aws-sdk-s3 1.156.0 → 1.166.0

Sign up to get free protection for your applications and to get access to all the features.
@@ -667,9 +667,8 @@ module Aws::S3
667
667
  # </note>
668
668
  # @option options [String] :server_side_encryption
669
669
  # The server-side encryption algorithm used when storing this object in
670
- # Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
671
- # Unrecognized or unsupported values won’t write a destination object
672
- # and will receive a `400 Bad Request` response.
670
+ # Amazon S3. Unrecognized or unsupported values won’t write a
671
+ # destination object and will receive a `400 Bad Request` response.
673
672
  #
674
673
  # Amazon S3 automatically encrypts all new objects that are copied to an
675
674
  # S3 bucket. When copying an object, if you don't specify encryption
@@ -677,35 +676,72 @@ module Aws::S3
677
676
  # object is set to the default encryption configuration of the
678
677
  # destination bucket. By default, all buckets have a base level of
679
678
  # encryption configuration that uses server-side encryption with Amazon
680
- # S3 managed keys (SSE-S3). If the destination bucket has a default
681
- # encryption configuration that uses server-side encryption with Key
682
- # Management Service (KMS) keys (SSE-KMS), dual-layer server-side
683
- # encryption with Amazon Web Services KMS keys (DSSE-KMS), or
684
- # server-side encryption with customer-provided encryption keys (SSE-C),
685
- # Amazon S3 uses the corresponding KMS key, or a customer-provided key
686
- # to encrypt the target object copy.
687
- #
688
- # When you perform a `CopyObject` operation, if you want to use a
689
- # different type of encryption setting for the target object, you can
690
- # specify appropriate encryption-related headers to encrypt the target
691
- # object with an Amazon S3 managed key, a KMS key, or a
692
- # customer-provided key. If the encryption setting in your request is
693
- # different from the default encryption configuration of the destination
694
- # bucket, the encryption setting in your request takes precedence.
679
+ # S3 managed keys (SSE-S3). If the destination bucket has a different
680
+ # default encryption configuration, Amazon S3 uses the corresponding
681
+ # encryption key to encrypt the target object copy.
695
682
  #
696
683
  # With server-side encryption, Amazon S3 encrypts your data as it writes
697
684
  # your data to disks in its data centers and decrypts the data when you
698
685
  # access it. For more information about server-side encryption, see
699
686
  # [Using Server-Side Encryption][1] in the *Amazon S3 User Guide*.
700
687
  #
701
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
702
- # managed keys (SSE-S3) (`AES256`) is supported.
703
- #
704
- # </note>
688
+ # <b>General purpose buckets </b>
689
+ #
690
+ # * For general purpose buckets, there are the following supported
691
+ # options for server-side encryption: server-side encryption with Key
692
+ # Management Service (KMS) keys (SSE-KMS), dual-layer server-side
693
+ # encryption with Amazon Web Services KMS keys (DSSE-KMS), and
694
+ # server-side encryption with customer-provided encryption keys
695
+ # (SSE-C). Amazon S3 uses the corresponding KMS key, or a
696
+ # customer-provided key to encrypt the target object copy.
697
+ #
698
+ # * When you perform a `CopyObject` operation, if you want to use a
699
+ # different type of encryption setting for the target object, you can
700
+ # specify appropriate encryption-related headers to encrypt the target
701
+ # object with an Amazon S3 managed key, a KMS key, or a
702
+ # customer-provided key. If the encryption setting in your request is
703
+ # different from the default encryption configuration of the
704
+ # destination bucket, the encryption setting in your request takes
705
+ # precedence.
706
+ #
707
+ # <b>Directory buckets </b>
708
+ #
709
+ # * For directory buckets, there are only two supported options for
710
+ # server-side encryption: server-side encryption with Amazon S3
711
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
712
+ # keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's default
713
+ # encryption uses the desired encryption configuration and you don't
714
+ # override the bucket default encryption in your `CreateSession`
715
+ # requests or `PUT` object requests. Then, new objects are
716
+ # automatically encrypted with the desired encryption settings. For
717
+ # more information, see [Protecting data with server-side
718
+ # encryption][2] in the *Amazon S3 User Guide*. For more information
719
+ # about the encryption overriding behaviors in directory buckets, see
720
+ # [Specifying server-side encryption with KMS for new object
721
+ # uploads][3].
