aws-sdk-s3 1.150.0 → 1.169.0

data/lib/aws-sdk-s3/client.rb

@@ -32,6 +32,7 @@ require 'aws-sdk-core/plugins/checksum_algorithm.rb'
 require 'aws-sdk-core/plugins/request_compression.rb'
 require 'aws-sdk-core/plugins/defaults_mode.rb'
 require 'aws-sdk-core/plugins/recursion_detection.rb'
+require 'aws-sdk-core/plugins/telemetry.rb'
 require 'aws-sdk-core/plugins/sign.rb'
 require 'aws-sdk-core/plugins/protocols/rest_xml.rb'
 require 'aws-sdk-s3/plugins/accelerate.rb'
@@ -56,8 +57,6 @@ require 'aws-sdk-s3/plugins/streaming_retry.rb'
 require 'aws-sdk-s3/plugins/url_encoded_keys.rb'
 require 'aws-sdk-core/plugins/event_stream_configuration.rb'
 
-Aws::Plugins::GlobalConfiguration.add_identifier(:s3)
-
 module Aws::S3
   # An API client for S3.  To construct a client, you need to configure a `:region` and `:credentials`.
   #
@@ -104,6 +103,7 @@ module Aws::S3
     add_plugin(Aws::Plugins::RequestCompression)
     add_plugin(Aws::Plugins::DefaultsMode)
     add_plugin(Aws::Plugins::RecursionDetection)
+    add_plugin(Aws::Plugins::Telemetry)
     add_plugin(Aws::Plugins::Sign)
     add_plugin(Aws::Plugins::Protocols::RestXml)
     add_plugin(Aws::S3::Plugins::Accelerate)
@@ -131,6 +131,11 @@ module Aws::S3
 
     # @overload initialize(options)
     #   @param [Hash] options
+    #
+    #   @option options [Array<Seahorse::Client::Plugin>] :plugins ([]])
+    #     A list of plugins to apply to the client. Each plugin is either a
+    #     class name or an instance of a plugin class.
+    #
     #   @option options [required, Aws::CredentialProvider] :credentials
     #     Your AWS credentials. This can be an instance of any one of the
     #     following classes:
@@ -165,13 +170,15 @@ module Aws::S3
     #     locations will be searched for credentials:
     #
     #     * `Aws.config[:credentials]`
-    #     * The `:access_key_id`, `:secret_access_key`, and `:session_token` options.
-    #     * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
+    #     * The `:access_key_id`, `:secret_access_key`, `:session_token`, and
+    #       `:account_id` options.
+    #     * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY'],
+    #       ENV['AWS_SESSION_TOKEN'], and ENV['AWS_ACCOUNT_ID']
     #     * `~/.aws/credentials`
     #     * `~/.aws/config`
     #     * EC2/ECS IMDS instance profile - When used by default, the timeouts
     #       are very aggressive. Construct and pass an instance of
-    #       `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
+    #       `Aws::InstanceProfileCredentials` or `Aws::ECSCredentials` to
     #       enable retries and extended timeouts. Instance profile credential
     #       fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED']
     #       to true.
@@ -200,6 +207,8 @@ module Aws::S3
     #
     #   @option options [String] :access_key_id
     #
+    #   @option options [String] :account_id
+    #
     #   @option options [Boolean] :active_endpoint_cache (false)
     #     When set to `true`, a thread polling for endpoints will be running in
     #     the background every 60 secs (default). Defaults to `false`.
@@ -271,7 +280,6 @@ module Aws::S3
     #         'https://example.com'
     #         'http://example.com:123'
     #
-    #
     #   @option options [Integer] :endpoint_cache_max_entries (1000)
     #     Used for the maximum size limit of the LRU cache storing endpoints data
     #     for endpoint discovery enabled operations. Defaults to 1000.
@@ -386,7 +394,6 @@ module Aws::S3
     #       throttling.  This is a provisional mode that may change behavior
     #       in the future.
     #
-    #
     #   @option options [Boolean] :s3_disable_multiregion_access_points (false)
     #     When set to `false` this will option will raise errors when multi-region
     #     access point ARNs are used.  Multi-region access points can potentially
@@ -411,6 +418,15 @@ module Aws::S3
     #
     #   @option options [String] :session_token
     #
+    #   @option options [Array] :sigv4a_signing_region_set
+    #     A list of regions that should be signed with SigV4a signing. When
+    #     not passed, a default `:sigv4a_signing_region_set` is searched for
+    #     in the following locations:
+    #
+    #     * `Aws.config[:sigv4a_signing_region_set]`
+    #     * `ENV['AWS_SIGV4A_SIGNING_REGION_SET']`
+    #     * `~/.aws/config`
+    #
     #   @option options [Boolean] :stub_responses (false)
     #     Causes the client to return stubbed responses. By default
     #     fake responses are generated and returned. You can specify
@@ -420,6 +436,16 @@ module Aws::S3
     #     ** Please note ** When response stubbing is enabled, no HTTP
     #     requests are made, and retries are disabled.
     #
+    #   @option options [Aws::Telemetry::TelemetryProviderBase] :telemetry_provider (Aws::Telemetry::NoOpTelemetryProvider)
+    #     Allows you to provide a telemetry provider, which is used to
+    #     emit telemetry data. By default, uses `NoOpTelemetryProvider` which
+    #     will not record or emit any telemetry data. The SDK supports the
+    #     following telemetry providers:
+    #
+    #     * OpenTelemetry (OTel) - To use the OTel provider, install and require the
+    #     `opentelemetry-sdk` gem and then, pass in an instance of a
+    #     `Aws::Telemetry::OTelProvider` for telemetry provider.
+    #
     #   @option options [Aws::TokenProvider] :token_provider
     #     A Bearer Token Provider. This can be an instance of any one of the
     #     following classes:
@@ -452,7 +478,9 @@ module Aws::S3
     #     sending the request.
     #
     #   @option options [Aws::S3::EndpointProvider] :endpoint_provider
-    #     The endpoint provider used to resolve endpoints. Any object that responds to `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to `Aws::S3::EndpointParameters`
+    #     The endpoint provider used to resolve endpoints. Any object that responds to
+    #     `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to
+    #     `Aws::S3::EndpointParameters`.
     #
     #   @option options [Float] :http_continue_timeout (1)
     #     The number of seconds to wait for a 100-continue response before sending the
@@ -508,6 +536,12 @@ module Aws::S3
     #   @option options [String] :ssl_ca_store
     #     Sets the X509::Store to verify peer certificate.
     #
+    #   @option options [OpenSSL::X509::Certificate] :ssl_cert
+    #     Sets a client certificate when creating http connections.
+    #
+    #   @option options [OpenSSL::PKey] :ssl_key
+    #     Sets a client key when creating http connections.
+    #
     #   @option options [Float] :ssl_timeout
     #     Sets the SSL timeout in seconds
     #
@@ -532,12 +566,20 @@ module Aws::S3
     # for the part storage, you should call the [ListParts][1] API operation
     # and ensure that the parts list is empty.
     #
-    # <note markdown="1"> **Directory buckets** - For directory buckets, you must make requests
-    # for this API operation to the Zonal endpoint. These endpoints support
-    # virtual-hosted-style requests in the format
-    # `https://bucket_name.s3express-az_id.region.amazonaws.com/key-name `.
-    # Path-style requests are not supported. For more information, see
-    # [Regional and Zonal endpoints][2] in the *Amazon S3 User Guide*.
+    # <note markdown="1"> * **Directory buckets** - If multipart uploads in a directory bucket
+    #   are in progress, you can't delete the bucket until all the
+    #   in-progress multipart uploads are aborted or completed. To delete
+    #   these in-progress multipart uploads, use the `ListMultipartUploads`
+    #   operation to list the in-progress multipart uploads in the bucket
+    #   and use the `AbortMultupartUpload` operation to abort all the
+    #   in-progress multipart uploads.
+    #
+    # * **Directory buckets** - For directory buckets, you must make
+    #   requests for this API operation to the Zonal endpoint. These
+    #   endpoints support virtual-hosted-style requests in the format
+    #   `https://bucket_name.s3express-az_id.region.amazonaws.com/key-name
+    #   `. Path-style requests are not supported. For more information, see
+    #   [Regional and Zonal endpoints][2] in the *Amazon S3 User Guide*.
     #
     #  </note>
     #
@@ -762,9 +804,15 @@ module Aws::S3
     #     [Multipart Upload and Permissions][6] in the *Amazon S3 User
     #     Guide*.
     #
+    #     If you provide an [additional checksum value][7] in your
+    #     `MultipartUpload` requests and the object is encrypted with Key
+    #     Management Service, you must have permission to use the
+    #     `kms:Decrypt` action for the `CompleteMultipartUpload` request to
+    #     succeed.
+    #
     #   * **Directory bucket permissions** - To grant access to this API
     #     operation on a directory bucket, we recommend that you use the [
-    #     `CreateSession` ][7] API operation for session-based
+    #     `CreateSession` ][8] API operation for session-based
     #     authorization. Specifically, you grant the
     #     `s3express:CreateSession` permission to the directory bucket in a
     #     bucket policy or an IAM identity-based policy. Then, you make the
@@ -775,7 +823,11 @@ module Aws::S3
     #     token for use. Amazon Web Services CLI or SDKs create session and
     #     refresh the session token automatically to avoid service
     #     interruptions when a session expires. For more information about
-    #     authorization, see [ `CreateSession` ][7].
+    #     authorization, see [ `CreateSession` ][8].
+    #
+    #     If the object is encrypted with SSE-KMS, you must also have the
+    #     `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
+    #     identity-based policies and KMS key policies for the KMS key.
     #
     # Special errors
     # : * Error Code: `EntityTooSmall`
@@ -816,15 +868,15 @@ module Aws::S3
     #
     # The following operations are related to `CompleteMultipartUpload`:
     #
-    # * [CreateMultipartUpload][8]
+    # * [CreateMultipartUpload][9]
     #
     # * [UploadPart][1]
     #
-    # * [AbortMultipartUpload][9]
+    # * [AbortMultipartUpload][10]
     #
-    # * [ListParts][10]
+    # * [ListParts][11]
     #
-    # * [ListMultipartUploads][11]
+    # * [ListMultipartUploads][12]
     #
     #
     #
@@ -834,11 +886,12 @@ module Aws::S3
     # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
     # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
     # [6]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html
-    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
-    # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
-    # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
-    # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
-    # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
+    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
+    # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
+    # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
+    # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
+    # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
+    # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
     #
     # @option params [required, String] :bucket
     #   Name of the bucket to which the multipart upload was initiated.
@@ -896,9 +949,9 @@ module Aws::S3
     # @option params [String] :checksum_crc32
     #   This header can be used as a data integrity check to verify that the
     #   data received is the same data that was originally sent. This header
-    #   specifies the base64-encoded, 32-bit CRC32 checksum of the object. For
-    #   more information, see [Checking object integrity][1] in the *Amazon S3
-    #   User Guide*.
+    #   specifies the base64-encoded, 32-bit CRC-32 checksum of the object.
+    #   For more information, see [Checking object integrity][1] in the
+    #   *Amazon S3 User Guide*.
     #
     #
     #
@@ -907,7 +960,7 @@ module Aws::S3
     # @option params [String] :checksum_crc32c
     #   This header can be used as a data integrity check to verify that the
     #   data received is the same data that was originally sent. This header
-    #   specifies the base64-encoded, 32-bit CRC32C checksum of the object.
+    #   specifies the base64-encoded, 32-bit CRC-32C checksum of the object.
     #   For more information, see [Checking object integrity][1] in the
     #   *Amazon S3 User Guide*.
     #
@@ -959,6 +1012,26 @@ module Aws::S3
     #   you provide does not match the actual owner of the bucket, the request
     #   fails with the HTTP status code `403 Forbidden` (access denied).
     #
+    # @option params [String] :if_none_match
+    #   Uploads the object only if the object key name does not already exist
+    #   in the bucket specified. Otherwise, Amazon S3 returns a `412
+    #   Precondition Failed` error.
+    #
+    #   If a conflicting operation occurs during the upload S3 returns a `409
+    #   ConditionalRequestConflict` response. On a 409 failure you should
+    #   re-initiate the multipart upload with `CreateMultipartUpload` and
+    #   re-upload each part.
+    #
+    #   Expects the '*' (asterisk) character.
+    #
+    #   For more information about conditional requests, see [RFC 7232][1], or
+    #   [Conditional requests][2] in the *Amazon S3 User Guide*.
+    #
+    #
+    #
+    #   [1]: https://tools.ietf.org/html/rfc7232
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/conditional-requests.html
+    #
     # @option params [String] :sse_customer_algorithm
     #   The server-side encryption (SSE) algorithm used to encrypt the object.
     #   This parameter is required only when the object was created using a
@@ -1074,6 +1147,7 @@ module Aws::S3
     #     checksum_sha256: "ChecksumSHA256",
     #     request_payer: "requester", # accepts requester
     #     expected_bucket_owner: "AccountId",
+    #     if_none_match: "IfNoneMatch",
     #     sse_customer_algorithm: "SSECustomerAlgorithm",
     #     sse_customer_key: "SSECustomerKey",
     #     sse_customer_key_md5: "SSECustomerKeyMD5",
@@ -1120,12 +1194,20 @@ module Aws::S3
     # between directory buckets, and between general purpose buckets and
     # directory buckets.
     #
-    # <note markdown="1"> <b>Directory buckets </b> - For directory buckets, you must make
-    # requests for this API operation to the Zonal endpoint. These endpoints
-    # support virtual-hosted-style requests in the format
-    # `https://bucket_name.s3express-az_id.region.amazonaws.com/key-name `.
-    # Path-style requests are not supported. For more information, see
-    # [Regional and Zonal endpoints][2] in the *Amazon S3 User Guide*.
+    # <note markdown="1"> * Amazon S3 supports copy operations using Multi-Region Access Points
+    #   only as a destination when using the Multi-Region Access Point ARN.
+    #
+    # * <b>Directory buckets </b> - For directory buckets, you must make
+    #   requests for this API operation to the Zonal endpoint. These
+    #   endpoints support virtual-hosted-style requests in the format
+    #   `https://bucket_name.s3express-az_id.region.amazonaws.com/key-name
+    #   `. Path-style requests are not supported. For more information, see
+    #   [Regional and Zonal endpoints][2] in the *Amazon S3 User Guide*.
+    #
+    # * VPC endpoints don't support cross-Region requests (including
+    #   copies). If you're using VPC endpoints, your source and destination
+    #   buckets should be in the same Amazon Web Services Region as your VPC
+    #   endpoint.
     #
     #  </note>
     #
@@ -1191,6 +1273,10 @@ module Aws::S3
     #       destination. The `s3express:SessionMode` condition key can't be
     #       set to `ReadOnly` on the copy destination bucket.
     #
+    #     If the object is encrypted with SSE-KMS, you must also have the
+    #     `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
+    #     identity-based policies and KMS key policies for the KMS key.
+    #
     #     For example policies, see [Example bucket policies for S3 Express
     #     One Zone][6] and [Amazon Web Services Identity and Access
     #     Management (IAM) identity-based policies for S3 Express One
@@ -1201,8 +1287,7 @@ module Aws::S3
     # : When the request is an HTTP 1.1 request, the response is chunk
     #   encoded. When the request is not an HTTP 1.1 request, the response
     #   would not contain the `Content-Length`. You always need to read the
-    #   entire response body to check if the copy succeeds. to keep the
-    #   connection alive while we copy the data.
+    #   entire response body to check if the copy succeeds.
     #
     #   * If the copy is successful, you receive a response with information
     #     about the copied object.
@@ -1638,9 +1723,8 @@ module Aws::S3
     #
     # @option params [String] :server_side_encryption
     #   The server-side encryption algorithm used when storing this object in
-    #   Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
-    #   Unrecognized or unsupported values won’t write a destination object
-    #   and will receive a `400 Bad Request` response.
+    #   Amazon S3. Unrecognized or unsupported values won’t write a
+    #   destination object and will receive a `400 Bad Request` response.
     #
     #   Amazon S3 automatically encrypts all new objects that are copied to an
     #   S3 bucket. When copying an object, if you don't specify encryption
@@ -1648,35 +1732,72 @@ module Aws::S3
     #   object is set to the default encryption configuration of the
     #   destination bucket. By default, all buckets have a base level of
     #   encryption configuration that uses server-side encryption with Amazon
-    #   S3 managed keys (SSE-S3). If the destination bucket has a default
-    #   encryption configuration that uses server-side encryption with Key
-    #   Management Service (KMS) keys (SSE-KMS), dual-layer server-side
-    #   encryption with Amazon Web Services KMS keys (DSSE-KMS), or
-    #   server-side encryption with customer-provided encryption keys (SSE-C),
-    #   Amazon S3 uses the corresponding KMS key, or a customer-provided key
-    #   to encrypt the target object copy.
-    #
-    #   When you perform a `CopyObject` operation, if you want to use a
-    #   different type of encryption setting for the target object, you can
-    #   specify appropriate encryption-related headers to encrypt the target
-    #   object with an Amazon S3 managed key, a KMS key, or a
-    #   customer-provided key. If the encryption setting in your request is
-    #   different from the default encryption configuration of the destination
-    #   bucket, the encryption setting in your request takes precedence.
+    #   S3 managed keys (SSE-S3). If the destination bucket has a different
+    #   default encryption configuration, Amazon S3 uses the corresponding
+    #   encryption key to encrypt the target object copy.
     #
     #   With server-side encryption, Amazon S3 encrypts your data as it writes
     #   your data to disks in its data centers and decrypts the data when you
     #   access it. For more information about server-side encryption, see
     #   [Using Server-Side Encryption][1] in the *Amazon S3 User Guide*.
     #
-    #   <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
-    #   managed keys (SSE-S3) (`AES256`) is supported.
-    #
-    #    </note>
+    #   <b>General purpose buckets </b>
+    #
+    #   * For general purpose buckets, there are the following supported
+    #     options for server-side encryption: server-side encryption with Key
+    #     Management Service (KMS) keys (SSE-KMS), dual-layer server-side
+    #     encryption with Amazon Web Services KMS keys (DSSE-KMS), and
+    #     server-side encryption with customer-provided encryption keys
+    #     (SSE-C). Amazon S3 uses the corresponding KMS key, or a
+    #     customer-provided key to encrypt the target object copy.
+    #
+    #   * When you perform a `CopyObject` operation, if you want to use a
+    #     different type of encryption setting for the target object, you can
+    #     specify appropriate encryption-related headers to encrypt the target
+    #     object with an Amazon S3 managed key, a KMS key, or a
+    #     customer-provided key. If the encryption setting in your request is
+    #     different from the default encryption configuration of the
+    #     destination bucket, the encryption setting in your request takes
+    #     precedence.
+    #
+    #   <b>Directory buckets </b>
+    #
+    #   * For directory buckets, there are only two supported options for
+    #     server-side encryption: server-side encryption with Amazon S3
+    #     managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
+    #     keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's default
+    #     encryption uses the desired encryption configuration and you don't
+    #     override the bucket default encryption in your `CreateSession`
+    #     requests or `PUT` object requests. Then, new objects are
+    #     automatically encrypted with the desired encryption settings. For
+    #     more information, see [Protecting data with server-side
+    #     encryption][2] in the *Amazon S3 User Guide*. For more information
+    #     about the encryption overriding behaviors in directory buckets, see
+    #     [Specifying server-side encryption with KMS for new object
+    #     uploads][3].
