SSE-KMS configuration can only support
16411
+ # 1 [customer managed key][2] per directory bucket for the lifetime of
16412
+ # the bucket. The [Amazon Web Services managed key][3] (`aws/s3`)
16413
+ # isn't supported.
16414
+ #
16415
+ # * **Directory buckets** - For directory buckets, there are only two
16416
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
16417
+ #
16418
+ # </note>
15750
16419
  #
15751
16420
  #
15752
16421
  #
15753
16422
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html
16423
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
16424
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
15754
16425
  #
15755
16426
  # @!attribute [rw] sse_algorithm
15756
16427
  # Server-side encryption algorithm to use for the default encryption.
16428
+ #
16429
+ # <note markdown="1"> For directory buckets, there are only two supported values for
16430
+ # server-side encryption: `AES256` and `aws:kms`.
16431
+ #
16432
+ # </note>
15757
16433
  # @return [String]
15758
16434
  #
15759
16435
  # @!attribute [rw] kms_master_key_id
15760
- # Amazon Web Services Key Management Service (KMS) customer Amazon Web
15761
- # Services KMS key ID to use for the default encryption. This
15762
- # parameter is allowed if and only if `SSEAlgorithm` is set to
15763
- # `aws:kms` or `aws:kms:dsse`.
16436
+ # Amazon Web Services Key Management Service (KMS) customer managed
16437
+ # key ID to use for the default encryption.
16438
+ #
16439
+ # <note markdown="1"> * **General purpose buckets** - This parameter is allowed if and
16440
+ # only if `SSEAlgorithm` is set to `aws:kms` or `aws:kms:dsse`.
16441
+ #
16442
+ # * **Directory buckets** - This parameter is allowed if and only if
16443
+ # `SSEAlgorithm` is set to `aws:kms`.
16444
+ #
16445
+ # </note>
15764
16446
  #
15765
16447
  # You can specify the key ID, key alias, or the Amazon Resource Name
15766
16448
  # (ARN) of the KMS key.
@@ -15772,22 +16454,36 @@ module Aws::S3
15772
16454
  #
15773
16455
  # * Key Alias: `alias/alias-name`
15774
16456
  #
15775
- # If you use a key ID, you can run into a LogDestination undeliverable
15776
- # error when creating a VPC flow log.
15777
- #
15778
16457
  # If you are using encryption with cross-account or Amazon Web
15779
- # Services service operations you must use a fully qualified KMS key
16458
+ # Services service operations, you must use a fully qualified KMS key
15780
16459
  # ARN. For more information, see [Using encryption for cross-account
15781
16460
  # operations][1].
15782
16461
  #
16462
+ # <note markdown="1"> * **General purpose buckets** - If you're specifying a customer
16463
+ # managed KMS key, we recommend using a fully qualified KMS key ARN.
16464
+ # If you use a KMS key alias instead, then KMS resolves the key
16465
+ # within the requester’s account. This behavior can result in data
16466
+ # that's encrypted with a KMS key that belongs to the requester,
16467
+ # and not the bucket owner. Also, if you use a key ID, you can run
16468
+ # into a LogDestination undeliverable error when creating a VPC flow
16469
+ # log.
16470
+ #
16471
+ # * **Directory buckets** - When you specify an [KMS customer managed
16472
+ # key][2] for encryption in your directory bucket, only use the key
16473
+ # ID or key ARN. The key alias format of the KMS key isn't
16474
+ # supported.
16475
+ #
16476
+ # </note>
16477
+ #
15783
16478
  # Amazon S3 only supports symmetric encryption KMS keys. For more
15784
- # information, see [Asymmetric keys in Amazon Web Services KMS][2] in
16479
+ # information, see [Asymmetric keys in Amazon Web Services KMS][3] in
15785
16480
  # the *Amazon Web Services Key Management Service Developer Guide*.
15786
16481
  #
15787
16482
  #
15788
16483
  #
15789
16484
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy
15790
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
16485
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
16486
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
15791
16487
  # @return [String]
15792
16488
  #
15793
16489
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/ServerSideEncryptionByDefault AWS API Documentation
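Review bot: The format list kept as context at the top of this hunk still presents the `Key Alias` bullet as an equally valid form, while the note added below it says an alias is resolved in the requester's account and is not supported for directory buckets. A reader who stops at the list gets no warning that an alias can leave data encrypted under a key the bucket owner does not control. I would append `(general purpose buckets only; resolved in the requester's account, see the note below)` to that bullet. Separately, `an [KMS customer managed key][2]` should read `a [KMS customer managed key][2]`; the same wording recurs in the `ServerSideEncryptionRule` hunk that follows. The attribute's comment starts in the previous hunk.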
@@ -15816,6 +16512,23 @@ module Aws::S3
15816
16512
 
15817
16513
  # Specifies the default server-side encryption configuration.
15818
16514
  #
16515
+ # <note markdown="1"> * **General purpose buckets** - If you're specifying a customer
16516
+ # managed KMS key, we recommend using a fully qualified KMS key ARN.
16517
+ # If you use a KMS key alias instead, then KMS resolves the key within
16518
+ # the requester’s account. This behavior can result in data that's
16519
+ # encrypted with a KMS key that belongs to the requester, and not the
16520
+ # bucket owner.
16521
+ #
16522
+ # * **Directory buckets** - When you specify an [KMS customer managed
16523
+ # key][1] for encryption in your directory bucket, only use the key ID
16524
+ # or key ARN. The key alias format of the KMS key isn't supported.
16525
+ #
16526
+ # </note>
16527
+ #
16528
+ #
16529
+ #
16530
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
16531
+ #
15819
16532
  # @!attribute [rw] apply_server_side_encryption_by_default
15820
16533
  # Specifies the default server-side encryption to apply to new objects
15821
16534
  # in the bucket. If a PUT Object request doesn't specify any
@@ -15827,14 +16540,31 @@ module Aws::S3
15827
16540
  # server-side encryption using KMS (SSE-KMS) for new objects in the
15828
16541
  # bucket. Existing objects are not affected. Setting the
15829
16542
  # `BucketKeyEnabled` element to `true` causes Amazon S3 to use an S3
15830
- # Bucket Key. By default, S3 Bucket Key is not enabled.
16543
+ # Bucket Key.
15831
16544
  #
15832
- # For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon
15833
- # S3 User Guide*.
16545
+ # <note markdown="1"> * **General purpose buckets** - By default, S3 Bucket Key is not
16546
+ # enabled. For more information, see [Amazon S3 Bucket Keys][1] in
16547
+ # the *Amazon S3 User Guide*.
16548
+ #
16549
+ # * **Directory buckets** - S3 Bucket Keys are always enabled for
16550
+ # `GET` and `PUT` operations in a directory bucket and can’t be
16551
+ # disabled. S3 Bucket Keys aren't supported, when you copy SSE-KMS
16552
+ # encrypted objects from general purpose buckets to directory
16553
+ # buckets, from directory buckets to general purpose buckets, or
16554
+ # between directory buckets, through [CopyObject][2],
16555
+ # [UploadPartCopy][3], [the Copy operation in Batch Operations][4],
16556
+ # or [the import jobs][5]. In this case, Amazon S3 makes a call to
16557
+ # KMS every time a copy request is made for a KMS-encrypted object.
16558
+ #
16559
+ # </note>
15834
16560
  #
15835
16561
  #
15836
16562
  #
15837
16563
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
16564
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
16565
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
16566
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
16567
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
15838
16568
  # @return [Boolean]
15839
16569
  #
15840
16570
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/ServerSideEncryptionRule AWS API Documentation
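Review bot: Reference targets `[4]` (`.../userguide/directory-buckets-objects-Batch-Ops`) and `[5]` (`.../userguide/create-import-job`) are the only User Guide links in this hunk without an `.html` suffix, so they may not resolve; I have not checked them. If the pages follow the naming of the other links, the lines would end in `directory-buckets-objects-Batch-Ops.html` and `create-import-job.html`, which should be confirmed against the User Guide before changing. The same two targets appear as `[3]` and `[4]` under `bucket_key_enabled` in the earlier hunk that rewrites `ssekms_key_id`. The comma in `S3 Bucket Keys aren't supported, when you copy` is also stray in both places.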
@@ -15849,8 +16579,8 @@ module Aws::S3
15849
16579
  # The established temporary security credentials of the session.
15850
16580
  #
15851
16581
  # <note markdown="1"> **Directory buckets** - These session credentials are only supported
15852
- # for the authentication and authorization of Zonal endpoint APIs on
15853
- # directory buckets.
16582
+ # for the authentication and authorization of Zonal endpoint API
16583
+ # operations on directory buckets.
15854
16584
  #
15855
16585
  # </note>
15856
16586
  #
@@ -16284,11 +17014,6 @@ module Aws::S3
16284
17014
  # @!attribute [rw] server_side_encryption
16285
17015
  # The server-side encryption algorithm used when you store this object
16286
17016
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
16287
- #
16288
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
16289
- # managed keys (SSE-S3) (`AES256`) is supported.
16290
- #
16291
- # </note>
16292
17017
  # @return [String]
16293
17018
  #
16294
17019
  # @!attribute [rw] sse_customer_algorithm
@@ -16313,23 +17038,14 @@ module Aws::S3
16313
17038
  # @return [String]
16314
17039
  #
16315
17040
  # @!attribute [rw] ssekms_key_id
16316
- # If present, indicates the ID of the Key Management Service (KMS)
16317
- # symmetric encryption customer managed key that was used for the
16318
- # object.
16319
- #
16320
- # <note markdown="1"> This functionality is not supported for directory buckets.
16321
- #
16322
- # </note>
17041
+ # If present, indicates the ID of the KMS key that was used for object
17042
+ # encryption.
16323
17043
  # @return [String]
16324
17044
  #
16325
17045
  # @!attribute [rw] bucket_key_enabled
16326
17046
  # Indicates whether the multipart upload uses an S3 Bucket Key for
16327
17047
  # server-side encryption with Key Management Service (KMS) keys
16328
17048
  # (SSE-KMS).
16329
- #
16330
- # <note markdown="1"> This functionality is not supported for directory buckets.
16331
- #
16332
- # </note>
16333
17049
  # @return [Boolean]
16334
17050
  #
16335
17051
  # @!attribute [rw] request_charged
@@ -16680,11 +17396,6 @@ module Aws::S3
16680
17396
  # @!attribute [rw] server_side_encryption
16681
17397
  # The server-side encryption algorithm used when you store this object
16682
17398
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
16683
- #
16684
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
16685
- # managed keys (SSE-S3) (`AES256`) is supported.
16686
- #
16687
- # </note>
16688
17399
  # @return [String]
16689
17400
  #
16690
17401
  # @!attribute [rw] etag
@@ -16692,7 +17403,7 @@ module Aws::S3
16692
17403
  # @return [String]
16693
17404
  #
16694
17405
  # @!attribute [rw] checksum_crc32
16695
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
17406
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
16696
17407
  # only be present if it was uploaded with the object. When you use an
16697
17408
  # API operation on an object that was uploaded using multipart
16698
17409
  # uploads, this value may not be a direct checksum value of the full
@@ -16707,7 +17418,7 @@ module Aws::S3
16707
17418
  # @return [String]
16708
17419
  #
16709
17420
  # @!attribute [rw] checksum_crc32c
16710
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
17421
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
16711
17422
  # only be present if it was uploaded with the object. When you use an
16712
17423
  # API operation on an object that was uploaded using multipart
16713
17424
  # uploads, this value may not be a direct checksum value of the full
@@ -16773,23 +17484,14 @@ module Aws::S3
16773
17484
  # @return [String]
16774
17485
  #
16775
17486
  # @!attribute [rw] ssekms_key_id
16776
- # If present, indicates the ID of the Key Management Service (KMS)
16777
- # symmetric encryption customer managed key that was used for the
16778
- # object.
16779
- #
16780
- # <note markdown="1"> This functionality is not supported for directory buckets.
16781
- #
16782
- # </note>
17487
+ # If present, indicates the ID of the KMS key that was used for object
17488
+ # encryption.
16783
17489
  # @return [String]
16784
17490
  #
16785
17491
  # @!attribute [rw] bucket_key_enabled
16786
17492
  # Indicates whether the multipart upload uses an S3 Bucket Key for
16787
17493
  # server-side encryption with Key Management Service (KMS) keys
16788
17494
  # (SSE-KMS).
16789
- #
16790
- # <note markdown="1"> This functionality is not supported for directory buckets.
16791
- #
16792
- # </note>
16793
17495
  # @return [Boolean]
16794
17496
  #
16795
17497
  # @!attribute [rw] request_charged
@@ -16906,7 +17608,7 @@ module Aws::S3
16906
17608
  # @!attribute [rw] checksum_crc32
16907
17609
  # This header can be used as a data integrity check to verify that the
16908
17610
  # data received is the same data that was originally sent. This header
16909
- # specifies the base64-encoded, 32-bit CRC32 checksum of the object.
17611
+ # specifies the base64-encoded, 32-bit CRC-32 checksum of the object.
16910
17612
  # For more information, see [Checking object integrity][1] in the
16911
17613
  # *Amazon S3 User Guide*.
16912
17614
  #
@@ -16918,7 +17620,7 @@ module Aws::S3
16918
17620
  # @!attribute [rw] checksum_crc32c
16919
17621
  # This header can be used as a data integrity check to verify that the
16920
17622
  # data received is the same data that was originally sent. This header
16921
- # specifies the base64-encoded, 32-bit CRC32C checksum of the object.
17623
+ # specifies the base64-encoded, 32-bit CRC-32C checksum of the object.
16922
17624
  # For more information, see [Checking object integrity][1] in the
16923
17625
  # *Amazon S3 User Guide*.
16924
17626
  #
@@ -17208,7 +17910,7 @@ module Aws::S3
17208
17910
  # @!attribute [rw] checksum_crc32
17209
17911
  # This header can be used as a data integrity check to verify that the
17210
17912
  # data received is the same data that was originally sent. This
17211
- # specifies the base64-encoded, 32-bit CRC32 checksum of the object
17913
+ # specifies the base64-encoded, 32-bit CRC-32 checksum of the object
17212
17914
  # returned by the Object Lambda function. This may not match the
17213
17915
  # checksum for the object stored in Amazon S3. Amazon S3 will perform
17214
17916
  # validation of the checksum values only when the original `GetObject`
@@ -17229,7 +17931,7 @@ module Aws::S3
17229
17931
  # @!attribute [rw] checksum_crc32c
17230
17932
  # This header can be used as a data integrity check to verify that the
17231
17933
  # data received is the same data that was originally sent. This
17232
- # specifies the base64-encoded, 32-bit CRC32C checksum of the object
17934
+ # specifies the base64-encoded, 32-bit CRC-32C checksum of the object
17233
17935
  # returned by the Object Lambda function. This may not match the
17234
17936
  # checksum for the object stored in Amazon S3. Amazon S3 will perform
17235
17937
  # validation of the checksum values only when the original `GetObject`
@@ -17492,3 +18194,6 @@ module Aws::S3
17492
18194
 
17493
18195
  end
17494
18196
  end
18197
+
18198
+ require "aws-sdk-s3/customizations/types/list_object_versions_output"
18199
+ require "aws-sdk-s3/customizations/types/permanent_redirect"
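Review bot: The two `require` lines appended after the module's closing `end` have no comment explaining why they are loaded from the bottom of the file, and the ordering looks load-bearing. The paths suggest the customization files reopen types declared earlier in `Aws::S3`, though their contents are not shown here. A one-line comment such as `# Loaded last: these customizations extend types defined above.` would keep a later cleanup from hoisting them to the top of the file. Both paths are resolved through the load path, so it is also worth confirming that both files are shipped in this version of the gem; a missing one would fail when this file is loaded. The module body starts outside this hunk.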