722
+ #
723
+ # * To encrypt new object copies to a directory bucket with SSE-KMS, we
724
+ # recommend you specify SSE-KMS as the directory bucket's default
725
+ # encryption configuration with a KMS key (specifically, a [customer
726
+ # managed key][4]). [Amazon Web Services managed key][5] (`aws/s3`)
727
+ # isn't supported. Your SSE-KMS configuration can only support 1
728
+ # [customer managed key][4] per directory bucket for the lifetime of
729
+ # the bucket. After you specify a customer managed key for SSE-KMS,
730
+ # you can't override the customer managed key for the bucket's
731
+ # SSE-KMS configuration. Then, when you perform a `CopyObject`
732
+ # operation and want to specify server-side encryption settings for
733
+ # new object copies with SSE-KMS in the encryption-related request
734
+ # headers, you must ensure the encryption key is the same customer
735
+ # managed key that you specified for the directory bucket's default
736
+ # encryption configuration.
705
737
  #
706
738
  #
707
739
  #
708
740
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
741
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
742
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
743
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
744
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
709
745
  # @option options [String] :storage_class
710
746
  # If the `x-amz-storage-class` header is not used, the copied object
711
747
  # will be stored in the `STANDARD` Storage Class by default. The
@@ -796,32 +832,50 @@ module Aws::S3
796
832
  #
797
833
  # </note>
798
834
  # @option options [String] :ssekms_key_id
799
- # Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for object
800
- # encryption. All GET and PUT requests for an object protected by KMS
801
- # will fail if they're not made via SSL or using SigV4. For information
802
- # about configuring any of the officially supported Amazon Web Services
803
- # SDKs and Amazon Web Services CLI, see [Specifying the Signature
804
- # Version in Request Authentication][1] in the *Amazon S3 User Guide*.
805
- #
806
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
807
- # directory bucket.
808
- #
809
- # </note>
835
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
836
+ # object encryption. All GET and PUT requests for an object protected by
837
+ # KMS will fail if they're not made via SSL or using SigV4. For
838
+ # information about configuring any of the officially supported Amazon
839
+ # Web Services SDKs and Amazon Web Services CLI, see [Specifying the
840
+ # Signature Version in Request Authentication][1] in the *Amazon S3 User
841
+ # Guide*.
842
+ #
843
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
844
+ # with `aws:kms`, you must specify the `
845
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
846
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
847
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
848
+ # key ID or key ARN. The key alias format of the KMS key isn't
849
+ # supported. Your SSE-KMS configuration can only support 1 [customer
850
+ # managed key][2] per directory bucket for the lifetime of the bucket.
851
+ # [Amazon Web Services managed key][3] (`aws/s3`) isn't supported.
810
852
  #
811
853
  #
812
854
  #
813
855
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
856
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
857
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
814
858
  # @option options [String] :ssekms_encryption_context
815
- # Specifies the Amazon Web Services KMS Encryption Context to use for
816
- # object encryption. The value of this header is a base64-encoded UTF-8
817
- # string holding JSON with the encryption context key-value pairs. This
818
- # value must be explicitly added to specify encryption context for
819
- # `CopyObject` requests.
859
+ # Specifies the Amazon Web Services KMS Encryption Context as an
860
+ # additional encryption context to use for the destination object
861
+ # encryption. The value of this header is a base64-encoded UTF-8 string
862
+ # holding JSON with the encryption context key-value pairs.
820
863
  #
821
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
822
- # directory bucket.
864
+ # **General purpose buckets** - This value must be explicitly added to
865
+ # specify encryption context for `CopyObject` requests if you want an
866
+ # additional encryption context for your destination object. The
867
+ # additional encryption context of the source object won't be copied to
868
+ # the destination object. For more information, see [Encryption
869
+ # context][1] in the *Amazon S3 User Guide*.
823
870
  #
824
- # </note>
871
+ # **Directory buckets** - You can optionally provide an explicit
872
+ # encryption context value. The value must match the default encryption
873
+ # context - the bucket Amazon Resource Name (ARN). An additional
874
+ # encryption context value is not supported.