+    #
+    #   * To encrypt new object copies to a directory bucket with SSE-KMS, we
+    #     recommend you specify SSE-KMS as the directory bucket's default
+    #     encryption configuration with a KMS key (specifically, a [customer
+    #     managed key][4]). The [Amazon Web Services managed key][5]
+    #     (`aws/s3`) isn't supported. Your SSE-KMS configuration can only
+    #     support 1 [customer managed key][4] per directory bucket for the
+    #     lifetime of the bucket. After you specify a customer managed key for
+    #     SSE-KMS, you can't override the customer managed key for the
+    #     bucket's SSE-KMS configuration. Then, when you perform a
+    #     `CopyObject` operation and want to specify server-side encryption
+    #     settings for new object copies with SSE-KMS in the
+    #     encryption-related request headers, you must ensure the encryption
+    #     key is the same customer managed key that you specified for the
+    #     directory bucket's default encryption configuration.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
+    #   [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
+    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
     #
     # @option params [String] :storage_class
     #   If the `x-amz-storage-class` header is not used, the copied object
@@ -1773,33 +1894,56 @@ module Aws::S3
     #    </note>
     #
     # @option params [String] :ssekms_key_id
-    #   Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for object
-    #   encryption. All GET and PUT requests for an object protected by KMS
-    #   will fail if they're not made via SSL or using SigV4. For information
-    #   about configuring any of the officially supported Amazon Web Services
-    #   SDKs and Amazon Web Services CLI, see [Specifying the Signature
-    #   Version in Request Authentication][1] in the *Amazon S3 User Guide*.
-    #
-    #   <note markdown="1"> This functionality is not supported when the destination bucket is a
-    #   directory bucket.
+    #   Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
+    #   object encryption. All GET and PUT requests for an object protected by
+    #   KMS will fail if they're not made via SSL or using SigV4. For
+    #   information about configuring any of the officially supported Amazon
+    #   Web Services SDKs and Amazon Web Services CLI, see [Specifying the
+    #   Signature Version in Request Authentication][1] in the *Amazon S3 User
+    #   Guide*.
     #
-    #    </note>
+    #   **Directory buckets** - If you specify `x-amz-server-side-encryption`
+    #   with `aws:kms`, the ` x-amz-server-side-encryption-aws-kms-key-id`
+    #   header is implicitly assigned the ID of the KMS symmetric encryption
+    #   customer managed key that's configured for your directory bucket's
+    #   default encryption setting. If you want to specify the `
+    #   x-amz-server-side-encryption-aws-kms-key-id` header explicitly, you
+    #   can only specify it with the ID (Key ID or Key ARN) of the KMS
+    #   customer managed key that's configured for your directory bucket's
+    #   default encryption setting. Otherwise, you get an HTTP `400 Bad
+    #   Request` error. Only use the key ID or key ARN. The key alias format
+    #   of the KMS key isn't supported. Your SSE-KMS configuration can only
+    #   support 1 [customer managed key][2] per directory bucket for the
+    #   lifetime of the bucket. The [Amazon Web Services managed key][3]
+    #   (`aws/s3`) isn't supported.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
     #
     # @option params [String] :ssekms_encryption_context
-    #   Specifies the Amazon Web Services KMS Encryption Context to use for
-    #   object encryption. The value of this header is a base64-encoded UTF-8
-    #   string holding JSON with the encryption context key-value pairs. This
-    #   value must be explicitly added to specify encryption context for
-    #   `CopyObject` requests.
+    #   Specifies the Amazon Web Services KMS Encryption Context as an
+    #   additional encryption context to use for the destination object
+    #   encryption. The value of this header is a base64-encoded UTF-8 string
+    #   holding JSON with the encryption context key-value pairs.
     #
-    #   <note markdown="1"> This functionality is not supported when the destination bucket is a
-    #   directory bucket.
+    #   **General purpose buckets** - This value must be explicitly added to
+    #   specify encryption context for `CopyObject` requests if you want an
+    #   additional encryption context for your destination object. The
+    #   additional encryption context of the source object won't be copied to
+    #   the destination object. For more information, see [Encryption
+    #   context][1] in the *Amazon S3 User Guide*.
     #
-    #    </note>
+    #   **Directory buckets** - You can optionally provide an explicit
+    #   encryption context value. The value must match the default encryption
+    #   context - the bucket Amazon Resource Name (ARN). An additional
+    #   encryption context value is not supported.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
     #
     # @option params [Boolean] :bucket_key_enabled
     #   Specifies whether Amazon S3 should use an S3 Bucket Key for object
@@ -1814,14 +1958,19 @@ module Aws::S3
     #   For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon S3
     #   User Guide*.
     #
-    #   <note markdown="1"> This functionality is not supported when the destination bucket is a
-    #   directory bucket.
+    #   <note markdown="1"> **Directory buckets** - S3 Bucket Keys aren't supported, when you
+    #   copy SSE-KMS encrypted objects from general purpose buckets to
+    #   directory buckets, from directory buckets to general purpose buckets,
+    #   or between directory buckets, through [CopyObject][2]. In this case,
+    #   Amazon S3 makes a call to KMS every time a copy request is made for a
+    #   KMS-encrypted object.
     #
     #    </note>
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
     #
     # @option params [String] :copy_source_sse_customer_algorithm
     #   Specifies the algorithm to use when decrypting the source object (for
@@ -2328,33 +2477,33 @@ module Aws::S3
     #   * {Types::CreateBucketOutput#location #location} => String
     #
     #
-    # @example Example: To create a bucket 
+    # @example Example: To create a bucket in a specific region
     #
-    #   # The following example creates a bucket.
+    #   # The following example creates a bucket. The request specifies an AWS region where to create the bucket.
     #
     #   resp = client.create_bucket({
     #     bucket: "examplebucket", 
+    #     create_bucket_configuration: {
+    #       location_constraint: "eu-west-1", 
+    #     }, 
     #   })
     #
     #   resp.to_h outputs the following:
     #   {
-    #     location: "/examplebucket", 
+    #     location: "http://examplebucket.<Region>.s3.amazonaws.com/", 
     #   }
     #
-    # @example Example: To create a bucket in a specific region
+    # @example Example: To create a bucket 
     #
-    #   # The following example creates a bucket. The request specifies an AWS region where to create the bucket.
+    #   # The following example creates a bucket.
     #
     #   resp = client.create_bucket({
     #     bucket: "examplebucket", 
-    #     create_bucket_configuration: {
-    #       location_constraint: "eu-west-1", 
-    #     }, 
     #   })
     #
     #   resp.to_h outputs the following:
     #   {
-    #     location: "http://examplebucket.<Region>.s3.amazonaws.com/", 
+    #     location: "/examplebucket", 
     #   }
     #
     # @example Request syntax with placeholder values
@@ -2443,24 +2592,23 @@ module Aws::S3
     #   Version 4)][5] in the *Amazon S3 User Guide*.
     #
     # Permissions
-    # : * **General purpose bucket permissions** - For information about the
-    #     permissions required to use the multipart upload API, see
-    #     [Multipart upload and permissions][6] in the *Amazon S3 User
-    #     Guide*.
-    #
-    #     To perform a multipart upload with encryption by using an Amazon
-    #     Web Services KMS key, the requester must have permission to the
-    #     `kms:Decrypt` and `kms:GenerateDataKey*` actions on the key. These
-    #     permissions are required because Amazon S3 must decrypt and read
-    #     data from the encrypted file parts before it completes the
-    #     multipart upload. For more information, see [Multipart upload API
-    #     and permissions][7] and [Protecting data using server-side
-    #     encryption with Amazon Web Services KMS][8] in the *Amazon S3 User
-    #     Guide*.
+    # : * **General purpose bucket permissions** - To perform a multipart
+    #     upload with encryption using an Key Management Service (KMS) KMS
+    #     key, the requester must have permission to the `kms:Decrypt` and
+    #     `kms:GenerateDataKey` actions on the key. The requester must also
+    #     have permissions for the `kms:GenerateDataKey` action for the
+    #     `CreateMultipartUpload` API. Then, the requester needs permissions
+    #     for the `kms:Decrypt` action on the `UploadPart` and
+    #     `UploadPartCopy` APIs. These permissions are required because
+    #     Amazon S3 must decrypt and read data from the encrypted file parts
+    #     before it completes the multipart upload. For more information,
+    #     see [Multipart upload API and permissions][6] and [Protecting data
+    #     using server-side encryption with Amazon Web Services KMS][7] in
+    #     the *Amazon S3 User Guide*.
     #
     #   * **Directory bucket permissions** - To grant access to this API
     #     operation on a directory bucket, we recommend that you use the [
-    #     `CreateSession` ][9] API operation for session-based
+    #     `CreateSession` ][8] API operation for session-based
     #     authorization. Specifically, you grant the
     #     `s3express:CreateSession` permission to the directory bucket in a
     #     bucket policy or an IAM identity-based policy. Then, you make the
@@ -2471,7 +2619,7 @@ module Aws::S3
     #     token for use. Amazon Web Services CLI or SDKs create session and
     #     refresh the session token automatically to avoid service
     #     interruptions when a session expires. For more information about
-    #     authorization, see [ `CreateSession` ][9].
+    #     authorization, see [ `CreateSession` ][8].
     #
     # Encryption
     # : * **General purpose buckets** - Server-side encryption is for data
@@ -2498,7 +2646,7 @@ module Aws::S3
     #     the destination bucket, the encryption setting in your request
     #     takes precedence. If you choose to provide your own encryption
     #     key, the request headers you provide in [UploadPart][1] and
-    #     [UploadPartCopy][10] requests must match the headers you used in
+    #     [UploadPartCopy][9] requests must match the headers you used in
     #     the `CreateMultipartUpload` request.
     #
     #     * Use KMS keys (SSE-KMS) that include the Amazon Web Services
@@ -2524,9 +2672,9 @@ module Aws::S3
     #         actions on the key. These permissions are required because
     #         Amazon S3 must decrypt and read data from the encrypted file
     #         parts before it completes the multipart upload. For more
-    #         information, see [Multipart upload API and permissions][7] and
+    #         information, see [Multipart upload API and permissions][6] and
     #         [Protecting data using server-side encryption with Amazon Web
-    #         Services KMS][8] in the *Amazon S3 User Guide*.
+    #         Services KMS][7] in the *Amazon S3 User Guide*.
     #
     #       * If your Identity and Access Management (IAM) user or role is
     #         in the same Amazon Web Services account as the KMS key, then
@@ -2541,13 +2689,13 @@ module Aws::S3
     #         For information about configuring any of the officially
     #         supported Amazon Web Services SDKs and Amazon Web Services
     #         CLI, see [Specifying the Signature Version in Request
-    #         Authentication][11] in the *Amazon S3 User Guide*.
+    #         Authentication][10] in the *Amazon S3 User Guide*.
     #
     #        </note>
     #
     #       For more information about server-side encryption with KMS keys
     #       (SSE-KMS), see [Protecting Data Using Server-Side Encryption
-    #       with KMS keys][8] in the *Amazon S3 User Guide*.
+    #       with KMS keys][7] in the *Amazon S3 User Guide*.
     #
     #     * Use customer-provided encryption keys (SSE-C) – If you want to
     #       manage your own encryption keys, provide all the following
@@ -2562,11 +2710,55 @@ module Aws::S3
     #       For more information about server-side encryption with
     #       customer-provided encryption keys (SSE-C), see [ Protecting data
     #       using server-side encryption with customer-provided encryption
-    #       keys (SSE-C)][12] in the *Amazon S3 User Guide*.
+    #       keys (SSE-C)][11] in the *Amazon S3 User Guide*.
+    #
+    #   * **Directory buckets** - For directory buckets, there are only two
+    #     supported options for server-side encryption: server-side
+    #     encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
+    #     server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
+    #     recommend that the bucket's default encryption uses the desired
+    #     encryption configuration and you don't override the bucket
+    #     default encryption in your `CreateSession` requests or `PUT`
+    #     object requests. Then, new objects are automatically encrypted
+    #     with the desired encryption settings. For more information, see
+    #     [Protecting data with server-side encryption][12] in the *Amazon
+    #     S3 User Guide*. For more information about the encryption
+    #     overriding behaviors in directory buckets, see [Specifying
+    #     server-side encryption with KMS for new object uploads][13].
+    #
+    #     In the Zonal endpoint API calls (except [CopyObject][14] and
+    #     [UploadPartCopy][9]) using the REST API, the encryption request
+    #     headers must match the encryption settings that are specified in
+    #     the `CreateSession` request. You can't override the values of the
+    #     encryption settings (`x-amz-server-side-encryption`,
+    #     `x-amz-server-side-encryption-aws-kms-key-id`,
+    #     `x-amz-server-side-encryption-context`, and
+    #     `x-amz-server-side-encryption-bucket-key-enabled`) that are
+    #     specified in the `CreateSession` request. You don't need to
+    #     explicitly specify these encryption settings values in Zonal
+    #     endpoint API calls, and Amazon S3 will use the encryption settings
+    #     values from the `CreateSession` request to protect new objects in
+    #     the directory bucket.
+    #
+    #     <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
+    #     `CreateSession`, the session token refreshes automatically to
+    #     avoid service interruptions when a session expires. The CLI or the
+    #     Amazon Web Services SDKs use the bucket's default encryption
+    #     configuration for the `CreateSession` request. It's not supported
+    #     to override the encryption settings values in the `CreateSession`
+    #     request. So in the Zonal endpoint API calls (except
+    #     [CopyObject][14] and [UploadPartCopy][9]), the encryption request
+    #     headers must match the default encryption configuration of the
+    #     directory bucket.
+    #
+    #      </note>
+    #
+    #     <note markdown="1"> For directory buckets, when you perform a `CreateMultipartUpload`
+    #     operation and an `UploadPartCopy` operation, the request headers
+    #     you provide in the `CreateMultipartUpload` request must match the
+    #     default encryption configuration of the destination bucket.
     #
-    #   * **Directory buckets** -For directory buckets, only server-side
-    #     encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is
-    #     supported.
+    #      </note>
     #
     # HTTP Host header syntax
     #
@@ -2577,13 +2769,13 @@ module Aws::S3
     #
     # * [UploadPart][1]
     #
-    # * [CompleteMultipartUpload][13]
+    # * [CompleteMultipartUpload][15]
     #
-    # * [AbortMultipartUpload][14]
+    # * [AbortMultipartUpload][16]
     #
-    # * [ListParts][15]
+    # * [ListParts][17]
     #
-    # * [ListMultipartUploads][16]
+    # * [ListMultipartUploads][18]
     #
     #
     #
@@ -2592,17 +2784,19 @@ module Aws::S3
     # [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html#mpu-abort-incomplete-mpu-lifecycle-config
     # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
     # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
-    # [6]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html
-    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html#mpuAndPermissions
-    # [8]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html
-    # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
-    # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
-    # [11]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
-    # [12]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
-    # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
-    # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
-    # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
-    # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
+    # [6]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html#mpuAndPermissions
+    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html
+    # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
+    # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
+    # [10]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
+    # [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
+    # [12]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
+    # [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
+    # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
+    # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
+    # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
+    # [17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
+    # [18]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
     #
     # @option params [String] :acl
     #   The canned ACL to apply to the object. Amazon S3 supports a set of
@@ -2965,10 +3159,52 @@ module Aws::S3
     #   The server-side encryption algorithm used when you store this object
     #   in Amazon S3 (for example, `AES256`, `aws:kms`).
     #
-    #   <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
-    #   managed keys (SSE-S3) (`AES256`) is supported.
+    #   * <b>Directory buckets </b> - For directory buckets, there are only
+    #     two supported options for server-side encryption: server-side
+    #     encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
+    #     server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
+    #     recommend that the bucket's default encryption uses the desired
+    #     encryption configuration and you don't override the bucket default
+    #     encryption in your `CreateSession` requests or `PUT` object
+    #     requests. Then, new objects are automatically encrypted with the
+    #     desired encryption settings. For more information, see [Protecting
+    #     data with server-side encryption][1] in the *Amazon S3 User Guide*.
+    #     For more information about the encryption overriding behaviors in
+    #     directory buckets, see [Specifying server-side encryption with KMS
+    #     for new object uploads][2].
+    #
+    #     In the Zonal endpoint API calls (except [CopyObject][3] and
+    #     [UploadPartCopy][4]) using the REST API, the encryption request
+    #     headers must match the encryption settings that are specified in the
+    #     `CreateSession` request. You can't override the values of the
+    #     encryption settings (`x-amz-server-side-encryption`,
+    #     `x-amz-server-side-encryption-aws-kms-key-id`,
+    #     `x-amz-server-side-encryption-context`, and
+    #     `x-amz-server-side-encryption-bucket-key-enabled`) that are
+    #     specified in the `CreateSession` request. You don't need to
+    #     explicitly specify these encryption settings values in Zonal
+    #     endpoint API calls, and Amazon S3 will use the encryption settings
+    #     values from the `CreateSession` request to protect new objects in
+    #     the directory bucket.
+    #
+    #     <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
+    #     `CreateSession`, the session token refreshes automatically to avoid
+    #     service interruptions when a session expires. The CLI or the Amazon
+    #     Web Services SDKs use the bucket's default encryption configuration
+    #     for the `CreateSession` request. It's not supported to override the
+    #     encryption settings values in the `CreateSession` request. So in the
+    #     Zonal endpoint API calls (except [CopyObject][3] and
+    #     [UploadPartCopy][4]), the encryption request headers must match the
+    #     default encryption configuration of the directory bucket.
+    #
+    #      </note>
     #
-    #    </note>
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
+    #   [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
+    #   [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
     #
     # @option params [String] :storage_class
     #   By default, Amazon S3 uses the STANDARD Storage Class to store newly
@@ -3027,34 +3263,76 @@ module Aws::S3
     #    </note>
     #
     # @option params [String] :ssekms_key_id
-    #   Specifies the ID (Key ID, Key ARN, or Key Alias) of the symmetric
-    #   encryption customer managed key to use for object encryption.
-    #
-    #   <note markdown="1"> This functionality is not supported for directory buckets.
-    #
-    #    </note>
+    #   Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
+    #   object encryption. If the KMS key doesn't exist in the same account
+    #   that's issuing the command, you must use the full Key ARN not the Key
+    #   ID.
+    #
+    #   **General purpose buckets** - If you specify
+    #   `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
+    #   header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
+    #   to use. If you specify `x-amz-server-side-encryption:aws:kms` or
+    #   `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
+    #   `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
+    #   Amazon Web Services managed key (`aws/s3`) to protect the data.
+    #
+    #   **Directory buckets** - If you specify `x-amz-server-side-encryption`
+    #   with `aws:kms`, the ` x-amz-server-side-encryption-aws-kms-key-id`
+    #   header is implicitly assigned the ID of the KMS symmetric encryption
+    #   customer managed key that's configured for your directory bucket's
+    #   default encryption setting. If you want to specify the `
+    #   x-amz-server-side-encryption-aws-kms-key-id` header explicitly, you
+    #   can only specify it with the ID (Key ID or Key ARN) of the KMS
+    #   customer managed key that's configured for your directory bucket's
+    #   default encryption setting. Otherwise, you get an HTTP `400 Bad
+    #   Request` error. Only use the key ID or key ARN. The key alias format
+    #   of the KMS key isn't supported. Your SSE-KMS configuration can only
+    #   support 1 [customer managed key][1] per directory bucket for the
+    #   lifetime of the bucket. The [Amazon Web Services managed key][2]
+    #   (`aws/s3`) isn't supported.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
     #
     # @option params [String] :ssekms_encryption_context
     #   Specifies the Amazon Web Services KMS Encryption Context to use for
-    #   object encryption. The value of this header is a base64-encoded UTF-8
-    #   string holding JSON with the encryption context key-value pairs.
+    #   object encryption. The value of this header is a Base64-encoded string
+    #   of a UTF-8 encoded JSON, which contains the encryption context as
+    #   key-value pairs.
     #
-    #   <note markdown="1"> This functionality is not supported for directory buckets.
