aws-sdk-s3 1.159.0 → 1.163.0

@@ -32,6 +32,7 @@ require 'aws-sdk-core/plugins/checksum_algorithm.rb'
32
32
  require 'aws-sdk-core/plugins/request_compression.rb'
33
33
  require 'aws-sdk-core/plugins/defaults_mode.rb'
34
34
  require 'aws-sdk-core/plugins/recursion_detection.rb'
35
+ require 'aws-sdk-core/plugins/telemetry.rb'
35
36
  require 'aws-sdk-core/plugins/sign.rb'
36
37
  require 'aws-sdk-core/plugins/protocols/rest_xml.rb'
37
38
  require 'aws-sdk-s3/plugins/accelerate.rb'
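Review bot: The added `require 'aws-sdk-core/plugins/telemetry.rb'` fails with a LoadError at load time on any installed aws-sdk-core that does not ship that file. The gemspec is not part of the visible diff, so confirm that its aws-sdk-core lower bound was raised to the first release containing the plugin. The same dependency applies to `add_plugin(Aws::Plugins::Telemetry)` in the `@@ -104` hunk, which registers the plugin on every S3 client by default. A short comment next to the require, such as `# requires aws-sdk-core >= <version that introduced telemetry>`, would make the coupling visible to anyone pinning versions.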
@@ -104,6 +105,7 @@ module Aws::S3
104
105
  add_plugin(Aws::Plugins::RequestCompression)
105
106
  add_plugin(Aws::Plugins::DefaultsMode)
106
107
  add_plugin(Aws::Plugins::RecursionDetection)
108
+ add_plugin(Aws::Plugins::Telemetry)
107
109
  add_plugin(Aws::Plugins::Sign)
108
110
  add_plugin(Aws::Plugins::Protocols::RestXml)
109
111
  add_plugin(Aws::S3::Plugins::Accelerate)
@@ -432,6 +434,16 @@ module Aws::S3
432
434
  # ** Please note ** When response stubbing is enabled, no HTTP
433
435
  # requests are made, and retries are disabled.
434
436
  #
437
+ # @option options [Aws::Telemetry::TelemetryProviderBase] :telemetry_provider (Aws::Telemetry::NoOpTelemetryProvider)
438
+ # Allows you to provide a telemetry provider, which is used to
439
+ # emit telemetry data. By default, uses `NoOpTelemetryProvider` which
440
+ # will not record or emit any telemetry data. The SDK supports the
441
+ # following telemetry providers:
442
+ #
443
+ # * OpenTelemetry (OTel) - To use the OTel provider, install and require the
444
+ # `opentelemetry-sdk` gem and then, pass in an instance of a
445
+ # `Aws::Telemetry::OTelProvider` for telemetry provider.
446
+ #
435
447
  # @option options [Aws::TokenProvider] :token_provider
436
448
  # A Bearer Token Provider. This can be an instance of any one of the
437
449
  # following classes:
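Review bot: The new `:telemetry_provider` documentation says how to enable the OTel provider but not what data it records once enabled. S3 requests carry bucket names and object keys, and whether those reach span attributes cannot be told from this hunk. Operators need that to decide whether traces may leave their trust boundary. I would add one sentence such as `# Review which request attributes the emitted spans carry before exporting them to an external collector.` and link to the provider's attribute list if one exists. The option list this comment belongs to starts and ends outside the hunk.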
@@ -520,6 +532,12 @@ module Aws::S3
520
532
  # @option options [String] :ssl_ca_store
521
533
  # Sets the X509::Store to verify peer certificate.
522
534
  #
535
+ # @option options [OpenSSL::X509::Certificate] :ssl_cert
536
+ # Sets a client certificate when creating http connections.
537
+ #
538
+ # @option options [OpenSSL::PKey] :ssl_key
539
+ # Sets a client key when creating http connections.
540
+ #
523
541
  # @option options [Float] :ssl_timeout
524
542
  # Sets the SSL timeout in seconds
525
543
  #
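Review bot: The `:ssl_key` entry is typed `[OpenSSL::PKey]`, which is a module rather than a key class; the YARD type should be `[OpenSSL::PKey::PKey]`, the base class of `OpenSSL::PKey::RSA` and `OpenSSL::PKey::EC`. The two new options are also documented independently, although a client certificate is presumably only usable together with its matching private key. I would say so explicitly, e.g. `# The private key matching :ssl_cert; set both to enable client-certificate (mutual TLS) authentication.` Since `:ssl_key` holds private key material, a note that it should not be logged or dumped with the client options would help too. The surrounding option list continues outside the hunk.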
@@ -782,9 +800,15 @@ module Aws::S3
782
800
  # [Multipart Upload and Permissions][6] in the *Amazon S3 User
783
801
  # Guide*.
784
802
  #
803
+ # If you provide an [additional checksum value][7] in your
804
+ # `MultipartUpload` requests and the object is encrypted with Key
805
+ # Management Service, you must have permission to use the
806
+ # `kms:Decrypt` action for the `CompleteMultipartUpload` request to
807
+ # succeed.
808
+ #
785
809
  # * **Directory bucket permissions** - To grant access to this API
786
810
  # operation on a directory bucket, we recommend that you use the [
787
- # `CreateSession` ][7] API operation for session-based
811
+ # `CreateSession` ][8] API operation for session-based
788
812
  # authorization. Specifically, you grant the
789
813
  # `s3express:CreateSession` permission to the directory bucket in a
790
814
  # bucket policy or an IAM identity-based policy. Then, you make the
@@ -795,13 +819,11 @@ module Aws::S3
795
819
  # token for use. Amazon Web Services CLI or SDKs create session and
796
820
  # refresh the session token automatically to avoid service
797
821
  # interruptions when a session expires. For more information about
798
- # authorization, see [ `CreateSession` ][7].
822
+ # authorization, see [ `CreateSession` ][8].
799
823
  #
800
- # * If you provide an [additional checksum value][8] in your
801
- # `MultipartUpload` requests and the object is encrypted with Key
802
- # Management Service, you must have permission to use the
803
- # `kms:Decrypt` action for the `CompleteMultipartUpload` request to
804
- # succeed.
824
+ # If the object is encrypted with SSE-KMS, you must also have the
825
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
826
+ # identity-based policies and KMS key policies for the KMS key.
805
827
  #
806
828
  # Special errors
807
829
  # : * Error Code: `EntityTooSmall`
@@ -860,8 +882,8 @@ module Aws::S3
860
882
  # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
861
883
  # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
862
884
  # [6]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html
863
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
864
- # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
885
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
886
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
865
887
  # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
866
888
  # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
867
889
  # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
@@ -1247,6 +1269,10 @@ module Aws::S3
1247
1269
  # destination. The `s3express:SessionMode` condition key can't be
1248
1270
  # set to `ReadOnly` on the copy destination bucket.
1249
1271
  #
1272
+ # If the object is encrypted with SSE-KMS, you must also have the
1273
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
1274
+ # identity-based policies and KMS key policies for the KMS key.
1275
+ #
1250
1276
  # For example policies, see [Example bucket policies for S3 Express
1251
1277
  # One Zone][6] and [Amazon Web Services Identity and Access
1252
1278
  # Management (IAM) identity-based policies for S3 Express One
@@ -1693,9 +1719,8 @@ module Aws::S3
1693
1719
  #
1694
1720
  # @option params [String] :server_side_encryption
1695
1721
  # The server-side encryption algorithm used when storing this object in
1696
- # Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
1697
- # Unrecognized or unsupported values won’t write a destination object
1698
- # and will receive a `400 Bad Request` response.
1722
+ # Amazon S3. Unrecognized or unsupported values won’t write a
1723
+ # destination object and will receive a `400 Bad Request` response.
1699
1724
  #
1700
1725
  # Amazon S3 automatically encrypts all new objects that are copied to an
1701
1726
  # S3 bucket. When copying an object, if you don't specify encryption
@@ -1703,35 +1728,72 @@ module Aws::S3
1703
1728
  # object is set to the default encryption configuration of the
1704
1729
  # destination bucket. By default, all buckets have a base level of
1705
1730
  # encryption configuration that uses server-side encryption with Amazon
1706
- # S3 managed keys (SSE-S3). If the destination bucket has a default
1707
- # encryption configuration that uses server-side encryption with Key
1708
- # Management Service (KMS) keys (SSE-KMS), dual-layer server-side
1709
- # encryption with Amazon Web Services KMS keys (DSSE-KMS), or
1710
- # server-side encryption with customer-provided encryption keys (SSE-C),
1711
- # Amazon S3 uses the corresponding KMS key, or a customer-provided key
1712
- # to encrypt the target object copy.
1713
- #
1714
- # When you perform a `CopyObject` operation, if you want to use a
1715
- # different type of encryption setting for the target object, you can
1716
- # specify appropriate encryption-related headers to encrypt the target
1717
- # object with an Amazon S3 managed key, a KMS key, or a
1718
- # customer-provided key. If the encryption setting in your request is
1719
- # different from the default encryption configuration of the destination
1720
- # bucket, the encryption setting in your request takes precedence.
1731
+ # S3 managed keys (SSE-S3). If the destination bucket has a different
1732
+ # default encryption configuration, Amazon S3 uses the corresponding
1733
+ # encryption key to encrypt the target object copy.
1721
1734
  #
1722
1735
  # With server-side encryption, Amazon S3 encrypts your data as it writes
1723
1736
  # your data to disks in its data centers and decrypts the data when you
1724
1737
  # access it. For more information about server-side encryption, see
1725
1738
  # [Using Server-Side Encryption][1] in the *Amazon S3 User Guide*.
1726
1739
  #
1727
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
1728
- # managed keys (SSE-S3) (`AES256`) is supported.
1729
- #
1730
- # </note>
1740
+ # <b>General purpose buckets </b>
1741
+ #
1742
+ # * For general purpose buckets, there are the following supported
1743
+ # options for server-side encryption: server-side encryption with Key
1744
+ # Management Service (KMS) keys (SSE-KMS), dual-layer server-side
1745
+ # encryption with Amazon Web Services KMS keys (DSSE-KMS), and
1746
+ # server-side encryption with customer-provided encryption keys
1747
+ # (SSE-C). Amazon S3 uses the corresponding KMS key, or a
1748
+ # customer-provided key to encrypt the target object copy.
1749
+ #
1750
+ # * When you perform a `CopyObject` operation, if you want to use a
1751
+ # different type of encryption setting for the target object, you can
1752
+ # specify appropriate encryption-related headers to encrypt the target
1753
+ # object with an Amazon S3 managed key, a KMS key, or a
1754
+ # customer-provided key. If the encryption setting in your request is
1755
+ # different from the default encryption configuration of the
1756
+ # destination bucket, the encryption setting in your request takes
1757
+ # precedence.
1758
+ #
1759
+ # <b>Directory buckets </b>
1760
+ #
1761
+ # * For directory buckets, there are only two supported options for
1762
+ # server-side encryption: server-side encryption with Amazon S3
1763
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
1764
+ # keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's default
1765
+ # encryption uses the desired encryption configuration and you don't
1766
+ # override the bucket default encryption in your `CreateSession`
1767
+ # requests or `PUT` object requests. Then, new objects are
1768
+ # automatically encrypted with the desired encryption settings. For
1769
+ # more information, see [Protecting data with server-side
1770
+ # encryption][2] in the *Amazon S3 User Guide*. For more information
1771
+ # about the encryption overriding behaviors in directory buckets, see
1772
+ # [Specifying server-side encryption with KMS for new object
1773
+ # uploads][3].
1774
+ #
1775
+ # * To encrypt new object copies to a directory bucket with SSE-KMS, we
1776
+ # recommend you specify SSE-KMS as the directory bucket's default
1777
+ # encryption configuration with a KMS key (specifically, a [customer
1778
+ # managed key][4]). [Amazon Web Services managed key][5] (`aws/s3`)
1779
+ # isn't supported. Your SSE-KMS configuration can only support 1
1780
+ # [customer managed key][4] per directory bucket for the lifetime of
1781
+ # the bucket. After you specify a customer managed key for SSE-KMS,
1782
+ # you can't override the customer managed key for the bucket's
1783
+ # SSE-KMS configuration. Then, when you perform a `CopyObject`
1784
+ # operation and want to specify server-side encryption settings for
1785
+ # new object copies with SSE-KMS in the encryption-related request
1786
+ # headers, you must ensure the encryption key is the same customer
1787
+ # managed key that you specified for the directory bucket's default
1788
+ # encryption configuration.
1731
1789
  #
1732
1790
  #
1733
1791
  #
1734
1792
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
1793
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
1794
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
1795
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
1796
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1735
1797
  #
1736
1798
  # @option params [String] :storage_class
1737
1799
  # If the `x-amz-storage-class` header is not used, the copied object
@@ -1828,33 +1890,51 @@ module Aws::S3
1828
1890
  # </note>
1829
1891
  #
1830
1892
  # @option params [String] :ssekms_key_id
1831
- # Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for object
1832
- # encryption. All GET and PUT requests for an object protected by KMS
1833
- # will fail if they're not made via SSL or using SigV4. For information
1834
- # about configuring any of the officially supported Amazon Web Services
1835
- # SDKs and Amazon Web Services CLI, see [Specifying the Signature
1836
- # Version in Request Authentication][1] in the *Amazon S3 User Guide*.
1893
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
1894
+ # object encryption. All GET and PUT requests for an object protected by
1895
+ # KMS will fail if they're not made via SSL or using SigV4. For
1896
+ # information about configuring any of the officially supported Amazon
1897
+ # Web Services SDKs and Amazon Web Services CLI, see [Specifying the
1898
+ # Signature Version in Request Authentication][1] in the *Amazon S3 User
1899
+ # Guide*.
1837
1900
  #
1838
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1839
- # directory bucket.
1840
- #
1841
- # </note>
1901
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
1902
+ # with `aws:kms`, you must specify the `
1903
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
1904
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
1905
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
1906
+ # key ID or key ARN. The key alias format of the KMS key isn't
1907
+ # supported. Your SSE-KMS configuration can only support 1 [customer
1908
+ # managed key][2] per directory bucket for the lifetime of the bucket.
1909
+ # [Amazon Web Services managed key][3] (`aws/s3`) isn't supported.
1842
1910
  #
1843
1911
  #
1844
1912
  #
1845
1913
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
1914
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
1915
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1846
1916
  #
1847
1917
  # @option params [String] :ssekms_encryption_context
1848
- # Specifies the Amazon Web Services KMS Encryption Context to use for
1849
- # object encryption. The value of this header is a base64-encoded UTF-8
1850
- # string holding JSON with the encryption context key-value pairs. This
1851
- # value must be explicitly added to specify encryption context for
1852
- # `CopyObject` requests.
1918
+ # Specifies the Amazon Web Services KMS Encryption Context as an
1919
+ # additional encryption context to use for the destination object
1920
+ # encryption. The value of this header is a base64-encoded UTF-8 string
1921
+ # holding JSON with the encryption context key-value pairs.
1853
1922
  #
1854
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1855
- # directory bucket.
1923
+ # **General purpose buckets** - This value must be explicitly added to
1924
+ # specify encryption context for `CopyObject` requests if you want an
1925
+ # additional encryption context for your destination object. The
1926
+ # additional encryption context of the source object won't be copied to
1927
+ # the destination object. For more information, see [Encryption
1928
+ # context][1] in the *Amazon S3 User Guide*.
1856
1929
  #
1857
- # </note>
1930
+ # **Directory buckets** - You can optionally provide an explicit
1931
+ # encryption context value. The value must match the default encryption
1932
+ # context - the bucket Amazon Resource Name (ARN). An additional
1933
+ # encryption context value is not supported.
1934
+ #
1935
+ #
1936
+ #
1937
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
1858
1938
  #
1859
1939
  # @option params [Boolean] :bucket_key_enabled
1860
1940
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
@@ -1869,14 +1949,19 @@ module Aws::S3
1869
1949
  # For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon S3
1870
1950
  # User Guide*.
1871
1951
  #
1872
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1873
- # directory bucket.
1952
+ # <note markdown="1"> **Directory buckets** - S3 Bucket Keys aren't supported, when you
1953
+ # copy SSE-KMS encrypted objects from general purpose buckets to
1954
+ # directory buckets, from directory buckets to general purpose buckets,
1955
+ # or between directory buckets, through [CopyObject][2]. In this case,
1956
+ # Amazon S3 makes a call to KMS every time a copy request is made for a
1957
+ # KMS-encrypted object.
1874
1958
  #
1875
1959
  # </note>
1876
1960
  #
1877
1961
  #
1878
1962
  #
1879
1963
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
1964
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
1880
1965
  #
1881
1966
  # @option params [String] :copy_source_sse_customer_algorithm
1882
1967
  # Specifies the algorithm to use when decrypting the source object (for
@@ -2618,9 +2703,53 @@ module Aws::S3
2618
2703
  # using server-side encryption with customer-provided encryption
2619
2704
  # keys (SSE-C)][11] in the *Amazon S3 User Guide*.
2620
2705
  #
2621
- # * **Directory buckets** -For directory buckets, only server-side
2622
- # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is
2623
- # supported.
2706
+ # * **Directory buckets** - For directory buckets, there are only two
2707
+ # supported options for server-side encryption: server-side
2708
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
2709
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
2710
+ # recommend that the bucket's default encryption uses the desired
2711
+ # encryption configuration and you don't override the bucket
2712
+ # default encryption in your `CreateSession` requests or `PUT`
2713
+ # object requests. Then, new objects are automatically encrypted
2714
+ # with the desired encryption settings. For more information, see
2715
+ # [Protecting data with server-side encryption][12] in the *Amazon
2716
+ # S3 User Guide*. For more information about the encryption
2717
+ # overriding behaviors in directory buckets, see [Specifying
2718
+ # server-side encryption with KMS for new object uploads][13].
2719
+ #
2720
+ # In the Zonal endpoint API calls (except [CopyObject][14] and
2721
+ # [UploadPartCopy][9]) using the REST API, the encryption request
2722
+ # headers must match the encryption settings that are specified in
2723
+ # the `CreateSession` request. You can't override the values of the
2724
+ # encryption settings (`x-amz-server-side-encryption`,
2725
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
2726
+ # `x-amz-server-side-encryption-context`, and
2727
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
2728
+ # specified in the `CreateSession` request. You don't need to
2729
+ # explicitly specify these encryption settings values in Zonal
2730
+ # endpoint API calls, and Amazon S3 will use the encryption settings
2731
+ # values from the `CreateSession` request to protect new objects in
2732
+ # the directory bucket.
2733
+ #
2734
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
2735
+ # `CreateSession`, the session token refreshes automatically to
2736
+ # avoid service interruptions when a session expires. The CLI or the
2737
+ # Amazon Web Services SDKs use the bucket's default encryption
2738
+ # configuration for the `CreateSession` request. It's not supported
2739
+ # to override the encryption settings values in the `CreateSession`
2740
+ # request. So in the Zonal endpoint API calls (except
2741
+ # [CopyObject][14] and [UploadPartCopy][9]), the encryption request
2742
+ # headers must match the default encryption configuration of the
2743
+ # directory bucket.
2744
+ #
2745
+ # </note>
2746
+ #
2747
+ # <note markdown="1"> For directory buckets, when you perform a `CreateMultipartUpload`
2748
+ # operation and an `UploadPartCopy` operation, the request headers
2749
+ # you provide in the `CreateMultipartUpload` request must match the
2750
+ # default encryption configuration of the destination bucket.
2751
+ #
2752
+ # </note>
2624
2753
  #
2625
2754
  # HTTP Host header syntax
2626
2755
  #
@@ -2631,13 +2760,13 @@ module Aws::S3
2631
2760
  #
2632
2761
  # * [UploadPart][1]
2633
2762
  #
2634
- # * [CompleteMultipartUpload][12]
2763
+ # * [CompleteMultipartUpload][15]
2635
2764
  #
2636
- # * [AbortMultipartUpload][13]
2765
+ # * [AbortMultipartUpload][16]
2637
2766
  #
2638
- # * [ListParts][14]
2767
+ # * [ListParts][17]
2639
2768
  #
2640
- # * [ListMultipartUploads][15]
2769
+ # * [ListMultipartUploads][18]
2641
2770
  #
2642
2771
  #
2643
2772
  #
@@ -2652,10 +2781,13 @@ module Aws::S3
2652
2781
  # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
2653
2782
  # [10]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
2654
2783
  # [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
2655
- # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
2656
- # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
2657
- # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
2658
- # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
2784
+ # [12]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
2785
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
2786
+ # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
2787
+ # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
2788
+ # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
2789
+ # [17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
2790
+ # [18]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
2659
2791
  #
2660
2792
  # @option params [String] :acl
2661
2793
  # The canned ACL to apply to the object. Amazon S3 supports a set of
@@ -3018,10 +3150,52 @@ module Aws::S3
3018
3150
  # The server-side encryption algorithm used when you store this object
3019
3151
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
3020
3152
  #
3021
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
3022
- # managed keys (SSE-S3) (`AES256`) is supported.
3153
+ # * <b>Directory buckets </b> - For directory buckets, there are only
3154
+ # two supported options for server-side encryption: server-side
3155
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
3156
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
3157
+ # recommend that the bucket's default encryption uses the desired
3158
+ # encryption configuration and you don't override the bucket default
3159
+ # encryption in your `CreateSession` requests or `PUT` object
3160
+ # requests. Then, new objects are automatically encrypted with the
3161
+ # desired encryption settings. For more information, see [Protecting
3162
+ # data with server-side encryption][1] in the *Amazon S3 User Guide*.
3163
+ # For more information about the encryption overriding behaviors in
3164
+ # directory buckets, see [Specifying server-side encryption with KMS
3165
+ # for new object uploads][2].
3166
+ #
3167
+ # In the Zonal endpoint API calls (except [CopyObject][3] and
3168
+ # [UploadPartCopy][4]) using the REST API, the encryption request
3169
+ # headers must match the encryption settings that are specified in the
3170
+ # `CreateSession` request. You can't override the values of the
3171
+ # encryption settings (`x-amz-server-side-encryption`,
3172
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
3173
+ # `x-amz-server-side-encryption-context`, and
3174
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
3175
+ # specified in the `CreateSession` request. You don't need to
3176
+ # explicitly specify these encryption settings values in Zonal
3177
+ # endpoint API calls, and Amazon S3 will use the encryption settings
3178
+ # values from the `CreateSession` request to protect new objects in
3179
+ # the directory bucket.
3180
+ #
3181
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
3182
+ # `CreateSession`, the session token refreshes automatically to avoid
3183
+ # service interruptions when a session expires. The CLI or the Amazon
3184
+ # Web Services SDKs use the bucket's default encryption configuration
3185
+ # for the `CreateSession` request. It's not supported to override the
3186
+ # encryption settings values in the `CreateSession` request. So in the
3187
+ # Zonal endpoint API calls (except [CopyObject][3] and
3188
+ # [UploadPartCopy][4]), the encryption request headers must match the
3189
+ # default encryption configuration of the directory bucket.
3023
3190
  #
3024
- # </note>
3191
+ # </note>
3192
+ #
3193
+ #
3194
+ #
3195
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3196
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
3197
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3198
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3025
3199
  #
3026
3200
  # @option params [String] :storage_class
3027
3201
  # By default, Amazon S3 uses the STANDARD Storage Class to store newly
@@ -3080,34 +3254,71 @@ module Aws::S3
3080
3254
  # </note>
3081
3255
  #
3082
3256
  # @option params [String] :ssekms_key_id
3083
- # Specifies the ID (Key ID, Key ARN, or Key Alias) of the symmetric
3084
- # encryption customer managed key to use for object encryption.
3085
- #
3086
- # <note markdown="1"> This functionality is not supported for directory buckets.
3087
- #
3088
- # </note>
3257
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
3258
+ # object encryption. If the KMS key doesn't exist in the same account
3259
+ # that's issuing the command, you must use the full Key ARN not the Key
3260
+ # ID.
3261
+ #
3262
+ # **General purpose buckets** - If you specify
3263
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
3264
+ # header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
3265
+ # to use. If you specify `x-amz-server-side-encryption:aws:kms` or
3266
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
3267
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
3268
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
3269
+ #
3270
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
3271
+ # with `aws:kms`, you must specify the `
3272
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
3273
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
3274
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
3275
+ # key ID or key ARN. The key alias format of the KMS key isn't
3276
+ # supported. Your SSE-KMS configuration can only support 1 [customer
3277
+ # managed key][1] per directory bucket for the lifetime of the bucket.
3278
+ # [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
3279
+ #
3280
+ #
3281
+ #
3282
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3283
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3089
3284
  #
3090
3285
  # @option params [String] :ssekms_encryption_context
3091
3286
  # Specifies the Amazon Web Services KMS Encryption Context to use for
3092
- # object encryption. The value of this header is a base64-encoded UTF-8
3093
- # string holding JSON with the encryption context key-value pairs.
3094
- #
3095
- # <note markdown="1"> This functionality is not supported for directory buckets.
3287
+ # object encryption. The value of this header is a Base64-encoded string
3288
+ # of a UTF-8 encoded JSON, which contains the encryption context as
3289
+ # key-value pairs.
3096
3290
  #
3097
- # </note>
3291
+ # **Directory buckets** - You can optionally provide an explicit
3292
+ # encryption context value. The value must match the default encryption
3293
+ # context - the bucket Amazon Resource Name (ARN). An additional
3294
+ # encryption context value is not supported.
3098
3295
  #
3099
3296
  # @option params [Boolean] :bucket_key_enabled
3100
3297
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
3101
3298
  # encryption with server-side encryption using Key Management Service
3102
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
3103
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
3299
+ # (KMS) keys (SSE-KMS).
3104
3300
  #
3105
- # Specifying this header with an object action doesn’t affect
3301
+ # **General purpose buckets** - Setting this header to `true` causes
3302
+ # Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
3303
+ # Also, specifying this header with a PUT action doesn't affect
3106
3304
  # bucket-level settings for S3 Bucket Key.
3107
3305
  #
3108
- # <note markdown="1"> This functionality is not supported for directory buckets.
3306
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
3307
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
3308
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
3309
+ # from general purpose buckets to directory buckets, from directory
3310
+ # buckets to general purpose buckets, or between directory buckets,
3311
+ # through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
3312
+ # Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
3313
+ # makes a call to KMS every time a copy request is made for a
3314
+ # KMS-encrypted object.
3315
+ #
3109
3316
  #
3110
- # </note>
3317
+ #
3318
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3319
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3320
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
3321
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
3111
3322
  #
3112
3323
  # @option params [String] :request_payer
3113
3324
  # Confirms that the requester knows that they will be charged for the
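Review bot: Reference targets `[3]` and `[4]` added under `:bucket_key_enabled` (`.../userguide/directory-buckets-objects-Batch-Ops` and `.../userguide/create-import-job`) lack the `.html` suffix that every other docs.aws.amazon.com link in this file has, so they are likely dead links. In the same hunk, the `:ssekms_key_id` text opens a code span at the end of one line and continues it with a leading space on the next, which renders as a padded or broken literal. Writing the header name on a single line, `x-amz-server-side-encryption-aws-kms-key-id`, fixes that; the identical split appears in the `@@ -1828` hunk. If these comments are generated from the service model, the fix belongs in the model source rather than here. The doc comment extends outside the hunk on both sides.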
@@ -3268,9 +3479,10 @@ module Aws::S3
3268
3479
 
3269
3480
  # Creates a session that establishes temporary security credentials to
3270
3481
  # support fast authentication and authorization for the Zonal endpoint
3271
- # APIs on directory buckets. For more information about Zonal endpoint
3272
- # APIs that include the Availability Zone in the request endpoint, see
3273
- # [S3 Express One Zone APIs][1] in the *Amazon S3 User Guide*.
3482
+ # API operations on directory buckets. For more information about Zonal
3483
+ # endpoint API operations that include the Availability Zone in the
3484
+ # request endpoint, see [S3 Express One Zone APIs][1] in the *Amazon S3
3485
+ # User Guide*.
3274
3486
  #
3275
3487
  # To make Zonal endpoint API requests on a directory bucket, use the
3276
3488
  # `CreateSession` API operation. Specifically, you grant
@@ -3279,13 +3491,13 @@ module Aws::S3
3279
3491
  # the `CreateSession` API request on the bucket, which returns temporary
3280
3492
  # security credentials that include the access key ID, secret access
3281
3493
  # key, session token, and expiration. These credentials have associated
3282
- # permissions to access the Zonal endpoint APIs. After the session is
3283
- # created, you don’t need to use other policies to grant permissions to
3284
- # each Zonal endpoint API individually. Instead, in your Zonal endpoint
3285
- # API requests, you sign your requests by applying the temporary
3286
- # security credentials of the session to the request headers and
3287
- # following the SigV4 protocol for authentication. You also apply the
3288
- # session token to the `x-amz-s3session-token` request header for
3494
+ # permissions to access the Zonal endpoint API operations. After the
3495
+ # session is created, you don’t need to use other policies to grant
3496
+ # permissions to each Zonal endpoint API individually. Instead, in your
3497
+ # Zonal endpoint API requests, you sign your requests by applying the
3498
+ # temporary security credentials of the session to the request headers
3499
+ # and following the SigV4 protocol for authentication. You also apply
3500
+ # the session token to the `x-amz-s3session-token` request header for
3289
3501
  # authorization. Temporary security credentials are scoped to the bucket
3290
3502
  # and expire after 5 minutes. After the expiration time, any calls that
3291
3503
  # you make with those credentials will fail. You must use IAM
@@ -3308,16 +3520,16 @@ module Aws::S3
3308
3520
  # [Regional and Zonal endpoints][3] in the *Amazon S3 User Guide*.
3309
3521
  #
3310
3522
  # * <b> <code>CopyObject</code> API operation</b> - Unlike other Zonal
3311
- # endpoint APIs, the `CopyObject` API operation doesn't use the
3312
- # temporary security credentials returned from the `CreateSession` API
3313
- # operation for authentication and authorization. For information
3523
+ # endpoint API operations, the `CopyObject` API operation doesn't use
3524
+ # the temporary security credentials returned from the `CreateSession`
3525
+ # API operation for authentication and authorization. For information
3314
3526
  # about authentication and authorization of the `CopyObject` API
3315
3527
  # operation on directory buckets, see [CopyObject][4].
3316
3528
  #
3317
3529
  # * <b> <code>HeadBucket</code> API operation</b> - Unlike other Zonal
3318
- # endpoint APIs, the `HeadBucket` API operation doesn't use the
3319
- # temporary security credentials returned from the `CreateSession` API
3320
- # operation for authentication and authorization. For information
3530
+ # endpoint API operations, the `HeadBucket` API operation doesn't use
3531
+ # the temporary security credentials returned from the `CreateSession`
3532
+ # API operation for authentication and authorization. For information
3321
3533
  # about authentication and authorization of the `HeadBucket` API
3322
3534
  # operation on directory buckets, see [HeadBucket][5].
3323
3535
  #
@@ -3336,9 +3548,71 @@ module Aws::S3
3336
3548
  # Identity and Access Management (IAM) identity-based policies for S3
3337
3549
  # Express One Zone][8] in the *Amazon S3 User Guide*.
3338
3550
  #
3339
- # To grant cross-account access to Zonal endpoint APIs, the bucket
3340
- # policy should also grant both accounts the `s3express:CreateSession`
3341
- # permission.
3551
+ # To grant cross-account access to Zonal endpoint API operations, the
3552
+ # bucket policy should also grant both accounts the
3553
+ # `s3express:CreateSession` permission.
3554
+ #
3555
+ # If you want to encrypt objects with SSE-KMS, you must also have the
3556
+ # `kms:GenerateDataKey` and the `kms:Decrypt` permissions in IAM
3557
+ # identity-based policies and KMS key policies for the target KMS key.
3558
+ #
3559
+ # Encryption
3560
+ #
3561
+ # : For directory buckets, there are only two supported options for
3562
+ # server-side encryption: server-side encryption with Amazon S3
3563
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
3564
+ # keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's default
3565
+ # encryption uses the desired encryption configuration and you don't
3566
+ # override the bucket default encryption in your `CreateSession`
3567
+ # requests or `PUT` object requests. Then, new objects are
3568
+ # automatically encrypted with the desired encryption settings. For
3569
+ # more information, see [Protecting data with server-side
3570
+ # encryption][9] in the *Amazon S3 User Guide*. For more information
3571
+ # about the encryption overriding behaviors in directory buckets, see
3572
+ # [Specifying server-side encryption with KMS for new object
3573
+ # uploads][10].
3574
+ #
3575
+ # For [Zonal endpoint (object-level) API operations][11] except
3576
+ # [CopyObject][4] and [UploadPartCopy][12], you authenticate and
3577
+ # authorize requests through [CreateSession][13] for low latency. To
3578
+ # encrypt new objects in a directory bucket with SSE-KMS, you must
3579
+ # specify SSE-KMS as the directory bucket's default encryption
3580
+ # configuration with a KMS key (specifically, a [customer managed
3581
+ # key][14]). Then, when a session is created for Zonal endpoint API
3582
+ # operations, new objects are automatically encrypted and decrypted
3583
+ # with SSE-KMS and S3 Bucket Keys during the session.
3584
+ #
3585
+ # <note markdown="1"> Only 1 [customer managed key][14] is supported per directory bucket
3586
+ # for the lifetime of the bucket. [Amazon Web Services managed
3587
+ # key][15] (`aws/s3`) isn't supported. After you specify SSE-KMS as
3588
+ # your bucket's default encryption configuration with a customer
3589
+ # managed key, you can't change the customer managed key for the
3590
+ # bucket's SSE-KMS configuration.
3591
+ #
3592
+ # </note>
3593
+ #
3594
+ # In the Zonal endpoint API calls (except [CopyObject][4] and
3595
+ # [UploadPartCopy][12]) using the REST API, you can't override the
3596
+ # values of the encryption settings (`x-amz-server-side-encryption`,
3597
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
3598
+ # `x-amz-server-side-encryption-context`, and
3599
+ # `x-amz-server-side-encryption-bucket-key-enabled`) from the
3600
+ # `CreateSession` request. You don't need to explicitly specify these
3601
+ # encryption settings values in Zonal endpoint API calls, and Amazon
3602
+ # S3 will use the encryption settings values from the `CreateSession`
3603
+ # request to protect new objects in the directory bucket.
3604
+ #
3605
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
3606
+ # `CreateSession`, the session token refreshes automatically to avoid
3607
+ # service interruptions when a session expires. The CLI or the Amazon
3608
+ # Web Services SDKs use the bucket's default encryption configuration
3609
+ # for the `CreateSession` request. It's not supported to override the
3610
+ # encryption settings values in the `CreateSession` request. Also, in
3611
+ # the Zonal endpoint API calls (except [CopyObject][4] and
3612
+ # [UploadPartCopy][12]), it's not supported to override the values of
3613
+ # the encryption settings from the `CreateSession` request.
3614
+ #
3615
+ # </note>
3342
3616
  #
3343
3617
  # HTTP Host header syntax
3344
3618
  #
@@ -3355,21 +3629,110 @@ module Aws::S3
3355
3629
  # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html#API_CreateSession_RequestParameters
3356
3630
  # [7]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html
3357
3631
  # [8]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html
3632
+ # [9]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3633
+ # [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
3634
+ # [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-differences.html#s3-express-differences-api-operations
3635
+ # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3636
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
3637
+ # [14]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3638
+ # [15]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3358
3639
  #
3359
3640
  # @option params [String] :session_mode
3360
3641
  # Specifies the mode of the session that will be created, either
3361
3642
  # `ReadWrite` or `ReadOnly`. By default, a `ReadWrite` session is
3362
3643
  # created. A `ReadWrite` session is capable of executing all the Zonal
3363
- # endpoint APIs on a directory bucket. A `ReadOnly` session is
3364
- # constrained to execute the following Zonal endpoint APIs: `GetObject`,
3365
- # `HeadObject`, `ListObjectsV2`, `GetObjectAttributes`, `ListParts`, and
3366
- # `ListMultipartUploads`.
3644
+ # endpoint API operations on a directory bucket. A `ReadOnly` session is
3645
+ # constrained to execute the following Zonal endpoint API operations:
3646
+ # `GetObject`, `HeadObject`, `ListObjectsV2`, `GetObjectAttributes`,
3647
+ # `ListParts`, and `ListMultipartUploads`.
3367
3648
  #
3368
3649
  # @option params [required, String] :bucket
3369
3650
  # The name of the bucket that you create a session for.
3370
3651
  #
3652
+ # @option params [String] :server_side_encryption
3653
+ # The server-side encryption algorithm to use when you store objects in
3654
+ # the directory bucket.
3655
+ #
3656
+ # For directory buckets, there are only two supported options for
3657
+ # server-side encryption: server-side encryption with Amazon S3 managed
3658
+ # keys (SSE-S3) (`AES256`) and server-side encryption with KMS keys
3659
+ # (SSE-KMS) (`aws:kms`). By default, Amazon S3 encrypts data with
3660
+ # SSE-S3. For more information, see [Protecting data with server-side
3661
+ # encryption][1] in the *Amazon S3 User Guide*.
3662
+ #
3663
+ #
3664
+ #
3665
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3666
+ #
3667
+ # @option params [String] :ssekms_key_id
3668
+ # If you specify `x-amz-server-side-encryption` with `aws:kms`, you must
3669
+ # specify the ` x-amz-server-side-encryption-aws-kms-key-id` header with
3670
+ # the ID (Key ID or Key ARN) of the KMS symmetric encryption customer
3671
+ # managed key to use. Otherwise, you get an HTTP `400 Bad Request`
3672
+ # error. Only use the key ID or key ARN. The key alias format of the KMS
3673
+ # key isn't supported. Also, if the KMS key doesn't exist in the same
3674
+ # account that't issuing the command, you must use the full Key ARN not
3675
+ # the Key ID.
3676
+ #
3677
+ # Your SSE-KMS configuration can only support 1 [customer managed
3678
+ # key][1] per directory bucket for the lifetime of the bucket. [Amazon
3679
+ # Web Services managed key][2] (`aws/s3`) isn't supported.
3680
+ #
3681
+ #
3682
+ #
3683
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3684
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3685
+ #
3686
+ # @option params [String] :ssekms_encryption_context
3687
+ # Specifies the Amazon Web Services KMS Encryption Context as an
3688
+ # additional encryption context to use for object encryption. The value
3689
+ # of this header is a Base64-encoded string of a UTF-8 encoded JSON,
3690
+ # which contains the encryption context as key-value pairs. This value
3691
+ # is stored as object metadata and automatically gets passed on to
3692
+ # Amazon Web Services KMS for future `GetObject` operations on this
3693
+ # object.
3694
+ #
3695
+ # **General purpose buckets** - This value must be explicitly added
3696
+ # during `CopyObject` operations if you want an additional encryption
3697
+ # context for your object. For more information, see [Encryption
3698
+ # context][1] in the *Amazon S3 User Guide*.
3699
+ #
3700
+ # **Directory buckets** - You can optionally provide an explicit
3701
+ # encryption context value. The value must match the default encryption
3702
+ # context - the bucket Amazon Resource Name (ARN). An additional
3703
+ # encryption context value is not supported.
3704
+ #
3705
+ #
3706
+ #
3707
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
3708
+ #
3709
+ # @option params [Boolean] :bucket_key_enabled
3710
+ # Specifies whether Amazon S3 should use an S3 Bucket Key for object
3711
+ # encryption with server-side encryption using KMS keys (SSE-KMS).
3712
+ #
3713
+ # S3 Bucket Keys are always enabled for `GET` and `PUT` operations in a
3714
+ # directory bucket and can’t be disabled. S3 Bucket Keys aren't
3715
+ # supported, when you copy SSE-KMS encrypted objects from general
3716
+ # purpose buckets to directory buckets, from directory buckets to
3717
+ # general purpose buckets, or between directory buckets, through
3718
+ # [CopyObject][1], [UploadPartCopy][2], [the Copy operation in Batch
3719
+ # Operations][3], or [the import jobs][4]. In this case, Amazon S3 makes
3720
+ # a call to KMS every time a copy request is made for a KMS-encrypted
3721
+ # object.
3722
+ #
3723
+ #
3724
+ #
3725
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3726
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3727
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
3728
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
3729
+ #
3371
3730
  # @return [Types::CreateSessionOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
3372
3731
  #
3732
+ # * {Types::CreateSessionOutput#server_side_encryption #server_side_encryption} => String
3733
+ # * {Types::CreateSessionOutput#ssekms_key_id #ssekms_key_id} => String
3734
+ # * {Types::CreateSessionOutput#ssekms_encryption_context #ssekms_encryption_context} => String
3735
+ # * {Types::CreateSessionOutput#bucket_key_enabled #bucket_key_enabled} => Boolean
3373
3736
  # * {Types::CreateSessionOutput#credentials #credentials} => Types::SessionCredentials
3374
3737
  #
3375
3738
  # @example Request syntax with placeholder values
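Review bot: In the new `:ssekms_key_id` text, "the same account that't issuing the command" should read `that's issuing the command`. The code span for the key-id header also opens with a stray space before `x-amz-server-side-encryption-aws-kms-key-id`, so the header name cannot be copied verbatim. The `:ssekms_encryption_context` text says the value is stored as object metadata and passed on to KMS; a line such as `# Do not put sensitive data in the encryption context; it is not secret.` would help, though that caveat is my addition and not something the hunk states. The doc block belongs to a method whose definition lies outside this hunk, and if the file is generated from the service model the corrections would belong in the model.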
@@ -3377,10 +3740,18 @@ module Aws::S3
3377
3740
  # resp = client.create_session({
3378
3741
  # session_mode: "ReadOnly", # accepts ReadOnly, ReadWrite
3379
3742
  # bucket: "BucketName", # required
3743
+ # server_side_encryption: "AES256", # accepts AES256, aws:kms, aws:kms:dsse
3744
+ # ssekms_key_id: "SSEKMSKeyId",
3745
+ # ssekms_encryption_context: "SSEKMSEncryptionContext",
3746
+ # bucket_key_enabled: false,
3380
3747
  # })
3381
3748
  #
3382
3749
  # @example Response structure
3383
3750
  #
3751
+ # resp.server_side_encryption #=> String, one of "AES256", "aws:kms", "aws:kms:dsse"
3752
+ # resp.ssekms_key_id #=> String
3753
+ # resp.ssekms_encryption_context #=> String
3754
+ # resp.bucket_key_enabled #=> Boolean
3384
3755
  # resp.credentials.access_key_id #=> String
3385
3756
  # resp.credentials.secret_access_key #=> String
3386
3757
  # resp.credentials.session_token #=> String
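Review bot: The request-syntax comment lists `aws:kms:dsse` as an accepted value for `server_side_encryption`, while the parameter text added earlier in this diff says directory buckets support only `AES256` and `aws:kms`. A caller working from the example could send a value the documentation itself describes as unsupported. Consider annotating the line, for example `# accepts AES256, aws:kms, aws:kms:dsse (directory buckets: AES256 or aws:kms only)`. The `resp.server_side_encryption` line of the response-structure example carries the same list. The example sits in a doc block that starts and ends outside this hunk.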
@@ -3626,47 +3997,92 @@ module Aws::S3
3626
3997
  req.send_request(options)
3627
3998
  end
3628
3999
 
3629
- # <note markdown="1"> This operation is not supported by directory buckets.
4000
+ # This implementation of the DELETE action resets the default encryption
4001
+ # for the bucket as server-side encryption with Amazon S3 managed keys
4002
+ # (SSE-S3).
4003
+ #
4004
+ # <note markdown="1"> * **General purpose buckets** - For information about the bucket
4005
+ # default encryption feature, see [Amazon S3 Bucket Default
4006
+ # Encryption][1] in the *Amazon S3 User Guide*.
4007
+ #
4008
+ # * **Directory buckets** - For directory buckets, there are only two
4009
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
4010
+ # For information about the default encryption configuration in
4011
+ # directory buckets, see [Setting default server-side encryption
4012
+ # behavior for directory buckets][2].
3630
4013
  #
3631
4014
  # </note>
3632
4015
  #
3633
- # This implementation of the DELETE action resets the default encryption
3634
- # for the bucket as server-side encryption with Amazon S3 managed keys
3635
- # (SSE-S3). For information about the bucket default encryption feature,
3636
- # see [Amazon S3 Bucket Default Encryption][1] in the *Amazon S3 User
3637
- # Guide*.
4016
+ # Permissions
4017
+ # : * **General purpose bucket permissions** - The
4018
+ # `s3:PutEncryptionConfiguration` permission is required in a
4019
+ # policy. The bucket owner has this permission by default. The
4020
+ # bucket owner can grant this permission to others. For more
4021
+ # information about permissions, see [Permissions Related to Bucket
4022
+ # Operations][3] and [Managing Access Permissions to Your Amazon S3
4023
+ # Resources][4].
3638
4024
  #
3639
- # To use this operation, you must have permissions to perform the
3640
- # `s3:PutEncryptionConfiguration` action. The bucket owner has this
3641
- # permission by default. The bucket owner can grant this permission to
3642
- # others. For more information about permissions, see [Permissions
3643
- # Related to Bucket Subresource Operations][2] and [Managing Access
3644
- # Permissions to your Amazon S3 Resources][3] in the *Amazon S3 User
3645
- # Guide*.
4025
+ # * **Directory bucket permissions** - To grant access to this API
4026
+ # operation, you must have the
4027
+ # `s3express:PutEncryptionConfiguration` permission in an IAM
4028
+ # identity-based policy instead of a bucket policy. Cross-account
4029
+ # access to this API operation isn't supported. This operation can
4030
+ # only be performed by the Amazon Web Services account that owns the
4031
+ # resource. For more information about directory bucket policies and
4032
+ # permissions, see [Amazon Web Services Identity and Access
4033
+ # Management (IAM) for S3 Express One Zone][5] in the *Amazon S3
4034
+ # User Guide*.
4035
+ #
4036
+ # HTTP Host header syntax
4037
+ #
4038
+ # : <b>Directory buckets </b> - The HTTP Host header syntax is
4039
+ # `s3express-control.region.amazonaws.com`.
3646
4040
  #
3647
4041
  # The following operations are related to `DeleteBucketEncryption`:
3648
4042
  #
3649
- # * [PutBucketEncryption][4]
4043
+ # * [PutBucketEncryption][6]
3650
4044
  #
3651
- # * [GetBucketEncryption][5]
4045
+ # * [GetBucketEncryption][7]
3652
4046
  #
3653
4047
  #
3654
4048
  #
3655
4049
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
3656
- # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
3657
- # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
3658
- # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
3659
- # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
4050
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-bucket-encryption.html
4051
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
4052
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
4053
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
4054
+ # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
4055
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
3660
4056
  #
3661
4057
  # @option params [required, String] :bucket
3662
4058
  # The name of the bucket containing the server-side encryption
3663
4059
  # configuration to delete.
3664
4060
  #
4061
+ # <b>Directory buckets </b> - When you use this operation with a
4062
+ # directory bucket, you must use path-style requests in the format
4063
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
4064
+ # Virtual-hosted-style requests aren't supported. Directory bucket
4065
+ # names must be unique in the chosen Availability Zone. Bucket names
4066
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
4067
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
4068
+ # bucket naming restrictions, see [Directory bucket naming rules][1] in
4069
+ # the *Amazon S3 User Guide*
4070
+ #
4071
+ #
4072
+ #
4073
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
4074
+ #
3665
4075
  # @option params [String] :expected_bucket_owner
3666
4076
  # The account ID of the expected bucket owner. If the account ID that
3667
4077
  # you provide does not match the actual owner of the bucket, the request
3668
4078
  # fails with the HTTP status code `403 Forbidden` (access denied).
3669
4079
  #
4080
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
4081
+ # operation. If you specify this header, the request fails with the HTTP
4082
+ # status code `501 Not Implemented`.
4083
+ #
4084
+ # </note>
4085
+ #
3670
4086
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
3671
4087
  #
3672
4088
  # @example Request syntax with placeholder values
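Review bot: The directory-bucket control endpoint is written with two different placeholders in this doc block: `s3express-control.region.amazonaws.com` under "HTTP Host header syntax" and `s3express-control.region_code.amazonaws.com` in the `:bucket` text. Use one placeholder throughout so readers do not take them for different hosts. The `:bucket` code spans for the path-style URL, the `bucket_base_name--az_id--x-s3` format and the `DOC-EXAMPLE-BUCKET--usw2-az1--x-s3` example also contain stray leading or trailing spaces, and the sentence ending "the *Amazon S3 User Guide*" lacks its period. The GetBucketEncryption hunk (`@@ -5541,46 +5957,92 @@`) repeats the same text and needs the same fixes. The method these comments document is defined outside the hunk.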
@@ -4660,35 +5076,35 @@ module Aws::S3
4660
5076
  # * {Types::DeleteObjectTaggingOutput#version_id #version_id} => String
4661
5077
  #
4662
5078
  #
4663
- # @example Example: To remove tag set from an object version
5079
+ # @example Example: To remove tag set from an object
4664
5080
  #
4665
- # # The following example removes tag set associated with the specified object version. The request specifies both the
4666
- # # object key and object version.
5081
+ # # The following example removes tag set associated with the specified object. If the bucket is versioning enabled, the
5082
+ # # operation removes tag set from the latest object version.
4667
5083
  #
4668
5084
  # resp = client.delete_object_tagging({
4669
5085
  # bucket: "examplebucket",
4670
5086
  # key: "HappyFace.jpg",
4671
- # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
4672
5087
  # })
4673
5088
  #
4674
5089
  # resp.to_h outputs the following:
4675
5090
  # {
4676
- # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
5091
+ # version_id: "null",
4677
5092
  # }
4678
5093
  #
4679
- # @example Example: To remove tag set from an object
5094
+ # @example Example: To remove tag set from an object version
4680
5095
  #
4681
- # # The following example removes tag set associated with the specified object. If the bucket is versioning enabled, the
4682
- # # operation removes tag set from the latest object version.
5096
+ # # The following example removes tag set associated with the specified object version. The request specifies both the
5097
+ # # object key and object version.
4683
5098
  #
4684
5099
  # resp = client.delete_object_tagging({
4685
5100
  # bucket: "examplebucket",
4686
5101
  # key: "HappyFace.jpg",
5102
+ # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
4687
5103
  # })
4688
5104
  #
4689
5105
  # resp.to_h outputs the following:
4690
5106
  # {
4691
- # version_id: "null",
5107
+ # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
4692
5108
  # }
4693
5109
  #
4694
5110
  # @example Request syntax with placeholder values
@@ -4971,20 +5387,22 @@ module Aws::S3
4971
5387
  # * {Types::DeleteObjectsOutput#errors #errors} => Array&lt;Types::Error&gt;
4972
5388
  #
4973
5389
  #
4974
- # @example Example: To delete multiple objects from a versioned bucket
5390
+ # @example Example: To delete multiple object versions from a versioned bucket
4975
5391
  #
4976
- # # The following example deletes objects from a bucket. The bucket is versioned, and the request does not specify the
4977
- # # object version to delete. In this case, all versions remain in the bucket and S3 adds a delete marker.
5392
+ # # The following example deletes objects from a bucket. The request specifies object versions. S3 deletes specific object
5393
+ # # versions and returns the key and versions of deleted objects in the response.
4978
5394
  #
4979
5395
  # resp = client.delete_objects({
4980
5396
  # bucket: "examplebucket",
4981
5397
  # delete: {
4982
5398
  # objects: [
4983
5399
  # {
4984
- # key: "objectkey1",
5400
+ # key: "HappyFace.jpg",
5401
+ # version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
4985
5402
  # },
4986
5403
  # {
4987
- # key: "objectkey2",
5404
+ # key: "HappyFace.jpg",
5405
+ # version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
4988
5406
  # },
4989
5407
  # ],
4990
5408
  # quiet: false,
@@ -4995,34 +5413,30 @@ module Aws::S3
4995
5413
  # {
4996
5414
  # deleted: [
4997
5415
  # {
4998
- # delete_marker: true,
4999
- # delete_marker_version_id: "A._w1z6EFiCF5uhtQMDal9JDkID9tQ7F",
5000
- # key: "objectkey1",
5416
+ # key: "HappyFace.jpg",
5417
+ # version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
5001
5418
  # },
5002
5419
  # {
5003
- # delete_marker: true,
5004
- # delete_marker_version_id: "iOd_ORxhkKe_e8G8_oSGxt2PjsCZKlkt",
5005
- # key: "objectkey2",
5420
+ # key: "HappyFace.jpg",
5421
+ # version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
5006
5422
  # },
5007
5423
  # ],
5008
5424
  # }
5009
5425
  #
5010
- # @example Example: To delete multiple object versions from a versioned bucket
5426
+ # @example Example: To delete multiple objects from a versioned bucket
5011
5427
  #
5012
- # # The following example deletes objects from a bucket. The request specifies object versions. S3 deletes specific object
5013
- # # versions and returns the key and versions of deleted objects in the response.
5428
+ # # The following example deletes objects from a bucket. The bucket is versioned, and the request does not specify the
5429
+ # # object version to delete. In this case, all versions remain in the bucket and S3 adds a delete marker.
5014
5430
  #
5015
5431
  # resp = client.delete_objects({
5016
5432
  # bucket: "examplebucket",
5017
5433
  # delete: {
5018
5434
  # objects: [
5019
5435
  # {
5020
- # key: "HappyFace.jpg",
5021
- # version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
5436
+ # key: "objectkey1",
5022
5437
  # },
5023
5438
  # {
5024
- # key: "HappyFace.jpg",
5025
- # version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
5439
+ # key: "objectkey2",
5026
5440
  # },
5027
5441
  # ],
5028
5442
  # quiet: false,
@@ -5033,12 +5447,14 @@ module Aws::S3
5033
5447
  # {
5034
5448
  # deleted: [
5035
5449
  # {
5036
- # key: "HappyFace.jpg",
5037
- # version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
5450
+ # delete_marker: true,
5451
+ # delete_marker_version_id: "A._w1z6EFiCF5uhtQMDal9JDkID9tQ7F",
5452
+ # key: "objectkey1",
5038
5453
  # },
5039
5454
  # {
5040
- # key: "HappyFace.jpg",
5041
- # version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
5455
+ # delete_marker: true,
5456
+ # delete_marker_version_id: "iOd_ORxhkKe_e8G8_oSGxt2PjsCZKlkt",
5457
+ # key: "objectkey2",
5042
5458
  # },
5043
5459
  # ],
5044
5460
  # }
@@ -5541,46 +5957,92 @@ module Aws::S3
5541
5957
  req.send_request(options)
5542
5958
  end
5543
5959
 
5544
- # <note markdown="1"> This operation is not supported by directory buckets.
5960
+ # Returns the default encryption configuration for an Amazon S3 bucket.
5961
+ # By default, all buckets have a default encryption configuration that
5962
+ # uses server-side encryption with Amazon S3 managed keys (SSE-S3).
5963
+ #
5964
+ # <note markdown="1"> * **General purpose buckets** - For information about the bucket
5965
+ # default encryption feature, see [Amazon S3 Bucket Default
5966
+ # Encryption][1] in the *Amazon S3 User Guide*.
5967
+ #
5968
+ # * **Directory buckets** - For directory buckets, there are only two
5969
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
5970
+ # For information about the default encryption configuration in
5971
+ # directory buckets, see [Setting default server-side encryption
5972
+ # behavior for directory buckets][2].
5545
5973
  #
5546
5974
  # </note>
5547
5975
  #
5548
- # Returns the default encryption configuration for an Amazon S3 bucket.
5549
- # By default, all buckets have a default encryption configuration that
5550
- # uses server-side encryption with Amazon S3 managed keys (SSE-S3). For
5551
- # information about the bucket default encryption feature, see [Amazon
5552
- # S3 Bucket Default Encryption][1] in the *Amazon S3 User Guide*.
5976
+ # Permissions
5977
+ # : * **General purpose bucket permissions** - The
5978
+ # `s3:GetEncryptionConfiguration` permission is required in a
5979
+ # policy. The bucket owner has this permission by default. The
5980
+ # bucket owner can grant this permission to others. For more
5981
+ # information about permissions, see [Permissions Related to Bucket
5982
+ # Operations][3] and [Managing Access Permissions to Your Amazon S3
5983
+ # Resources][4].
5553
5984
  #
5554
- # To use this operation, you must have permission to perform the
5555
- # `s3:GetEncryptionConfiguration` action. The bucket owner has this
5556
- # permission by default. The bucket owner can grant this permission to
5557
- # others. For more information about permissions, see [Permissions
5558
- # Related to Bucket Subresource Operations][2] and [Managing Access
5559
- # Permissions to Your Amazon S3 Resources][3].
5985
+ # * **Directory bucket permissions** - To grant access to this API
5986
+ # operation, you must have the
5987
+ # `s3express:GetEncryptionConfiguration` permission in an IAM
5988
+ # identity-based policy instead of a bucket policy. Cross-account
5989
+ # access to this API operation isn't supported. This operation can
5990
+ # only be performed by the Amazon Web Services account that owns the
5991
+ # resource. For more information about directory bucket policies and
5992
+ # permissions, see [Amazon Web Services Identity and Access
5993
+ # Management (IAM) for S3 Express One Zone][5] in the *Amazon S3
5994
+ # User Guide*.
5995
+ #
5996
+ # HTTP Host header syntax
5997
+ #
5998
+ # : <b>Directory buckets </b> - The HTTP Host header syntax is
5999
+ # `s3express-control.region.amazonaws.com`.
5560
6000
  #
5561
6001
  # The following operations are related to `GetBucketEncryption`:
5562
6002
  #
5563
- # * [PutBucketEncryption][4]
6003
+ # * [PutBucketEncryption][6]
5564
6004
  #
5565
- # * [DeleteBucketEncryption][5]
6005
+ # * [DeleteBucketEncryption][7]
5566
6006
  #
5567
6007
  #
5568
6008
  #
5569
6009
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
5570
- # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
5571
- # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
5572
- # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
5573
- # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
6010
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-bucket-encryption.html
6011
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
6012
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
6013
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
6014
+ # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
6015
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
6016
+ #
6017
+ # @option params [required, String] :bucket
6018
+ # The name of the bucket from which the server-side encryption
6019
+ # configuration is retrieved.
6020
+ #
6021
+ # <b>Directory buckets </b> - When you use this operation with a
6022
+ # directory bucket, you must use path-style requests in the format
6023
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
6024
+ # Virtual-hosted-style requests aren't supported. Directory bucket
6025
+ # names must be unique in the chosen Availability Zone. Bucket names
6026
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
6027
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
6028
+ # bucket naming restrictions, see [Directory bucket naming rules][1] in
6029
+ # the *Amazon S3 User Guide*
6030
+ #
5574
6031
  #
5575
- # @option params [required, String] :bucket
5576
- # The name of the bucket from which the server-side encryption
5577
- # configuration is retrieved.
6032
+ #
6033
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
5578
6034
  #
5579
6035
  # @option params [String] :expected_bucket_owner
5580
6036
  # The account ID of the expected bucket owner. If the account ID that
5581
6037
  # you provide does not match the actual owner of the bucket, the request
5582
6038
  # fails with the HTTP status code `403 Forbidden` (access denied).
5583
6039
  #
6040
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
6041
+ # operation. If you specify this header, the request fails with the HTTP
6042
+ # status code `501 Not Implemented`.
6043
+ #
6044
+ # </note>
6045
+ #
5584
6046
  # @return [Types::GetBucketEncryptionOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
5585
6047
  #
5586
6048
  # * {Types::GetBucketEncryptionOutput#server_side_encryption_configuration #server_side_encryption_configuration} => Types::ServerSideEncryptionConfiguration
@@ -7320,6 +7782,10 @@ module Aws::S3
7320
7782
  # interruptions when a session expires. For more information about
7321
7783
  # authorization, see [ `CreateSession` ][4].
7322
7784
  #
7785
+ # If the object is encrypted using SSE-KMS, you must also have the
7786
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
7787
+ # identity-based policies and KMS key policies for the KMS key.
7788
+ #
7323
7789
  # Storage classes
7324
7790
  #
7325
7791
  # : If the object you are retrieving is stored in the S3 Glacier
@@ -7348,6 +7814,11 @@ module Aws::S3
7348
7814
  # `GetObject` requests for the object that uses these types of keys,
7349
7815
  # you’ll get an HTTP `400 Bad Request` error.
7350
7816
  #
7817
+ # **Directory buckets** - For directory buckets, there are only two
7818
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
7819
+ # SSE-C isn't supported. For more information, see [Protecting data
7820
+ # with server-side encryption][7] in the *Amazon S3 User Guide*.
7821
+ #
7351
7822
  # Overriding response header values through the request
7352
7823
  #
7353
7824
  # : There are times when you want to override certain response header
@@ -7395,9 +7866,9 @@ module Aws::S3
7395
7866
  #
7396
7867
  # The following operations are related to `GetObject`:
7397
7868
  #
7398
- # * [ListBuckets][7]
7869
+ # * [ListBuckets][8]
7399
7870
  #
7400
- # * [GetObjectAcl][8]
7871
+ # * [GetObjectAcl][9]
7401
7872
  #
7402
7873
  #
7403
7874
  #
@@ -7407,8 +7878,9 @@ module Aws::S3
7407
7878
  # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
7408
7879
  # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
7409
7880
  # [6]: https://docs.aws.amazon.com/AmazonS3/latest/dev/restoring-objects.html
7410
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html
7411
- # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
7881
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
7882
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html
7883
+ # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
7412
7884
  #
7413
7885
  # @option params [String, IO] :response_target
7414
7886
  # Where to write response data, file path, or IO object.
@@ -7705,10 +8177,10 @@ module Aws::S3
7705
8177
  # @option params [String] :checksum_mode
7706
8178
  # To retrieve the checksum, this mode must be enabled.
7707
8179
  #
7708
- # In addition, if you enable checksum mode and the object is uploaded
7709
- # with a [checksum][1] and encrypted with an Key Management Service
7710
- # (KMS) key, you must have permission to use the `kms:Decrypt` action to
7711
- # retrieve the checksum.
8180
+ # **General purpose buckets** - In addition, if you enable checksum mode
8181
+ # and the object is uploaded with a [checksum][1] and encrypted with an
8182
+ # Key Management Service (KMS) key, you must have permission to use the
8183
+ # `kms:Decrypt` action to retrieve the checksum.
7712
8184
  #
7713
8185
  #
7714
8186
  #
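Review bot: The rewritten `:checksum_mode` paragraph is now scoped to general purpose buckets and gives no directory-bucket counterpart, while the matching parameter in the later hunk at `@@ -9575,10 +10072,16 @@` adds a **Directory buckets** paragraph requiring `kms:GenerateDataKey` and `kms:Decrypt`. If the same requirement applies here, add that paragraph so a caller sizing an IAM or KMS key policy for directory buckets does not stop at `kms:Decrypt`. Both hunks also carry over the typo `an Key Management Service`, which should read `a Key Management Service (KMS) key`. The parameter's comment block continues outside the hunk.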
@@ -8110,7 +8582,7 @@ module Aws::S3
8110
8582
  # Permissions
8111
8583
  # : * **General purpose bucket permissions** - To use
8112
8584
  # `GetObjectAttributes`, you must have READ access to the object.
8113
- # The permissions that you need to use this operation with depend on
8585
+ # The permissions that you need to use this operation depend on
8114
8586
  # whether the bucket is versioned. If the bucket is versioned, you
8115
8587
  # need both the `s3:GetObjectVersion` and
8116
8588
  # `s3:GetObjectVersionAttributes` permissions for this operation. If
@@ -8144,6 +8616,10 @@ module Aws::S3
8144
8616
  # interruptions when a session expires. For more information about
8145
8617
  # authorization, see [ `CreateSession` ][3].
8146
8618
  #
8619
+ # If the object is encrypted with SSE-KMS, you must also have the
8620
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
8621
+ # identity-based policies and KMS key policies for the KMS key.
8622
+ #
8147
8623
  # Encryption
8148
8624
  # : <note markdown="1"> Encryption request headers, like `x-amz-server-side-encryption`,
8149
8625
  # should not be sent for `HEAD` requests if your object uses
@@ -8177,9 +8653,19 @@ module Aws::S3
8177
8653
  # Customer-Provided Encryption Keys)][4] in the *Amazon S3 User
8178
8654
  # Guide*.
8179
8655
  #
8180
- # <note markdown="1"> **Directory bucket permissions** - For directory buckets, only
8181
- # server-side encryption with Amazon S3 managed keys (SSE-S3)
8182
- # (`AES256`) is supported.
8656
+ # <note markdown="1"> **Directory bucket permissions** - For directory buckets, there are
8657
+ # only two supported options for server-side encryption: server-side
8658
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
8659
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
8660
+ # recommend that the bucket's default encryption uses the desired
8661
+ # encryption configuration and you don't override the bucket default
8662
+ # encryption in your `CreateSession` requests or `PUT` object
8663
+ # requests. Then, new objects are automatically encrypted with the
8664
+ # desired encryption settings. For more information, see [Protecting
8665
+ # data with server-side encryption][5] in the *Amazon S3 User Guide*.
8666
+ # For more information about the encryption overriding behaviors in
8667
+ # directory buckets, see [Specifying server-side encryption with KMS
8668
+ # for new object uploads][6].
8183
8669
  #
8184
8670
  # </note>
8185
8671
  #
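Review bot: The note is still labelled `**Directory bucket permissions**` although its new text is about supported server-side encryption options, not permissions. The parallel note in the hunk at `@@ -9305,9 +9800,10 @@` was relabelled `<b>Directory bucket </b>`, and the one at `@@ -7348,6 +7814,11 @@` uses `**Directory buckets**`. Picking one label, e.g. `**Directory buckets** - For directory buckets, there are`, keeps readers from looking for IAM guidance under an encryption note. The surrounding comment block starts and ends outside the hunk.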
@@ -8203,7 +8689,7 @@ module Aws::S3
8203
8689
  # * `If-Unmodified-Since` condition evaluates to `false`.
8204
8690
  #
8205
8691
  # For more information about conditional requests, see [RFC
8206
- # 7232][5].
8692
+ # 7232][7].
8207
8693
  #
8208
8694
  # * If both of the `If-None-Match` and `If-Modified-Since` headers are
8209
8695
  # present in the request as follows, then Amazon S3 returns the HTTP
@@ -8214,7 +8700,7 @@ module Aws::S3
8214
8700
  # * `If-Modified-Since` condition evaluates to `true`.
8215
8701
  #
8216
8702
  # For more information about conditional requests, see [RFC
8217
- # 7232][5].
8703
+ # 7232][7].
8218
8704
  #
8219
8705
  # HTTP Host header syntax
8220
8706
  #
@@ -8223,21 +8709,21 @@ module Aws::S3
8223
8709
  #
8224
8710
  # The following actions are related to `GetObjectAttributes`:
8225
8711
  #
8226
- # * [GetObject][6]
8712
+ # * [GetObject][8]
8227
8713
  #
8228
- # * [GetObjectAcl][7]
8714
+ # * [GetObjectAcl][9]
8229
8715
  #
8230
- # * [GetObjectLegalHold][8]
8716
+ # * [GetObjectLegalHold][10]
8231
8717
  #
8232
- # * [GetObjectLockConfiguration][9]
8718
+ # * [GetObjectLockConfiguration][11]
8233
8719
  #
8234
- # * [GetObjectRetention][10]
8720
+ # * [GetObjectRetention][12]
8235
8721
  #
8236
- # * [GetObjectTagging][11]
8722
+ # * [GetObjectTagging][13]
8237
8723
  #
8238
- # * [HeadObject][12]
8724
+ # * [HeadObject][14]
8239
8725
  #
8240
- # * [ListParts][13]
8726
+ # * [ListParts][15]
8241
8727
  #
8242
8728
  #
8243
8729
  #
@@ -8245,15 +8731,17 @@ module Aws::S3
8245
8731
  # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
8246
8732
  # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
8247
8733
  # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
8248
- # [5]: https://tools.ietf.org/html/rfc7232
8249
- # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
8250
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
8251
- # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLegalHold.html
8252
- # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLockConfiguration.html
8253
- # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectRetention.html
8254
- # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectTagging.html
8255
- # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html
8256
- # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
8734
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
8735
+ # [6]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
8736
+ # [7]: https://tools.ietf.org/html/rfc7232
8737
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
8738
+ # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
8739
+ # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLegalHold.html
8740
+ # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLockConfiguration.html
8741
+ # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectRetention.html
8742
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectTagging.html
8743
+ # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html
8744
+ # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
8257
8745
  #
8258
8746
  # @option params [required, String] :bucket
8259
8747
  # The name of the bucket that contains the object.
@@ -8797,49 +9285,49 @@ module Aws::S3
8797
9285
  # * {Types::GetObjectTaggingOutput#tag_set #tag_set} => Array&lt;Types::Tag&gt;
8798
9286
  #
8799
9287
  #
8800
- # @example Example: To retrieve tag set of an object
9288
+ # @example Example: To retrieve tag set of a specific object version
8801
9289
  #
8802
- # # The following example retrieves tag set of an object.
9290
+ # # The following example retrieves tag set of an object. The request specifies object version.
8803
9291
  #
8804
9292
  # resp = client.get_object_tagging({
8805
9293
  # bucket: "examplebucket",
8806
- # key: "HappyFace.jpg",
9294
+ # key: "exampleobject",
9295
+ # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
8807
9296
  # })
8808
9297
  #
8809
9298
  # resp.to_h outputs the following:
8810
9299
  # {
8811
9300
  # tag_set: [
8812
9301
  # {
8813
- # key: "Key4",
8814
- # value: "Value4",
8815
- # },
8816
- # {
8817
- # key: "Key3",
8818
- # value: "Value3",
9302
+ # key: "Key1",
9303
+ # value: "Value1",
8819
9304
  # },
8820
9305
  # ],
8821
- # version_id: "null",
9306
+ # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
8822
9307
  # }
8823
9308
  #
8824
- # @example Example: To retrieve tag set of a specific object version
9309
+ # @example Example: To retrieve tag set of an object
8825
9310
  #
8826
- # # The following example retrieves tag set of an object. The request specifies object version.
9311
+ # # The following example retrieves tag set of an object.
8827
9312
  #
8828
9313
  # resp = client.get_object_tagging({
8829
9314
  # bucket: "examplebucket",
8830
- # key: "exampleobject",
8831
- # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
9315
+ # key: "HappyFace.jpg",
8832
9316
  # })
8833
9317
  #
8834
9318
  # resp.to_h outputs the following:
8835
9319
  # {
8836
9320
  # tag_set: [
8837
9321
  # {
8838
- # key: "Key1",
8839
- # value: "Value1",
9322
+ # key: "Key4",
9323
+ # value: "Value4",
9324
+ # },
9325
+ # {
9326
+ # key: "Key3",
9327
+ # value: "Value3",
8840
9328
  # },
8841
9329
  # ],
8842
- # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
9330
+ # version_id: "null",
8843
9331
  # }
8844
9332
  #
8845
9333
  # @example Request syntax with placeholder values
@@ -9272,6 +9760,13 @@ module Aws::S3
9272
9760
  # interruptions when a session expires. For more information about
9273
9761
  # authorization, see [ `CreateSession` ][3].
9274
9762
  #
9763
+ # If you enable `x-amz-checksum-mode` in the request and the object
9764
+ # is encrypted with Amazon Web Services Key Management Service
9765
+ # (Amazon Web Services KMS), you must also have the
9766
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
9767
+ # identity-based policies and KMS key policies for the KMS key to
9768
+ # retrieve the checksum of the object.
9769
+ #
9275
9770
  # Encryption
9276
9771
  # : <note markdown="1"> Encryption request headers, like `x-amz-server-side-encryption`,
9277
9772
  # should not be sent for `HEAD` requests if your object uses
@@ -9305,9 +9800,10 @@ module Aws::S3
9305
9800
  # Customer-Provided Encryption Keys)][4] in the *Amazon S3 User
9306
9801
  # Guide*.
9307
9802
  #
9308
- # <note markdown="1"> **Directory bucket permissions** - For directory buckets, only
9309
- # server-side encryption with Amazon S3 managed keys (SSE-S3)
9310
- # (`AES256`) is supported.
9803
+ # <note markdown="1"> <b>Directory bucket </b> - For directory buckets, there are only two
9804
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
9805
+ # SSE-C isn't supported. For more information, see [Protecting data
9806
+ # with server-side encryption][5] in the *Amazon S3 User Guide*.
9311
9807
  #
9312
9808
  # </note>
9313
9809
  #
@@ -9341,15 +9837,15 @@ module Aws::S3
9341
9837
  # requests in the format
9342
9838
  # `https://bucket_name.s3express-az_id.region.amazonaws.com/key-name
9343
9839
  # `. Path-style requests are not supported. For more information, see
9344
- # [Regional and Zonal endpoints][5] in the *Amazon S3 User Guide*.
9840
+ # [Regional and Zonal endpoints][6] in the *Amazon S3 User Guide*.
9345
9841
  #
9346
9842
  # </note>
9347
9843
  #
9348
9844
  # The following actions are related to `HeadObject`:
9349
9845
  #
9350
- # * [GetObject][6]
9846
+ # * [GetObject][7]
9351
9847
  #
9352
- # * [GetObjectAttributes][7]
9848
+ # * [GetObjectAttributes][8]
9353
9849
  #
9354
9850
  #
9355
9851
  #
@@ -9357,9 +9853,10 @@ module Aws::S3
9357
9853
  # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html
9358
9854
  # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
9359
9855
  # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
9360
- # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
9361
- # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
9362
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAttributes.html
9856
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
9857
+ # [6]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
9858
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
9859
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAttributes.html
9363
9860
  #
9364
9861
  # @option params [required, String] :bucket
9365
9862
  # The name of the bucket that contains the object.
@@ -9575,10 +10072,16 @@ module Aws::S3
9575
10072
  # @option params [String] :checksum_mode
9576
10073
  # To retrieve the checksum, this parameter must be enabled.
9577
10074
  #
9578
- # In addition, if you enable checksum mode and the object is uploaded
9579
- # with a [checksum][1] and encrypted with an Key Management Service
9580
- # (KMS) key, you must have permission to use the `kms:Decrypt` action to
9581
- # retrieve the checksum.
10075
+ # **General purpose buckets** - If you enable checksum mode and the
10076
+ # object is uploaded with a [checksum][1] and encrypted with an Key
10077
+ # Management Service (KMS) key, you must have permission to use the
10078
+ # `kms:Decrypt` action to retrieve the checksum.
10079
+ #
10080
+ # **Directory buckets** - If you enable `ChecksumMode` and the object is
10081
+ # encrypted with Amazon Web Services Key Management Service (Amazon Web
10082
+ # Services KMS), you must also have the `kms:GenerateDataKey` and
10083
+ # `kms:Decrypt` permissions in IAM identity-based policies and KMS key
10084
+ # policies for the KMS key to retrieve the checksum of the object.
9582
10085
  #
9583
10086
  #
9584
10087
  #
@@ -12574,24 +13077,73 @@ module Aws::S3
12574
13077
  req.send_request(options)
12575
13078
  end
12576
13079
 
12577
- # <note markdown="1"> This operation is not supported by directory buckets.
13080
+ # This operation configures default encryption and Amazon S3 Bucket Keys
13081
+ # for an existing bucket.
12578
13082
  #
12579
- # </note>
13083
+ # <note markdown="1"> <b>Directory buckets </b> - For directory buckets, you must make
13084
+ # requests for this API operation to the Regional endpoint. These
13085
+ # endpoints support path-style requests in the format
13086
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
13087
+ # Virtual-hosted-style requests aren't supported. For more information,
13088
+ # see [Regional and Zonal endpoints][1] in the *Amazon S3 User Guide*.
12580
13089
  #
12581
- # This action uses the `encryption` subresource to configure default
12582
- # encryption and Amazon S3 Bucket Keys for an existing bucket.
13090
+ # </note>
12583
13091
  #
12584
13092
  # By default, all buckets have a default encryption configuration that
12585
- # uses server-side encryption with Amazon S3 managed keys (SSE-S3). You
12586
- # can optionally configure default encryption for a bucket by using
12587
- # server-side encryption with Key Management Service (KMS) keys
12588
- # (SSE-KMS) or dual-layer server-side encryption with Amazon Web
12589
- # Services KMS keys (DSSE-KMS). If you specify default encryption by
12590
- # using SSE-KMS, you can also configure [Amazon S3 Bucket Keys][1]. If
12591
- # you use PutBucketEncryption to set your [default bucket encryption][2]
12592
- # to SSE-KMS, you should verify that your KMS key ID is correct. Amazon
12593
- # S3 does not validate the KMS key ID provided in PutBucketEncryption
12594
- # requests.
13093
+ # uses server-side encryption with Amazon S3 managed keys (SSE-S3).
13094
+ #
13095
+ # <note markdown="1"> * **General purpose buckets**
13096
+ #
13097
+ # * You can optionally configure default encryption for a bucket by
13098
+ # using server-side encryption with Key Management Service (KMS)
13099
+ # keys (SSE-KMS) or dual-layer server-side encryption with Amazon
13100
+ # Web Services KMS keys (DSSE-KMS). If you specify default
13101
+ # encryption by using SSE-KMS, you can also configure [Amazon S3
13102
+ # Bucket Keys][2]. For information about the bucket default
13103
+ # encryption feature, see [Amazon S3 Bucket Default Encryption][3]
13104
+ # in the *Amazon S3 User Guide*.
13105
+ #
13106
+ # * If you use PutBucketEncryption to set your [default bucket
13107
+ # encryption][3] to SSE-KMS, you should verify that your KMS key ID
13108
+ # is correct. Amazon S3 doesn't validate the KMS key ID provided in
13109
+ # PutBucketEncryption requests.
13110
+ #
13111
+ # * <b>Directory buckets </b> - You can optionally configure default
13112
+ # encryption for a bucket by using server-side encryption with Key
13113
+ # Management Service (KMS) keys (SSE-KMS).
13114
+ #
13115
+ # * We recommend that the bucket's default encryption uses the
13116
+ # desired encryption configuration and you don't override the
13117
+ # bucket default encryption in your `CreateSession` requests or
13118
+ # `PUT` object requests. Then, new objects are automatically
13119
+ # encrypted with the desired encryption settings. For more
13120
+ # information about the encryption overriding behaviors in directory
13121
+ # buckets, see [Specifying server-side encryption with KMS for new
13122
+ # object uploads][4].
13123
+ #
13124
+ # * Your SSE-KMS configuration can only support 1 [customer managed
13125
+ # key][5] per directory bucket for the lifetime of the bucket.
13126
+ # [Amazon Web Services managed key][6] (`aws/s3`) isn't supported.
13127
+ #
13128
+ # * S3 Bucket Keys are always enabled for `GET` and `PUT` operations
13129
+ # in a directory bucket and can’t be disabled. S3 Bucket Keys
13130
+ # aren't supported, when you copy SSE-KMS encrypted objects from
13131
+ # general purpose buckets to directory buckets, from directory
13132
+ # buckets to general purpose buckets, or between directory buckets,
13133
+ # through [CopyObject][7], [UploadPartCopy][8], [the Copy operation
13134
+ # in Batch Operations][9], or [the import jobs][10]. In this case,
13135
+ # Amazon S3 makes a call to KMS every time a copy request is made
13136
+ # for a KMS-encrypted object.
13137
+ #
13138
+ # * When you specify an [KMS customer managed key][5] for encryption
13139
+ # in your directory bucket, only use the key ID or key ARN. The key
13140
+ # alias format of the KMS key isn't supported.
13141
+ #
13142
+ # * For directory buckets, if you use PutBucketEncryption to set your
13143
+ # [default bucket encryption][3] to SSE-KMS, Amazon S3 validates the
13144
+ # KMS key ID provided in PutBucketEncryption requests.
13145
+ #
13146
+ # </note>
12595
13147
  #
12596
13148
  # If you're specifying a customer managed KMS key, we recommend using a
12597
13149
  # fully qualified KMS key ARN. If you use a KMS key alias instead, then
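Review bot: The new directory-bucket bullet says the key alias format isn't supported, yet the unchanged paragraph that follows the note (`If you're specifying a customer managed KMS key ... If you use a KMS key alias instead, then`) is not scoped to a bucket type and still reads as if an alias were acceptable everywhere. Scoping that paragraph, for example by opening it with `For general purpose buckets, if you're specifying a customer managed KMS key,`, removes the contradiction. The same bullet has `an [KMS customer managed key][5]`, which should be `a [KMS customer managed key][5]`. That paragraph continues past the end of the hunk, so the rest of its wording is not visible here.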
@@ -12601,45 +13153,80 @@ module Aws::S3
12601
13153
  #
12602
13154
  # Also, this action requires Amazon Web Services Signature Version 4.
12603
13155
  # For more information, see [ Authenticating Requests (Amazon Web
12604
- # Services Signature Version 4)][3].
13156
+ # Services Signature Version 4)][11].
12605
13157
  #
12606
- # To use this operation, you must have permission to perform the
12607
- # `s3:PutEncryptionConfiguration` action. The bucket owner has this
12608
- # permission by default. The bucket owner can grant this permission to
12609
- # others. For more information about permissions, see [Permissions
12610
- # Related to Bucket Subresource Operations][4] and [Managing Access
12611
- # Permissions to Your Amazon S3 Resources][5] in the *Amazon S3 User
12612
- # Guide*.
13158
+ # Permissions
13159
+ # : * **General purpose bucket permissions** - The
13160
+ # `s3:PutEncryptionConfiguration` permission is required in a
13161
+ # policy. The bucket owner has this permission by default. The
13162
+ # bucket owner can grant this permission to others. For more
13163
+ # information about permissions, see [Permissions Related to Bucket
13164
+ # Operations][12] and [Managing Access Permissions to Your Amazon S3
13165
+ # Resources][13] in the *Amazon S3 User Guide*.
13166
+ #
13167
+ # * **Directory bucket permissions** - To grant access to this API
13168
+ # operation, you must have the
13169
+ # `s3express:PutEncryptionConfiguration` permission in an IAM
13170
+ # identity-based policy instead of a bucket policy. Cross-account
13171
+ # access to this API operation isn't supported. This operation can
13172
+ # only be performed by the Amazon Web Services account that owns the
13173
+ # resource. For more information about directory bucket policies and
13174
+ # permissions, see [Amazon Web Services Identity and Access
13175
+ # Management (IAM) for S3 Express One Zone][14] in the *Amazon S3
13176
+ # User Guide*.
13177
+ #
13178
+ # To set a directory bucket default encryption with SSE-KMS, you
13179
+ # must also have the `kms:GenerateDataKey` and the `kms:Decrypt`
13180
+ # permissions in IAM identity-based policies and KMS key policies
13181
+ # for the target KMS key.
13182
+ #
13183
+ # HTTP Host header syntax
13184
+ #
13185
+ # : <b>Directory buckets </b> - The HTTP Host header syntax is
13186
+ # `s3express-control.region.amazonaws.com`.
12613
13187
  #
12614
13188
  # The following operations are related to `PutBucketEncryption`:
12615
13189
  #
12616
- # * [GetBucketEncryption][6]
13190
+ # * [GetBucketEncryption][15]
12617
13191
  #
12618
- # * [DeleteBucketEncryption][7]
13192
+ # * [DeleteBucketEncryption][16]
12619
13193
  #
12620
13194
  #
12621
13195
  #
12622
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
12623
- # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
12624
- # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
12625
- # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
12626
- # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
12627
- # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
12628
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
13196
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
13197
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
13198
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
13199
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
13200
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
13201
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
13202
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
13203
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
13204
+ # [9]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
13205
+ # [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
13206
+ # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
13207
+ # [12]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
13208
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
13209
+ # [14]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
13210
+ # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
13211
+ # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
12629
13212
  #
12630
13213
  # @option params [required, String] :bucket
12631
13214
  # Specifies default encryption for a bucket using server-side encryption
12632
- # with different key options. By default, all buckets have a default
12633
- # encryption configuration that uses server-side encryption with Amazon
12634
- # S3 managed keys (SSE-S3). You can optionally configure default
12635
- # encryption for a bucket by using server-side encryption with an Amazon
12636
- # Web Services KMS key (SSE-KMS) or a customer-provided key (SSE-C). For
12637
- # information about the bucket default encryption feature, see [Amazon
12638
- # S3 Bucket Default Encryption][1] in the *Amazon S3 User Guide*.
13215
+ # with different key options.
13216
+ #
13217
+ # <b>Directory buckets </b> - When you use this operation with a
13218
+ # directory bucket, you must use path-style requests in the format
13219
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
13220
+ # Virtual-hosted-style requests aren't supported. Directory bucket
13221
+ # names must be unique in the chosen Availability Zone. Bucket names
13222
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
13223
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
13224
+ # bucket naming restrictions, see [Directory bucket naming rules][1] in
13225
+ # the *Amazon S3 User Guide*
12639
13226
  #
12640
13227
  #
12641
13228
  #
12642
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
13229
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
12643
13230
  #
12644
13231
  # @option params [String] :content_md5
12645
13232
  # The base64-encoded 128-bit MD5 digest of the server-side encryption
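Review bot: Reference targets `[9]` (`.../userguide/directory-buckets-objects-Batch-Ops`) and `[10]` (`.../userguide/create-import-job`) are the only links in this list without the `.html` suffix, so they may not resolve the way the other fourteen do; confirm both targets and align them with the rest. In the new `:bucket` text the last sentence also ends without a period and should read `# the *Amazon S3 User Guide*.`. The `:bucket` description still opens with `Specifies default encryption for a bucket`, which describes the operation rather than the parameter. That line is unchanged context, so it is only worth fixing if the source of this text is being touched anyway.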
@@ -12649,6 +13236,10 @@ module Aws::S3
12649
13236
  # (CLI) or Amazon Web Services SDKs, this field is calculated
12650
13237
  # automatically.
12651
13238
  #
13239
+ # <note markdown="1"> This functionality is not supported for directory buckets.
13240
+ #
13241
+ # </note>
13242
+ #
12652
13243
  # @option params [String] :checksum_algorithm
12653
13244
  # Indicates the algorithm used to create the checksum for the object
12654
13245
  # when you use the SDK. This header will not provide any additional
@@ -12661,6 +13252,11 @@ module Aws::S3
12661
13252
  # If you provide an individual checksum, Amazon S3 ignores any provided
12662
13253
  # `ChecksumAlgorithm` parameter.
12663
13254
  #
13255
+ # <note markdown="1"> For directory buckets, when you use Amazon Web Services SDKs, `CRC32`
13256
+ # is the default checksum algorithm that's used for performance.
13257
+ #
13258
+ # </note>
13259
+ #
12664
13260
  #
12665
13261
  #
12666
13262
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
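Review bot: The added note gives performance as the reason `CRC32` is the default for directory buckets but does not say what kind of check that is. CRC32 detects accidental corruption and is not a cryptographic digest, so a reader who wants tamper evidence should not infer it from this default. One added line would cover it, e.g. `# CRC32 detects accidental corruption only; it is not a cryptographic integrity check.` The parameter's comment block starts above the hunk.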
@@ -12673,6 +13269,12 @@ module Aws::S3
12673
13269
  # you provide does not match the actual owner of the bucket, the request
12674
13270
  # fails with the HTTP status code `403 Forbidden` (access denied).
12675
13271
  #
13272
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
13273
+ # operation. If you specify this header, the request fails with the HTTP
13274
+ # status code `501 Not Implemented`.
13275
+ #
13276
+ # </note>
13277
+ #
12676
13278
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
12677
13279
  #
12678
13280
  # @example Request syntax with placeholder values
@@ -15070,6 +15672,10 @@ module Aws::S3
15070
15672
  # interruptions when a session expires. For more information about
15071
15673
  # authorization, see [ `CreateSession` ][5].
15072
15674
  #
15675
+ # If the object is encrypted with SSE-KMS, you must also have the
15676
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
15677
+ # identity-based policies and KMS key policies for the KMS key.
15678
+ #
15073
15679
  # Data integrity with Content-MD5
15074
15680
  # : * **General purpose bucket** - To ensure that data is not corrupted
15075
15681
  # traversing the network, use the `Content-MD5` header. When you use
@@ -15419,25 +16025,65 @@ module Aws::S3
15419
16025
  # object in Amazon S3 (for example, `AES256`, `aws:kms`,
15420
16026
  # `aws:kms:dsse`).
15421
16027
  #
15422
- # <b>General purpose buckets </b> - You have four mutually exclusive
15423
- # options to protect data using server-side encryption in Amazon S3,
15424
- # depending on how you choose to manage the encryption keys.
15425
- # Specifically, the encryption key options are Amazon S3 managed keys
15426
- # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
15427
- # customer-provided keys (SSE-C). Amazon S3 encrypts data with
15428
- # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
15429
- # default. You can optionally tell Amazon S3 to encrypt data at rest by
15430
- # using server-side encryption with other key options. For more
15431
- # information, see [Using Server-Side Encryption][1] in the *Amazon S3
15432
- # User Guide*.
16028
+ # * <b>General purpose buckets </b> - You have four mutually exclusive
16029
+ # options to protect data using server-side encryption in Amazon S3,
16030
+ # depending on how you choose to manage the encryption keys.
16031
+ # Specifically, the encryption key options are Amazon S3 managed keys
16032
+ # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
16033
+ # customer-provided keys (SSE-C). Amazon S3 encrypts data with
16034
+ # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
16035
+ # default. You can optionally tell Amazon S3 to encrypt data at rest
16036
+ # by using server-side encryption with other key options. For more
16037
+ # information, see [Using Server-Side Encryption][1] in the *Amazon S3
16038
+ # User Guide*.
15433
16039
  #
15434
- # <b>Directory buckets </b> - For directory buckets, only the
15435
- # server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`)
15436
- # value is supported.
16040
+ # * <b>Directory buckets </b> - For directory buckets, there are only
16041
+ # two supported options for server-side encryption: server-side
16042
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
16043
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
16044
+ # recommend that the bucket's default encryption uses the desired
16045
+ # encryption configuration and you don't override the bucket default
16046
+ # encryption in your `CreateSession` requests or `PUT` object
16047
+ # requests. Then, new objects are automatically encrypted with the
16048
+ # desired encryption settings. For more information, see [Protecting
16049
+ # data with server-side encryption][2] in the *Amazon S3 User Guide*.
16050
+ # For more information about the encryption overriding behaviors in
16051
+ # directory buckets, see [Specifying server-side encryption with KMS
16052
+ # for new object uploads][3].
16053
+ #
16054
+ # In the Zonal endpoint API calls (except [CopyObject][4] and
16055
+ # [UploadPartCopy][5]) using the REST API, the encryption request
16056
+ # headers must match the encryption settings that are specified in the
16057
+ # `CreateSession` request. You can't override the values of the
16058
+ # encryption settings (`x-amz-server-side-encryption`,
16059
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
16060
+ # `x-amz-server-side-encryption-context`, and
16061
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
16062
+ # specified in the `CreateSession` request. You don't need to
16063
+ # explicitly specify these encryption settings values in Zonal
16064
+ # endpoint API calls, and Amazon S3 will use the encryption settings
16065
+ # values from the `CreateSession` request to protect new objects in
16066
+ # the directory bucket.
16067
+ #
16068
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
16069
+ # `CreateSession`, the session token refreshes automatically to avoid
16070
+ # service interruptions when a session expires. The CLI or the Amazon
16071
+ # Web Services SDKs use the bucket's default encryption configuration
16072
+ # for the `CreateSession` request. It's not supported to override the
16073
+ # encryption settings values in the `CreateSession` request. So in the
16074
+ # Zonal endpoint API calls (except [CopyObject][4] and
16075
+ # [UploadPartCopy][5]), the encryption request headers must match the
16076
+ # default encryption configuration of the directory bucket.
16077
+ #
16078
+ # </note>
15437
16079
  #
15438
16080
  #
15439
16081
  #
15440
16082
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
16083
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
16084
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
16085
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
16086
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
15441
16087
  #
15442
16088
  # @option params [String] :storage_class
15443
16089
  # By default, Amazon S3 uses the STANDARD Storage Class to store newly
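Review bot: The added directory-bucket paragraphs (new lines 16054–16078) name the encryption settings only by HTTP header, while a caller of this client sets them through the `:server_side_encryption`, `:ssekms_key_id`, `:ssekms_encryption_context` and `:bucket_key_enabled` options. The note says the SDKs issue `CreateSession` with the bucket's default encryption configuration and that the request headers must match it. For the Zonal endpoint calls this text covers, an SDK user must therefore either omit these options or set them to the bucket default. I would say so in one sentence, e.g. `# With this SDK, omit the encryption options for directory buckets or set them to the bucket's default encryption configuration.` The option this text documents starts outside the hunk.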
@@ -15517,46 +16163,83 @@ module Aws::S3
15517
16163
  # </note>
15518
16164
  #
15519
16165
  # @option params [String] :ssekms_key_id
15520
- # If `x-amz-server-side-encryption` has a valid value of `aws:kms` or
15521
- # `aws:kms:dsse`, this header specifies the ID (Key ID, Key ARN, or Key
15522
- # Alias) of the Key Management Service (KMS) symmetric encryption
15523
- # customer managed key that was used for the object. If you specify
15524
- # `x-amz-server-side-encryption:aws:kms` or
15525
- # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide`
15526
- # x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
15527
- # Amazon Web Services managed key (`aws/s3`) to protect the data. If the
15528
- # KMS key does not exist in the same account that's issuing the
15529
- # command, you must use the full ARN and not just the ID.
16166
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
16167
+ # object encryption. If the KMS key doesn't exist in the same account
16168
+ # that's issuing the command, you must use the full Key ARN not the Key
16169
+ # ID.
16170
+ #
16171
+ # **General purpose buckets** - If you specify
16172
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
16173
+ # header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
16174
+ # to use. If you specify `x-amz-server-side-encryption:aws:kms` or
16175
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
16176
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
16177
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
16178
+ #
16179
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
16180
+ # with `aws:kms`, you must specify the `
16181
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
16182
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
16183
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
16184
+ # key ID or key ARN. The key alias format of the KMS key isn't
16185
+ # supported. Your SSE-KMS configuration can only support 1 [customer
16186
+ # managed key][1] per directory bucket for the lifetime of the bucket.
16187
+ # [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
16188
+ #
16189
+ #
16190
+ #
16191
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
16192
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
15530
16193
  #
15531
- # <note markdown="1"> This functionality is not supported for directory buckets.
16194
+ # @option params [String] :ssekms_encryption_context
16195
+ # Specifies the Amazon Web Services KMS Encryption Context as an
16196
+ # additional encryption context to use for object encryption. The value
16197
+ # of this header is a Base64-encoded string of a UTF-8 encoded JSON,
16198
+ # which contains the encryption context as key-value pairs. This value
16199
+ # is stored as object metadata and automatically gets passed on to
16200
+ # Amazon Web Services KMS for future `GetObject` operations on this
16201
+ # object.
15532
16202
  #
15533
- # </note>
16203
+ # **General purpose buckets** - This value must be explicitly added
16204
+ # during `CopyObject` operations if you want an additional encryption
16205
+ # context for your object. For more information, see [Encryption
16206
+ # context][1] in the *Amazon S3 User Guide*.
15534
16207
  #
15535
- # @option params [String] :ssekms_encryption_context
15536
- # Specifies the Amazon Web Services KMS Encryption Context to use for
15537
- # object encryption. The value of this header is a base64-encoded UTF-8
15538
- # string holding JSON with the encryption context key-value pairs. This
15539
- # value is stored as object metadata and automatically gets passed on to
15540
- # Amazon Web Services KMS for future `GetObject` or `CopyObject`
15541
- # operations on this object. This value must be explicitly added during
15542
- # `CopyObject` operations.
16208
+ # **Directory buckets** - You can optionally provide an explicit
16209
+ # encryption context value. The value must match the default encryption
16210
+ # context - the bucket Amazon Resource Name (ARN). An additional
16211
+ # encryption context value is not supported.
15543
16212
  #
15544
- # <note markdown="1"> This functionality is not supported for directory buckets.
15545
16213
  #
15546
- # </note>
16214
+ #
16215
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
15547
16216
  #
15548
16217
  # @option params [Boolean] :bucket_key_enabled
15549
16218
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
15550
16219
  # encryption with server-side encryption using Key Management Service
15551
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
15552
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
16220
+ # (KMS) keys (SSE-KMS).
16221
+ #
16222
+ # **General purpose buckets** - Setting this header to `true` causes
16223
+ # Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
16224
+ # Also, specifying this header with a PUT action doesn't affect
16225
+ # bucket-level settings for S3 Bucket Key.
15553
16226
  #
15554
- # Specifying this header with a PUT action doesn’t affect bucket-level
15555
- # settings for S3 Bucket Key.
16227
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
16228
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
16229
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
16230
+ # from general purpose buckets to directory buckets, from directory
16231
+ # buckets to general purpose buckets, or between directory buckets,
16232
+ # through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
16233
+ # Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
16234
+ # makes a call to KMS every time a copy request is made for a
16235
+ # KMS-encrypted object.
15556
16236
  #
15557
- # <note markdown="1"> This functionality is not supported for directory buckets.
15558
16237
  #
15559
- # </note>
16238
+ #
16239
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
16240
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
16241
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
16242
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
15560
16243
  #
15561
16244
  # @option params [String] :request_payer
15562
16245
  # Confirms that the requester knows that they will be charged for the
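Review bot: The rewritten `:ssekms_encryption_context` text (new lines 16195–16211) says the value is stored as object metadata and passed on to KMS, but it does not say that an encryption context is not secret. A KMS encryption context is plaintext and is recorded in the CloudTrail entries for the key, so the comment should carry a caveat such as `# The encryption context is not encrypted; do not include sensitive values in it.` Separately, reference links `[3]` and `[4]` under `:bucket_key_enabled` (new lines 16241–16242) lack the `.html` suffix that every other link in this hunk has, which is worth checking against the published user guide.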
@@ -15634,24 +16317,22 @@ module Aws::S3
15634
16317
  # * {Types::PutObjectOutput#request_charged #request_charged} => String
15635
16318
  #
15636
16319
  #
15637
- # @example Example: To upload an object (specify optional headers)
16320
+ # @example Example: To upload an object and specify optional tags
15638
16321
  #
15639
- # # The following example uploads an object. The request specifies optional request headers to directs S3 to use specific
15640
- # # storage class and use server-side encryption.
16322
+ # # The following example uploads an object. The request specifies optional object tags. The bucket is versioned, therefore
16323
+ # # S3 returns version ID of the newly created object.
15641
16324
  #
15642
16325
  # resp = client.put_object({
15643
- # body: "HappyFace.jpg",
16326
+ # body: "c:\\HappyFace.jpg",
15644
16327
  # bucket: "examplebucket",
15645
16328
  # key: "HappyFace.jpg",
15646
- # server_side_encryption: "AES256",
15647
- # storage_class: "STANDARD_IA",
16329
+ # tagging: "key1=value1&key2=value2",
15648
16330
  # })
15649
16331
  #
15650
16332
  # resp.to_h outputs the following:
15651
16333
  # {
15652
16334
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15653
- # server_side_encryption: "AES256",
15654
- # version_id: "CG612hodqujkf8FaaNfp8U..FIhLROcp",
16335
+ # version_id: "psM2sYY4.o1501dSx8wMvnkOzSBB.V4a",
15655
16336
  # }
15656
16337
  #
15657
16338
  # @example Example: To create an object.
@@ -15670,98 +16351,100 @@ module Aws::S3
15670
16351
  # version_id: "Bvq0EDKxOcXLJXNo_Lkz37eM3R4pfzyQ",
15671
16352
  # }
15672
16353
  #
15673
- # @example Example: To upload an object
16354
+ # @example Example: To upload object and specify user-defined metadata
15674
16355
  #
15675
- # # The following example uploads an object to a versioning-enabled bucket. The source file is specified using Windows file
15676
- # # syntax. S3 returns VersionId of the newly created object.
16356
+ # # The following example creates an object. The request also specifies optional metadata. If the bucket is versioning
16357
+ # # enabled, S3 returns version ID in response.
15677
16358
  #
15678
16359
  # resp = client.put_object({
15679
- # body: "HappyFace.jpg",
16360
+ # body: "filetoupload",
15680
16361
  # bucket: "examplebucket",
15681
- # key: "HappyFace.jpg",
16362
+ # key: "exampleobject",
16363
+ # metadata: {
16364
+ # "metadata1" => "value1",
16365
+ # "metadata2" => "value2",
16366
+ # },
15682
16367
  # })
15683
16368
  #
15684
16369
  # resp.to_h outputs the following:
15685
16370
  # {
15686
16371
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15687
- # version_id: "tpf3zF08nBplQK1XLOefGskR7mGDwcDk",
16372
+ # version_id: "pSKidl4pHBiNwukdbcPXAIs.sshFFOc0",
15688
16373
  # }
15689
16374
  #
15690
- # @example Example: To upload an object and specify optional tags
16375
+ # @example Example: To upload an object
15691
16376
  #
15692
- # # The following example uploads an object. The request specifies optional object tags. The bucket is versioned, therefore
15693
- # # S3 returns version ID of the newly created object.
16377
+ # # The following example uploads an object to a versioning-enabled bucket. The source file is specified using Windows file
16378
+ # # syntax. S3 returns VersionId of the newly created object.
15694
16379
  #
15695
16380
  # resp = client.put_object({
15696
- # body: "c:\\HappyFace.jpg",
16381
+ # body: "HappyFace.jpg",
15697
16382
  # bucket: "examplebucket",
15698
16383
  # key: "HappyFace.jpg",
15699
- # tagging: "key1=value1&key2=value2",
15700
16384
  # })
15701
16385
  #
15702
16386
  # resp.to_h outputs the following:
15703
16387
  # {
15704
16388
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15705
- # version_id: "psM2sYY4.o1501dSx8wMvnkOzSBB.V4a",
16389
+ # version_id: "tpf3zF08nBplQK1XLOefGskR7mGDwcDk",
15706
16390
  # }
15707
16391
  #
15708
- # @example Example: To upload an object and specify canned ACL.
16392
+ # @example Example: To upload an object and specify server-side encryption and object tags
15709
16393
  #
15710
- # # The following example uploads and object. The request specifies optional canned ACL (access control list) to all READ
15711
- # # access to authenticated users. If the bucket is versioning enabled, S3 returns version ID in response.
16394
+ # # The following example uploads an object. The request specifies the optional server-side encryption option. The request
16395
+ # # also specifies optional object tags. If the bucket is versioning enabled, S3 returns version ID in response.
15712
16396
  #
15713
16397
  # resp = client.put_object({
15714
- # acl: "authenticated-read",
15715
16398
  # body: "filetoupload",
15716
16399
  # bucket: "examplebucket",
15717
16400
  # key: "exampleobject",
16401
+ # server_side_encryption: "AES256",
16402
+ # tagging: "key1=value1&key2=value2",
15718
16403
  # })
15719
16404
  #
15720
16405
  # resp.to_h outputs the following:
15721
16406
  # {
15722
16407
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15723
- # version_id: "Kirh.unyZwjQ69YxcQLA8z4F5j3kJJKr",
16408
+ # server_side_encryption: "AES256",
16409
+ # version_id: "Ri.vC6qVlA4dEnjgRV4ZHsHoFIjqEMNt",
15724
16410
  # }
15725
16411
  #
15726
- # @example Example: To upload object and specify user-defined metadata
16412
+ # @example Example: To upload an object and specify canned ACL.
15727
16413
  #
15728
- # # The following example creates an object. The request also specifies optional metadata. If the bucket is versioning
15729
- # # enabled, S3 returns version ID in response.
16414
+ # # The following example uploads and object. The request specifies optional canned ACL (access control list) to all READ
16415
+ # # access to authenticated users. If the bucket is versioning enabled, S3 returns version ID in response.
15730
16416
  #
15731
16417
  # resp = client.put_object({
16418
+ # acl: "authenticated-read",
15732
16419
  # body: "filetoupload",
15733
16420
  # bucket: "examplebucket",
15734
16421
  # key: "exampleobject",
15735
- # metadata: {
15736
- # "metadata1" => "value1",
15737
- # "metadata2" => "value2",
15738
- # },
15739
16422
  # })
15740
16423
  #
15741
16424
  # resp.to_h outputs the following:
15742
16425
  # {
15743
16426
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15744
- # version_id: "pSKidl4pHBiNwukdbcPXAIs.sshFFOc0",
16427
+ # version_id: "Kirh.unyZwjQ69YxcQLA8z4F5j3kJJKr",
15745
16428
  # }
15746
16429
  #
15747
- # @example Example: To upload an object and specify server-side encryption and object tags
16430
+ # @example Example: To upload an object (specify optional headers)
15748
16431
  #
15749
- # # The following example uploads an object. The request specifies the optional server-side encryption option. The request
15750
- # # also specifies optional object tags. If the bucket is versioning enabled, S3 returns version ID in response.
16432
+ # # The following example uploads an object. The request specifies optional request headers to directs S3 to use specific
16433
+ # # storage class and use server-side encryption.
15751
16434
  #
15752
16435
  # resp = client.put_object({
15753
- # body: "filetoupload",
16436
+ # body: "HappyFace.jpg",
15754
16437
  # bucket: "examplebucket",
15755
- # key: "exampleobject",
16438
+ # key: "HappyFace.jpg",
15756
16439
  # server_side_encryption: "AES256",
15757
- # tagging: "key1=value1&key2=value2",
16440
+ # storage_class: "STANDARD_IA",
15758
16441
  # })
15759
16442
  #
15760
16443
  # resp.to_h outputs the following:
15761
16444
  # {
15762
16445
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15763
16446
  # server_side_encryption: "AES256",
15764
- # version_id: "Ri.vC6qVlA4dEnjgRV4ZHsHoFIjqEMNt",
16447
+ # version_id: "CG612hodqujkf8FaaNfp8U..FIhLROcp",
15765
16448
  # }
15766
16449
  #
15767
16450
  # @example Streaming a file from disk
@@ -17774,6 +18457,10 @@ module Aws::S3
17774
18457
  # interruptions when a session expires. For more information about
17775
18458
  # authorization, see [ `CreateSession` ][9].
17776
18459
  #
18460
+ # If the object is encrypted with SSE-KMS, you must also have the
18461
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
18462
+ # identity-based policies and KMS key policies for the KMS key.
18463
+ #
17777
18464
  # Data integrity
17778
18465
  #
17779
18466
  # : **General purpose bucket** - To ensure that data is not corrupted
@@ -17825,12 +18512,13 @@ module Aws::S3
17825
18512
  #
17826
18513
  # * x-amz-server-side-encryption-customer-key-MD5
17827
18514
  #
17828
- # * **Directory bucket** - For directory buckets, only server-side
17829
- # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is
17830
- # supported.
18515
+ # For more information, see [Using Server-Side Encryption][11] in
18516
+ # the *Amazon S3 User Guide*.
17831
18517
  #
17832
- # For more information, see [Using Server-Side Encryption][11] in the
17833
- # *Amazon S3 User Guide*.
18518
+ # * <b>Directory buckets </b> - For directory buckets, there are only
18519
+ # two supported options for server-side encryption: server-side
18520
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
18521
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`).
17834
18522
  #
17835
18523
  # Special errors
17836
18524
  # : * Error Code: `NoSuchUpload`
@@ -18243,6 +18931,10 @@ module Aws::S3
18243
18931
  # destination. The `s3express:SessionMode` condition key cannot be
18244
18932
  # set to `ReadOnly` on the copy destination.
18245
18933
  #
18934
+ # If the object is encrypted with SSE-KMS, you must also have the
18935
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
18936
+ # identity-based policies and KMS key policies for the KMS key.
18937
+ #
18246
18938
  # For example policies, see [Example bucket policies for S3 Express
18247
18939
  # One Zone][10] and [Amazon Web Services Identity and Access
18248
18940
  # Management (IAM) identity-based policies for S3 Express One
@@ -18254,9 +18946,26 @@ module Aws::S3
18254
18946
  # the `UploadPartCopy` operation, see [CopyObject][12] and
18255
18947
  # [UploadPart][2].
18256
18948
  #
18257
- # * <b>Directory buckets </b> - For directory buckets, only
18258
- # server-side encryption with Amazon S3 managed keys (SSE-S3)
18259
- # (`AES256`) is supported.
18949
+ # * <b>Directory buckets </b> - For directory buckets, there are only
18950
+ # two supported options for server-side encryption: server-side
18951
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
18952
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). For
18953
+ # more information, see [Protecting data with server-side
18954
+ # encryption][13] in the *Amazon S3 User Guide*.
18955
+ #
18956
+ # <note markdown="1"> For directory buckets, when you perform a `CreateMultipartUpload`
18957
+ # operation and an `UploadPartCopy` operation, the request headers
18958
+ # you provide in the `CreateMultipartUpload` request must match the
18959
+ # default encryption configuration of the destination bucket.
18960
+ #
18961
+ # </note>
18962
+ #
18963
+ # S3 Bucket Keys aren't supported, when you copy SSE-KMS encrypted
18964
+ # objects from general purpose buckets to directory buckets, from
18965
+ # directory buckets to general purpose buckets, or between directory
18966
+ # buckets, through [UploadPartCopy][14]. In this case, Amazon S3
18967
+ # makes a call to KMS every time a copy request is made for a
18968
+ # KMS-encrypted object.
18260
18969
  #
18261
18970
  # Special errors
18262
18971
  # : * Error Code: `NoSuchUpload`
@@ -18281,17 +18990,17 @@ module Aws::S3
18281
18990
  #
18282
18991
  # The following operations are related to `UploadPartCopy`:
18283
18992
  #
18284
- # * [CreateMultipartUpload][13]
18993
+ # * [CreateMultipartUpload][15]
18285
18994
  #
18286
18995
  # * [UploadPart][2]
18287
18996
  #
18288
- # * [CompleteMultipartUpload][14]
18997
+ # * [CompleteMultipartUpload][16]
18289
18998
  #
18290
- # * [AbortMultipartUpload][15]
18999
+ # * [AbortMultipartUpload][17]
18291
19000
  #
18292
- # * [ListParts][16]
19001
+ # * [ListParts][18]
18293
19002
  #
18294
- # * [ListMultipartUploads][17]
19003
+ # * [ListMultipartUploads][19]
18295
19004
  #
18296
19005
  #
18297
19006
  #
@@ -18307,11 +19016,13 @@ module Aws::S3
18307
19016
  # [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html
18308
19017
  # [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html
18309
19018
  # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
18310
- # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
18311
- # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
18312
- # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
18313
- # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
18314
- # [17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
19019
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
19020
+ # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
19021
+ # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
19022
+ # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
19023
+ # [17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
19024
+ # [18]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
19025
+ # [19]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
18315
19026
  #
18316
19027
  # @option params [required, String] :bucket
18317
19028
  # The bucket name.
@@ -18597,45 +19308,45 @@ module Aws::S3
18597
19308
  # * {Types::UploadPartCopyOutput#request_charged #request_charged} => String
18598
19309
  #
18599
19310
  #
18600
- # @example Example: To upload a part by copying data from an existing object as data source
19311
+ # @example Example: To upload a part by copying byte range from an existing object as data source
18601
19312
  #
18602
- # # The following example uploads a part of a multipart upload by copying data from an existing object as data source.
19313
+ # # The following example uploads a part of a multipart upload by copying a specified byte range from an existing object as
19314
+ # # data source.
18603
19315
  #
18604
19316
  # resp = client.upload_part_copy({
18605
19317
  # bucket: "examplebucket",
18606
19318
  # copy_source: "/bucketname/sourceobjectkey",
19319
+ # copy_source_range: "bytes=1-100000",
18607
19320
  # key: "examplelargeobject",
18608
- # part_number: 1,
19321
+ # part_number: 2,
18609
19322
  # upload_id: "exampleuoh_10OhKhT7YukE9bjzTPRiuaCotmZM_pFngJFir9OZNrSr5cWa3cq3LZSUsfjI4FI7PkP91We7Nrw--",
18610
19323
  # })
18611
19324
  #
18612
19325
  # resp.to_h outputs the following:
18613
19326
  # {
18614
19327
  # copy_part_result: {
18615
- # etag: "\"b0c6f0e7e054ab8fa2536a2677f8734d\"",
18616
- # last_modified: Time.parse("2016-12-29T21:24:43.000Z"),
19328
+ # etag: "\"65d16d19e65a7508a51f043180edcc36\"",
19329
+ # last_modified: Time.parse("2016-12-29T21:44:28.000Z"),
18617
19330
  # },
18618
19331
  # }
18619
19332
  #
18620
- # @example Example: To upload a part by copying byte range from an existing object as data source
19333
+ # @example Example: To upload a part by copying data from an existing object as data source
18621
19334
  #
18622
- # # The following example uploads a part of a multipart upload by copying a specified byte range from an existing object as
18623
- # # data source.
19335
+ # # The following example uploads a part of a multipart upload by copying data from an existing object as data source.
18624
19336
  #
18625
19337
  # resp = client.upload_part_copy({
18626
19338
  # bucket: "examplebucket",
18627
19339
  # copy_source: "/bucketname/sourceobjectkey",
18628
- # copy_source_range: "bytes=1-100000",
18629
19340
  # key: "examplelargeobject",
18630
- # part_number: 2,
19341
+ # part_number: 1,
18631
19342
  # upload_id: "exampleuoh_10OhKhT7YukE9bjzTPRiuaCotmZM_pFngJFir9OZNrSr5cWa3cq3LZSUsfjI4FI7PkP91We7Nrw--",
18632
19343
  # })
18633
19344
  #
18634
19345
  # resp.to_h outputs the following:
18635
19346
  # {
18636
19347
  # copy_part_result: {
18637
- # etag: "\"65d16d19e65a7508a51f043180edcc36\"",
18638
- # last_modified: Time.parse("2016-12-29T21:44:28.000Z"),
19348
+ # etag: "\"b0c6f0e7e054ab8fa2536a2677f8734d\"",
19349
+ # last_modified: Time.parse("2016-12-29T21:24:43.000Z"),
18639
19350
  # },
18640
19351
  # }
18641
19352
  #
@@ -19085,14 +19796,19 @@ module Aws::S3
19085
19796
  # @api private
19086
19797
  def build_request(operation_name, params = {})
19087
19798
  handlers = @handlers.for(operation_name)
19799
+ tracer = config.telemetry_provider.tracer_provider.tracer(
19800
+ Aws::Telemetry.module_to_tracer_name('Aws::S3')
19801
+ )
19088
19802
  context = Seahorse::Client::RequestContext.new(
19089
19803
  operation_name: operation_name,
19090
19804
  operation: config.api.operation(operation_name),
19091
19805
  client: self,
19092
19806
  params: params,
19093
- config: config)
19807
+ config: config,
19808
+ tracer: tracer
19809
+ )
19094
19810
  context[:gem_name] = 'aws-sdk-s3'
19095
- context[:gem_version] = '1.159.0'
19811
+ context[:gem_version] = '1.163.0'
19096
19812
  Seahorse::Client::Request.new(handlers, context)
19097
19813
  end
19098
19814