875
+ #
876
+ #
877
+ #
878
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
825
879
  # @option options [Boolean] :bucket_key_enabled
826
880
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
827
881
  # encryption with server-side encryption using Key Management Service
@@ -835,14 +889,19 @@ module Aws::S3
835
889
  # For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon S3
836
890
  # User Guide*.
837
891
  #
838
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
839
- # directory bucket.
892
+ # <note markdown="1"> **Directory buckets** - S3 Bucket Keys aren't supported, when you
893
+ # copy SSE-KMS encrypted objects from general purpose buckets to
894
+ # directory buckets, from directory buckets to general purpose buckets,
895
+ # or between directory buckets, through [CopyObject][2]. In this case,
896
+ # Amazon S3 makes a call to KMS every time a copy request is made for a
897
+ # KMS-encrypted object.
840
898
  #
841
899
  # </note>
842
900
  #
843
901
  #
844
902
  #
845
903
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
904
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
846
905
  # @option options [String] :copy_source_sse_customer_algorithm
847
906
  # Specifies the algorithm to use when decrypting the source object (for
848
907
  # example, `AES256`).
@@ -1298,6 +1357,15 @@ module Aws::S3
1298
1357
  # fails with the HTTP status code `403 Forbidden` (access denied).
1299
1358
  # @option options [String] :checksum_mode
1300
1359
  # To retrieve the checksum, this mode must be enabled.
1360
+ #
1361
+ # **General purpose buckets** - In addition, if you enable checksum mode
1362
+ # and the object is uploaded with a [checksum][1] and encrypted with an
1363
+ # Key Management Service (KMS) key, you must have permission to use the
1364
+ # `kms:Decrypt` action to retrieve the checksum.
1365
+ #
1366
+ #
1367
+ #
1368
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
1301
1369
  # @return [Types::GetObjectOutput]
1302
1370
  def get(options = {}, &block)
1303
1371
  options = options.merge(
@@ -1646,10 +1714,52 @@ module Aws::S3
1646
1714
  # The server-side encryption algorithm used when you store this object
1647
1715
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
1648
1716
  #
1649
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
1650
- # managed keys (SSE-S3) (`AES256`) is supported.
1717
+ # * <b>Directory buckets </b> - For directory buckets, there are only
1718
+ # two supported options for server-side encryption: server-side
1719
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
1720
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
1721
+ # recommend that the bucket's default encryption uses the desired
1722
+ # encryption configuration and you don't override the bucket default
1723
+ # encryption in your `CreateSession` requests or `PUT` object
1724
+ # requests. Then, new objects are automatically encrypted with the
1725
+ # desired encryption settings. For more information, see [Protecting
1726
+ # data with server-side encryption][1] in the *Amazon S3 User Guide*.
1727
+ # For more information about the encryption overriding behaviors in
1728
+ # directory buckets, see [Specifying server-side encryption with KMS
1729
+ # for new object uploads][2].
1730
+ #
1731
+ # In the Zonal endpoint API calls (except [CopyObject][3] and
1732
+ # [UploadPartCopy][4]) using the REST API, the encryption request
1733
+ # headers must match the encryption settings that are specified in the
1734
+ # `CreateSession` request. You can't override the values of the
1735
+ # encryption settings (`x-amz-server-side-encryption`,
1736
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
1737
+ # `x-amz-server-side-encryption-context`, and
1738
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
1739
+ # specified in the `CreateSession` request. You don't need to
1740
+ # explicitly specify these encryption settings values in Zonal
1741
+ # endpoint API calls, and Amazon S3 will use the encryption settings
1742
+ # values from the `CreateSession` request to protect new objects in
1743
+ # the directory bucket.
1744
+ #
1745
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
1746
+ # `CreateSession`, the session token refreshes automatically to avoid
1747
+ # service interruptions when a session expires. The CLI or the Amazon
1748
+ # Web Services SDKs use the bucket's default encryption configuration
1749
+ # for the `CreateSession` request. It's not supported to override the
1750
+ # encryption settings values in the `CreateSession` request. So in the
1751
+ # Zonal endpoint API calls (except [CopyObject][3] and
1752
+ # [UploadPartCopy][4]), the encryption request headers must match the
1753
+ # default encryption configuration of the directory bucket.