-    #
-    #    </note>
+    #   **Directory buckets** - You can optionally provide an explicit
+    #   encryption context value. The value must match the default encryption
+    #   context - the bucket Amazon Resource Name (ARN). An additional
+    #   encryption context value is not supported.
     #
     # @option params [Boolean] :bucket_key_enabled
     #   Specifies whether Amazon S3 should use an S3 Bucket Key for object
     #   encryption with server-side encryption using Key Management Service
-    #   (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
-    #   to use an S3 Bucket Key for object encryption with SSE-KMS.
+    #   (KMS) keys (SSE-KMS).
     #
-    #   Specifying this header with an object action doesn’t affect
+    #   **General purpose buckets** - Setting this header to `true` causes
+    #   Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
+    #   Also, specifying this header with a PUT action doesn't affect
     #   bucket-level settings for S3 Bucket Key.
     #
-    #   <note markdown="1"> This functionality is not supported for directory buckets.
+    #   **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
+    #   and `PUT` operations in a directory bucket and can’t be disabled. S3
+    #   Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
+    #   from general purpose buckets to directory buckets, from directory
+    #   buckets to general purpose buckets, or between directory buckets,
+    #   through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
+    #   Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
+    #   makes a call to KMS every time a copy request is made for a
+    #   KMS-encrypted object.
     #
-    #    </note>
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
+    #   [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
+    #   [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
     #
     # @option params [String] :request_payer
     #   Confirms that the requester knows that they will be charged for the
@@ -3215,9 +3493,10 @@ module Aws::S3
 
     # Creates a session that establishes temporary security credentials to
     # support fast authentication and authorization for the Zonal endpoint
-    # APIs on directory buckets. For more information about Zonal endpoint
-    # APIs that include the Availability Zone in the request endpoint, see
-    # [S3 Express One Zone APIs][1] in the *Amazon S3 User Guide*.
+    # API operations on directory buckets. For more information about Zonal
+    # endpoint API operations that include the Availability Zone in the
+    # request endpoint, see [S3 Express One Zone APIs][1] in the *Amazon S3
+    # User Guide*.
     #
     # To make Zonal endpoint API requests on a directory bucket, use the
     # `CreateSession` API operation. Specifically, you grant
@@ -3226,13 +3505,13 @@ module Aws::S3
     # the `CreateSession` API request on the bucket, which returns temporary
     # security credentials that include the access key ID, secret access
     # key, session token, and expiration. These credentials have associated
-    # permissions to access the Zonal endpoint APIs. After the session is
-    # created, you don’t need to use other policies to grant permissions to
-    # each Zonal endpoint API individually. Instead, in your Zonal endpoint
-    # API requests, you sign your requests by applying the temporary
-    # security credentials of the session to the request headers and
-    # following the SigV4 protocol for authentication. You also apply the
-    # session token to the `x-amz-s3session-token` request header for
+    # permissions to access the Zonal endpoint API operations. After the
+    # session is created, you don’t need to use other policies to grant
+    # permissions to each Zonal endpoint API individually. Instead, in your
+    # Zonal endpoint API requests, you sign your requests by applying the
+    # temporary security credentials of the session to the request headers
+    # and following the SigV4 protocol for authentication. You also apply
+    # the session token to the `x-amz-s3session-token` request header for
     # authorization. Temporary security credentials are scoped to the bucket
     # and expire after 5 minutes. After the expiration time, any calls that
     # you make with those credentials will fail. You must use IAM
@@ -3255,16 +3534,16 @@ module Aws::S3
     #   [Regional and Zonal endpoints][3] in the *Amazon S3 User Guide*.
     #
     # * <b> <code>CopyObject</code> API operation</b> - Unlike other Zonal
-    #   endpoint APIs, the `CopyObject` API operation doesn't use the
-    #   temporary security credentials returned from the `CreateSession` API
-    #   operation for authentication and authorization. For information
+    #   endpoint API operations, the `CopyObject` API operation doesn't use
+    #   the temporary security credentials returned from the `CreateSession`
+    #   API operation for authentication and authorization. For information
     #   about authentication and authorization of the `CopyObject` API
     #   operation on directory buckets, see [CopyObject][4].
     #
     # * <b> <code>HeadBucket</code> API operation</b> - Unlike other Zonal
-    #   endpoint APIs, the `HeadBucket` API operation doesn't use the
-    #   temporary security credentials returned from the `CreateSession` API
-    #   operation for authentication and authorization. For information
+    #   endpoint API operations, the `HeadBucket` API operation doesn't use
+    #   the temporary security credentials returned from the `CreateSession`
+    #   API operation for authentication and authorization. For information
     #   about authentication and authorization of the `HeadBucket` API
     #   operation on directory buckets, see [HeadBucket][5].
     #
@@ -3283,9 +3562,71 @@ module Aws::S3
     #   Identity and Access Management (IAM) identity-based policies for S3
     #   Express One Zone][8] in the *Amazon S3 User Guide*.
     #
-    #   To grant cross-account access to Zonal endpoint APIs, the bucket
-    #   policy should also grant both accounts the `s3express:CreateSession`
-    #   permission.
+    #   To grant cross-account access to Zonal endpoint API operations, the
+    #   bucket policy should also grant both accounts the
+    #   `s3express:CreateSession` permission.
+    #
+    #   If you want to encrypt objects with SSE-KMS, you must also have the
+    #   `kms:GenerateDataKey` and the `kms:Decrypt` permissions in IAM
+    #   identity-based policies and KMS key policies for the target KMS key.
+    #
+    # Encryption
+    #
+    # : For directory buckets, there are only two supported options for
+    #   server-side encryption: server-side encryption with Amazon S3
+    #   managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
+    #   keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's default
+    #   encryption uses the desired encryption configuration and you don't
+    #   override the bucket default encryption in your `CreateSession`
+    #   requests or `PUT` object requests. Then, new objects are
+    #   automatically encrypted with the desired encryption settings. For
+    #   more information, see [Protecting data with server-side
+    #   encryption][9] in the *Amazon S3 User Guide*. For more information
+    #   about the encryption overriding behaviors in directory buckets, see
+    #   [Specifying server-side encryption with KMS for new object
+    #   uploads][10].
+    #
+    #   For [Zonal endpoint (object-level) API operations][11] except
+    #   [CopyObject][4] and [UploadPartCopy][12], you authenticate and
+    #   authorize requests through [CreateSession][13] for low latency. To
+    #   encrypt new objects in a directory bucket with SSE-KMS, you must
+    #   specify SSE-KMS as the directory bucket's default encryption
+    #   configuration with a KMS key (specifically, a [customer managed
+    #   key][14]). Then, when a session is created for Zonal endpoint API
+    #   operations, new objects are automatically encrypted and decrypted
+    #   with SSE-KMS and S3 Bucket Keys during the session.
+    #
+    #   <note markdown="1"> Only 1 [customer managed key][14] is supported per directory bucket
+    #   for the lifetime of the bucket. The [Amazon Web Services managed
+    #   key][15] (`aws/s3`) isn't supported. After you specify SSE-KMS as
+    #   your bucket's default encryption configuration with a customer
+    #   managed key, you can't change the customer managed key for the
+    #   bucket's SSE-KMS configuration.
+    #
+    #    </note>
+    #
+    #   In the Zonal endpoint API calls (except [CopyObject][4] and
+    #   [UploadPartCopy][12]) using the REST API, you can't override the
+    #   values of the encryption settings (`x-amz-server-side-encryption`,
+    #   `x-amz-server-side-encryption-aws-kms-key-id`,
+    #   `x-amz-server-side-encryption-context`, and
+    #   `x-amz-server-side-encryption-bucket-key-enabled`) from the
+    #   `CreateSession` request. You don't need to explicitly specify these
+    #   encryption settings values in Zonal endpoint API calls, and Amazon
+    #   S3 will use the encryption settings values from the `CreateSession`
+    #   request to protect new objects in the directory bucket.
+    #
+    #   <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
+    #   `CreateSession`, the session token refreshes automatically to avoid
+    #   service interruptions when a session expires. The CLI or the Amazon
+    #   Web Services SDKs use the bucket's default encryption configuration
+    #   for the `CreateSession` request. It's not supported to override the
+    #   encryption settings values in the `CreateSession` request. Also, in
+    #   the Zonal endpoint API calls (except [CopyObject][4] and
+    #   [UploadPartCopy][12]), it's not supported to override the values of
+    #   the encryption settings from the `CreateSession` request.
+    #
+    #    </note>
     #
     # HTTP Host header syntax
     #
@@ -3302,21 +3643,110 @@ module Aws::S3
     # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html#API_CreateSession_RequestParameters
     # [7]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html
     # [8]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html
+    # [9]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
+    # [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
+    # [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-differences.html#s3-express-differences-api-operations
+    # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
+    # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
+    # [14]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
+    # [15]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
     #
     # @option params [String] :session_mode
     #   Specifies the mode of the session that will be created, either
     #   `ReadWrite` or `ReadOnly`. By default, a `ReadWrite` session is
     #   created. A `ReadWrite` session is capable of executing all the Zonal
-    #   endpoint APIs on a directory bucket. A `ReadOnly` session is
-    #   constrained to execute the following Zonal endpoint APIs: `GetObject`,
-    #   `HeadObject`, `ListObjectsV2`, `GetObjectAttributes`, `ListParts`, and
-    #   `ListMultipartUploads`.
+    #   endpoint API operations on a directory bucket. A `ReadOnly` session is
+    #   constrained to execute the following Zonal endpoint API operations:
+    #   `GetObject`, `HeadObject`, `ListObjectsV2`, `GetObjectAttributes`,
+    #   `ListParts`, and `ListMultipartUploads`.
     #
     # @option params [required, String] :bucket
     #   The name of the bucket that you create a session for.
     #
+    # @option params [String] :server_side_encryption
+    #   The server-side encryption algorithm to use when you store objects in
+    #   the directory bucket.
+    #
+    #   For directory buckets, there are only two supported options for
+    #   server-side encryption: server-side encryption with Amazon S3 managed
+    #   keys (SSE-S3) (`AES256`) and server-side encryption with KMS keys
+    #   (SSE-KMS) (`aws:kms`). By default, Amazon S3 encrypts data with
+    #   SSE-S3. For more information, see [Protecting data with server-side
+    #   encryption][1] in the *Amazon S3 User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
+    #
+    # @option params [String] :ssekms_key_id
+    #   If you specify `x-amz-server-side-encryption` with `aws:kms`, you must
+    #   specify the ` x-amz-server-side-encryption-aws-kms-key-id` header with
+    #   the ID (Key ID or Key ARN) of the KMS symmetric encryption customer
+    #   managed key to use. Otherwise, you get an HTTP `400 Bad Request`
+    #   error. Only use the key ID or key ARN. The key alias format of the KMS
+    #   key isn't supported. Also, if the KMS key doesn't exist in the same
+    #   account that't issuing the command, you must use the full Key ARN not
+    #   the Key ID.
+    #
+    #   Your SSE-KMS configuration can only support 1 [customer managed
+    #   key][1] per directory bucket for the lifetime of the bucket. The
+    #   [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+    #
+    # @option params [String] :ssekms_encryption_context
+    #   Specifies the Amazon Web Services KMS Encryption Context as an
+    #   additional encryption context to use for object encryption. The value
+    #   of this header is a Base64-encoded string of a UTF-8 encoded JSON,
+    #   which contains the encryption context as key-value pairs. This value
+    #   is stored as object metadata and automatically gets passed on to
+    #   Amazon Web Services KMS for future `GetObject` operations on this
+    #   object.
+    #
+    #   **General purpose buckets** - This value must be explicitly added
+    #   during `CopyObject` operations if you want an additional encryption
+    #   context for your object. For more information, see [Encryption
+    #   context][1] in the *Amazon S3 User Guide*.
+    #
+    #   **Directory buckets** - You can optionally provide an explicit
+    #   encryption context value. The value must match the default encryption
+    #   context - the bucket Amazon Resource Name (ARN). An additional
+    #   encryption context value is not supported.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
+    #
+    # @option params [Boolean] :bucket_key_enabled
+    #   Specifies whether Amazon S3 should use an S3 Bucket Key for object
+    #   encryption with server-side encryption using KMS keys (SSE-KMS).
+    #
+    #   S3 Bucket Keys are always enabled for `GET` and `PUT` operations in a
+    #   directory bucket and can’t be disabled. S3 Bucket Keys aren't
+    #   supported, when you copy SSE-KMS encrypted objects from general
+    #   purpose buckets to directory buckets, from directory buckets to
+    #   general purpose buckets, or between directory buckets, through
+    #   [CopyObject][1], [UploadPartCopy][2], [the Copy operation in Batch
+    #   Operations][3], or [the import jobs][4]. In this case, Amazon S3 makes
+    #   a call to KMS every time a copy request is made for a KMS-encrypted
+    #   object.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
+    #   [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
+    #   [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
+    #
     # @return [Types::CreateSessionOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
+    #   * {Types::CreateSessionOutput#server_side_encryption #server_side_encryption} => String
+    #   * {Types::CreateSessionOutput#ssekms_key_id #ssekms_key_id} => String
+    #   * {Types::CreateSessionOutput#ssekms_encryption_context #ssekms_encryption_context} => String
+    #   * {Types::CreateSessionOutput#bucket_key_enabled #bucket_key_enabled} => Boolean
     #   * {Types::CreateSessionOutput#credentials #credentials} => Types::SessionCredentials
     #
     # @example Request syntax with placeholder values
@@ -3324,10 +3754,18 @@ module Aws::S3
     #   resp = client.create_session({
     #     session_mode: "ReadOnly", # accepts ReadOnly, ReadWrite
     #     bucket: "BucketName", # required
+    #     server_side_encryption: "AES256", # accepts AES256, aws:kms, aws:kms:dsse
+    #     ssekms_key_id: "SSEKMSKeyId",
+    #     ssekms_encryption_context: "SSEKMSEncryptionContext",
+    #     bucket_key_enabled: false,
     #   })
     #
     # @example Response structure
     #
+    #   resp.server_side_encryption #=> String, one of "AES256", "aws:kms", "aws:kms:dsse"
+    #   resp.ssekms_key_id #=> String
+    #   resp.ssekms_encryption_context #=> String
+    #   resp.bucket_key_enabled #=> Boolean
     #   resp.credentials.access_key_id #=> String
     #   resp.credentials.secret_access_key #=> String
     #   resp.credentials.session_token #=> String
@@ -3573,47 +4011,92 @@ module Aws::S3
       req.send_request(options)
     end
 
-    # <note markdown="1"> This operation is not supported by directory buckets.
+    # This implementation of the DELETE action resets the default encryption
+    # for the bucket as server-side encryption with Amazon S3 managed keys
+    # (SSE-S3).
+    #
+    # <note markdown="1"> * **General purpose buckets** - For information about the bucket
+    #   default encryption feature, see [Amazon S3 Bucket Default
+    #   Encryption][1] in the *Amazon S3 User Guide*.
+    #
+    # * **Directory buckets** - For directory buckets, there are only two
+    #   supported options for server-side encryption: SSE-S3 and SSE-KMS.
+    #   For information about the default encryption configuration in
+    #   directory buckets, see [Setting default server-side encryption
+    #   behavior for directory buckets][2].
     #
     #  </note>
     #
-    # This implementation of the DELETE action resets the default encryption
-    # for the bucket as server-side encryption with Amazon S3 managed keys
-    # (SSE-S3). For information about the bucket default encryption feature,
-    # see [Amazon S3 Bucket Default Encryption][1] in the *Amazon S3 User
-    # Guide*.
+    # Permissions
+    # : * **General purpose bucket permissions** - The
+    #     `s3:PutEncryptionConfiguration` permission is required in a
+    #     policy. The bucket owner has this permission by default. The
+    #     bucket owner can grant this permission to others. For more
+    #     information about permissions, see [Permissions Related to Bucket
+    #     Operations][3] and [Managing Access Permissions to Your Amazon S3
+    #     Resources][4].
     #
-    # To use this operation, you must have permissions to perform the
-    # `s3:PutEncryptionConfiguration` action. The bucket owner has this
-    # permission by default. The bucket owner can grant this permission to
-    # others. For more information about permissions, see [Permissions
-    # Related to Bucket Subresource Operations][2] and [Managing Access
-    # Permissions to your Amazon S3 Resources][3] in the *Amazon S3 User
-    # Guide*.
+    #   * **Directory bucket permissions** - To grant access to this API
+    #     operation, you must have the
+    #     `s3express:PutEncryptionConfiguration` permission in an IAM
+    #     identity-based policy instead of a bucket policy. Cross-account
+    #     access to this API operation isn't supported. This operation can
+    #     only be performed by the Amazon Web Services account that owns the
+    #     resource. For more information about directory bucket policies and
+    #     permissions, see [Amazon Web Services Identity and Access
+    #     Management (IAM) for S3 Express One Zone][5] in the *Amazon S3
+    #     User Guide*.
+    #
+    # HTTP Host header syntax
+    #
+    # : <b>Directory buckets </b> - The HTTP Host header syntax is
+    #   `s3express-control.region.amazonaws.com`.
     #
     # The following operations are related to `DeleteBucketEncryption`:
     #
-    # * [PutBucketEncryption][4]
+    # * [PutBucketEncryption][6]
     #
-    # * [GetBucketEncryption][5]
+    # * [GetBucketEncryption][7]
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
-    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
-    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
-    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
-    # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
+    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-bucket-encryption.html
+    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
+    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
+    # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
+    # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
+    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
     #
     # @option params [required, String] :bucket
     #   The name of the bucket containing the server-side encryption
     #   configuration to delete.
     #
+    #   <b>Directory buckets </b> - When you use this operation with a
+    #   directory bucket, you must use path-style requests in the format
+    #   `https://s3express-control.region_code.amazonaws.com/bucket-name `.
+    #   Virtual-hosted-style requests aren't supported. Directory bucket
+    #   names must be unique in the chosen Availability Zone. Bucket names
+    #   must also follow the format ` bucket_base_name--az_id--x-s3` (for
+    #   example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
+    #   bucket naming restrictions, see [Directory bucket naming rules][1] in
+    #   the *Amazon S3 User Guide*
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
+    #
     # @option params [String] :expected_bucket_owner
     #   The account ID of the expected bucket owner. If the account ID that
     #   you provide does not match the actual owner of the bucket, the request
     #   fails with the HTTP status code `403 Forbidden` (access denied).
     #
+    #   <note markdown="1"> For directory buckets, this header is not supported in this API
+    #   operation. If you specify this header, the request fails with the HTTP
+    #   status code `501 Not Implemented`.
+    #
+    #    </note>
+    #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
     # @example Request syntax with placeholder values
@@ -4271,67 +4754,33 @@ module Aws::S3
     end
 
     # Removes an object from a bucket. The behavior depends on the bucket's
-    # versioning state:
-    #
-    # * If bucket versioning is not enabled, the operation permanently
-    #   deletes the object.
-    #
-    # * If bucket versioning is enabled, the operation inserts a delete
-    #   marker, which becomes the current version of the object. To
-    #   permanently delete an object in a versioned bucket, you must include
-    #   the object’s `versionId` in the request. For more information about
-    #   versioning-enabled buckets, see [Deleting object versions from a
-    #   versioning-enabled bucket][1].
-    #
-    # * If bucket versioning is suspended, the operation removes the object
-    #   that has a null `versionId`, if there is one, and inserts a delete
-    #   marker that becomes the current version of the object. If there
-    #   isn't an object with a null `versionId`, and all versions of the
-    #   object have a `versionId`, Amazon S3 does not remove the object and
-    #   only inserts a delete marker. To permanently delete an object that
-    #   has a `versionId`, you must include the object’s `versionId` in the
-    #   request. For more information about versioning-suspended buckets,
-    #   see [Deleting objects from versioning-suspended buckets][2].