1651
1754
  #
1652
- # </note>
1755
+ # </note>
1756
+ #
1757
+ #
1758
+ #
1759
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
1760
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
1761
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
1762
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
1653
1763
  # @option options [String] :storage_class
1654
1764
  # By default, Amazon S3 uses the STANDARD Storage Class to store newly
1655
1765
  # created objects. The STANDARD storage class provides high durability
@@ -1702,32 +1812,69 @@ module Aws::S3
1702
1812
  #
1703
1813
  # </note>
1704
1814
  # @option options [String] :ssekms_key_id
1705
- # Specifies the ID (Key ID, Key ARN, or Key Alias) of the symmetric
1706
- # encryption customer managed key to use for object encryption.
1707
- #
1708
- # <note markdown="1"> This functionality is not supported for directory buckets.
1709
- #
1710
- # </note>
1815
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
1816
+ # object encryption. If the KMS key doesn't exist in the same account
1817
+ # that's issuing the command, you must use the full Key ARN not the Key
1818
+ # ID.
1819
+ #
1820
+ # **General purpose buckets** - If you specify
1821
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
1822
+ # header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
1823
+ # to use. If you specify `x-amz-server-side-encryption:aws:kms` or
1824
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
1825
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
1826
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
1827
+ #
1828
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
1829
+ # with `aws:kms`, you must specify the `
1830
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
1831
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
1832
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
1833
+ # key ID or key ARN. The key alias format of the KMS key isn't
1834
+ # supported. Your SSE-KMS configuration can only support 1 [customer
1835
+ # managed key][1] per directory bucket for the lifetime of the bucket.
1836
+ # [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
1837
+ #
1838
+ #
1839
+ #
1840
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
1841
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1711
1842
  # @option options [String] :ssekms_encryption_context
1712
1843
  # Specifies the Amazon Web Services KMS Encryption Context to use for
1713
- # object encryption. The value of this header is a base64-encoded UTF-8
1714
- # string holding JSON with the encryption context key-value pairs.
1715
- #
1716
- # <note markdown="1"> This functionality is not supported for directory buckets.
1717
- #
1718
- # </note>
1844
+ # object encryption. The value of this header is a Base64-encoded string
1845
+ # of a UTF-8 encoded JSON, which contains the encryption context as
1846
+ # key-value pairs.
1847
+ #
1848
+ # **Directory buckets** - You can optionally provide an explicit
1849
+ # encryption context value. The value must match the default encryption
1850
+ # context - the bucket Amazon Resource Name (ARN). An additional
1851
+ # encryption context value is not supported.
1719
1852
  # @option options [Boolean] :bucket_key_enabled
1720
1853
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
1721
1854
  # encryption with server-side encryption using Key Management Service
1722
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
1723
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
1855
+ # (KMS) keys (SSE-KMS).
1724
1856
  #
1725
- # Specifying this header with an object action doesn’t affect
1857
+ # **General purpose buckets** - Setting this header to `true` causes
1858
+ # Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
1859
+ # Also, specifying this header with a PUT action doesn't affect
1726
1860
  # bucket-level settings for S3 Bucket Key.
1727
1861
  #
1728
- # <note markdown="1"> This functionality is not supported for directory buckets.
1862
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
1863
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
1864
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
1865
+ # from general purpose buckets to directory buckets, from directory
1866
+ # buckets to general purpose buckets, or between directory buckets,
1867
+ # through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
1868
+ # Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
1869
+ # makes a call to KMS every time a copy request is made for a
1870
+ # KMS-encrypted object.
1729
1871
  #
1730
- # </note>
1872
+ #
1873
+ #
1874
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
1875
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
1876
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
1877
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
1731
1878
  # @option options [String] :request_payer
1732
1879
  # Confirms that the requester knows that they will be charged for the
1733
1880
  # request. Bucket owners need not specify this parameter in their
@@ -1818,6 +1965,7 @@ module Aws::S3
1818
1965
  # checksum_sha1: "ChecksumSHA1",
1819
1966
  # checksum_sha256: "ChecksumSHA256",
1820
1967
  # expires: Time.now,
1968
+ # if_none_match: "IfNoneMatch",
1821
1969
  # grant_full_control: "GrantFullControl",
1822
1970
  # grant_read: "GrantRead",
1823
1971
  # grant_read_acp: "GrantReadACP",
@@ -2032,6 +2180,24 @@ module Aws::S3
2032
2180
  #
2033
2181
  #
2034
2182
  # [1]: https://www.rfc-editor.org/rfc/rfc7234#section-5.3
2183
+ # @option options [String] :if_none_match
2184
+ # Uploads the object only if the object key name does not already exist
2185
+ # in the bucket specified. Otherwise, Amazon S3 returns a `412
2186
+ # Precondition Failed` error.
2187
+ #
2188
+ # If a conflicting operation occurs during the upload S3 returns a `409
2189
+ # ConditionalRequestConflict` response. On a 409 failure you should
2190
+ # retry the upload.
2191
+ #
2192
+ # Expects the '*' (asterisk) character.
2193
+ #
2194
+ # For more information about conditional requests, see [RFC 7232][1], or
2195
+ # [Conditional requests][2] in the *Amazon S3 User Guide*.
2196
+ #
2197
+ #
2198
+ #
2199
+ # [1]: https://tools.ietf.org/html/rfc7232
2200
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/conditional-requests.html
2035
2201
  # @option options [String] :grant_full_control
2036
2202
  # Gives the grantee READ, READ\_ACP, and WRITE\_ACP permissions on the
2037
2203
  # object.
@@ -2072,25 +2238,65 @@ module Aws::S3
2072
2238
  # object in Amazon S3 (for example, `AES256`, `aws:kms`,
2073
2239
  # `aws:kms:dsse`).
2074
2240
  #
2075
- # <b>General purpose buckets </b> - You have four mutually exclusive
2076
- # options to protect data using server-side encryption in Amazon S3,
2077
- # depending on how you choose to manage the encryption keys.
2078
- # Specifically, the encryption key options are Amazon S3 managed keys
2079
- # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
2080
- # customer-provided keys (SSE-C). Amazon S3 encrypts data with
2081
- # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
2082
- # default. You can optionally tell Amazon S3 to encrypt data at rest by
2083
- # using server-side encryption with other key options. For more
2084
- # information, see [Using Server-Side Encryption][1] in the *Amazon S3
2085
- # User Guide*.
2241
+ # * <b>General purpose buckets </b> - You have four mutually exclusive
2242
+ # options to protect data using server-side encryption in Amazon S3,
2243
+ # depending on how you choose to manage the encryption keys.
2244
+ # Specifically, the encryption key options are Amazon S3 managed keys
2245
+ # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
2246
+ # customer-provided keys (SSE-C). Amazon S3 encrypts data with
2247
+ # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
2248
+ # default. You can optionally tell Amazon S3 to encrypt data at rest
2249
+ # by using server-side encryption with other key options. For more
2250
+ # information, see [Using Server-Side Encryption][1] in the *Amazon S3
2251
+ # User Guide*.
2252
+ #
2253
+ # * <b>Directory buckets </b> - For directory buckets, there are only
2254
+ # two supported options for server-side encryption: server-side
2255
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
2256
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
2257
+ # recommend that the bucket's default encryption uses the desired
2258
+ # encryption configuration and you don't override the bucket default
2259
+ # encryption in your `CreateSession` requests or `PUT` object
2260
+ # requests. Then, new objects are automatically encrypted with the
2261
+ # desired encryption settings. For more information, see [Protecting
2262
+ # data with server-side encryption][2] in the *Amazon S3 User Guide*.
2263
+ # For more information about the encryption overriding behaviors in
2264
+ # directory buckets, see [Specifying server-side encryption with KMS
2265
+ # for new object uploads][3].
2266
+ #
2267
+ # In the Zonal endpoint API calls (except [CopyObject][4] and
2268
+ # [UploadPartCopy][5]) using the REST API, the encryption request
2269
+ # headers must match the encryption settings that are specified in the
2270
+ # `CreateSession` request. You can't override the values of the
2271
+ # encryption settings (`x-amz-server-side-encryption`,
2272
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
2273
+ # `x-amz-server-side-encryption-context`, and
2274
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
2275
+ # specified in the `CreateSession` request. You don't need to
2276
+ # explicitly specify these encryption settings values in Zonal
2277
+ # endpoint API calls, and Amazon S3 will use the encryption settings
2278
+ # values from the `CreateSession` request to protect new objects in
2279
+ # the directory bucket.