-    #
-    # <note markdown="1"> * **Directory buckets** - S3 Versioning isn't enabled and supported
-    #   for directory buckets. For this API operation, only the `null` value
-    #   of the version ID is supported by directory buckets. You can only
-    #   specify `null` to the `versionId` query parameter in the request.
-    #
-    # * **Directory buckets** - For directory buckets, you must make
-    #   requests for this API operation to the Zonal endpoint. These
-    #   endpoints support virtual-hosted-style requests in the format
-    #   `https://bucket_name.s3express-az_id.region.amazonaws.com/key-name
-    #   `. Path-style requests are not supported. For more information, see
-    #   [Regional and Zonal endpoints][3] in the *Amazon S3 User Guide*.
-    #
-    #  </note>
+    # versioning state. For more information, see [Best practices to
+    # consider before deleting an object][1].
     #
     # To remove a specific version, you must use the `versionId` query
     # parameter. Using this query parameter permanently deletes the version.
     # If the object deleted is a delete marker, Amazon S3 sets the response
-    # header `x-amz-delete-marker` to true.
-    #
-    # If the object you want to delete is in a bucket where the bucket
-    # versioning configuration is MFA Delete enabled, you must include the
-    # `x-amz-mfa` request header in the DELETE `versionId` request. Requests
-    # that include `x-amz-mfa` must use HTTPS. For more information about
-    # MFA Delete, see [Using MFA Delete][4] in the *Amazon S3 User Guide*.
-    # To see sample requests that use versioning, see [Sample Request][5].
-    #
-    # <note markdown="1"> **Directory buckets** - MFA delete is not supported by directory
-    # buckets.
+    # header `x-amz-delete-marker` to true. If the object you want to delete
+    # is in a bucket where the bucket versioning configuration is MFA delete
+    # enabled, you must include the `x-amz-mfa` request header in the DELETE
+    # `versionId` request. Requests that include `x-amz-mfa` must use HTTPS.
+    # For more information about MFA delete and to see example requests, see
+    # [Using MFA delete][2] and [Sample request][3] in the *Amazon S3 User
+    # Guide*.
     #
-    #  </note>
+    # <note markdown="1"> * S3 Versioning isn't enabled and supported for directory buckets.
+    #   For this API operation, only the `null` value of the version ID is
+    #   supported by directory buckets. You can only specify `null` to the
+    #   `versionId` query parameter in the request.
     #
-    # You can delete objects by explicitly calling DELETE Object or calling
-    # ([PutBucketLifecycle][6]) to enable Amazon S3 to remove them for you.
-    # If you want to block users or accounts from removing or deleting
-    # objects from your bucket, you must deny them the `s3:DeleteObject`,
-    # `s3:DeleteObjectVersion`, and `s3:PutLifeCycleConfiguration` actions.
+    # * For directory buckets, you must make requests for this API operation
+    #   to the Zonal endpoint. These endpoints support virtual-hosted-style
+    #   requests in the format
+    #   `https://bucket_name.s3express-az_id.region.amazonaws.com/key-name
+    #   `. Path-style requests are not supported. For more information, see
+    #   [Regional and Zonal endpoints][4] in the *Amazon S3 User Guide*.
     #
-    # <note markdown="1"> **Directory buckets** - S3 Lifecycle is not supported by directory
-    # buckets.
+    # * MFA delete is not supported by directory buckets.
     #
     #  </note>
     #
@@ -4343,24 +4792,23 @@ module Aws::S3
     #     * <b> <code>s3:DeleteObject</code> </b> - To delete an object from
     #       a bucket, you must always have the `s3:DeleteObject` permission.
     #
+    #       <note markdown="1"> You can also use PutBucketLifecycle to delete objects in Amazon
+    #       S3.
+    #
+    #        </note>
+    #
     #     * <b> <code>s3:DeleteObjectVersion</code> </b> - To delete a
     #       specific version of an object from a versioning-enabled bucket,
     #       you must have the `s3:DeleteObjectVersion` permission.
     #
-    #   * **Directory bucket permissions** - To grant access to this API
-    #     operation on a directory bucket, we recommend that you use the [
-    #     `CreateSession` ][7] API operation for session-based
-    #     authorization. Specifically, you grant the
-    #     `s3express:CreateSession` permission to the directory bucket in a
-    #     bucket policy or an IAM identity-based policy. Then, you make the
-    #     `CreateSession` API call on the bucket to obtain a session token.
-    #     With the session token in your request header, you can make API
-    #     requests to this operation. After the session token expires, you
-    #     make another `CreateSession` API call to generate a new session
-    #     token for use. Amazon Web Services CLI or SDKs create session and
-    #     refresh the session token automatically to avoid service
-    #     interruptions when a session expires. For more information about
-    #     authorization, see [ `CreateSession` ][7].
+    #     * If you want to block users or accounts from removing or deleting
+    #       objects from your bucket, you must deny them the
+    #       `s3:DeleteObject`, `s3:DeleteObjectVersion`, and
+    #       `s3:PutLifeCycleConfiguration` permissions.
+    #
+    #   * **Directory buckets permissions** - To grant access to this API
+    #     operation on a directory bucket, we recommend that you use the
+    #     CreateSession API operation for session-based authorization.
     #
     # HTTP Host header syntax
     #
@@ -4369,20 +4817,17 @@ module Aws::S3
     #
     # The following action is related to `DeleteObject`:
     #
-    # * [PutObject][8]
+    # * [PutObject][5]
     #
     # ^
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/DeletingObjectVersions.html
-    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/DeletingObjectsfromVersioningSuspendedBuckets.html
-    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
-    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html
-    # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectDELETE.html#ExampleVersionObjectDelete
-    # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycle.html
-    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
-    # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/DeletingObjects.html#DeletingObjects-best-practices
+    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html
+    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectDELETE.html#ExampleVersionObjectDelete
+    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
+    # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html
     #
     # @option params [required, String] :bucket
     #   The bucket name of the bucket containing the object.
@@ -4487,6 +4932,15 @@ module Aws::S3
     #   * {Types::DeleteObjectOutput#request_charged #request_charged} => String
     #
     #
+    # @example Example: To delete an object (from a non-versioned bucket)
+    #
+    #   # The following example deletes an object from a non-versioned bucket.
+    #
+    #   resp = client.delete_object({
+    #     bucket: "ExampleBucket", 
+    #     key: "HappyFace.jpg", 
+    #   })
+    #
     # @example Example: To delete an object
     #
     #   # The following example deletes an object from an S3 bucket.
@@ -4500,15 +4954,6 @@ module Aws::S3
     #   {
     #   }
     #
-    # @example Example: To delete an object (from a non-versioned bucket)
-    #
-    #   # The following example deletes an object from a non-versioned bucket.
-    #
-    #   resp = client.delete_object({
-    #     bucket: "ExampleBucket", 
-    #     key: "HappyFace.jpg", 
-    #   })
-    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.delete_object({
@@ -4607,35 +5052,35 @@ module Aws::S3
     #   * {Types::DeleteObjectTaggingOutput#version_id #version_id} => String
     #
     #
-    # @example Example: To remove tag set from an object version
+    # @example Example: To remove tag set from an object
     #
-    #   # The following example removes tag set associated with the specified object version. The request specifies both the
-    #   # object key and object version.
+    #   # The following example removes tag set associated with the specified object. If the bucket is versioning enabled, the
+    #   # operation removes tag set from the latest object version.
     #
     #   resp = client.delete_object_tagging({
     #     bucket: "examplebucket", 
     #     key: "HappyFace.jpg", 
-    #     version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI", 
     #   })
     #
     #   resp.to_h outputs the following:
     #   {
-    #     version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI", 
+    #     version_id: "null", 
     #   }
     #
-    # @example Example: To remove tag set from an object
+    # @example Example: To remove tag set from an object version
     #
-    #   # The following example removes tag set associated with the specified object. If the bucket is versioning enabled, the
-    #   # operation removes tag set from the latest object version.
+    #   # The following example removes tag set associated with the specified object version. The request specifies both the
+    #   # object key and object version.
     #
     #   resp = client.delete_object_tagging({
     #     bucket: "examplebucket", 
     #     key: "HappyFace.jpg", 
+    #     version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI", 
     #   })
     #
     #   resp.to_h outputs the following:
     #   {
-    #     version_id: "null", 
+    #     version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI", 
     #   }
     #
     # @example Request syntax with placeholder values
@@ -4717,7 +5162,7 @@ module Aws::S3
     #       permission.
     #
     #     * <b> <code>s3:DeleteObjectVersion</code> </b> - To delete a
-    #       specific version of an object from a versiong-enabled bucket,
+    #       specific version of an object from a versioning-enabled bucket,
     #       you must specify the `s3:DeleteObjectVersion` permission.
     #
     #   * **Directory bucket permissions** - To grant access to this API
@@ -4887,13 +5332,13 @@ module Aws::S3
     #   For the `x-amz-checksum-algorithm ` header, replace ` algorithm ` with
     #   the supported algorithm from the following list:
     #
-    #   * CRC32
+    #   * `CRC32`
     #
-    #   * CRC32C
+    #   * `CRC32C`
     #
-    #   * SHA1
+    #   * `SHA1`
     #
-    #   * SHA256
+    #   * `SHA256`
     #
     #   For more information, see [Checking object integrity][1] in the
     #   *Amazon S3 User Guide*.
@@ -4918,22 +5363,20 @@ module Aws::S3
     #   * {Types::DeleteObjectsOutput#errors #errors} => Array&lt;Types::Error&gt;
     #
     #
-    # @example Example: To delete multiple object versions from a versioned bucket
+    # @example Example: To delete multiple objects from a versioned bucket
     #
-    #   # The following example deletes objects from a bucket. The request specifies object versions. S3 deletes specific object
-    #   # versions and returns the key and versions of deleted objects in the response.
+    #   # The following example deletes objects from a bucket. The bucket is versioned, and the request does not specify the
+    #   # object version to delete. In this case, all versions remain in the bucket and S3 adds a delete marker.
     #
     #   resp = client.delete_objects({
     #     bucket: "examplebucket", 
     #     delete: {
     #       objects: [
     #         {
-    #           key: "HappyFace.jpg", 
-    #           version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b", 
+    #           key: "objectkey1", 
     #         }, 
     #         {
-    #           key: "HappyFace.jpg", 
-    #           version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd", 
+    #           key: "objectkey2", 
     #         }, 
     #       ], 
     #       quiet: false, 
@@ -4944,30 +5387,34 @@ module Aws::S3
     #   {
     #     deleted: [
     #       {
-    #         key: "HappyFace.jpg", 
-    #         version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd", 
+    #         delete_marker: true, 
+    #         delete_marker_version_id: "A._w1z6EFiCF5uhtQMDal9JDkID9tQ7F", 
+    #         key: "objectkey1", 
     #       }, 
     #       {
-    #         key: "HappyFace.jpg", 
-    #         version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b", 
+    #         delete_marker: true, 
+    #         delete_marker_version_id: "iOd_ORxhkKe_e8G8_oSGxt2PjsCZKlkt", 
+    #         key: "objectkey2", 
     #       }, 
     #     ], 
     #   }
     #
-    # @example Example: To delete multiple objects from a versioned bucket
+    # @example Example: To delete multiple object versions from a versioned bucket
     #
-    #   # The following example deletes objects from a bucket. The bucket is versioned, and the request does not specify the
-    #   # object version to delete. In this case, all versions remain in the bucket and S3 adds a delete marker.
+    #   # The following example deletes objects from a bucket. The request specifies object versions. S3 deletes specific object
+    #   # versions and returns the key and versions of deleted objects in the response.
     #
     #   resp = client.delete_objects({
     #     bucket: "examplebucket", 
     #     delete: {
     #       objects: [
     #         {
-    #           key: "objectkey1", 
+    #           key: "HappyFace.jpg", 
+    #           version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b", 
     #         }, 
     #         {
-    #           key: "objectkey2", 
+    #           key: "HappyFace.jpg", 
+    #           version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd", 
     #         }, 
     #       ], 
     #       quiet: false, 
@@ -4978,14 +5425,12 @@ module Aws::S3
     #   {
     #     deleted: [
     #       {
-    #         delete_marker: true, 
-    #         delete_marker_version_id: "A._w1z6EFiCF5uhtQMDal9JDkID9tQ7F", 
-    #         key: "objectkey1", 
+    #         key: "HappyFace.jpg", 
+    #         version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd", 
     #       }, 
     #       {
-    #         delete_marker: true, 
-    #         delete_marker_version_id: "iOd_ORxhkKe_e8G8_oSGxt2PjsCZKlkt", 
-    #         key: "objectkey2", 
+    #         key: "HappyFace.jpg", 
+    #         version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b", 
     #       }, 
     #     ], 
     #   }
@@ -5488,46 +5933,92 @@ module Aws::S3
       req.send_request(options)
     end
 
-    # <note markdown="1"> This operation is not supported by directory buckets.
+    # Returns the default encryption configuration for an Amazon S3 bucket.
+    # By default, all buckets have a default encryption configuration that
+    # uses server-side encryption with Amazon S3 managed keys (SSE-S3).
+    #
+    # <note markdown="1"> * **General purpose buckets** - For information about the bucket
+    #   default encryption feature, see [Amazon S3 Bucket Default
+    #   Encryption][1] in the *Amazon S3 User Guide*.
+    #
+    # * **Directory buckets** - For directory buckets, there are only two
+    #   supported options for server-side encryption: SSE-S3 and SSE-KMS.
+    #   For information about the default encryption configuration in
+    #   directory buckets, see [Setting default server-side encryption
+    #   behavior for directory buckets][2].
     #
     #  </note>
     #
-    # Returns the default encryption configuration for an Amazon S3 bucket.
-    # By default, all buckets have a default encryption configuration that
-    # uses server-side encryption with Amazon S3 managed keys (SSE-S3). For
-    # information about the bucket default encryption feature, see [Amazon
-    # S3 Bucket Default Encryption][1] in the *Amazon S3 User Guide*.
+    # Permissions
+    # : * **General purpose bucket permissions** - The
+    #     `s3:GetEncryptionConfiguration` permission is required in a
+    #     policy. The bucket owner has this permission by default. The
+    #     bucket owner can grant this permission to others. For more
+    #     information about permissions, see [Permissions Related to Bucket
+    #     Operations][3] and [Managing Access Permissions to Your Amazon S3
+    #     Resources][4].
     #
-    # To use this operation, you must have permission to perform the
-    # `s3:GetEncryptionConfiguration` action. The bucket owner has this
-    # permission by default. The bucket owner can grant this permission to
-    # others. For more information about permissions, see [Permissions
-    # Related to Bucket Subresource Operations][2] and [Managing Access
-    # Permissions to Your Amazon S3 Resources][3].
+    #   * **Directory bucket permissions** - To grant access to this API
+    #     operation, you must have the
+    #     `s3express:GetEncryptionConfiguration` permission in an IAM
+    #     identity-based policy instead of a bucket policy. Cross-account
+    #     access to this API operation isn't supported. This operation can
+    #     only be performed by the Amazon Web Services account that owns the
+    #     resource. For more information about directory bucket policies and
+    #     permissions, see [Amazon Web Services Identity and Access
+    #     Management (IAM) for S3 Express One Zone][5] in the *Amazon S3
+    #     User Guide*.
+    #
+    # HTTP Host header syntax
+    #
+    # : <b>Directory buckets </b> - The HTTP Host header syntax is
+    #   `s3express-control.region.amazonaws.com`.
     #
     # The following operations are related to `GetBucketEncryption`:
     #
-    # * [PutBucketEncryption][4]
+    # * [PutBucketEncryption][6]
     #
-    # * [DeleteBucketEncryption][5]
+    # * [DeleteBucketEncryption][7]
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
-    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
-    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
-    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
-    # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
+    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-bucket-encryption.html
+    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
+    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
+    # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
+    # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
+    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
     #
     # @option params [required, String] :bucket
     #   The name of the bucket from which the server-side encryption
     #   configuration is retrieved.
     #
+    #   <b>Directory buckets </b> - When you use this operation with a
+    #   directory bucket, you must use path-style requests in the format
+    #   `https://s3express-control.region_code.amazonaws.com/bucket-name `.
+    #   Virtual-hosted-style requests aren't supported. Directory bucket
+    #   names must be unique in the chosen Availability Zone. Bucket names
+    #   must also follow the format ` bucket_base_name--az_id--x-s3` (for
+    #   example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
+    #   bucket naming restrictions, see [Directory bucket naming rules][1] in
+    #   the *Amazon S3 User Guide*
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
+    #
     # @option params [String] :expected_bucket_owner
     #   The account ID of the expected bucket owner. If the account ID that
     #   you provide does not match the actual owner of the bucket, the request
     #   fails with the HTTP status code `403 Forbidden` (access denied).
     #
+    #   <note markdown="1"> For directory buckets, this header is not supported in this API
+    #   operation. If you specify this header, the request fails with the HTTP
+    #   status code `501 Not Implemented`.
+    #
+    #    </note>
+    #
     # @return [Types::GetBucketEncryptionOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::GetBucketEncryptionOutput#server_side_encryption_configuration #server_side_encryption_configuration} => Types::ServerSideEncryptionConfiguration
@@ -5908,6 +6399,7 @@ module Aws::S3
     # @return [Types::GetBucketLifecycleConfigurationOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::GetBucketLifecycleConfigurationOutput#rules #rules} => Array&lt;Types::LifecycleRule&gt;
+    #   * {Types::GetBucketLifecycleConfigurationOutput#transition_default_minimum_object_size #transition_default_minimum_object_size} => String
     #
     #
     # @example Example: To get lifecycle configuration on a bucket
@@ -5973,6 +6465,7 @@ module Aws::S3
     #   resp.rules[0].noncurrent_version_expiration.noncurrent_days #=> Integer
     #   resp.rules[0].noncurrent_version_expiration.newer_noncurrent_versions #=> Integer
     #   resp.rules[0].abort_incomplete_multipart_upload.days_after_initiation #=> Integer
+    #   resp.transition_default_minimum_object_size #=> String, one of "varies_by_storage_class", "all_storage_classes_128K"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/GetBucketLifecycleConfiguration AWS API Documentation
     #
@@ -7267,6 +7760,10 @@ module Aws::S3
     #     interruptions when a session expires. For more information about
     #     authorization, see [ `CreateSession` ][4].
     #
+    #     If the object is encrypted using SSE-KMS, you must also have the
+    #     `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
+    #     identity-based policies and KMS key policies for the KMS key.
+    #
     # Storage classes
     #
     # : If the object you are retrieving is stored in the S3 Glacier
@@ -7295,6 +7792,11 @@ module Aws::S3
     #   `GetObject` requests for the object that uses these types of keys,
     #   you’ll get an HTTP `400 Bad Request` error.
     #
+    #   **Directory buckets** - For directory buckets, there are only two
+    #   supported options for server-side encryption: SSE-S3 and SSE-KMS.
+    #   SSE-C isn't supported. For more information, see [Protecting data
+    #   with server-side encryption][7] in the *Amazon S3 User Guide*.
+    #
     # Overriding response header values through the request
     #
     # : There are times when you want to override certain response header
@@ -7342,9 +7844,9 @@ module Aws::S3
     #
     # The following operations are related to `GetObject`:
     #
-    # * [ListBuckets][7]
+    # * [ListBuckets][8]
     #
-    # * [GetObjectAcl][8]
+    # * [GetObjectAcl][9]
     #
     #
     #
@@ -7354,8 +7856,9 @@ module Aws::S3
     # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
     # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
     # [6]: https://docs.aws.amazon.com/AmazonS3/latest/dev/restoring-objects.html
-    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html
-    # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
+    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
+    # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html
+    # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
     #
     # @option params [String, IO] :response_target
     #   Where to write response data, file path, or IO object.
@@ -7652,6 +8155,15 @@ module Aws::S3
     # @option params [String] :checksum_mode
     #   To retrieve the checksum, this mode must be enabled.
     #
+    #   **General purpose buckets** - In addition, if you enable checksum mode
+    #   and the object is uploaded with a [checksum][1] and encrypted with an
+    #   Key Management Service (KMS) key, you must have permission to use the
+    #   `kms:Decrypt` action to retrieve the checksum.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
+    #
     # @return [Types::GetObjectOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::GetObjectOutput#body #body} => IO
@@ -8048,7 +8560,7 @@ module Aws::S3
     # Permissions
     # : * **General purpose bucket permissions** - To use
     #     `GetObjectAttributes`, you must have READ access to the object.
-    #     The permissions that you need to use this operation with depend on
+    #     The permissions that you need to use this operation depend on
     #     whether the bucket is versioned. If the bucket is versioned, you
     #     need both the `s3:GetObjectVersion` and
     #     `s3:GetObjectVersionAttributes` permissions for this operation. If
@@ -8082,6 +8594,10 @@ module Aws::S3
     #     interruptions when a session expires. For more information about
     #     authorization, see [ `CreateSession` ][3].
     #
+    #     If the object is encrypted with SSE-KMS, you must also have the
+    #     `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
+    #     identity-based policies and KMS key policies for the KMS key.
+    #
     # Encryption
     # : <note markdown="1"> Encryption request headers, like `x-amz-server-side-encryption`,
     #   should not be sent for `HEAD` requests if your object uses
@@ -8115,9 +8631,19 @@ module Aws::S3
     #   Customer-Provided Encryption Keys)][4] in the *Amazon S3 User
     #   Guide*.
     #
-    #   <note markdown="1"> **Directory bucket permissions** - For directory buckets, only
-    #   server-side encryption with Amazon S3 managed keys (SSE-S3)
-    #   (`AES256`) is supported.
+    #   <note markdown="1"> **Directory bucket permissions** - For directory buckets, there are
+    #   only two supported options for server-side encryption: server-side
+    #   encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
+    #   server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
+    #   recommend that the bucket's default encryption uses the desired
+    #   encryption configuration and you don't override the bucket default
+    #   encryption in your `CreateSession` requests or `PUT` object
+    #   requests. Then, new objects are automatically encrypted with the
+    #   desired encryption settings. For more information, see [Protecting
+    #   data with server-side encryption][5] in the *Amazon S3 User Guide*.
+    #   For more information about the encryption overriding behaviors in
+    #   directory buckets, see [Specifying server-side encryption with KMS
+    #   for new object uploads][6].
     #
     #    </note>
     #
@@ -8141,7 +8667,7 @@ module Aws::S3
     #     * `If-Unmodified-Since` condition evaluates to `false`.
     #
     #     For more information about conditional requests, see [RFC
-    #     7232][5].
+    #     7232][7].
     #
     #   * If both of the `If-None-Match` and `If-Modified-Since` headers are
     #     present in the request as follows, then Amazon S3 returns the HTTP
@@ -8152,7 +8678,7 @@ module Aws::S3
     #     * `If-Modified-Since` condition evaluates to `true`.
     #
     #     For more information about conditional requests, see [RFC
-    #     7232][5].
+    #     7232][7].
     #
     # HTTP Host header syntax
     #
@@ -8161,21 +8687,21 @@ module Aws::S3
     #
     # The following actions are related to `GetObjectAttributes`:
     #
-    # * [GetObject][6]
+    # * [GetObject][8]
     #
-    # * [GetObjectAcl][7]
+    # * [GetObjectAcl][9]
     #
-    # * [GetObjectLegalHold][8]
+    # * [GetObjectLegalHold][10]
     #
-    # * [GetObjectLockConfiguration][9]
+    # * [GetObjectLockConfiguration][11]
     #
-    # * [GetObjectRetention][10]
+    # * [GetObjectRetention][12]
     #
-    # * [GetObjectTagging][11]
+    # * [GetObjectTagging][13]
     #
-    # * [HeadObject][12]
+    # * [HeadObject][14]
     #
-    # * [ListParts][13]
+    # * [ListParts][15]
     #
     #
     #
@@ -8183,15 +8709,17 @@ module Aws::S3
     # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
     # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
     # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
-    # [5]: https://tools.ietf.org/html/rfc7232
-    # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
-    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
-    # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLegalHold.html
-    # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLockConfiguration.html
-    # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectRetention.html
-    # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectTagging.html
-    # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html
-    # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
+    # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
+    # [6]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
+    # [7]: https://tools.ietf.org/html/rfc7232
+    # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
+    # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
+    # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLegalHold.html
+    # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLockConfiguration.html
+    # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectRetention.html
+    # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectTagging.html
+    # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html
+    # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
     #
     # @option params [required, String] :bucket
     #   The name of the bucket that contains the object.
@@ -8986,29 +9514,24 @@ module Aws::S3
     # have permission to access it. The action returns a `200 OK` if the
     # bucket exists and you have permission to access it.
     #
-    # If the bucket does not exist or you do not have permission to access
+    # <note markdown="1"> If the bucket does not exist or you do not have permission to access
     # it, the `HEAD` request returns a generic `400 Bad Request`, `403
     # Forbidden` or `404 Not Found` code. A message body is not included, so
     # you cannot determine the exception beyond these HTTP response codes.
     #
-    # <note markdown="1"> <b>Directory buckets </b> - You must make requests for this API
-    # operation to the Zonal endpoint. These endpoints support
-    # virtual-hosted-style requests in the format
-    # `https://bucket_name.s3express-az_id.region.amazonaws.com`. Path-style
-    # requests are not supported. For more information, see [Regional and
-    # Zonal endpoints][1] in the *Amazon S3 User Guide*.
-    #
     #  </note>
     #
     # Authentication and authorization
     #
-    # : All `HeadBucket` requests must be authenticated and signed by using
-    #   IAM credentials (access key ID and secret access key for the IAM
-    #   identities). All headers with the `x-amz-` prefix, including
+    # : **General purpose buckets** - Request to public buckets that grant
+    #   the s3:ListBucket permission publicly do not need to be signed. All
+    #   other `HeadBucket` requests must be authenticated and signed by
+    #   using IAM credentials (access key ID and secret access key for the
+    #   IAM identities). All headers with the `x-amz-` prefix, including
     #   `x-amz-copy-source`, must be signed. For more information, see [REST
-    #   Authentication][2].
+    #   Authentication][1].
     #
-    #   **Directory bucket** - You must use IAM credentials to authenticate
+    #   **Directory buckets** - You must use IAM credentials to authenticate
     #   and authorize your access to the `HeadBucket` API operation, instead
     #   of using the temporary security credentials through the
     #   `CreateSession` API operation.
@@ -9024,7 +9547,7 @@ module Aws::S3
     #     you must have permissions to perform the `s3:ListBucket` action.
     #     The bucket owner has this permission by default and can grant this
     #     permission to others. For more information about permissions, see
-    #     [Managing access permissions to your Amazon S3 resources][3] in
+    #     [Managing access permissions to your Amazon S3 resources][2] in
     #     the *Amazon S3 User Guide*.
     #
     #   * **Directory bucket permissions** - You must have the <b>
@@ -9035,9 +9558,9 @@ module Aws::S3
     #     `ReadOnly` on the bucket.
     #
     #     For more information about example bucket policies, see [Example
-    #     bucket policies for S3 Express One Zone][4] and [Amazon Web
+    #     bucket policies for S3 Express One Zone][3] and [Amazon Web
     #     Services Identity and Access Management (IAM) identity-based
-    #     policies for S3 Express One Zone][5] in the *Amazon S3 User
+    #     policies for S3 Express One Zone][4] in the *Amazon S3 User
     #     Guide*.
     #
     # HTTP Host header syntax
@@ -9045,13 +9568,21 @@ module Aws::S3
     # : <b>Directory buckets </b> - The HTTP Host header syntax is `
     #   Bucket_name.s3express-az_id.region.amazonaws.com`.
     #
+    #   <note markdown="1"> You must make requests for this API operation to the Zonal endpoint.
+    #   These endpoints support virtual-hosted-style requests in the format
+    #   `https://bucket_name.s3express-az_id.region.amazonaws.com`.
+    #   Path-style requests are not supported. For more information, see
+    #   [Regional and Zonal endpoints][5] in the *Amazon S3 User Guide*.
+    #
+    #    </note>
     #
     #
-    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
-    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html
-    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
-    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html
-    # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html
+    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
+    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html
+    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html
+    # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
     #
     # @option params [required, String] :bucket
     #   The bucket name.
@@ -9159,7 +9690,7 @@ module Aws::S3
     # returning the object itself. This operation is useful if you're
     # interested only in an object's metadata.
     #
-    # A `HEAD` request has the same options as a `GET` operation on an
+    # <note markdown="1"> A `HEAD` request has the same options as a `GET` operation on an
     # object. The response is identical to the `GET` response except that
     # there is no response body. Because of this, if the `HEAD` request
     # generates an error, it returns a generic code, such as `400 Bad
@@ -9167,18 +9698,11 @@ module Aws::S3
     # `412 Precondition Failed`, or `304 Not Modified`. It's not possible
     # to retrieve the exact exception of these error codes.
     #
+    #  </note>
+    #
     # Request headers are limited to 8 KB in size. For more information, see
     # [Common Request Headers][1].
     #
-    # <note markdown="1"> **Directory buckets** - For directory buckets, you must make requests
-    # for this API operation to the Zonal endpoint. These endpoints support
-    # virtual-hosted-style requests in the format
-    # `https://bucket_name.s3express-az_id.region.amazonaws.com/key-name `.
-    # Path-style requests are not supported. For more information, see
-    # [Regional and Zonal endpoints][2] in the *Amazon S3 User Guide*.
-    #
-    #  </note>
-    #
     # Permissions
     #
     # :
@@ -9187,7 +9711,11 @@ module Aws::S3
     #     have the `s3:GetObject` permission. You need the relevant read
     #     object (or version) permission for this operation. For more
     #     information, see [Actions, resources, and condition keys for
-    #     Amazon S3][3] in the *Amazon S3 User Guide*.
+    #     Amazon S3][2] in the *Amazon S3 User Guide*. For more information
+    #     about the permissions to S3 API operations by S3 resource types,
+    #     see [Required permissions for Amazon S3 API
+    #     operations](/AmazonS3/latest/userguide/using-with-s3-policy-actions.html)
+    #     in the *Amazon S3 User Guide*.
     #
     #     If the object you request doesn't exist, the error that Amazon S3
     #     returns depends on whether you also have the `s3:ListBucket`
@@ -9201,7 +9729,7 @@ module Aws::S3
     #
     #   * **Directory bucket permissions** - To grant access to this API
     #     operation on a directory bucket, we recommend that you use the [
-    #     `CreateSession` ][4] API operation for session-based
+    #     `CreateSession` ][3] API operation for session-based
     #     authorization. Specifically, you grant the
     #     `s3express:CreateSession` permission to the directory bucket in a
     #     bucket policy or an IAM identity-based policy. Then, you make the
@@ -9212,7 +9740,14 @@ module Aws::S3
     #     token for use. Amazon Web Services CLI or SDKs create session and
     #     refresh the session token automatically to avoid service
     #     interruptions when a session expires. For more information about
-    #     authorization, see [ `CreateSession` ][4].
+    #     authorization, see [ `CreateSession` ][3].
+    #
+    #     If you enable `x-amz-checksum-mode` in the request and the object
+    #     is encrypted with Amazon Web Services Key Management Service
+    #     (Amazon Web Services KMS), you must also have the
+    #     `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
+    #     identity-based policies and KMS key policies for the KMS key to
+    #     retrieve the checksum of the object.
     #
     # Encryption
     # : <note markdown="1"> Encryption request headers, like `x-amz-server-side-encryption`,
@@ -9244,12 +9779,13 @@ module Aws::S3
     #   * `x-amz-server-side-encryption-customer-key-MD5`
     #
     #   For more information about SSE-C, see [Server-Side Encryption (Using
-    #   Customer-Provided Encryption Keys)][5] in the *Amazon S3 User
+    #   Customer-Provided Encryption Keys)][4] in the *Amazon S3 User
     #   Guide*.
     #
-    #   <note markdown="1"> **Directory bucket permissions** - For directory buckets, only
-    #   server-side encryption with Amazon S3 managed keys (SSE-S3)
-    #   (`AES256`) is supported.
+    #   <note markdown="1"> <b>Directory bucket </b> - For directory buckets, there are only two
+    #   supported options for server-side encryption: SSE-S3 and SSE-KMS.
+    #   SSE-C isn't supported. For more information, see [Protecting data
+    #   with server-side encryption][5] in the *Amazon S3 User Guide*.
     #
     #    </note>
     #
@@ -9278,21 +9814,31 @@ module Aws::S3
     # : <b>Directory buckets </b> - The HTTP Host header syntax is `
     #   Bucket_name.s3express-az_id.region.amazonaws.com`.
     #
+    #   <note markdown="1"> For directory buckets, you must make requests for this API operation
+    #   to the Zonal endpoint. These endpoints support virtual-hosted-style
+    #   requests in the format
+    #   `https://bucket_name.s3express-az_id.region.amazonaws.com/key-name
+    #   `. Path-style requests are not supported. For more information, see
+    #   [Regional and Zonal endpoints][6] in the *Amazon S3 User Guide*.
+    #
+    #    </note>
+    #
     # The following actions are related to `HeadObject`:
     #
-    # * [GetObject][6]
+    # * [GetObject][7]
     #
-    # * [GetObjectAttributes][7]
+    # * [GetObjectAttributes][8]
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTCommonRequestHeaders.html
-    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
-    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html
-    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
-    # [5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
-    # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
-    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAttributes.html
+    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html
+    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
+    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
+    # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
+    # [6]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
+    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
+    # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAttributes.html
     #
     # @option params [required, String] :bucket
     #   The name of the bucket that contains the object.
@@ -9423,6 +9969,24 @@ module Aws::S3
     #   the Range is not satisfiable, S3 returns a `416 - Requested Range Not
     #   Satisfiable` error.
     #
+    # @option params [String] :response_cache_control
+    #   Sets the `Cache-Control` header of the response.
+    #
+    # @option params [String] :response_content_disposition
+    #   Sets the `Content-Disposition` header of the response.
+    #
+    # @option params [String] :response_content_encoding
+    #   Sets the `Content-Encoding` header of the response.
+    #
+    # @option params [String] :response_content_language
+    #   Sets the `Content-Language` header of the response.
+    #
+    # @option params [String] :response_content_type
+    #   Sets the `Content-Type` header of the response.
+    #
+    # @option params [Time,DateTime,Date,Integer,String] :response_expires
+    #   Sets the `Expires` header of the response.
+    #
     # @option params [String] :version_id
     #   Version ID used to reference a specific version of the object.
     #
@@ -9490,10 +10054,20 @@ module Aws::S3
     # @option params [String] :checksum_mode
     #   To retrieve the checksum, this parameter must be enabled.
     #
-    #   In addition, if you enable `ChecksumMode` and the object is encrypted
-    #   with Amazon Web Services Key Management Service (Amazon Web Services
-    #   KMS), you must have permission to use the `kms:Decrypt` action for the
-    #   request to succeed.
+    #   **General purpose buckets** - If you enable checksum mode and the
+    #   object is uploaded with a [checksum][1] and encrypted with an Key
+    #   Management Service (KMS) key, you must have permission to use the
+    #   `kms:Decrypt` action to retrieve the checksum.
+    #
+    #   **Directory buckets** - If you enable `ChecksumMode` and the object is
+    #   encrypted with Amazon Web Services Key Management Service (Amazon Web
+    #   Services KMS), you must also have the `kms:GenerateDataKey` and
+    #   `kms:Decrypt` permissions in IAM identity-based policies and KMS key
+    #   policies for the KMS key to retrieve the checksum of the object.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
     #
     # @return [Types::HeadObjectOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -9565,6 +10139,12 @@ module Aws::S3
     #     if_unmodified_since: Time.now,
     #     key: "ObjectKey", # required
     #     range: "Range",
+    #     response_cache_control: "ResponseCacheControl",
+    #     response_content_disposition: "ResponseContentDisposition",
+    #     response_content_encoding: "ResponseContentEncoding",
+    #     response_content_language: "ResponseContentLanguage",
+    #     response_content_type: "ResponseContentType",
+    #     response_expires: Time.now,
     #     version_id: "ObjectVersionId",
     #     sse_customer_algorithm: "SSECustomerAlgorithm",
     #     sse_customer_key: "SSECustomerKey",
@@ -10041,10 +10621,52 @@ module Aws::S3
     #
     # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-buckets-s3.html
     #
+    # @option params [Integer] :max_buckets
+    #   Maximum number of buckets to be returned in response. When the number
+    #   is more than the count of buckets that are owned by an Amazon Web
+    #   Services account, return all the buckets in response.
+    #
+    # @option params [String] :continuation_token
+    #   `ContinuationToken` indicates to Amazon S3 that the list is being
+    #   continued on this bucket with a token. `ContinuationToken` is
+    #   obfuscated and is not a real key. You can use this `ContinuationToken`
+    #   for pagination of the list results.
+    #
+    #   Length Constraints: Minimum length of 0. Maximum length of 1024.
+    #
+    #   Required: No.
+    #
+    # @option params [String] :prefix
+    #   Limits the response to bucket names that begin with the specified
+    #   bucket name prefix.
+    #
+    # @option params [String] :bucket_region
+    #   Limits the response to buckets that are located in the specified
+    #   Amazon Web Services Region. The Amazon Web Services Region must be
+    #   expressed according to the Amazon Web Services Region code, such as
+    #   `us-west-2` for the US West (Oregon) Region. For a list of the valid
+    #   values for all of the Amazon Web Services Regions, see [Regions and
+    #   Endpoints][1].
+    #
+    #   <note markdown="1"> Requests made to a Regional endpoint that is different from the
+    #   `bucket-region` parameter are not supported. For example, if you want
+    #   to limit the response to your buckets in Region `us-west-2`, the
+    #   request must be made to an endpoint in Region `us-west-2`.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region
+    #
     # @return [Types::ListBucketsOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::ListBucketsOutput#buckets #buckets} => Array&lt;Types::Bucket&gt;
     #   * {Types::ListBucketsOutput#owner #owner} => Types::Owner
+    #   * {Types::ListBucketsOutput#continuation_token #continuation_token} => String
+    #   * {Types::ListBucketsOutput#prefix #prefix} => String
+    #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
     #
     #
     # @example Example: To list all buckets
@@ -10076,13 +10698,25 @@ module Aws::S3
     #     }, 
     #   }
     #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.list_buckets({
+    #     max_buckets: 1,
+    #     continuation_token: "Token",
+    #     prefix: "Prefix",
+    #     bucket_region: "BucketRegion",
+    #   })
+    #
     # @example Response structure
     #
     #   resp.buckets #=> Array
     #   resp.buckets[0].name #=> String
     #   resp.buckets[0].creation_date #=> Time
+    #   resp.buckets[0].bucket_region #=> String
     #   resp.owner.display_name #=> String
     #   resp.owner.id #=> String
+    #   resp.continuation_token #=> String
+    #   resp.prefix #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/ListBuckets AWS API Documentation
     #
@@ -10131,9 +10765,9 @@ module Aws::S3
     #
     # @option params [String] :continuation_token
     #   `ContinuationToken` indicates to Amazon S3 that the list is being
-    #   continued on this bucket with a token. `ContinuationToken` is
-    #   obfuscated and is not a real key. You can use this `ContinuationToken`
-    #   for pagination of the list results.