2280
+ #
2281
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
2282
+ # `CreateSession`, the session token refreshes automatically to avoid
2283
+ # service interruptions when a session expires. The CLI or the Amazon
2284
+ # Web Services SDKs use the bucket's default encryption configuration
2285
+ # for the `CreateSession` request. It's not supported to override the
2286
+ # encryption settings values in the `CreateSession` request. So in the
2287
+ # Zonal endpoint API calls (except [CopyObject][4] and
2288
+ # [UploadPartCopy][5]), the encryption request headers must match the
2289
+ # default encryption configuration of the directory bucket.
2086
2290
  #
2087
- # <b>Directory buckets </b> - For directory buckets, only the
2088
- # server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`)
2089
- # value is supported.
2291
+ # </note>
2090
2292
  #
2091
2293
  #
2092
2294
  #
2093
2295
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
2296
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
2297
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
2298
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
2299
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
2094
2300
  # @option options [String] :storage_class
2095
2301
  # By default, Amazon S3 uses the STANDARD Storage Class to store newly
2096
2302
  # created objects. The STANDARD storage class provides high durability
@@ -2164,44 +2370,81 @@ module Aws::S3
2164
2370
  #
2165
2371
  # </note>
2166
2372
  # @option options [String] :ssekms_key_id
2167
- # If `x-amz-server-side-encryption` has a valid value of `aws:kms` or
2168
- # `aws:kms:dsse`, this header specifies the ID (Key ID, Key ARN, or Key
2169
- # Alias) of the Key Management Service (KMS) symmetric encryption
2170
- # customer managed key that was used for the object. If you specify
2171
- # `x-amz-server-side-encryption:aws:kms` or
2172
- # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide`
2173
- # x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
2174
- # Amazon Web Services managed key (`aws/s3`) to protect the data. If the
2175
- # KMS key does not exist in the same account that's issuing the
2176
- # command, you must use the full ARN and not just the ID.
2373
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
2374
+ # object encryption. If the KMS key doesn't exist in the same account
2375
+ # that's issuing the command, you must use the full Key ARN not the Key
2376
+ # ID.
2377
+ #
2378
+ # **General purpose buckets** - If you specify
2379
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
2380
+ # header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
2381
+ # to use. If you specify `x-amz-server-side-encryption:aws:kms` or
2382
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
2383
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
2384
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
2385
+ #
2386
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
2387
+ # with `aws:kms`, you must specify the `
2388
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
2389
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
2390
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
2391
+ # key ID or key ARN. The key alias format of the KMS key isn't
2392
+ # supported. Your SSE-KMS configuration can only support 1 [customer
2393
+ # managed key][1] per directory bucket for the lifetime of the bucket.
2394
+ # [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
2395
+ #
2396
+ #
2397
+ #
2398
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
2399
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
2400
+ # @option options [String] :ssekms_encryption_context
2401
+ # Specifies the Amazon Web Services KMS Encryption Context as an
2402
+ # additional encryption context to use for object encryption. The value
2403
+ # of this header is a Base64-encoded string of a UTF-8 encoded JSON,
2404
+ # which contains the encryption context as key-value pairs. This value
2405
+ # is stored as object metadata and automatically gets passed on to
2406
+ # Amazon Web Services KMS for future `GetObject` operations on this
2407
+ # object.
2177
2408
  #
2178
- # <note markdown="1"> This functionality is not supported for directory buckets.
2409
+ # **General purpose buckets** - This value must be explicitly added
2410
+ # during `CopyObject` operations if you want an additional encryption
2411
+ # context for your object. For more information, see [Encryption
2412
+ # context][1] in the *Amazon S3 User Guide*.
2179
2413
  #
2180
- # </note>
2181
- # @option options [String] :ssekms_encryption_context
2182
- # Specifies the Amazon Web Services KMS Encryption Context to use for
2183
- # object encryption. The value of this header is a base64-encoded UTF-8
2184
- # string holding JSON with the encryption context key-value pairs. This
2185
- # value is stored as object metadata and automatically gets passed on to
2186
- # Amazon Web Services KMS for future `GetObject` or `CopyObject`
2187
- # operations on this object. This value must be explicitly added during
2188
- # `CopyObject` operations.
2414
+ # **Directory buckets** - You can optionally provide an explicit
2415
+ # encryption context value. The value must match the default encryption
2416
+ # context - the bucket Amazon Resource Name (ARN). An additional
2417
+ # encryption context value is not supported.
2189
2418
  #
2190
- # <note markdown="1"> This functionality is not supported for directory buckets.
2191
2419
  #
2192
- # </note>
2420
+ #
2421
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
2193
2422
  # @option options [Boolean] :bucket_key_enabled
2194
2423
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
2195
2424
  # encryption with server-side encryption using Key Management Service
2196
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
2197
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
2425
+ # (KMS) keys (SSE-KMS).
2198
2426
  #
2199
- # Specifying this header with a PUT action doesn’t affect bucket-level
2200
- # settings for S3 Bucket Key.
2427
+ # **General purpose buckets** - Setting this header to `true` causes
2428
+ # Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
2429
+ # Also, specifying this header with a PUT action doesn't affect
2430
+ # bucket-level settings for S3 Bucket Key.
2201
2431
  #
2202
- # <note markdown="1"> This functionality is not supported for directory buckets.
2432
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
2433
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
2434
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
2435
+ # from general purpose buckets to directory buckets, from directory
2436
+ # buckets to general purpose buckets, or between directory buckets,
2437
+ # through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
2438
+ # Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
2439
+ # makes a call to KMS every time a copy request is made for a
2440
+ # KMS-encrypted object.
2203
2441
  #
2204
- # </note>
2442
+ #
2443
+ #
2444
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
2445
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
2446
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
2447
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
2205
2448
  # @option options [String] :request_payer
2206
2449
  # Confirms that the requester knows that they will be charged for the
2207
2450
  # request. Bucket owners need not specify this parameter in their
@@ -2640,3 +2883,6 @@ module Aws::S3
2640
2883
  end
2641
2884
  end
2642
2885
  end
2886
+
2887
+ # Load customizations if they exist
2888
+ require 'aws-sdk-s3/customizations/object_summary'
@@ -523,6 +523,15 @@ module Aws::S3
523
523
  # fails with the HTTP status code `403 Forbidden` (access denied).
524
524
  # @option options [String] :checksum_mode
525
525
  # To retrieve the checksum, this mode must be enabled.
526
+ #
527
+ # **General purpose buckets** - In addition, if you enable checksum mode
528
+ # and the object is uploaded with a [checksum][1] and encrypted with an
529
+ # Key Management Service (KMS) key, you must have permission to use the
530
+ # `kms:Decrypt` action to retrieve the checksum.
531
+ #
532
+ #
533
+ #
534
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
526
535
  # @return [Types::GetObjectOutput]
527
536
  def get(options = {}, &block)
528
537
  options = options.merge(
@@ -701,10 +710,20 @@ module Aws::S3
701
710
  # @option options [String] :checksum_mode
702
711
  # To retrieve the checksum, this parameter must be enabled.
703
712
  #
704
- # In addition, if you enable `ChecksumMode` and the object is encrypted
705
- # with Amazon Web Services Key Management Service (Amazon Web Services
706
- # KMS), you must have permission to use the `kms:Decrypt` action for the
707
- # request to succeed.
713
+ # **General purpose buckets** - If you enable checksum mode and the
714
+ # object is uploaded with a [checksum][1] and encrypted with an Key
715
+ # Management Service (KMS) key, you must have permission to use the
716
+ # `kms:Decrypt` action to retrieve the checksum.
717
+ #
718
+ # **Directory buckets** - If you enable `ChecksumMode` and the object is
719
+ # encrypted with Amazon Web Services Key Management Service (Amazon Web
720
+ # Services KMS), you must also have the `kms:GenerateDataKey` and
721
+ # `kms:Decrypt` permissions in IAM identity-based policies and KMS key
722
+ # policies for the KMS key to retrieve the checksum of the object.
723
+ #
724
+ #
725
+ #
726
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
708
727
  # @return [Types::HeadObjectOutput]
709
728
  def head(options = {})
710
729
  options = options.merge(
@@ -898,3 +917,6 @@ module Aws::S3
898
917
  end
899
918
  end
900
919
  end
920
+
921
+ # Load customizations if they exist
922
+ require 'aws-sdk-s3/customizations/object_version'