+    #   continued on buckets in this account with a token. `ContinuationToken`
+    #   is obfuscated and is not a real bucket name. You can use this
+    #   `ContinuationToken` for the pagination of the list results.
     #
     # @option params [Integer] :max_directory_buckets
     #   Maximum number of buckets to be returned in response. When the number
@@ -10159,6 +10793,7 @@ module Aws::S3
     #   resp.buckets #=> Array
     #   resp.buckets[0].name #=> String
     #   resp.buckets[0].creation_date #=> Time
+    #   resp.buckets[0].bucket_region #=> String
     #   resp.continuation_token #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/ListDirectoryBuckets AWS API Documentation
@@ -10177,7 +10812,11 @@ module Aws::S3
     #
     # <note markdown="1"> **Directory buckets** - If multipart uploads in a directory bucket are
     # in progress, you can't delete the bucket until all the in-progress
-    # multipart uploads are aborted or completed.
+    # multipart uploads are aborted or completed. To delete these
+    # in-progress multipart uploads, use the `ListMultipartUploads`
+    # operation to list the in-progress multipart uploads in the bucket and
+    # use the `AbortMultupartUpload` operation to abort all the in-progress
+    # multipart uploads.
     #
     #  </note>
     #
@@ -10343,12 +10982,26 @@ module Aws::S3
     #    </note>
     #
     # @option params [String] :encoding_type
-    #   Requests Amazon S3 to encode the object keys in the response and
-    #   specifies the encoding method to use. An object key can contain any
-    #   Unicode character; however, the XML 1.0 parser cannot parse some
-    #   characters, such as characters with an ASCII value from 0 to 10. For
-    #   characters that are not supported in XML 1.0, you can add this
-    #   parameter to request that Amazon S3 encode the keys in the response.
+    #   Encoding type used by Amazon S3 to encode the [object keys][1] in the
+    #   response. Responses are encoded only in UTF-8. An object key can
+    #   contain any Unicode character. However, the XML 1.0 parser can't
+    #   parse certain characters, such as characters with an ASCII value from
+    #   0 to 10. For characters that aren't supported in XML 1.0, you can add
+    #   this parameter to request that Amazon S3 encode the keys in the
+    #   response. For more information about characters to avoid in object key
+    #   names, see [Object key naming guidelines][2].
+    #
+    #   <note markdown="1"> When using the URL encoding type, non-ASCII characters that are used
+    #   in an object's key name will be percent-encoded according to UTF-8
+    #   code values. For example, the object `test_file(3).png` will appear as
+    #   `test_file%283%29.png`.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines
     #
     # @option params [String] :key_marker
     #   Specifies the multipart upload after which listing should begin.
@@ -10640,12 +11293,26 @@ module Aws::S3
     #   the response.
     #
     # @option params [String] :encoding_type
-    #   Requests Amazon S3 to encode the object keys in the response and
-    #   specifies the encoding method to use. An object key can contain any
-    #   Unicode character; however, the XML 1.0 parser cannot parse some
-    #   characters, such as characters with an ASCII value from 0 to 10. For
-    #   characters that are not supported in XML 1.0, you can add this
-    #   parameter to request that Amazon S3 encode the keys in the response.
+    #   Encoding type used by Amazon S3 to encode the [object keys][1] in the
+    #   response. Responses are encoded only in UTF-8. An object key can
+    #   contain any Unicode character. However, the XML 1.0 parser can't
+    #   parse certain characters, such as characters with an ASCII value from
+    #   0 to 10. For characters that aren't supported in XML 1.0, you can add
+    #   this parameter to request that Amazon S3 encode the keys in the
+    #   response. For more information about characters to avoid in object key
+    #   names, see [Object key naming guidelines][2].
+    #
+    #   <note markdown="1"> When using the URL encoding type, non-ASCII characters that are used
+    #   in an object's key name will be percent-encoded according to UTF-8
+    #   code values. For example, the object `test_file(3).png` will appear as
+    #   `test_file%283%29.png`.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines
     #
     # @option params [String] :key_marker
     #   Specifies the key to start with when listing objects in a bucket.
@@ -10899,12 +11566,26 @@ module Aws::S3
     #   A delimiter is a character that you use to group keys.
     #
     # @option params [String] :encoding_type
-    #   Requests Amazon S3 to encode the object keys in the response and
-    #   specifies the encoding method to use. An object key can contain any
-    #   Unicode character; however, the XML 1.0 parser cannot parse some
-    #   characters, such as characters with an ASCII value from 0 to 10. For
-    #   characters that are not supported in XML 1.0, you can add this
-    #   parameter to request that Amazon S3 encode the keys in the response.
+    #   Encoding type used by Amazon S3 to encode the [object keys][1] in the
+    #   response. Responses are encoded only in UTF-8. An object key can
+    #   contain any Unicode character. However, the XML 1.0 parser can't
+    #   parse certain characters, such as characters with an ASCII value from
+    #   0 to 10. For characters that aren't supported in XML 1.0, you can add
+    #   this parameter to request that Amazon S3 encode the keys in the
+    #   response. For more information about characters to avoid in object key
+    #   names, see [Object key naming guidelines][2].
+    #
+    #   <note markdown="1"> When using the URL encoding type, non-ASCII characters that are used
+    #   in an object's key name will be percent-encoded according to UTF-8
+    #   code values. For example, the object `test_file(3).png` will appear as
+    #   `test_file%283%29.png`.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines
     #
     # @option params [String] :marker
     #   Marker is where you want Amazon S3 to start listing from. Amazon S3
@@ -11046,12 +11727,20 @@ module Aws::S3
     # programmatically][1] in the *Amazon S3 User Guide*. To get a list of
     # your buckets, see [ListBuckets][2].
     #
-    # <note markdown="1"> **Directory buckets** - For directory buckets, you must make requests
-    # for this API operation to the Zonal endpoint. These endpoints support
-    # virtual-hosted-style requests in the format
-    # `https://bucket_name.s3express-az_id.region.amazonaws.com/key-name `.
-    # Path-style requests are not supported. For more information, see
-    # [Regional and Zonal endpoints][3] in the *Amazon S3 User Guide*.
+    # <note markdown="1"> * **General purpose bucket** - For general purpose buckets,
+    #   `ListObjectsV2` doesn't return prefixes that are related only to
+    #   in-progress multipart uploads.
+    #
+    # * **Directory buckets** - For directory buckets, `ListObjectsV2`
+    #   response includes the prefixes that are related only to in-progress
+    #   multipart uploads.
+    #
+    # * **Directory buckets** - For directory buckets, you must make
+    #   requests for this API operation to the Zonal endpoint. These
+    #   endpoints support virtual-hosted-style requests in the format
+    #   `https://bucket_name.s3express-az_id.region.amazonaws.com/key-name
+    #   `. Path-style requests are not supported. For more information, see
+    #   [Regional and Zonal endpoints][3] in the *Amazon S3 User Guide*.
     #
     #  </note>
     #
@@ -11180,10 +11869,26 @@ module Aws::S3
     #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html
     #
     # @option params [String] :encoding_type
-    #   Encoding type used by Amazon S3 to encode object keys in the response.
-    #   If using `url`, non-ASCII characters used in an object's key name
-    #   will be URL encoded. For example, the object test\_file(3).png will
-    #   appear as test\_file%283%29.png.
+    #   Encoding type used by Amazon S3 to encode the [object keys][1] in the
+    #   response. Responses are encoded only in UTF-8. An object key can
+    #   contain any Unicode character. However, the XML 1.0 parser can't
+    #   parse certain characters, such as characters with an ASCII value from
+    #   0 to 10. For characters that aren't supported in XML 1.0, you can add
+    #   this parameter to request that Amazon S3 encode the keys in the
+    #   response. For more information about characters to avoid in object key
+    #   names, see [Object key naming guidelines][2].
+    #
+    #   <note markdown="1"> When using the URL encoding type, non-ASCII characters that are used
+    #   in an object's key name will be percent-encoded according to UTF-8
+    #   code values. For example, the object `test_file(3).png` will appear as
+    #   `test_file%283%29.png`.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines
     #
     # @option params [Integer] :max_keys
     #   Sets the maximum number of keys returned in the response. By default,
@@ -12383,66 +13088,156 @@ module Aws::S3
       req.send_request(options)
     end
 
-    # <note markdown="1"> This operation is not supported by directory buckets.
+    # This operation configures default encryption and Amazon S3 Bucket Keys
+    # for an existing bucket.
     #
-    #  </note>
+    # <note markdown="1"> <b>Directory buckets </b> - For directory buckets, you must make
+    # requests for this API operation to the Regional endpoint. These
+    # endpoints support path-style requests in the format
+    # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
+    # Virtual-hosted-style requests aren't supported. For more information,
+    # see [Regional and Zonal endpoints][1] in the *Amazon S3 User Guide*.
     #
-    # This action uses the `encryption` subresource to configure default
-    # encryption and Amazon S3 Bucket Keys for an existing bucket.
+    #  </note>
     #
     # By default, all buckets have a default encryption configuration that
-    # uses server-side encryption with Amazon S3 managed keys (SSE-S3). You
-    # can optionally configure default encryption for a bucket by using
-    # server-side encryption with Key Management Service (KMS) keys
-    # (SSE-KMS) or dual-layer server-side encryption with Amazon Web
-    # Services KMS keys (DSSE-KMS). If you specify default encryption by
-    # using SSE-KMS, you can also configure [Amazon S3 Bucket Keys][1]. If
-    # you use PutBucketEncryption to set your [default bucket encryption][2]
-    # to SSE-KMS, you should verify that your KMS key ID is correct. Amazon
-    # S3 does not validate the KMS key ID provided in PutBucketEncryption
-    # requests.
-    #
-    # This action requires Amazon Web Services Signature Version 4. For more
-    # information, see [ Authenticating Requests (Amazon Web Services
-    # Signature Version 4)][3].
+    # uses server-side encryption with Amazon S3 managed keys (SSE-S3).
+    #
+    # <note markdown="1"> * **General purpose buckets**
+    #
+    #   * You can optionally configure default encryption for a bucket by
+    #     using server-side encryption with Key Management Service (KMS)
+    #     keys (SSE-KMS) or dual-layer server-side encryption with Amazon
+    #     Web Services KMS keys (DSSE-KMS). If you specify default
+    #     encryption by using SSE-KMS, you can also configure [Amazon S3
+    #     Bucket Keys][2]. For information about the bucket default
+    #     encryption feature, see [Amazon S3 Bucket Default Encryption][3]
+    #     in the *Amazon S3 User Guide*.
+    #
+    #   * If you use PutBucketEncryption to set your [default bucket
+    #     encryption][3] to SSE-KMS, you should verify that your KMS key ID
+    #     is correct. Amazon S3 doesn't validate the KMS key ID provided in
+    #     PutBucketEncryption requests.
+    #
+    # * <b>Directory buckets </b> - You can optionally configure default
+    #   encryption for a bucket by using server-side encryption with Key
+    #   Management Service (KMS) keys (SSE-KMS).
+    #
+    #   * We recommend that the bucket's default encryption uses the
+    #     desired encryption configuration and you don't override the
+    #     bucket default encryption in your `CreateSession` requests or
+    #     `PUT` object requests. Then, new objects are automatically
+    #     encrypted with the desired encryption settings. For more
+    #     information about the encryption overriding behaviors in directory
+    #     buckets, see [Specifying server-side encryption with KMS for new
+    #     object uploads][4].
+    #
+    #   * Your SSE-KMS configuration can only support 1 [customer managed
+    #     key][5] per directory bucket for the lifetime of the bucket. The
+    #     [Amazon Web Services managed key][6] (`aws/s3`) isn't supported.
+    #
+    #   * S3 Bucket Keys are always enabled for `GET` and `PUT` operations
+    #     in a directory bucket and can’t be disabled. S3 Bucket Keys
+    #     aren't supported, when you copy SSE-KMS encrypted objects from
+    #     general purpose buckets to directory buckets, from directory
+    #     buckets to general purpose buckets, or between directory buckets,
+    #     through [CopyObject][7], [UploadPartCopy][8], [the Copy operation
+    #     in Batch Operations][9], or [the import jobs][10]. In this case,
+    #     Amazon S3 makes a call to KMS every time a copy request is made
+    #     for a KMS-encrypted object.
+    #
+    #   * When you specify an [KMS customer managed key][5] for encryption
+    #     in your directory bucket, only use the key ID or key ARN. The key
+    #     alias format of the KMS key isn't supported.
+    #
+    #   * For directory buckets, if you use PutBucketEncryption to set your
+    #     [default bucket encryption][3] to SSE-KMS, Amazon S3 validates the
+    #     KMS key ID provided in PutBucketEncryption requests.
+    #
+    #  </note>
+    #
+    # If you're specifying a customer managed KMS key, we recommend using a
+    # fully qualified KMS key ARN. If you use a KMS key alias instead, then
+    # KMS resolves the key within the requester’s account. This behavior can
+    # result in data that's encrypted with a KMS key that belongs to the
+    # requester, and not the bucket owner.
+    #
+    #  Also, this action requires Amazon Web Services Signature Version 4.
+    # For more information, see [ Authenticating Requests (Amazon Web
+    # Services Signature Version 4)][11].
+    #
+    # Permissions
+    # : * **General purpose bucket permissions** - The
+    #     `s3:PutEncryptionConfiguration` permission is required in a
+    #     policy. The bucket owner has this permission by default. The
+    #     bucket owner can grant this permission to others. For more
+    #     information about permissions, see [Permissions Related to Bucket
+    #     Operations][12] and [Managing Access Permissions to Your Amazon S3
+    #     Resources][13] in the *Amazon S3 User Guide*.
+    #
+    #   * **Directory bucket permissions** - To grant access to this API
+    #     operation, you must have the
+    #     `s3express:PutEncryptionConfiguration` permission in an IAM
+    #     identity-based policy instead of a bucket policy. Cross-account
+    #     access to this API operation isn't supported. This operation can
+    #     only be performed by the Amazon Web Services account that owns the
+    #     resource. For more information about directory bucket policies and
+    #     permissions, see [Amazon Web Services Identity and Access
+    #     Management (IAM) for S3 Express One Zone][14] in the *Amazon S3
+    #     User Guide*.
+    #
+    #     To set a directory bucket default encryption with SSE-KMS, you
+    #     must also have the `kms:GenerateDataKey` and the `kms:Decrypt`
+    #     permissions in IAM identity-based policies and KMS key policies
+    #     for the target KMS key.
+    #
+    # HTTP Host header syntax
     #
-    # To use this operation, you must have permission to perform the
-    # `s3:PutEncryptionConfiguration` action. The bucket owner has this
-    # permission by default. The bucket owner can grant this permission to
-    # others. For more information about permissions, see [Permissions
-    # Related to Bucket Subresource Operations][4] and [Managing Access
-    # Permissions to Your Amazon S3 Resources][5] in the *Amazon S3 User
-    # Guide*.
+    # : <b>Directory buckets </b> - The HTTP Host header syntax is
+    #   `s3express-control.region.amazonaws.com`.
     #
     # The following operations are related to `PutBucketEncryption`:
     #
-    # * [GetBucketEncryption][6]
+    # * [GetBucketEncryption][15]
     #
-    # * [DeleteBucketEncryption][7]
+    # * [DeleteBucketEncryption][16]
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
-    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
-    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
-    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
-    # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
-    # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
-    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
+    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
+    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
+    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
+    # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
+    # [9]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
+    # [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
+    # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
+    # [12]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
+    # [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
+    # [14]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
+    # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
+    # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
     #
     # @option params [required, String] :bucket
     #   Specifies default encryption for a bucket using server-side encryption
-    #   with different key options. By default, all buckets have a default
-    #   encryption configuration that uses server-side encryption with Amazon
-    #   S3 managed keys (SSE-S3). You can optionally configure default
-    #   encryption for a bucket by using server-side encryption with an Amazon
-    #   Web Services KMS key (SSE-KMS) or a customer-provided key (SSE-C). For
-    #   information about the bucket default encryption feature, see [Amazon
-    #   S3 Bucket Default Encryption][1] in the *Amazon S3 User Guide*.
+    #   with different key options.
+    #
+    #   <b>Directory buckets </b> - When you use this operation with a
+    #   directory bucket, you must use path-style requests in the format
+    #   `https://s3express-control.region_code.amazonaws.com/bucket-name `.
+    #   Virtual-hosted-style requests aren't supported. Directory bucket
+    #   names must be unique in the chosen Availability Zone. Bucket names
+    #   must also follow the format ` bucket_base_name--az_id--x-s3` (for
+    #   example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
+    #   bucket naming restrictions, see [Directory bucket naming rules][1] in
+    #   the *Amazon S3 User Guide*
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
     #
     # @option params [String] :content_md5
     #   The base64-encoded 128-bit MD5 digest of the server-side encryption
@@ -12452,6 +13247,10 @@ module Aws::S3
     #   (CLI) or Amazon Web Services SDKs, this field is calculated
     #   automatically.
     #
+    #   <note markdown="1"> This functionality is not supported for directory buckets.
+    #
+    #    </note>
+    #
     # @option params [String] :checksum_algorithm
     #   Indicates the algorithm used to create the checksum for the object
     #   when you use the SDK. This header will not provide any additional
@@ -12464,6 +13263,11 @@ module Aws::S3
     #   If you provide an individual checksum, Amazon S3 ignores any provided
     #   `ChecksumAlgorithm` parameter.
     #
+    #   <note markdown="1"> For directory buckets, when you use Amazon Web Services SDKs, `CRC32`
+    #   is the default checksum algorithm that's used for performance.
+    #
+    #    </note>
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
@@ -12476,6 +13280,12 @@ module Aws::S3
     #   you provide does not match the actual owner of the bucket, the request
     #   fails with the HTTP status code `403 Forbidden` (access denied).
     #
+    #   <note markdown="1"> For directory buckets, this header is not supported in this API
+    #   operation. If you specify this header, the request fails with the HTTP
+    #   status code `501 Not Implemented`.
+    #
+    #    </note>
+    #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
     # @example Request syntax with placeholder values
@@ -12946,23 +13756,22 @@ module Aws::S3
     # lifecycle configuration. For information about lifecycle
     # configuration, see [Managing your storage lifecycle][1].
     #
-    # <note markdown="1"> Bucket lifecycle configuration now supports specifying a lifecycle
-    # rule using an object key name prefix, one or more object tags, object
-    # size, or any combination of these. Accordingly, this section describes
-    # the latest API. The previous version of the API supported filtering
-    # based only on an object key name prefix, which is supported for
-    # backward compatibility. For the related API description, see
-    # [PutBucketLifecycle][2].
-    #
-    #  </note>
-    #
     # Rules
     #
     # : You specify the lifecycle configuration in your request body. The
     #   lifecycle configuration is specified as XML consisting of one or
     #   more rules. An Amazon S3 Lifecycle configuration can have up to
-    #   1,000 rules. This limit is not adjustable. Each rule consists of the
-    #   following:
+    #   1,000 rules. This limit is not adjustable.
+    #
+    #   Bucket lifecycle configuration supports specifying a lifecycle rule
+    #   using an object key name prefix, one or more object tags, object
+    #   size, or any combination of these. Accordingly, this section
+    #   describes the latest API. The previous version of the API supported
+    #   filtering based only on an object key name prefix, which is
+    #   supported for backward compatibility. For the related API
+    #   description, see [PutBucketLifecycle][2].
+    #
+    #   A lifecycle rule consists of the following:
     #
     #   * A filter identifying a subset of objects to which the rule
     #     applies. The filter can be based on a key name prefix, object
@@ -13053,7 +13862,26 @@ module Aws::S3
     #   you provide does not match the actual owner of the bucket, the request
     #   fails with the HTTP status code `403 Forbidden` (access denied).
     #
-    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    # @option params [String] :transition_default_minimum_object_size
+    #   Indicates which default minimum object size behavior is applied to the
+    #   lifecycle configuration.
+    #
+    #   * `all_storage_classes_128K` - Objects smaller than 128 KB will not
+    #     transition to any storage class by default.
+    #
+    #   * `varies_by_storage_class` - Objects smaller than 128 KB will
+    #     transition to Glacier Flexible Retrieval or Glacier Deep Archive
+    #     storage classes. By default, all other storage classes will prevent
+    #     transitions smaller than 128 KB.
+    #
+    #   To customize the minimum object size for any transition you can add a
+    #   filter that specifies a custom `ObjectSizeGreaterThan` or
+    #   `ObjectSizeLessThan` in the body of your transition rule. Custom
+    #   filters always take precedence over the default transition behavior.
+    #
+    # @return [Types::PutBucketLifecycleConfigurationOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::PutBucketLifecycleConfigurationOutput#transition_default_minimum_object_size #transition_default_minimum_object_size} => String
     #
     #
     # @example Example: Put bucket lifecycle
@@ -13145,8 +13973,13 @@ module Aws::S3
     #       ],
     #     },
     #     expected_bucket_owner: "AccountId",
+    #     transition_default_minimum_object_size: "varies_by_storage_class", # accepts varies_by_storage_class, all_storage_classes_128K
     #   })
     #
+    # @example Response structure
+    #
+    #   resp.transition_default_minimum_object_size #=> String, one of "varies_by_storage_class", "all_storage_classes_128K"
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/PutBucketLifecycleConfiguration AWS API Documentation
     #
     # @overload put_bucket_lifecycle_configuration(params = {})
@@ -13899,13 +14732,13 @@ module Aws::S3
     #   For the `x-amz-checksum-algorithm ` header, replace ` algorithm ` with
     #   the supported algorithm from the following list:
     #
-    #   * CRC32
+    #   * `CRC32`
     #
-    #   * CRC32C
+    #   * `CRC32C`
     #
-    #   * SHA1
+    #   * `SHA1`
     #
-    #   * SHA256
+    #   * `SHA256`
     #
     #   For more information, see [Checking object integrity][1] in the
     #   *Amazon S3 User Guide*.
@@ -14472,6 +15305,14 @@ module Aws::S3
     #
     #  </note>
     #
+    # <note markdown="1"> When you enable versioning on a bucket for the first time, it might
+    # take a short amount of time for the change to be fully propagated. We
+    # recommend that you wait for 15 minutes after enabling versioning
+    # before issuing write operations (`PUT` or `DELETE`) on objects in the
+    # bucket.
+    #
+    #  </note>
+    #
     # Sets the versioning state of an existing bucket.
     #
     # You can set the versioning state with one of the following values:
@@ -14865,6 +15706,10 @@ module Aws::S3
     #     interruptions when a session expires. For more information about
     #     authorization, see [ `CreateSession` ][5].
     #
+    #     If the object is encrypted with SSE-KMS, you must also have the
+    #     `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
+    #     identity-based policies and KMS key policies for the KMS key.
+    #
     # Data integrity with Content-MD5
     # : * **General purpose bucket** - To ensure that data is not corrupted
     #     traversing the network, use the `Content-MD5` header. When you use
@@ -15032,10 +15877,11 @@ module Aws::S3
     #   information about REST request authentication, see [REST
     #   Authentication][1].
     #
-    #   <note markdown="1"> The `Content-MD5` header is required for any request to upload an
-    #   object with a retention period configured using Amazon S3 Object Lock.
-    #   For more information about Amazon S3 Object Lock, see [Amazon S3
-    #   Object Lock Overview][2] in the *Amazon S3 User Guide*.
+    #   <note markdown="1"> The `Content-MD5` or `x-amz-sdk-checksum-algorithm` header is required
+    #   for any request to upload an object with a retention period configured
+    #   using Amazon S3 Object Lock. For more information, see [Uploading
+    #   objects to an Object Lock enabled bucket ][2] in the *Amazon S3 User
+    #   Guide*.
     #
     #    </note>
     #
@@ -15046,7 +15892,7 @@ module Aws::S3
     #
     #
     #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html
-    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-managing.html#object-lock-put-object
     #
     # @option params [String] :content_type
     #   A standard MIME type describing the format of the contents. For more
@@ -15068,13 +15914,13 @@ module Aws::S3
     #   For the `x-amz-checksum-algorithm ` header, replace ` algorithm ` with
     #   the supported algorithm from the following list:
     #
-    #   * CRC32
+    #   * `CRC32`
     #
-    #   * CRC32C
+    #   * `CRC32C`
     #
-    #   * SHA1
+    #   * `SHA1`
     #
-    #   * SHA256
+    #   * `SHA256`
     #
     #   For more information, see [Checking object integrity][1] in the
     #   *Amazon S3 User Guide*.
@@ -15085,21 +15931,28 @@ module Aws::S3
     #   provided `ChecksumAlgorithm` parameter and uses the checksum algorithm
     #   that matches the provided value in `x-amz-checksum-algorithm `.
     #
-    #   <note markdown="1"> For directory buckets, when you use Amazon Web Services SDKs, `CRC32`
-    #   is the default checksum algorithm that's used for performance.
+    #   <note markdown="1"> The `Content-MD5` or `x-amz-sdk-checksum-algorithm` header is required
+    #   for any request to upload an object with a retention period configured
+    #   using Amazon S3 Object Lock. For more information, see [Uploading
+    #   objects to an Object Lock enabled bucket ][2] in the *Amazon S3 User
+    #   Guide*.
     #
     #    </note>
     #
+    #   For directory buckets, when you use Amazon Web Services SDKs, `CRC32`
+    #   is the default checksum algorithm that's used for performance.
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-managing.html#object-lock-put-object
     #
     # @option params [String] :checksum_crc32
     #   This header can be used as a data integrity check to verify that the
     #   data received is the same data that was originally sent. This header
-    #   specifies the base64-encoded, 32-bit CRC32 checksum of the object. For
-    #   more information, see [Checking object integrity][1] in the *Amazon S3
-    #   User Guide*.
+    #   specifies the base64-encoded, 32-bit CRC-32 checksum of the object.
+    #   For more information, see [Checking object integrity][1] in the
+    #   *Amazon S3 User Guide*.
     #
     #
     #
@@ -15108,7 +15961,7 @@ module Aws::S3
     # @option params [String] :checksum_crc32c
     #   This header can be used as a data integrity check to verify that the
     #   data received is the same data that was originally sent. This header
-    #   specifies the base64-encoded, 32-bit CRC32C checksum of the object.
+    #   specifies the base64-encoded, 32-bit CRC-32C checksum of the object.
     #   For more information, see [Checking object integrity][1] in the
     #   *Amazon S3 User Guide*.
     #
@@ -15147,6 +16000,25 @@ module Aws::S3
     #
     #   [1]: https://www.rfc-editor.org/rfc/rfc7234#section-5.3
     #
+    # @option params [String] :if_none_match
+    #   Uploads the object only if the object key name does not already exist
+    #   in the bucket specified. Otherwise, Amazon S3 returns a `412
+    #   Precondition Failed` error.
+    #
+    #   If a conflicting operation occurs during the upload S3 returns a `409
+    #   ConditionalRequestConflict` response. On a 409 failure you should
+    #   retry the upload.
+    #
+    #   Expects the '*' (asterisk) character.
+    #
+    #   For more information about conditional requests, see [RFC 7232][1], or
+    #   [Conditional requests][2] in the *Amazon S3 User Guide*.
+    #
+    #
+    #
+    #   [1]: https://tools.ietf.org/html/rfc7232
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/conditional-requests.html
+    #
     # @option params [String] :grant_full_control
     #   Gives the grantee READ, READ\_ACP, and WRITE\_ACP permissions on the
     #   object.
@@ -15195,25 +16067,65 @@ module Aws::S3
     #   object in Amazon S3 (for example, `AES256`, `aws:kms`,
     #   `aws:kms:dsse`).
     #
-    #   <b>General purpose buckets </b> - You have four mutually exclusive
-    #   options to protect data using server-side encryption in Amazon S3,
-    #   depending on how you choose to manage the encryption keys.
-    #   Specifically, the encryption key options are Amazon S3 managed keys
-    #   (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
-    #   customer-provided keys (SSE-C). Amazon S3 encrypts data with
-    #   server-side encryption by using Amazon S3 managed keys (SSE-S3) by
-    #   default. You can optionally tell Amazon S3 to encrypt data at rest by
-    #   using server-side encryption with other key options. For more
-    #   information, see [Using Server-Side Encryption][1] in the *Amazon S3
-    #   User Guide*.
+    #   * <b>General purpose buckets </b> - You have four mutually exclusive
+    #     options to protect data using server-side encryption in Amazon S3,
+    #     depending on how you choose to manage the encryption keys.
+    #     Specifically, the encryption key options are Amazon S3 managed keys
+    #     (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
+    #     customer-provided keys (SSE-C). Amazon S3 encrypts data with
+    #     server-side encryption by using Amazon S3 managed keys (SSE-S3) by
+    #     default. You can optionally tell Amazon S3 to encrypt data at rest
+    #     by using server-side encryption with other key options. For more
+    #     information, see [Using Server-Side Encryption][1] in the *Amazon S3
+    #     User Guide*.
+    #
+    #   * <b>Directory buckets </b> - For directory buckets, there are only
+    #     two supported options for server-side encryption: server-side
+    #     encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
+    #     server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
+    #     recommend that the bucket's default encryption uses the desired
+    #     encryption configuration and you don't override the bucket default
+    #     encryption in your `CreateSession` requests or `PUT` object
+    #     requests. Then, new objects are automatically encrypted with the
+    #     desired encryption settings. For more information, see [Protecting
+    #     data with server-side encryption][2] in the *Amazon S3 User Guide*.
+    #     For more information about the encryption overriding behaviors in
+    #     directory buckets, see [Specifying server-side encryption with KMS
+    #     for new object uploads][3].
+    #
+    #     In the Zonal endpoint API calls (except [CopyObject][4] and
+    #     [UploadPartCopy][5]) using the REST API, the encryption request
+    #     headers must match the encryption settings that are specified in the
+    #     `CreateSession` request. You can't override the values of the
+    #     encryption settings (`x-amz-server-side-encryption`,
+    #     `x-amz-server-side-encryption-aws-kms-key-id`,
+    #     `x-amz-server-side-encryption-context`, and
+    #     `x-amz-server-side-encryption-bucket-key-enabled`) that are
+    #     specified in the `CreateSession` request. You don't need to
+    #     explicitly specify these encryption settings values in Zonal
+    #     endpoint API calls, and Amazon S3 will use the encryption settings
+    #     values from the `CreateSession` request to protect new objects in
+    #     the directory bucket.
+    #
+    #     <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
+    #     `CreateSession`, the session token refreshes automatically to avoid
+    #     service interruptions when a session expires. The CLI or the Amazon
+    #     Web Services SDKs use the bucket's default encryption configuration
+    #     for the `CreateSession` request. It's not supported to override the
+    #     encryption settings values in the `CreateSession` request. So in the
+    #     Zonal endpoint API calls (except [CopyObject][4] and
+    #     [UploadPartCopy][5]), the encryption request headers must match the
+    #     default encryption configuration of the directory bucket.
     #
-    #   <b>Directory buckets </b> - For directory buckets, only the
-    #   server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`)
-    #   value is supported.
+    #      </note>
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
+    #   [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
+    #   [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
+    #   [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
     #
     # @option params [String] :storage_class
     #   By default, Amazon S3 uses the STANDARD Storage Class to store newly
@@ -15293,46 +16205,88 @@ module Aws::S3
     #    </note>
     #
     # @option params [String] :ssekms_key_id
-    #   If `x-amz-server-side-encryption` has a valid value of `aws:kms` or
-    #   `aws:kms:dsse`, this header specifies the ID (Key ID, Key ARN, or Key
-    #   Alias) of the Key Management Service (KMS) symmetric encryption
-    #   customer managed key that was used for the object. If you specify
-    #   `x-amz-server-side-encryption:aws:kms` or
-    #   `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide`
-    #   x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
-    #   Amazon Web Services managed key (`aws/s3`) to protect the data. If the
-    #   KMS key does not exist in the same account that's issuing the
-    #   command, you must use the full ARN and not just the ID.
+    #   Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
+    #   object encryption. If the KMS key doesn't exist in the same account
+    #   that's issuing the command, you must use the full Key ARN not the Key
+    #   ID.
+    #
+    #   **General purpose buckets** - If you specify
+    #   `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
+    #   header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
+    #   to use. If you specify `x-amz-server-side-encryption:aws:kms` or
+    #   `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
+    #   `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
+    #   Amazon Web Services managed key (`aws/s3`) to protect the data.
+    #
+    #   **Directory buckets** - If you specify `x-amz-server-side-encryption`
+    #   with `aws:kms`, the ` x-amz-server-side-encryption-aws-kms-key-id`
+    #   header is implicitly assigned the ID of the KMS symmetric encryption
+    #   customer managed key that's configured for your directory bucket's
+    #   default encryption setting. If you want to specify the `
+    #   x-amz-server-side-encryption-aws-kms-key-id` header explicitly, you
+    #   can only specify it with the ID (Key ID or Key ARN) of the KMS
+    #   customer managed key that's configured for your directory bucket's
+    #   default encryption setting. Otherwise, you get an HTTP `400 Bad
+    #   Request` error. Only use the key ID or key ARN. The key alias format
+    #   of the KMS key isn't supported. Your SSE-KMS configuration can only
+    #   support 1 [customer managed key][1] per directory bucket for the
+    #   lifetime of the bucket. The [Amazon Web Services managed key][2]
+    #   (`aws/s3`) isn't supported.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
     #
-    #   <note markdown="1"> This functionality is not supported for directory buckets.
+    # @option params [String] :ssekms_encryption_context
+    #   Specifies the Amazon Web Services KMS Encryption Context as an
+    #   additional encryption context to use for object encryption. The value
+    #   of this header is a Base64-encoded string of a UTF-8 encoded JSON,
+    #   which contains the encryption context as key-value pairs. This value
+    #   is stored as object metadata and automatically gets passed on to
+    #   Amazon Web Services KMS for future `GetObject` operations on this
+    #   object.
     #
-    #    </note>
+    #   **General purpose buckets** - This value must be explicitly added
+    #   during `CopyObject` operations if you want an additional encryption
+    #   context for your object. For more information, see [Encryption
+    #   context][1] in the *Amazon S3 User Guide*.
     #
-    # @option params [String] :ssekms_encryption_context
-    #   Specifies the Amazon Web Services KMS Encryption Context to use for
-    #   object encryption. The value of this header is a base64-encoded UTF-8
-    #   string holding JSON with the encryption context key-value pairs. This
-    #   value is stored as object metadata and automatically gets passed on to
-    #   Amazon Web Services KMS for future `GetObject` or `CopyObject`
-    #   operations on this object. This value must be explicitly added during
-    #   `CopyObject` operations.
+    #   **Directory buckets** - You can optionally provide an explicit
+    #   encryption context value. The value must match the default encryption
+    #   context - the bucket Amazon Resource Name (ARN). An additional
+    #   encryption context value is not supported.
     #
-    #   <note markdown="1"> This functionality is not supported for directory buckets.
     #
-    #    </note>
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
     #
     # @option params [Boolean] :bucket_key_enabled
     #   Specifies whether Amazon S3 should use an S3 Bucket Key for object
     #   encryption with server-side encryption using Key Management Service
-    #   (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
-    #   to use an S3 Bucket Key for object encryption with SSE-KMS.
+    #   (KMS) keys (SSE-KMS).
     #
-    #   Specifying this header with a PUT action doesn’t affect bucket-level
-    #   settings for S3 Bucket Key.
+    #   **General purpose buckets** - Setting this header to `true` causes
+    #   Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
+    #   Also, specifying this header with a PUT action doesn't affect
+    #   bucket-level settings for S3 Bucket Key.
+    #
+    #   **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
+    #   and `PUT` operations in a directory bucket and can’t be disabled. S3
+    #   Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
+    #   from general purpose buckets to directory buckets, from directory
+    #   buckets to general purpose buckets, or between directory buckets,
+    #   through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
+    #   Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
+    #   makes a call to KMS every time a copy request is made for a
+    #   KMS-encrypted object.
     #
-    #   <note markdown="1"> This functionality is not supported for directory buckets.
     #
-    #    </note>
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
+    #   [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
+    #   [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
     #
     # @option params [String] :request_payer
     #   Confirms that the requester knows that they will be charged for the
@@ -15410,41 +16364,20 @@ module Aws::S3
     #   * {Types::PutObjectOutput#request_charged #request_charged} => String
     #
     #
-    # @example Example: To upload an object
-    #
-    #   # The following example uploads an object to a versioning-enabled bucket. The source file is specified using Windows file
-    #   # syntax. S3 returns VersionId of the newly created object.
-    #
-    #   resp = client.put_object({
-    #     body: "HappyFace.jpg", 
-    #     bucket: "examplebucket", 
-    #     key: "HappyFace.jpg", 
-    #   })
-    #
-    #   resp.to_h outputs the following:
-    #   {
-    #     etag: "\"6805f2cfc46c0f04559748bb039d69ae\"", 
-    #     version_id: "tpf3zF08nBplQK1XLOefGskR7mGDwcDk", 
-    #   }
-    #
-    # @example Example: To upload an object (specify optional headers)
+    # @example Example: To create an object.
     #
-    #   # The following example uploads an object. The request specifies optional request headers to directs S3 to use specific
-    #   # storage class and use server-side encryption.
+    #   # The following example creates an object. If the bucket is versioning enabled, S3 returns version ID in response.
     #
     #   resp = client.put_object({
-    #     body: "HappyFace.jpg", 
+    #     body: "filetoupload", 
     #     bucket: "examplebucket", 
-    #     key: "HappyFace.jpg", 
-    #     server_side_encryption: "AES256", 
-    #     storage_class: "STANDARD_IA", 
+    #     key: "objectkey", 
     #   })
     #
     #   resp.to_h outputs the following:
     #   {
     #     etag: "\"6805f2cfc46c0f04559748bb039d69ae\"", 
-    #     server_side_encryption: "AES256", 
-    #     version_id: "CG612hodqujkf8FaaNfp8U..FIhLROcp", 
+    #     version_id: "Bvq0EDKxOcXLJXNo_Lkz37eM3R4pfzyQ", 
     #   }
     #
     # @example Example: To upload object and specify user-defined metadata
@@ -15468,58 +16401,59 @@ module Aws::S3
     #     version_id: "pSKidl4pHBiNwukdbcPXAIs.sshFFOc0", 
     #   }
     #
-    # @example Example: To upload an object and specify canned ACL.
+    # @example Example: To upload an object
     #
-    #   # The following example uploads and object. The request specifies optional canned ACL (access control list) to all READ
-    #   # access to authenticated users. If the bucket is versioning enabled, S3 returns version ID in response.
+    #   # The following example uploads an object to a versioning-enabled bucket. The source file is specified using Windows file
+    #   # syntax. S3 returns VersionId of the newly created object.
     #
     #   resp = client.put_object({
-    #     acl: "authenticated-read", 
-    #     body: "filetoupload", 
+    #     body: "HappyFace.jpg", 
     #     bucket: "examplebucket", 
-    #     key: "exampleobject", 
+    #     key: "HappyFace.jpg", 
     #   })
     #
     #   resp.to_h outputs the following:
     #   {
     #     etag: "\"6805f2cfc46c0f04559748bb039d69ae\"", 
-    #     version_id: "Kirh.unyZwjQ69YxcQLA8z4F5j3kJJKr", 
+    #     version_id: "tpf3zF08nBplQK1XLOefGskR7mGDwcDk", 
     #   }
     #
-    # @example Example: To create an object.
+    # @example Example: To upload an object and specify canned ACL.
     #
-    #   # The following example creates an object. If the bucket is versioning enabled, S3 returns version ID in response.
+    #   # The following example uploads and object. The request specifies optional canned ACL (access control list) to all READ
+    #   # access to authenticated users. If the bucket is versioning enabled, S3 returns version ID in response.
     #
     #   resp = client.put_object({
+    #     acl: "authenticated-read", 
     #     body: "filetoupload", 
     #     bucket: "examplebucket", 
-    #     key: "objectkey", 
+    #     key: "exampleobject", 
     #   })
     #
     #   resp.to_h outputs the following:
     #   {
     #     etag: "\"6805f2cfc46c0f04559748bb039d69ae\"", 
-    #     version_id: "Bvq0EDKxOcXLJXNo_Lkz37eM3R4pfzyQ", 
+    #     version_id: "Kirh.unyZwjQ69YxcQLA8z4F5j3kJJKr", 
     #   }
     #
-    # @example Example: To upload an object and specify server-side encryption and object tags
+    # @example Example: To upload an object (specify optional headers)
     #
-    #   # The following example uploads an object. The request specifies the optional server-side encryption option. The request
-    #   # also specifies optional object tags. If the bucket is versioning enabled, S3 returns version ID in response.
+    #   # The following example uploads an object. The request specifies optional request headers to directs S3 to use specific
+    #   # storage class and use server-side encryption.
     #
     #   resp = client.put_object({
-    #     body: "filetoupload", 
+    #     body: "HappyFace.jpg", 
     #     bucket: "examplebucket", 
-    #     key: "exampleobject", 
+    #     key: "HappyFace.jpg", 
     #     server_side_encryption: "AES256", 
-    #     tagging: "key1=value1&key2=value2", 
+    #     storage_class: "STANDARD_IA", 
     #   })
     #
     #   resp.to_h outputs the following:
     #   {
     #     etag: "\"6805f2cfc46c0f04559748bb039d69ae\"", 
     #     server_side_encryption: "AES256", 
-    #     version_id: "Ri.vC6qVlA4dEnjgRV4ZHsHoFIjqEMNt", 
+    #     version_id: "CG612hodqujkf8FaaNfp8U..FIhLROcp", 
     #   }
     #
     # @example Example: To upload an object and specify optional tags
@@ -15540,6 +16474,26 @@ module Aws::S3
     #     version_id: "psM2sYY4.o1501dSx8wMvnkOzSBB.V4a", 
     #   }
     #
+    # @example Example: To upload an object and specify server-side encryption and object tags
+    #
+    #   # The following example uploads an object. The request specifies the optional server-side encryption option. The request
+    #   # also specifies optional object tags. If the bucket is versioning enabled, S3 returns version ID in response.
+    #
+    #   resp = client.put_object({
+    #     body: "filetoupload", 
+    #     bucket: "examplebucket", 
+    #     key: "exampleobject", 
+    #     server_side_encryption: "AES256", 
+    #     tagging: "key1=value1&key2=value2", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     etag: "\"6805f2cfc46c0f04559748bb039d69ae\"", 
+    #     server_side_encryption: "AES256", 
+    #     version_id: "Ri.vC6qVlA4dEnjgRV4ZHsHoFIjqEMNt", 
+    #   }
+    #
     # @example Streaming a file from disk
     #   # upload file from disk in a single request, may not exceed 5GB
     #   File.open('/source/file/path', 'rb') do |file|
@@ -15565,6 +16519,7 @@ module Aws::S3
     #     checksum_sha1: "ChecksumSHA1",
     #     checksum_sha256: "ChecksumSHA256",
     #     expires: Time.now,
+    #     if_none_match: "IfNoneMatch",
     #     grant_full_control: "GrantFullControl",
     #     grant_read: "GrantRead",
     #     grant_read_acp: "GrantReadACP",
@@ -17506,14 +18461,27 @@ module Aws::S3
     #  </note>
     #
     # Permissions
-    # : * **General purpose bucket permissions** - For information on the
-    #     permissions required to use the multipart upload API, see
-    #     [Multipart Upload and Permissions][6] in the *Amazon S3 User
-    #     Guide*.
+    # : * **General purpose bucket permissions** - To perform a multipart
+    #     upload with encryption using an Key Management Service key, the
+    #     requester must have permission to the `kms:Decrypt` and
+    #     `kms:GenerateDataKey` actions on the key. The requester must also
+    #     have permissions for the `kms:GenerateDataKey` action for the
+    #     `CreateMultipartUpload` API. Then, the requester needs permissions
+    #     for the `kms:Decrypt` action on the `UploadPart` and
+    #     `UploadPartCopy` APIs.
+    #
+    #     These permissions are required because Amazon S3 must decrypt and
+    #     read data from the encrypted file parts before it completes the
+    #     multipart upload. For more information about KMS permissions, see
+    #     [Protecting data using server-side encryption with KMS][6] in the
+    #     *Amazon S3 User Guide*. For information about the permissions
+    #     required to use the multipart upload API, see [Multipart upload
+    #     and permissions][7] and [Multipart upload API and permissions][8]
+    #     in the *Amazon S3 User Guide*.
     #
     #   * **Directory bucket permissions** - To grant access to this API
     #     operation on a directory bucket, we recommend that you use the [
-    #     `CreateSession` ][7] API operation for session-based
+    #     `CreateSession` ][9] API operation for session-based
     #     authorization. Specifically, you grant the
     #     `s3express:CreateSession` permission to the directory bucket in a
     #     bucket policy or an IAM identity-based policy. Then, you make the
@@ -17524,7 +18492,11 @@ module Aws::S3
     #     token for use. Amazon Web Services CLI or SDKs create session and
     #     refresh the session token automatically to avoid service
     #     interruptions when a session expires. For more information about
-    #     authorization, see [ `CreateSession` ][7].
+    #     authorization, see [ `CreateSession` ][9].
+    #
+    #     If the object is encrypted with SSE-KMS, you must also have the
+    #     `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
+    #     identity-based policies and KMS key policies for the KMS key.
     #
     # Data integrity
     #
@@ -17536,7 +18508,7 @@ module Aws::S3
     #   then Amazon Web Services S3 uses the `x-amz-content-sha256` header
     #   as a checksum instead of `Content-MD5`. For more information see
     #   [Authenticating Requests: Using the Authorization Header (Amazon Web
-    #   Services Signature Version 4)][8].
+    #   Services Signature Version 4)][10].
     #
     #   <note markdown="1"> **Directory buckets** - MD5 is not supported by directory buckets.
     #   You can use checksum algorithms to check object integrity.
@@ -17577,12 +18549,13 @@ module Aws::S3
     #
     #     * x-amz-server-side-encryption-customer-key-MD5
     #
-    #   * **Directory bucket** - For directory buckets, only server-side
-    #     encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is
-    #     supported.
+    #     For more information, see [Using Server-Side Encryption][11] in
+    #     the *Amazon S3 User Guide*.
     #
-    #   For more information, see [Using Server-Side Encryption][9] in the
-    #   *Amazon S3 User Guide*.
+    #   * <b>Directory buckets </b> - For directory buckets, there are only
+    #     two supported options for server-side encryption: server-side
+    #     encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
+    #     server-side encryption with KMS keys (SSE-KMS) (`aws:kms`).
     #
     # Special errors
     # : * Error Code: `NoSuchUpload`
@@ -17604,13 +18577,13 @@ module Aws::S3
     #
     # * [CreateMultipartUpload][2]
     #
-    # * [CompleteMultipartUpload][10]
+    # * [CompleteMultipartUpload][12]
     #
-    # * [AbortMultipartUpload][11]
+    # * [AbortMultipartUpload][13]
     #
-    # * [ListParts][12]
+    # * [ListParts][14]
     #
-    # * [ListMultipartUploads][13]
+    # * [ListMultipartUploads][15]
     #
     #
     #
@@ -17619,14 +18592,16 @@ module Aws::S3
     # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/qfacts.html
     # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html
     # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
-    # [6]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html
-    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
-    # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
-    # [9]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
-    # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
-    # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
-    # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
-    # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
+    # [6]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html
+    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html
+    # [8]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html#mpuAndPermissions
+    # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
+    # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
+    # [11]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
+    # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
+    # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
+    # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
+    # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
     #
     # @option params [String, StringIO, File] :body
     #   Object data.
@@ -17710,9 +18685,9 @@ module Aws::S3
     # @option params [String] :checksum_crc32
     #   This header can be used as a data integrity check to verify that the
     #   data received is the same data that was originally sent. This header
-    #   specifies the base64-encoded, 32-bit CRC32 checksum of the object. For
-    #   more information, see [Checking object integrity][1] in the *Amazon S3
-    #   User Guide*.
+    #   specifies the base64-encoded, 32-bit CRC-32 checksum of the object.
+    #   For more information, see [Checking object integrity][1] in the
+    #   *Amazon S3 User Guide*.
     #
     #
     #
@@ -17721,7 +18696,7 @@ module Aws::S3
     # @option params [String] :checksum_crc32c
     #   This header can be used as a data integrity check to verify that the
     #   data received is the same data that was originally sent. This header
-    #   specifies the base64-encoded, 32-bit CRC32C checksum of the object.
+    #   specifies the base64-encoded, 32-bit CRC-32C checksum of the object.
     #   For more information, see [Checking object integrity][1] in the
     #   *Amazon S3 User Guide*.
     #
@@ -17959,9 +18934,21 @@ module Aws::S3
     #       have the <b> <code>s3:PutObject</code> </b> permission to write
     #       the object copy to the destination bucket.
     #
-    #     For information about permissions required to use the multipart
-    #     upload API, see [Multipart Upload and Permissions][7] in the
-    #     *Amazon S3 User Guide*.
+    #     * To perform a multipart upload with encryption using an Key
+    #       Management Service key, the requester must have permission to
+    #       the `kms:Decrypt` and `kms:GenerateDataKey` actions on the key.
+    #       The requester must also have permissions for the
+    #       `kms:GenerateDataKey` action for the `CreateMultipartUpload`
+    #       API. Then, the requester needs permissions for the `kms:Decrypt`
+    #       action on the `UploadPart` and `UploadPartCopy` APIs. These
+    #       permissions are required because Amazon S3 must decrypt and read
+    #       data from the encrypted file parts before it completes the
+    #       multipart upload. For more information about KMS permissions,
+    #       see [Protecting data using server-side encryption with KMS][7]
+    #       in the *Amazon S3 User Guide*. For information about the
+    #       permissions required to use the multipart upload API, see
+    #       [Multipart upload and permissions][8] and [Multipart upload API
+    #       and permissions][9] in the *Amazon S3 User Guide*.
     #
     #   * **Directory bucket permissions** - You must have permissions in a
     #     bucket policy or an IAM identity-based policy based on the source
@@ -17970,9 +18957,9 @@ module Aws::S3
     #     * If the source object that you want to copy is in a directory
     #       bucket, you must have the <b>
     #       <code>s3express:CreateSession</code> </b> permission in the
-    #       `Action` element of a policy to read the object . By default,
-    #       the session is in the `ReadWrite` mode. If you want to restrict
-    #       the access, you can explicitly set the `s3express:SessionMode`
+    #       `Action` element of a policy to read the object. By default, the
+    #       session is in the `ReadWrite` mode. If you want to restrict the
+    #       access, you can explicitly set the `s3express:SessionMode`
     #       condition key to `ReadOnly` on the copy source bucket.
     #
     #     * If the copy destination is a directory bucket, you must have the
@@ -17981,20 +18968,41 @@ module Aws::S3
     #       destination. The `s3express:SessionMode` condition key cannot be
     #       set to `ReadOnly` on the copy destination.
     #
+    #     If the object is encrypted with SSE-KMS, you must also have the
+    #     `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
+    #     identity-based policies and KMS key policies for the KMS key.
+    #
     #     For example policies, see [Example bucket policies for S3 Express
-    #     One Zone][8] and [Amazon Web Services Identity and Access
+    #     One Zone][10] and [Amazon Web Services Identity and Access
     #     Management (IAM) identity-based policies for S3 Express One
-    #     Zone][9] in the *Amazon S3 User Guide*.
+    #     Zone][11] in the *Amazon S3 User Guide*.
     #
     # Encryption
     # : * <b>General purpose buckets </b> - For information about using
     #     server-side encryption with customer-provided encryption keys with
-    #     the `UploadPartCopy` operation, see [CopyObject][10] and
+    #     the `UploadPartCopy` operation, see [CopyObject][12] and
     #     [UploadPart][2].
     #
-    #   * <b>Directory buckets </b> - For directory buckets, only
-    #     server-side encryption with Amazon S3 managed keys (SSE-S3)
-    #     (`AES256`) is supported.
+    #   * <b>Directory buckets </b> - For directory buckets, there are only
+    #     two supported options for server-side encryption: server-side
+    #     encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
+    #     server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). For
+    #     more information, see [Protecting data with server-side
+    #     encryption][13] in the *Amazon S3 User Guide*.
+    #
+    #     <note markdown="1"> For directory buckets, when you perform a `CreateMultipartUpload`
+    #     operation and an `UploadPartCopy` operation, the request headers
+    #     you provide in the `CreateMultipartUpload` request must match the
+    #     default encryption configuration of the destination bucket.
+    #
+    #      </note>
+    #
+    #     S3 Bucket Keys aren't supported, when you copy SSE-KMS encrypted
+    #     objects from general purpose buckets to directory buckets, from
+    #     directory buckets to general purpose buckets, or between directory
+    #     buckets, through [UploadPartCopy][14]. In this case, Amazon S3
+    #     makes a call to KMS every time a copy request is made for a
+    #     KMS-encrypted object.
     #
     # Special errors
     # : * Error Code: `NoSuchUpload`
@@ -18019,17 +19027,17 @@ module Aws::S3
     #
     # The following operations are related to `UploadPartCopy`:
     #
-    # * [CreateMultipartUpload][11]
+    # * [CreateMultipartUpload][15]
     #
     # * [UploadPart][2]
     #
-    # * [CompleteMultipartUpload][12]
+    # * [CompleteMultipartUpload][16]
     #
-    # * [AbortMultipartUpload][13]
+    # * [AbortMultipartUpload][17]
     #
-    # * [ListParts][14]
+    # * [ListParts][18]
     #
-    # * [ListMultipartUploads][15]
+    # * [ListMultipartUploads][19]
     #
     #
     #
@@ -18039,15 +19047,19 @@ module Aws::S3
     # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectOperations.html
     # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
     # [6]: https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html
-    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html
-    # [8]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html
-    # [9]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html
-    # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
-    # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
-    # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
-    # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
-    # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
-    # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
+    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html
+    # [8]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html
+    # [9]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html#mpuAndPermissions
+    # [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html
+    # [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html
+    # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
+    # [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
+    # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
+    # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
+    # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
+    # [17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
+    # [18]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
+    # [19]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
     #
     # @option params [required, String] :bucket
     #   The bucket name.
@@ -18333,45 +19345,45 @@ module Aws::S3
     #   * {Types::UploadPartCopyOutput#request_charged #request_charged} => String
     #
     #
-    # @example Example: To upload a part by copying data from an existing object as data source
+    # @example Example: To upload a part by copying byte range from an existing object as data source
     #
-    #   # The following example uploads a part of a multipart upload by copying data from an existing object as data source.
+    #   # The following example uploads a part of a multipart upload by copying a specified byte range from an existing object as
+    #   # data source.
     #
     #   resp = client.upload_part_copy({
     #     bucket: "examplebucket", 
     #     copy_source: "/bucketname/sourceobjectkey", 
+    #     copy_source_range: "bytes=1-100000", 
     #     key: "examplelargeobject", 
-    #     part_number: 1, 
+    #     part_number: 2, 
     #     upload_id: "exampleuoh_10OhKhT7YukE9bjzTPRiuaCotmZM_pFngJFir9OZNrSr5cWa3cq3LZSUsfjI4FI7PkP91We7Nrw--", 
     #   })
     #
     #   resp.to_h outputs the following:
     #   {
     #     copy_part_result: {
-    #       etag: "\"b0c6f0e7e054ab8fa2536a2677f8734d\"", 
-    #       last_modified: Time.parse("2016-12-29T21:24:43.000Z"), 
+    #       etag: "\"65d16d19e65a7508a51f043180edcc36\"", 
+    #       last_modified: Time.parse("2016-12-29T21:44:28.000Z"), 
     #     }, 
     #   }
     #
-    # @example Example: To upload a part by copying byte range from an existing object as data source
+    # @example Example: To upload a part by copying data from an existing object as data source
     #
-    #   # The following example uploads a part of a multipart upload by copying a specified byte range from an existing object as
-    #   # data source.
+    #   # The following example uploads a part of a multipart upload by copying data from an existing object as data source.
     #
     #   resp = client.upload_part_copy({
     #     bucket: "examplebucket", 
     #     copy_source: "/bucketname/sourceobjectkey", 
-    #     copy_source_range: "bytes=1-100000", 
     #     key: "examplelargeobject", 
-    #     part_number: 2, 
+    #     part_number: 1, 
     #     upload_id: "exampleuoh_10OhKhT7YukE9bjzTPRiuaCotmZM_pFngJFir9OZNrSr5cWa3cq3LZSUsfjI4FI7PkP91We7Nrw--", 
     #   })
     #
     #   resp.to_h outputs the following:
     #   {
     #     copy_part_result: {
-    #       etag: "\"65d16d19e65a7508a51f043180edcc36\"", 
-    #       last_modified: Time.parse("2016-12-29T21:44:28.000Z"), 
+    #       etag: "\"b0c6f0e7e054ab8fa2536a2677f8734d\"", 
+    #       last_modified: Time.parse("2016-12-29T21:24:43.000Z"), 
     #     }, 
     #   }
     #
@@ -18570,7 +19582,7 @@ module Aws::S3
     # @option params [String] :checksum_crc32
     #   This header can be used as a data integrity check to verify that the
     #   data received is the same data that was originally sent. This
-    #   specifies the base64-encoded, 32-bit CRC32 checksum of the object
+    #   specifies the base64-encoded, 32-bit CRC-32 checksum of the object
     #   returned by the Object Lambda function. This may not match the
     #   checksum for the object stored in Amazon S3. Amazon S3 will perform
     #   validation of the checksum values only when the original `GetObject`
@@ -18590,7 +19602,7 @@ module Aws::S3
     # @option params [String] :checksum_crc32c
     #   This header can be used as a data integrity check to verify that the
     #   data received is the same data that was originally sent. This
-    #   specifies the base64-encoded, 32-bit CRC32C checksum of the object
+    #   specifies the base64-encoded, 32-bit CRC-32C checksum of the object
     #   returned by the Object Lambda function. This may not match the
     #   checksum for the object stored in Amazon S3. Amazon S3 will perform
     #   validation of the checksum values only when the original `GetObject`
@@ -18821,14 +19833,19 @@ module Aws::S3
     # @api private
     def build_request(operation_name, params = {})
       handlers = @handlers.for(operation_name)
+      tracer = config.telemetry_provider.tracer_provider.tracer(
+        Aws::Telemetry.module_to_tracer_name('Aws::S3')
+      )
       context = Seahorse::Client::RequestContext.new(
         operation_name: operation_name,
         operation: config.api.operation(operation_name),
         client: self,
         params: params,
-        config: config)
+        config: config,
+        tracer: tracer
+      )
       context[:gem_name] = 'aws-sdk-s3'
-      context[:gem_version] = '1.150.0'
+      context[:gem_version] = '1.169.0'
       Seahorse::Client::Request.new(handlers, context)
     end