aws-sdk-s3 1.159.0 → 1.163.0

@@ -32,6 +32,7 @@ require 'aws-sdk-core/plugins/checksum_algorithm.rb'
32
32
  require 'aws-sdk-core/plugins/request_compression.rb'
33
33
  require 'aws-sdk-core/plugins/defaults_mode.rb'
34
34
  require 'aws-sdk-core/plugins/recursion_detection.rb'
35
+ require 'aws-sdk-core/plugins/telemetry.rb'
35
36
  require 'aws-sdk-core/plugins/sign.rb'
36
37
  require 'aws-sdk-core/plugins/protocols/rest_xml.rb'
37
38
  require 'aws-sdk-s3/plugins/accelerate.rb'
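Review bot: The new top-level `require 'aws-sdk-core/plugins/telemetry.rb'` makes loading this client raise `LoadError` on any installed aws-sdk-core that predates that file, so the gem's aws-sdk-core lower bound has to be raised with it. The gemspec is not shown on this page, so confirm the constraint was raised in the same release. The same applies to `add_plugin(Aws::Plugins::Telemetry)` in the next hunk, which resolves the constant when the class body is evaluated.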
@@ -104,6 +105,7 @@ module Aws::S3
104
105
  add_plugin(Aws::Plugins::RequestCompression)
105
106
  add_plugin(Aws::Plugins::DefaultsMode)
106
107
  add_plugin(Aws::Plugins::RecursionDetection)
108
+ add_plugin(Aws::Plugins::Telemetry)
107
109
  add_plugin(Aws::Plugins::Sign)
108
110
  add_plugin(Aws::Plugins::Protocols::RestXml)
109
111
  add_plugin(Aws::S3::Plugins::Accelerate)
@@ -432,6 +434,16 @@ module Aws::S3
432
434
  # ** Please note ** When response stubbing is enabled, no HTTP
433
435
  # requests are made, and retries are disabled.
434
436
  #
437
+ # @option options [Aws::Telemetry::TelemetryProviderBase] :telemetry_provider (Aws::Telemetry::NoOpTelemetryProvider)
438
+ # Allows you to provide a telemetry provider, which is used to
439
+ # emit telemetry data. By default, uses `NoOpTelemetryProvider` which
440
+ # will not record or emit any telemetry data. The SDK supports the
441
+ # following telemetry providers:
442
+ #
443
+ # * OpenTelemetry (OTel) - To use the OTel provider, install and require the
444
+ # `opentelemetry-sdk` gem and then, pass in an instance of a
445
+ # `Aws::Telemetry::OTelProvider` for telemetry provider.
446
+ #
435
447
  # @option options [Aws::TokenProvider] :token_provider
436
448
  # A Bearer Token Provider. This can be an instance of any one of the
437
449
  # following classes:
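Review bot: The `:telemetry_provider` text says the default `NoOpTelemetryProvider` emits nothing, but it does not say what is recorded once an `Aws::Telemetry::OTelProvider` is passed in. Anyone exporting spans to a collector outside their own trust boundary needs to know which request details end up as span attributes, and that cannot be determined from this hunk. I would add a pointer such as `# See the provider documentation for the span names and attributes that are exported.` or link the attribute list directly.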
@@ -520,6 +532,12 @@ module Aws::S3
520
532
  # @option options [String] :ssl_ca_store
521
533
  # Sets the X509::Store to verify peer certificate.
522
534
  #
535
+ # @option options [OpenSSL::X509::Certificate] :ssl_cert
536
+ # Sets a client certificate when creating http connections.
537
+ #
538
+ # @option options [OpenSSL::PKey] :ssl_key
539
+ # Sets a client key when creating http connections.
540
+ #
523
541
  # @option options [Float] :ssl_timeout
524
542
  # Sets the SSL timeout in seconds
525
543
  #
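Review bot: The new `:ssl_cert` and `:ssl_key` entries are documented independently, although a client certificate is only usable for TLS client authentication together with its matching private key. The text should say the two options are supplied as a pair and that `:ssl_key` carries private key material, for example `# Sets a client key when creating http connections. Must be the private key matching :ssl_cert.` What the HTTP handler does when only one of the two is set is not visible here and should also be stated.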
@@ -782,9 +800,15 @@ module Aws::S3
782
800
  # [Multipart Upload and Permissions][6] in the *Amazon S3 User
783
801
  # Guide*.
784
802
  #
803
+ # If you provide an [additional checksum value][7] in your
804
+ # `MultipartUpload` requests and the object is encrypted with Key
805
+ # Management Service, you must have permission to use the
806
+ # `kms:Decrypt` action for the `CompleteMultipartUpload` request to
807
+ # succeed.
808
+ #
785
809
  # * **Directory bucket permissions** - To grant access to this API
786
810
  # operation on a directory bucket, we recommend that you use the [
787
- # `CreateSession` ][7] API operation for session-based
811
+ # `CreateSession` ][8] API operation for session-based
788
812
  # authorization. Specifically, you grant the
789
813
  # `s3express:CreateSession` permission to the directory bucket in a
790
814
  # bucket policy or an IAM identity-based policy. Then, you make the
@@ -795,13 +819,11 @@ module Aws::S3
795
819
  # token for use. Amazon Web Services CLI or SDKs create session and
796
820
  # refresh the session token automatically to avoid service
797
821
  # interruptions when a session expires. For more information about
798
- # authorization, see [ `CreateSession` ][7].
822
+ # authorization, see [ `CreateSession` ][8].
799
823
  #
800
- # * If you provide an [additional checksum value][8] in your
801
- # `MultipartUpload` requests and the object is encrypted with Key
802
- # Management Service, you must have permission to use the
803
- # `kms:Decrypt` action for the `CompleteMultipartUpload` request to
804
- # succeed.
824
+ # If the object is encrypted with SSE-KMS, you must also have the
825
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
826
+ # identity-based policies and KMS key policies for the KMS key.
805
827
  #
806
828
  # Special errors
807
829
  # : * Error Code: `EntityTooSmall`
@@ -860,8 +882,8 @@ module Aws::S3
860
882
  # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
861
883
  # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
862
884
  # [6]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html
863
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
864
- # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
885
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
886
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
865
887
  # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
866
888
  # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
867
889
  # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
@@ -1247,6 +1269,10 @@ module Aws::S3
1247
1269
  # destination. The `s3express:SessionMode` condition key can't be
1248
1270
  # set to `ReadOnly` on the copy destination bucket.
1249
1271
  #
1272
+ # If the object is encrypted with SSE-KMS, you must also have the
1273
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
1274
+ # identity-based policies and KMS key policies for the KMS key.
1275
+ #
1250
1276
  # For example policies, see [Example bucket policies for S3 Express
1251
1277
  # One Zone][6] and [Amazon Web Services Identity and Access
1252
1278
  # Management (IAM) identity-based policies for S3 Express One
@@ -1693,9 +1719,8 @@ module Aws::S3
1693
1719
  #
1694
1720
  # @option params [String] :server_side_encryption
1695
1721
  # The server-side encryption algorithm used when storing this object in
1696
- # Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
1697
- # Unrecognized or unsupported values won’t write a destination object
1698
- # and will receive a `400 Bad Request` response.
1722
+ # Amazon S3. Unrecognized or unsupported values won’t write a
1723
+ # destination object and will receive a `400 Bad Request` response.
1699
1724
  #
1700
1725
  # Amazon S3 automatically encrypts all new objects that are copied to an
1701
1726
  # S3 bucket. When copying an object, if you don't specify encryption
@@ -1703,35 +1728,72 @@ module Aws::S3
1703
1728
  # object is set to the default encryption configuration of the
1704
1729
  # destination bucket. By default, all buckets have a base level of
1705
1730
  # encryption configuration that uses server-side encryption with Amazon
1706
- # S3 managed keys (SSE-S3). If the destination bucket has a default
1707
- # encryption configuration that uses server-side encryption with Key
1708
- # Management Service (KMS) keys (SSE-KMS), dual-layer server-side
1709
- # encryption with Amazon Web Services KMS keys (DSSE-KMS), or
1710
- # server-side encryption with customer-provided encryption keys (SSE-C),
1711
- # Amazon S3 uses the corresponding KMS key, or a customer-provided key
1712
- # to encrypt the target object copy.
1713
- #
1714
- # When you perform a `CopyObject` operation, if you want to use a
1715
- # different type of encryption setting for the target object, you can
1716
- # specify appropriate encryption-related headers to encrypt the target
1717
- # object with an Amazon S3 managed key, a KMS key, or a
1718
- # customer-provided key. If the encryption setting in your request is
1719
- # different from the default encryption configuration of the destination
1720
- # bucket, the encryption setting in your request takes precedence.
1731
+ # S3 managed keys (SSE-S3). If the destination bucket has a different
1732
+ # default encryption configuration, Amazon S3 uses the corresponding
1733
+ # encryption key to encrypt the target object copy.
1721
1734
  #
1722
1735
  # With server-side encryption, Amazon S3 encrypts your data as it writes
1723
1736
  # your data to disks in its data centers and decrypts the data when you
1724
1737
  # access it. For more information about server-side encryption, see
1725
1738
  # [Using Server-Side Encryption][1] in the *Amazon S3 User Guide*.
1726
1739
  #
1727
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
1728
- # managed keys (SSE-S3) (`AES256`) is supported.
1729
- #
1730
- # </note>
1740
+ # <b>General purpose buckets </b>
1741
+ #
1742
+ # * For general purpose buckets, there are the following supported
1743
+ # options for server-side encryption: server-side encryption with Key
1744
+ # Management Service (KMS) keys (SSE-KMS), dual-layer server-side
1745
+ # encryption with Amazon Web Services KMS keys (DSSE-KMS), and
1746
+ # server-side encryption with customer-provided encryption keys
1747
+ # (SSE-C). Amazon S3 uses the corresponding KMS key, or a
1748
+ # customer-provided key to encrypt the target object copy.
1749
+ #
1750
+ # * When you perform a `CopyObject` operation, if you want to use a
1751
+ # different type of encryption setting for the target object, you can
1752
+ # specify appropriate encryption-related headers to encrypt the target
1753
+ # object with an Amazon S3 managed key, a KMS key, or a
1754
+ # customer-provided key. If the encryption setting in your request is
1755
+ # different from the default encryption configuration of the
1756
+ # destination bucket, the encryption setting in your request takes
1757
+ # precedence.
1758
+ #
1759
+ # <b>Directory buckets </b>
1760
+ #
1761
+ # * For directory buckets, there are only two supported options for
1762
+ # server-side encryption: server-side encryption with Amazon S3
1763
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
1764
+ # keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's default
1765
+ # encryption uses the desired encryption configuration and you don't
1766
+ # override the bucket default encryption in your `CreateSession`
1767
+ # requests or `PUT` object requests. Then, new objects are
1768
+ # automatically encrypted with the desired encryption settings. For
1769
+ # more information, see [Protecting data with server-side
1770
+ # encryption][2] in the *Amazon S3 User Guide*. For more information
1771
+ # about the encryption overriding behaviors in directory buckets, see
1772
+ # [Specifying server-side encryption with KMS for new object
1773
+ # uploads][3].
1774
+ #
1775
+ # * To encrypt new object copies to a directory bucket with SSE-KMS, we
1776
+ # recommend you specify SSE-KMS as the directory bucket's default
1777
+ # encryption configuration with a KMS key (specifically, a [customer
1778
+ # managed key][4]). [Amazon Web Services managed key][5] (`aws/s3`)
1779
+ # isn't supported. Your SSE-KMS configuration can only support 1
1780
+ # [customer managed key][4] per directory bucket for the lifetime of
1781
+ # the bucket. After you specify a customer managed key for SSE-KMS,
1782
+ # you can't override the customer managed key for the bucket's
1783
+ # SSE-KMS configuration. Then, when you perform a `CopyObject`
1784
+ # operation and want to specify server-side encryption settings for
1785
+ # new object copies with SSE-KMS in the encryption-related request
1786
+ # headers, you must ensure the encryption key is the same customer
1787
+ # managed key that you specified for the directory bucket's default
1788
+ # encryption configuration.
1731
1789
  #
1732
1790
  #
1733
1791
  #
1734
1792
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
1793
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
1794
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
1795
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
1796
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1735
1797
  #
1736
1798
  # @option params [String] :storage_class
1737
1799
  # If the `x-amz-storage-class` header is not used, the copied object
@@ -1828,33 +1890,51 @@ module Aws::S3
1828
1890
  # </note>
1829
1891
  #
1830
1892
  # @option params [String] :ssekms_key_id
1831
- # Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for object
1832
- # encryption. All GET and PUT requests for an object protected by KMS
1833
- # will fail if they're not made via SSL or using SigV4. For information
1834
- # about configuring any of the officially supported Amazon Web Services
1835
- # SDKs and Amazon Web Services CLI, see [Specifying the Signature
1836
- # Version in Request Authentication][1] in the *Amazon S3 User Guide*.
1893
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
1894
+ # object encryption. All GET and PUT requests for an object protected by
1895
+ # KMS will fail if they're not made via SSL or using SigV4. For
1896
+ # information about configuring any of the officially supported Amazon
1897
+ # Web Services SDKs and Amazon Web Services CLI, see [Specifying the
1898
+ # Signature Version in Request Authentication][1] in the *Amazon S3 User
1899
+ # Guide*.
1837
1900
  #
1838
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1839
- # directory bucket.
1840
- #
1841
- # </note>
1901
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
1902
+ # with `aws:kms`, you must specify the `
1903
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
1904
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
1905
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
1906
+ # key ID or key ARN. The key alias format of the KMS key isn't
1907
+ # supported. Your SSE-KMS configuration can only support 1 [customer
1908
+ # managed key][2] per directory bucket for the lifetime of the bucket.
1909
+ # [Amazon Web Services managed key][3] (`aws/s3`) isn't supported.
1842
1910
  #
1843
1911
  #
1844
1912
  #
1845
1913
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
1914
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
1915
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1846
1916
  #
1847
1917
  # @option params [String] :ssekms_encryption_context
1848
- # Specifies the Amazon Web Services KMS Encryption Context to use for
1849
- # object encryption. The value of this header is a base64-encoded UTF-8
1850
- # string holding JSON with the encryption context key-value pairs. This
1851
- # value must be explicitly added to specify encryption context for
1852
- # `CopyObject` requests.
1918
+ # Specifies the Amazon Web Services KMS Encryption Context as an
1919
+ # additional encryption context to use for the destination object
1920
+ # encryption. The value of this header is a base64-encoded UTF-8 string
1921
+ # holding JSON with the encryption context key-value pairs.
1853
1922
  #
1854
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1855
- # directory bucket.
1923
+ # **General purpose buckets** - This value must be explicitly added to
1924
+ # specify encryption context for `CopyObject` requests if you want an
1925
+ # additional encryption context for your destination object. The
1926
+ # additional encryption context of the source object won't be copied to
1927
+ # the destination object. For more information, see [Encryption
1928
+ # context][1] in the *Amazon S3 User Guide*.
1856
1929
  #
1857
- # </note>
1930
+ # **Directory buckets** - You can optionally provide an explicit
1931
+ # encryption context value. The value must match the default encryption
1932
+ # context - the bucket Amazon Resource Name (ARN). An additional
1933
+ # encryption context value is not supported.
1934
+ #
1935
+ #
1936
+ #
1937
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
1858
1938
  #
1859
1939
  # @option params [Boolean] :bucket_key_enabled
1860
1940
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
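Review bot: In the added **Directory buckets** paragraph of `:ssekms_key_id`, the code span for the `x-amz-server-side-encryption-aws-kms-key-id` header opens with a backtick at the end of one comment line and continues after a space on the next. Depending on the Markdown processor, the header name then renders with leading whitespace or not as code at all. Keep the span on one line, e.g. `` # `x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key ``, and re-wrap the text around it. The same split appears in the `:ssekms_key_id` text of the hunk starting at `@@ -3080,34 +3254,71 @@`. If these comments are generated from the service model, which is not visible here, the fix belongs there.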
@@ -1869,14 +1949,19 @@ module Aws::S3
1869
1949
  # For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon S3
1870
1950
  # User Guide*.
1871
1951
  #
1872
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1873
- # directory bucket.
1952
+ # <note markdown="1"> **Directory buckets** - S3 Bucket Keys aren't supported, when you
1953
+ # copy SSE-KMS encrypted objects from general purpose buckets to
1954
+ # directory buckets, from directory buckets to general purpose buckets,
1955
+ # or between directory buckets, through [CopyObject][2]. In this case,
1956
+ # Amazon S3 makes a call to KMS every time a copy request is made for a
1957
+ # KMS-encrypted object.
1874
1958
  #
1875
1959
  # </note>
1876
1960
  #
1877
1961
  #
1878
1962
  #
1879
1963
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
1964
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
1880
1965
  #
1881
1966
  # @option params [String] :copy_source_sse_customer_algorithm
1882
1967
  # Specifies the algorithm to use when decrypting the source object (for
@@ -2618,9 +2703,53 @@ module Aws::S3
2618
2703
  # using server-side encryption with customer-provided encryption
2619
2704
  # keys (SSE-C)][11] in the *Amazon S3 User Guide*.
2620
2705
  #
2621
- # * **Directory buckets** -For directory buckets, only server-side
2622
- # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is
2623
- # supported.
2706
+ # * **Directory buckets** - For directory buckets, there are only two
2707
+ # supported options for server-side encryption: server-side
2708
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
2709
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
2710
+ # recommend that the bucket's default encryption uses the desired
2711
+ # encryption configuration and you don't override the bucket
2712
+ # default encryption in your `CreateSession` requests or `PUT`
2713
+ # object requests. Then, new objects are automatically encrypted
2714
+ # with the desired encryption settings. For more information, see
2715
+ # [Protecting data with server-side encryption][12] in the *Amazon
2716
+ # S3 User Guide*. For more information about the encryption
2717
+ # overriding behaviors in directory buckets, see [Specifying
2718
+ # server-side encryption with KMS for new object uploads][13].
2719
+ #
2720
+ # In the Zonal endpoint API calls (except [CopyObject][14] and
2721
+ # [UploadPartCopy][9]) using the REST API, the encryption request
2722
+ # headers must match the encryption settings that are specified in
2723
+ # the `CreateSession` request. You can't override the values of the
2724
+ # encryption settings (`x-amz-server-side-encryption`,
2725
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
2726
+ # `x-amz-server-side-encryption-context`, and
2727
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
2728
+ # specified in the `CreateSession` request. You don't need to
2729
+ # explicitly specify these encryption settings values in Zonal
2730
+ # endpoint API calls, and Amazon S3 will use the encryption settings
2731
+ # values from the `CreateSession` request to protect new objects in
2732
+ # the directory bucket.
2733
+ #
2734
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
2735
+ # `CreateSession`, the session token refreshes automatically to
2736
+ # avoid service interruptions when a session expires. The CLI or the
2737
+ # Amazon Web Services SDKs use the bucket's default encryption
2738
+ # configuration for the `CreateSession` request. It's not supported
2739
+ # to override the encryption settings values in the `CreateSession`
2740
+ # request. So in the Zonal endpoint API calls (except
2741
+ # [CopyObject][14] and [UploadPartCopy][9]), the encryption request
2742
+ # headers must match the default encryption configuration of the
2743
+ # directory bucket.
2744
+ #
2745
+ # </note>
2746
+ #
2747
+ # <note markdown="1"> For directory buckets, when you perform a `CreateMultipartUpload`
2748
+ # operation and an `UploadPartCopy` operation, the request headers
2749
+ # you provide in the `CreateMultipartUpload` request must match the
2750
+ # default encryption configuration of the destination bucket.
2751
+ #
2752
+ # </note>
2624
2753
  #
2625
2754
  # HTTP Host header syntax
2626
2755
  #
@@ -2631,13 +2760,13 @@ module Aws::S3
2631
2760
  #
2632
2761
  # * [UploadPart][1]
2633
2762
  #
2634
- # * [CompleteMultipartUpload][12]
2763
+ # * [CompleteMultipartUpload][15]
2635
2764
  #
2636
- # * [AbortMultipartUpload][13]
2765
+ # * [AbortMultipartUpload][16]
2637
2766
  #
2638
- # * [ListParts][14]
2767
+ # * [ListParts][17]
2639
2768
  #
2640
- # * [ListMultipartUploads][15]
2769
+ # * [ListMultipartUploads][18]
2641
2770
  #
2642
2771
  #
2643
2772
  #
@@ -2652,10 +2781,13 @@ module Aws::S3
2652
2781
  # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
2653
2782
  # [10]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
2654
2783
  # [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
2655
- # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
2656
- # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
2657
- # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
2658
- # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
2784
+ # [12]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
2785
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
2786
+ # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
2787
+ # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
2788
+ # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
2789
+ # [17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
2790
+ # [18]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
2659
2791
  #
2660
2792
  # @option params [String] :acl
2661
2793
  # The canned ACL to apply to the object. Amazon S3 supports a set of
@@ -3018,10 +3150,52 @@ module Aws::S3
3018
3150
  # The server-side encryption algorithm used when you store this object
3019
3151
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
3020
3152
  #
3021
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
3022
- # managed keys (SSE-S3) (`AES256`) is supported.
3153
+ # * <b>Directory buckets </b> - For directory buckets, there are only
3154
+ # two supported options for server-side encryption: server-side
3155
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
3156
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
3157
+ # recommend that the bucket's default encryption uses the desired
3158
+ # encryption configuration and you don't override the bucket default
3159
+ # encryption in your `CreateSession` requests or `PUT` object
3160
+ # requests. Then, new objects are automatically encrypted with the
3161
+ # desired encryption settings. For more information, see [Protecting
3162
+ # data with server-side encryption][1] in the *Amazon S3 User Guide*.
3163
+ # For more information about the encryption overriding behaviors in
3164
+ # directory buckets, see [Specifying server-side encryption with KMS
3165
+ # for new object uploads][2].
3166
+ #
3167
+ # In the Zonal endpoint API calls (except [CopyObject][3] and
3168
+ # [UploadPartCopy][4]) using the REST API, the encryption request
3169
+ # headers must match the encryption settings that are specified in the
3170
+ # `CreateSession` request. You can't override the values of the
3171
+ # encryption settings (`x-amz-server-side-encryption`,
3172
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
3173
+ # `x-amz-server-side-encryption-context`, and
3174
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
3175
+ # specified in the `CreateSession` request. You don't need to
3176
+ # explicitly specify these encryption settings values in Zonal
3177
+ # endpoint API calls, and Amazon S3 will use the encryption settings
3178
+ # values from the `CreateSession` request to protect new objects in
3179
+ # the directory bucket.
3180
+ #
3181
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
3182
+ # `CreateSession`, the session token refreshes automatically to avoid
3183
+ # service interruptions when a session expires. The CLI or the Amazon
3184
+ # Web Services SDKs use the bucket's default encryption configuration
3185
+ # for the `CreateSession` request. It's not supported to override the
3186
+ # encryption settings values in the `CreateSession` request. So in the
3187
+ # Zonal endpoint API calls (except [CopyObject][3] and
3188
+ # [UploadPartCopy][4]), the encryption request headers must match the
3189
+ # default encryption configuration of the directory bucket.
3023
3190
  #
3024
- # </note>
3191
+ # </note>
3192
+ #
3193
+ #
3194
+ #
3195
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3196
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
3197
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3198
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3025
3199
  #
3026
3200
  # @option params [String] :storage_class
3027
3201
  # By default, Amazon S3 uses the STANDARD Storage Class to store newly
@@ -3080,34 +3254,71 @@ module Aws::S3
3080
3254
  # </note>
3081
3255
  #
3082
3256
  # @option params [String] :ssekms_key_id
3083
- # Specifies the ID (Key ID, Key ARN, or Key Alias) of the symmetric
3084
- # encryption customer managed key to use for object encryption.
3085
- #
3086
- # <note markdown="1"> This functionality is not supported for directory buckets.
3087
- #
3088
- # </note>
3257
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
3258
+ # object encryption. If the KMS key doesn't exist in the same account
3259
+ # that's issuing the command, you must use the full Key ARN not the Key
3260
+ # ID.
3261
+ #
3262
+ # **General purpose buckets** - If you specify
3263
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
3264
+ # header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
3265
+ # to use. If you specify `x-amz-server-side-encryption:aws:kms` or
3266
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
3267
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
3268
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
3269
+ #
3270
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
3271
+ # with `aws:kms`, you must specify the `
3272
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
3273
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
3274
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
3275
+ # key ID or key ARN. The key alias format of the KMS key isn't
3276
+ # supported. Your SSE-KMS configuration can only support 1 [customer
3277
+ # managed key][1] per directory bucket for the lifetime of the bucket.
3278
+ # [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
3279
+ #
3280
+ #
3281
+ #
3282
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3283
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3089
3284
  #
3090
3285
  # @option params [String] :ssekms_encryption_context
3091
3286
  # Specifies the Amazon Web Services KMS Encryption Context to use for
3092
- # object encryption. The value of this header is a base64-encoded UTF-8
3093
- # string holding JSON with the encryption context key-value pairs.
3094
- #
3095
- # <note markdown="1"> This functionality is not supported for directory buckets.
3287
+ # object encryption. The value of this header is a Base64-encoded string
3288
+ # of a UTF-8 encoded JSON, which contains the encryption context as
3289
+ # key-value pairs.
3096
3290
  #
3097
- # </note>
3291
+ # **Directory buckets** - You can optionally provide an explicit
3292
+ # encryption context value. The value must match the default encryption
3293
+ # context - the bucket Amazon Resource Name (ARN). An additional
3294
+ # encryption context value is not supported.
3098
3295
  #
3099
3296
  # @option params [Boolean] :bucket_key_enabled
3100
3297
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
3101
3298
  # encryption with server-side encryption using Key Management Service
3102
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
3103
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
3299
+ # (KMS) keys (SSE-KMS).
3104
3300
  #
3105
- # Specifying this header with an object action doesn’t affect
3301
+ # **General purpose buckets** - Setting this header to `true` causes
3302
+ # Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
3303
+ # Also, specifying this header with a PUT action doesn't affect
3106
3304
  # bucket-level settings for S3 Bucket Key.
3107
3305
  #
3108
- # <note markdown="1"> This functionality is not supported for directory buckets.
3306
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
3307
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
3308
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
3309
+ # from general purpose buckets to directory buckets, from directory
3310
+ # buckets to general purpose buckets, or between directory buckets,
3311
+ # through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
3312
+ # Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
3313
+ # makes a call to KMS every time a copy request is made for a
3314
+ # KMS-encrypted object.
3315
+ #
3109
3316
  #
3110
- # </note>
3317
+ #
3318
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3319
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3320
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
3321
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
3111
3322
  #
3112
3323
  # @option params [String] :request_payer
3113
3324
  # Confirms that the requester knows that they will be charged for the
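Review bot: The reference links `[3]` and `[4]` added under `:bucket_key_enabled` end in `directory-buckets-objects-Batch-Ops` and `create-import-job` with no `.html` suffix, unlike every other docs.aws.amazon.com reference in this hunk. They may not resolve to the intended pages. Check them and, if the suffix is simply missing, write them as e.g. `# [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job.html`.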
@@ -3268,9 +3479,10 @@ module Aws::S3
3268
3479
 
3269
3480
  # Creates a session that establishes temporary security credentials to
3270
3481
  # support fast authentication and authorization for the Zonal endpoint
3271
- # APIs on directory buckets. For more information about Zonal endpoint
3272
- # APIs that include the Availability Zone in the request endpoint, see
3273
- # [S3 Express One Zone APIs][1] in the *Amazon S3 User Guide*.
3482
+ # API operations on directory buckets. For more information about Zonal
3483
+ # endpoint API operations that include the Availability Zone in the
3484
+ # request endpoint, see [S3 Express One Zone APIs][1] in the *Amazon S3
3485
+ # User Guide*.
3274
3486
  #
3275
3487
  # To make Zonal endpoint API requests on a directory bucket, use the
3276
3488
  # `CreateSession` API operation. Specifically, you grant
@@ -3279,13 +3491,13 @@ module Aws::S3
3279
3491
  # the `CreateSession` API request on the bucket, which returns temporary
3280
3492
  # security credentials that include the access key ID, secret access
3281
3493
  # key, session token, and expiration. These credentials have associated
3282
- # permissions to access the Zonal endpoint APIs. After the session is
3283
- # created, you don’t need to use other policies to grant permissions to
3284
- # each Zonal endpoint API individually. Instead, in your Zonal endpoint
3285
- # API requests, you sign your requests by applying the temporary
3286
- # security credentials of the session to the request headers and
3287
- # following the SigV4 protocol for authentication. You also apply the
3288
- # session token to the `x-amz-s3session-token` request header for
3494
+ # permissions to access the Zonal endpoint API operations. After the
3495
+ # session is created, you don’t need to use other policies to grant
3496
+ # permissions to each Zonal endpoint API individually. Instead, in your
3497
+ # Zonal endpoint API requests, you sign your requests by applying the
3498
+ # temporary security credentials of the session to the request headers
3499
+ # and following the SigV4 protocol for authentication. You also apply
3500
+ # the session token to the `x-amz-s3session-token` request header for
3289
3501
  # authorization. Temporary security credentials are scoped to the bucket
3290
3502
  # and expire after 5 minutes. After the expiration time, any calls that
3291
3503
  # you make with those credentials will fail. You must use IAM
@@ -3308,16 +3520,16 @@ module Aws::S3
3308
3520
  # [Regional and Zonal endpoints][3] in the *Amazon S3 User Guide*.
3309
3521
  #
3310
3522
  # * <b> <code>CopyObject</code> API operation</b> - Unlike other Zonal
3311
- # endpoint APIs, the `CopyObject` API operation doesn't use the
3312
- # temporary security credentials returned from the `CreateSession` API
3313
- # operation for authentication and authorization. For information
3523
+ # endpoint API operations, the `CopyObject` API operation doesn't use
3524
+ # the temporary security credentials returned from the `CreateSession`
3525
+ # API operation for authentication and authorization. For information
3314
3526
  # about authentication and authorization of the `CopyObject` API
3315
3527
  # operation on directory buckets, see [CopyObject][4].
3316
3528
  #
3317
3529
  # * <b> <code>HeadBucket</code> API operation</b> - Unlike other Zonal
3318
- # endpoint APIs, the `HeadBucket` API operation doesn't use the
3319
- # temporary security credentials returned from the `CreateSession` API
3320
- # operation for authentication and authorization. For information
3530
+ # endpoint API operations, the `HeadBucket` API operation doesn't use
3531
+ # the temporary security credentials returned from the `CreateSession`
3532
+ # API operation for authentication and authorization. For information
3321
3533
  # about authentication and authorization of the `HeadBucket` API
3322
3534
  # operation on directory buckets, see [HeadBucket][5].
3323
3535
  #
@@ -3336,9 +3548,71 @@ module Aws::S3
3336
3548
  # Identity and Access Management (IAM) identity-based policies for S3
3337
3549
  # Express One Zone][8] in the *Amazon S3 User Guide*.
3338
3550
  #
3339
- # To grant cross-account access to Zonal endpoint APIs, the bucket
3340
- # policy should also grant both accounts the `s3express:CreateSession`
3341
- # permission.
3551
+ # To grant cross-account access to Zonal endpoint API operations, the
3552
+ # bucket policy should also grant both accounts the
3553
+ # `s3express:CreateSession` permission.
3554
+ #
3555
+ # If you want to encrypt objects with SSE-KMS, you must also have the
3556
+ # `kms:GenerateDataKey` and the `kms:Decrypt` permissions in IAM
3557
+ # identity-based policies and KMS key policies for the target KMS key.
3558
+ #
3559
+ # Encryption
3560
+ #
3561
+ # : For directory buckets, there are only two supported options for
3562
+ # server-side encryption: server-side encryption with Amazon S3
3563
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
3564
+ # keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's default
3565
+ # encryption uses the desired encryption configuration and you don't
3566
+ # override the bucket default encryption in your `CreateSession`
3567
+ # requests or `PUT` object requests. Then, new objects are
3568
+ # automatically encrypted with the desired encryption settings. For
3569
+ # more information, see [Protecting data with server-side
3570
+ # encryption][9] in the *Amazon S3 User Guide*. For more information
3571
+ # about the encryption overriding behaviors in directory buckets, see
3572
+ # [Specifying server-side encryption with KMS for new object
3573
+ # uploads][10].
3574
+ #
3575
+ # For [Zonal endpoint (object-level) API operations][11] except
3576
+ # [CopyObject][4] and [UploadPartCopy][12], you authenticate and
3577
+ # authorize requests through [CreateSession][13] for low latency. To
3578
+ # encrypt new objects in a directory bucket with SSE-KMS, you must
3579
+ # specify SSE-KMS as the directory bucket's default encryption
3580
+ # configuration with a KMS key (specifically, a [customer managed
3581
+ # key][14]). Then, when a session is created for Zonal endpoint API
3582
+ # operations, new objects are automatically encrypted and decrypted
3583
+ # with SSE-KMS and S3 Bucket Keys during the session.
3584
+ #
3585
+ # <note markdown="1"> Only 1 [customer managed key][14] is supported per directory bucket
3586
+ # for the lifetime of the bucket. [Amazon Web Services managed
3587
+ # key][15] (`aws/s3`) isn't supported. After you specify SSE-KMS as
3588
+ # your bucket's default encryption configuration with a customer
3589
+ # managed key, you can't change the customer managed key for the
3590
+ # bucket's SSE-KMS configuration.
3591
+ #
3592
+ # </note>
3593
+ #
3594
+ # In the Zonal endpoint API calls (except [CopyObject][4] and
3595
+ # [UploadPartCopy][12]) using the REST API, you can't override the
3596
+ # values of the encryption settings (`x-amz-server-side-encryption`,
3597
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
3598
+ # `x-amz-server-side-encryption-context`, and
3599
+ # `x-amz-server-side-encryption-bucket-key-enabled`) from the
3600
+ # `CreateSession` request. You don't need to explicitly specify these
3601
+ # encryption settings values in Zonal endpoint API calls, and Amazon
3602
+ # S3 will use the encryption settings values from the `CreateSession`
3603
+ # request to protect new objects in the directory bucket.
3604
+ #
3605
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
3606
+ # `CreateSession`, the session token refreshes automatically to avoid
3607
+ # service interruptions when a session expires. The CLI or the Amazon
3608
+ # Web Services SDKs use the bucket's default encryption configuration
3609
+ # for the `CreateSession` request. It's not supported to override the
3610
+ # encryption settings values in the `CreateSession` request. Also, in
3611
+ # the Zonal endpoint API calls (except [CopyObject][4] and
3612
+ # [UploadPartCopy][12]), it's not supported to override the values of
3613
+ # the encryption settings from the `CreateSession` request.
3614
+ #
3615
+ # </note>
3342
3616
  #
3343
3617
  # HTTP Host header syntax
3344
3618
  #
@@ -3355,21 +3629,110 @@ module Aws::S3
3355
3629
  # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html#API_CreateSession_RequestParameters
3356
3630
  # [7]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html
3357
3631
  # [8]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html
3632
+ # [9]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3633
+ # [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
3634
+ # [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-differences.html#s3-express-differences-api-operations
3635
+ # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3636
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
3637
+ # [14]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3638
+ # [15]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3358
3639
  #
3359
3640
  # @option params [String] :session_mode
3360
3641
  # Specifies the mode of the session that will be created, either
3361
3642
  # `ReadWrite` or `ReadOnly`. By default, a `ReadWrite` session is
3362
3643
  # created. A `ReadWrite` session is capable of executing all the Zonal
3363
- # endpoint APIs on a directory bucket. A `ReadOnly` session is
3364
- # constrained to execute the following Zonal endpoint APIs: `GetObject`,
3365
- # `HeadObject`, `ListObjectsV2`, `GetObjectAttributes`, `ListParts`, and
3366
- # `ListMultipartUploads`.
3644
+ # endpoint API operations on a directory bucket. A `ReadOnly` session is
3645
+ # constrained to execute the following Zonal endpoint API operations:
3646
+ # `GetObject`, `HeadObject`, `ListObjectsV2`, `GetObjectAttributes`,
3647
+ # `ListParts`, and `ListMultipartUploads`.
3367
3648
  #
3368
3649
  # @option params [required, String] :bucket
3369
3650
  # The name of the bucket that you create a session for.
3370
3651
  #
3652
+ # @option params [String] :server_side_encryption
3653
+ # The server-side encryption algorithm to use when you store objects in
3654
+ # the directory bucket.
3655
+ #
3656
+ # For directory buckets, there are only two supported options for
3657
+ # server-side encryption: server-side encryption with Amazon S3 managed
3658
+ # keys (SSE-S3) (`AES256`) and server-side encryption with KMS keys
3659
+ # (SSE-KMS) (`aws:kms`). By default, Amazon S3 encrypts data with
3660
+ # SSE-S3. For more information, see [Protecting data with server-side
3661
+ # encryption][1] in the *Amazon S3 User Guide*.
3662
+ #
3663
+ #
3664
+ #
3665
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3666
+ #
3667
+ # @option params [String] :ssekms_key_id
3668
+ # If you specify `x-amz-server-side-encryption` with `aws:kms`, you must
3669
+ # specify the ` x-amz-server-side-encryption-aws-kms-key-id` header with
3670
+ # the ID (Key ID or Key ARN) of the KMS symmetric encryption customer
3671
+ # managed key to use. Otherwise, you get an HTTP `400 Bad Request`
3672
+ # error. Only use the key ID or key ARN. The key alias format of the KMS
3673
+ # key isn't supported. Also, if the KMS key doesn't exist in the same
3674
+ # account that't issuing the command, you must use the full Key ARN not
3675
+ # the Key ID.
3676
+ #
3677
+ # Your SSE-KMS configuration can only support 1 [customer managed
3678
+ # key][1] per directory bucket for the lifetime of the bucket. [Amazon
3679
+ # Web Services managed key][2] (`aws/s3`) isn't supported.
3680
+ #
3681
+ #
3682
+ #
3683
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3684
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3685
+ #
3686
+ # @option params [String] :ssekms_encryption_context
3687
+ # Specifies the Amazon Web Services KMS Encryption Context as an
3688
+ # additional encryption context to use for object encryption. The value
3689
+ # of this header is a Base64-encoded string of a UTF-8 encoded JSON,
3690
+ # which contains the encryption context as key-value pairs. This value
3691
+ # is stored as object metadata and automatically gets passed on to
3692
+ # Amazon Web Services KMS for future `GetObject` operations on this
3693
+ # object.
3694
+ #
3695
+ # **General purpose buckets** - This value must be explicitly added
3696
+ # during `CopyObject` operations if you want an additional encryption
3697
+ # context for your object. For more information, see [Encryption
3698
+ # context][1] in the *Amazon S3 User Guide*.
3699
+ #
3700
+ # **Directory buckets** - You can optionally provide an explicit
3701
+ # encryption context value. The value must match the default encryption
3702
+ # context - the bucket Amazon Resource Name (ARN). An additional
3703
+ # encryption context value is not supported.
3704
+ #
3705
+ #
3706
+ #
3707
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
3708
+ #
3709
+ # @option params [Boolean] :bucket_key_enabled
3710
+ # Specifies whether Amazon S3 should use an S3 Bucket Key for object
3711
+ # encryption with server-side encryption using KMS keys (SSE-KMS).
3712
+ #
3713
+ # S3 Bucket Keys are always enabled for `GET` and `PUT` operations in a
3714
+ # directory bucket and can’t be disabled. S3 Bucket Keys aren't
3715
+ # supported, when you copy SSE-KMS encrypted objects from general
3716
+ # purpose buckets to directory buckets, from directory buckets to
3717
+ # general purpose buckets, or between directory buckets, through
3718
+ # [CopyObject][1], [UploadPartCopy][2], [the Copy operation in Batch
3719
+ # Operations][3], or [the import jobs][4]. In this case, Amazon S3 makes
3720
+ # a call to KMS every time a copy request is made for a KMS-encrypted
3721
+ # object.
3722
+ #
3723
+ #
3724
+ #
3725
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3726
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3727
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
3728
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
3729
+ #
3371
3730
  # @return [Types::CreateSessionOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
3372
3731
  #
3732
+ # * {Types::CreateSessionOutput#server_side_encryption #server_side_encryption} => String
3733
+ # * {Types::CreateSessionOutput#ssekms_key_id #ssekms_key_id} => String
3734
+ # * {Types::CreateSessionOutput#ssekms_encryption_context #ssekms_encryption_context} => String
3735
+ # * {Types::CreateSessionOutput#bucket_key_enabled #bucket_key_enabled} => Boolean
3373
3736
  # * {Types::CreateSessionOutput#credentials #credentials} => Types::SessionCredentials
3374
3737
  #
3375
3738
  # @example Request syntax with placeholder values
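Review bot: The added `:ssekms_key_id` text has two wording defects that matter when someone copies from it: the code span for the KMS key header starts with a space after the opening backtick, and "that't issuing the command" should read "that's". I would drop the stray space and change the sentence to `# account that's issuing the command, you must use the full Key ARN, not`. The `:ssekms_encryption_context` text also includes a "General purpose buckets" paragraph about `CopyObject`, which does not seem to apply to an operation the method description limits to directory buckets. If that holds, keep only the "Directory buckets" paragraph, which says the value must match the bucket ARN. If this comment is generated from a service model, the wording would need to be corrected there; the method body itself lies outside this hunk.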
@@ -3377,10 +3740,18 @@ module Aws::S3
3377
3740
  # resp = client.create_session({
3378
3741
  # session_mode: "ReadOnly", # accepts ReadOnly, ReadWrite
3379
3742
  # bucket: "BucketName", # required
3743
+ # server_side_encryption: "AES256", # accepts AES256, aws:kms, aws:kms:dsse
3744
+ # ssekms_key_id: "SSEKMSKeyId",
3745
+ # ssekms_encryption_context: "SSEKMSEncryptionContext",
3746
+ # bucket_key_enabled: false,
3380
3747
  # })
3381
3748
  #
3382
3749
  # @example Response structure
3383
3750
  #
3751
+ # resp.server_side_encryption #=> String, one of "AES256", "aws:kms", "aws:kms:dsse"
3752
+ # resp.ssekms_key_id #=> String
3753
+ # resp.ssekms_encryption_context #=> String
3754
+ # resp.bucket_key_enabled #=> Boolean
3384
3755
  # resp.credentials.access_key_id #=> String
3385
3756
  # resp.credentials.secret_access_key #=> String
3386
3757
  # resp.credentials.session_token #=> String
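Review bot: The request example advertises `aws:kms:dsse` as an accepted `server_side_encryption` value and shows `bucket_key_enabled: false`, which contradicts the option text earlier in this same doc comment. That text says directory buckets support only `AES256` and `aws:kms`, and that S3 Bucket Keys are always enabled and can't be disabled. A reader who copies the example ends up with encryption settings the prose calls unsupported. I would qualify the comment, for example `#   server_side_encryption: "AES256", # accepts AES256, aws:kms (aws:kms:dsse is listed by the shared enum but not supported for directory buckets)`, and apply the same qualifier to the `resp.server_side_encryption` line in the response example. The `create_session` method body is outside this hunk.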
@@ -3626,47 +3997,92 @@ module Aws::S3
3626
3997
  req.send_request(options)
3627
3998
  end
3628
3999
 
3629
- # <note markdown="1"> This operation is not supported by directory buckets.
4000
+ # This implementation of the DELETE action resets the default encryption
4001
+ # for the bucket as server-side encryption with Amazon S3 managed keys
4002
+ # (SSE-S3).
4003
+ #
4004
+ # <note markdown="1"> * **General purpose buckets** - For information about the bucket
4005
+ # default encryption feature, see [Amazon S3 Bucket Default
4006
+ # Encryption][1] in the *Amazon S3 User Guide*.
4007
+ #
4008
+ # * **Directory buckets** - For directory buckets, there are only two
4009
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
4010
+ # For information about the default encryption configuration in
4011
+ # directory buckets, see [Setting default server-side encryption
4012
+ # behavior for directory buckets][2].
3630
4013
  #
3631
4014
  # </note>
3632
4015
  #
3633
- # This implementation of the DELETE action resets the default encryption
3634
- # for the bucket as server-side encryption with Amazon S3 managed keys
3635
- # (SSE-S3). For information about the bucket default encryption feature,
3636
- # see [Amazon S3 Bucket Default Encryption][1] in the *Amazon S3 User
3637
- # Guide*.
4016
+ # Permissions
4017
+ # : * **General purpose bucket permissions** - The
4018
+ # `s3:PutEncryptionConfiguration` permission is required in a
4019
+ # policy. The bucket owner has this permission by default. The
4020
+ # bucket owner can grant this permission to others. For more
4021
+ # information about permissions, see [Permissions Related to Bucket
4022
+ # Operations][3] and [Managing Access Permissions to Your Amazon S3
4023
+ # Resources][4].
3638
4024
  #
3639
- # To use this operation, you must have permissions to perform the
3640
- # `s3:PutEncryptionConfiguration` action. The bucket owner has this
3641
- # permission by default. The bucket owner can grant this permission to
3642
- # others. For more information about permissions, see [Permissions
3643
- # Related to Bucket Subresource Operations][2] and [Managing Access
3644
- # Permissions to your Amazon S3 Resources][3] in the *Amazon S3 User
3645
- # Guide*.
4025
+ # * **Directory bucket permissions** - To grant access to this API
4026
+ # operation, you must have the
4027
+ # `s3express:PutEncryptionConfiguration` permission in an IAM
4028
+ # identity-based policy instead of a bucket policy. Cross-account
4029
+ # access to this API operation isn't supported. This operation can
4030
+ # only be performed by the Amazon Web Services account that owns the
4031
+ # resource. For more information about directory bucket policies and
4032
+ # permissions, see [Amazon Web Services Identity and Access
4033
+ # Management (IAM) for S3 Express One Zone][5] in the *Amazon S3
4034
+ # User Guide*.
4035
+ #
4036
+ # HTTP Host header syntax
4037
+ #
4038
+ # : <b>Directory buckets </b> - The HTTP Host header syntax is
4039
+ # `s3express-control.region.amazonaws.com`.
3646
4040
  #
3647
4041
  # The following operations are related to `DeleteBucketEncryption`:
3648
4042
  #
3649
- # * [PutBucketEncryption][4]
4043
+ # * [PutBucketEncryption][6]
3650
4044
  #
3651
- # * [GetBucketEncryption][5]
4045
+ # * [GetBucketEncryption][7]
3652
4046
  #
3653
4047
  #
3654
4048
  #
3655
4049
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
3656
- # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
3657
- # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
3658
- # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
3659
- # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
4050
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-bucket-encryption.html
4051
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
4052
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
4053
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
4054
+ # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
4055
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
3660
4056
  #
3661
4057
  # @option params [required, String] :bucket
3662
4058
  # The name of the bucket containing the server-side encryption
3663
4059
  # configuration to delete.
3664
4060
  #
4061
+ # <b>Directory buckets </b> - When you use this operation with a
4062
+ # directory bucket, you must use path-style requests in the format
4063
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
4064
+ # Virtual-hosted-style requests aren't supported. Directory bucket
4065
+ # names must be unique in the chosen Availability Zone. Bucket names
4066
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
4067
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
4068
+ # bucket naming restrictions, see [Directory bucket naming rules][1] in
4069
+ # the *Amazon S3 User Guide*
4070
+ #
4071
+ #
4072
+ #
4073
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
4074
+ #
3665
4075
  # @option params [String] :expected_bucket_owner
3666
4076
  # The account ID of the expected bucket owner. If the account ID that
3667
4077
  # you provide does not match the actual owner of the bucket, the request
3668
4078
  # fails with the HTTP status code `403 Forbidden` (access denied).
3669
4079
  #
4080
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
4081
+ # operation. If you specify this header, the request fails with the HTTP
4082
+ # status code `501 Not Implemented`.
4083
+ #
4084
+ # </note>
4085
+ #
3670
4086
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
3671
4087
  #
3672
4088
  # @example Request syntax with placeholder values
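Review bot: The rewritten description opens with "resets the default encryption for the bucket as ... SSE-S3", but the new "Directory buckets" bullet never says what that reset means for a bucket whose default was SSE-KMS. The `CreateSession` text on this page says a directory bucket supports one customer managed key for its lifetime and that the key can't be changed. A reader therefore cannot tell whether deleting the configuration is reversible, or that new objects stop being KMS-encrypted after the call. Assuming the reset applies to directory buckets as the opening sentence implies, I would add under that bullet something like `#   After this call, new objects are encrypted with SSE-S3 until SSE-KMS is configured again with PutBucketEncryption.` and state whether the original key can be re-applied. Separately, the added `:bucket` text has stray spaces inside its code spans (`bucket-name `, ` bucket_base_name--az_id--x-s3`) and ends without a period; the same text appears in the `GetBucketEncryption` hunk at `@@ -5541`.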
@@ -4660,35 +5076,35 @@ module Aws::S3
4660
5076
  # * {Types::DeleteObjectTaggingOutput#version_id #version_id} => String
4661
5077
  #
4662
5078
  #
4663
- # @example Example: To remove tag set from an object version
5079
+ # @example Example: To remove tag set from an object
4664
5080
  #
4665
- # # The following example removes tag set associated with the specified object version. The request specifies both the
4666
- # # object key and object version.
5081
+ # # The following example removes tag set associated with the specified object. If the bucket is versioning enabled, the
5082
+ # # operation removes tag set from the latest object version.
4667
5083
  #
4668
5084
  # resp = client.delete_object_tagging({
4669
5085
  # bucket: "examplebucket",
4670
5086
  # key: "HappyFace.jpg",
4671
- # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
4672
5087
  # })
4673
5088
  #
4674
5089
  # resp.to_h outputs the following:
4675
5090
  # {
4676
- # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
5091
+ # version_id: "null",
4677
5092
  # }
4678
5093
  #
4679
- # @example Example: To remove tag set from an object
5094
+ # @example Example: To remove tag set from an object version
4680
5095
  #
4681
- # # The following example removes tag set associated with the specified object. If the bucket is versioning enabled, the
4682
- # # operation removes tag set from the latest object version.
5096
+ # # The following example removes tag set associated with the specified object version. The request specifies both the
5097
+ # # object key and object version.
4683
5098
  #
4684
5099
  # resp = client.delete_object_tagging({
4685
5100
  # bucket: "examplebucket",
4686
5101
  # key: "HappyFace.jpg",
5102
+ # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
4687
5103
  # })
4688
5104
  #
4689
5105
  # resp.to_h outputs the following:
4690
5106
  # {
4691
- # version_id: "null",
5107
+ # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
4692
5108
  # }
4693
5109
  #
4694
5110
  # @example Request syntax with placeholder values
@@ -4971,20 +5387,22 @@ module Aws::S3
4971
5387
  # * {Types::DeleteObjectsOutput#errors #errors} => Array&lt;Types::Error&gt;
4972
5388
  #
4973
5389
  #
4974
- # @example Example: To delete multiple objects from a versioned bucket
5390
+ # @example Example: To delete multiple object versions from a versioned bucket
4975
5391
  #
4976
- # # The following example deletes objects from a bucket. The bucket is versioned, and the request does not specify the
4977
- # # object version to delete. In this case, all versions remain in the bucket and S3 adds a delete marker.
5392
+ # # The following example deletes objects from a bucket. The request specifies object versions. S3 deletes specific object
5393
+ # # versions and returns the key and versions of deleted objects in the response.
4978
5394
  #
4979
5395
  # resp = client.delete_objects({
4980
5396
  # bucket: "examplebucket",
4981
5397
  # delete: {
4982
5398
  # objects: [
4983
5399
  # {
4984
- # key: "objectkey1",
5400
+ # key: "HappyFace.jpg",
5401
+ # version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
4985
5402
  # },
4986
5403
  # {
4987
- # key: "objectkey2",
5404
+ # key: "HappyFace.jpg",
5405
+ # version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
4988
5406
  # },
4989
5407
  # ],
4990
5408
  # quiet: false,
@@ -4995,34 +5413,30 @@ module Aws::S3
4995
5413
  # {
4996
5414
  # deleted: [
4997
5415
  # {
4998
- # delete_marker: true,
4999
- # delete_marker_version_id: "A._w1z6EFiCF5uhtQMDal9JDkID9tQ7F",
5000
- # key: "objectkey1",
5416
+ # key: "HappyFace.jpg",
5417
+ # version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
5001
5418
  # },
5002
5419
  # {
5003
- # delete_marker: true,
5004
- # delete_marker_version_id: "iOd_ORxhkKe_e8G8_oSGxt2PjsCZKlkt",
5005
- # key: "objectkey2",
5420
+ # key: "HappyFace.jpg",
5421
+ # version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
5006
5422
  # },
5007
5423
  # ],
5008
5424
  # }
5009
5425
  #
5010
- # @example Example: To delete multiple object versions from a versioned bucket
5426
+ # @example Example: To delete multiple objects from a versioned bucket
5011
5427
  #
5012
- # # The following example deletes objects from a bucket. The request specifies object versions. S3 deletes specific object
5013
- # # versions and returns the key and versions of deleted objects in the response.
5428
+ # # The following example deletes objects from a bucket. The bucket is versioned, and the request does not specify the
5429
+ # # object version to delete. In this case, all versions remain in the bucket and S3 adds a delete marker.
5014
5430
  #
5015
5431
  # resp = client.delete_objects({
5016
5432
  # bucket: "examplebucket",
5017
5433
  # delete: {
5018
5434
  # objects: [
5019
5435
  # {
5020
- # key: "HappyFace.jpg",
5021
- # version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
5436
+ # key: "objectkey1",
5022
5437
  # },
5023
5438
  # {
5024
- # key: "HappyFace.jpg",
5025
- # version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
5439
+ # key: "objectkey2",
5026
5440
  # },
5027
5441
  # ],
5028
5442
  # quiet: false,
@@ -5033,12 +5447,14 @@ module Aws::S3
5033
5447
  # {
5034
5448
  # deleted: [
5035
5449
  # {
5036
- # key: "HappyFace.jpg",
5037
- # version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
5450
+ # delete_marker: true,
5451
+ # delete_marker_version_id: "A._w1z6EFiCF5uhtQMDal9JDkID9tQ7F",
5452
+ # key: "objectkey1",
5038
5453
  # },
5039
5454
  # {
5040
- # key: "HappyFace.jpg",
5041
- # version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
5455
+ # delete_marker: true,
5456
+ # delete_marker_version_id: "iOd_ORxhkKe_e8G8_oSGxt2PjsCZKlkt",
5457
+ # key: "objectkey2",
5042
5458
  # },
5043
5459
  # ],
5044
5460
  # }
@@ -5541,46 +5957,92 @@ module Aws::S3
5541
5957
  req.send_request(options)
5542
5958
  end
5543
5959
 
5544
- # <note markdown="1"> This operation is not supported by directory buckets.
5960
+ # Returns the default encryption configuration for an Amazon S3 bucket.
5961
+ # By default, all buckets have a default encryption configuration that
5962
+ # uses server-side encryption with Amazon S3 managed keys (SSE-S3).
5963
+ #
5964
+ # <note markdown="1"> * **General purpose buckets** - For information about the bucket
5965
+ # default encryption feature, see [Amazon S3 Bucket Default
5966
+ # Encryption][1] in the *Amazon S3 User Guide*.
5967
+ #
5968
+ # * **Directory buckets** - For directory buckets, there are only two
5969
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
5970
+ # For information about the default encryption configuration in
5971
+ # directory buckets, see [Setting default server-side encryption
5972
+ # behavior for directory buckets][2].
5545
5973
  #
5546
5974
  # </note>
5547
5975
  #
5548
- # Returns the default encryption configuration for an Amazon S3 bucket.
5549
- # By default, all buckets have a default encryption configuration that
5550
- # uses server-side encryption with Amazon S3 managed keys (SSE-S3). For
5551
- # information about the bucket default encryption feature, see [Amazon
5552
- # S3 Bucket Default Encryption][1] in the *Amazon S3 User Guide*.
5976
+ # Permissions
5977
+ # : * **General purpose bucket permissions** - The
5978
+ # `s3:GetEncryptionConfiguration` permission is required in a
5979
+ # policy. The bucket owner has this permission by default. The
5980
+ # bucket owner can grant this permission to others. For more
5981
+ # information about permissions, see [Permissions Related to Bucket
5982
+ # Operations][3] and [Managing Access Permissions to Your Amazon S3
5983
+ # Resources][4].
5553
5984
  #
5554
- # To use this operation, you must have permission to perform the
5555
- # `s3:GetEncryptionConfiguration` action. The bucket owner has this
5556
- # permission by default. The bucket owner can grant this permission to
5557
- # others. For more information about permissions, see [Permissions
5558
- # Related to Bucket Subresource Operations][2] and [Managing Access
5559
- # Permissions to Your Amazon S3 Resources][3].
5985
+ # * **Directory bucket permissions** - To grant access to this API
5986
+ # operation, you must have the
5987
+ # `s3express:GetEncryptionConfiguration` permission in an IAM
5988
+ # identity-based policy instead of a bucket policy. Cross-account
5989
+ # access to this API operation isn't supported. This operation can
5990
+ # only be performed by the Amazon Web Services account that owns the
5991
+ # resource. For more information about directory bucket policies and
5992
+ # permissions, see [Amazon Web Services Identity and Access
5993
+ # Management (IAM) for S3 Express One Zone][5] in the *Amazon S3
5994
+ # User Guide*.
5995
+ #
5996
+ # HTTP Host header syntax
5997
+ #
5998
+ # : <b>Directory buckets </b> - The HTTP Host header syntax is
5999
+ # `s3express-control.region.amazonaws.com`.
5560
6000
  #
5561
6001
  # The following operations are related to `GetBucketEncryption`:
5562
6002
  #
5563
- # * [PutBucketEncryption][4]
6003
+ # * [PutBucketEncryption][6]
5564
6004
  #
5565
- # * [DeleteBucketEncryption][5]
6005
+ # * [DeleteBucketEncryption][7]
5566
6006
  #
5567
6007
  #
5568
6008
  #
5569
6009
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
5570
- # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
5571
- # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
5572
- # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
5573
- # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
6010
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-bucket-encryption.html
6011
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
6012
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
6013
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
6014
+ # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
6015
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
6016
+ #
6017
+ # @option params [required, String] :bucket
6018
+ # The name of the bucket from which the server-side encryption
6019
+ # configuration is retrieved.
6020
+ #
6021
+ # <b>Directory buckets </b> - When you use this operation with a
6022
+ # directory bucket, you must use path-style requests in the format
6023
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
6024
+ # Virtual-hosted-style requests aren't supported. Directory bucket
6025
+ # names must be unique in the chosen Availability Zone. Bucket names
6026
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
6027
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
6028
+ # bucket naming restrictions, see [Directory bucket naming rules][1] in
6029
+ # the *Amazon S3 User Guide*
6030
+ #
5574
6031
  #
5575
- # @option params [required, String] :bucket
5576
- # The name of the bucket from which the server-side encryption
5577
- # configuration is retrieved.
6032
+ #
6033
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
5578
6034
  #
5579
6035
  # @option params [String] :expected_bucket_owner
5580
6036
  # The account ID of the expected bucket owner. If the account ID that
5581
6037
  # you provide does not match the actual owner of the bucket, the request
5582
6038
  # fails with the HTTP status code `403 Forbidden` (access denied).
5583
6039
  #
6040
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
6041
+ # operation. If you specify this header, the request fails with the HTTP
6042
+ # status code `501 Not Implemented`.
6043
+ #
6044
+ # </note>
6045
+ #
5584
6046
  # @return [Types::GetBucketEncryptionOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
5585
6047
  #
5586
6048
  # * {Types::GetBucketEncryptionOutput#server_side_encryption_configuration #server_side_encryption_configuration} => Types::ServerSideEncryptionConfiguration
@@ -7320,6 +7782,10 @@ module Aws::S3
7320
7782
  # interruptions when a session expires. For more information about
7321
7783
  # authorization, see [ `CreateSession` ][4].
7322
7784
  #
7785
+ # If the object is encrypted using SSE-KMS, you must also have the
7786
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
7787
+ # identity-based policies and KMS key policies for the KMS key.
7788
+ #
7323
7789
  # Storage classes
7324
7790
  #
7325
7791
  # : If the object you are retrieving is stored in the S3 Glacier
@@ -7348,6 +7814,11 @@ module Aws::S3
7348
7814
  # `GetObject` requests for the object that uses these types of keys,
7349
7815
  # you’ll get an HTTP `400 Bad Request` error.
7350
7816
  #
7817
+ # **Directory buckets** - For directory buckets, there are only two
7818
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
7819
+ # SSE-C isn't supported. For more information, see [Protecting data
7820
+ # with server-side encryption][7] in the *Amazon S3 User Guide*.
7821
+ #
7351
7822
  # Overriding response header values through the request
7352
7823
  #
7353
7824
  # : There are times when you want to override certain response header
@@ -7395,9 +7866,9 @@ module Aws::S3
7395
7866
  #
7396
7867
  # The following operations are related to `GetObject`:
7397
7868
  #
7398
- # * [ListBuckets][7]
7869
+ # * [ListBuckets][8]
7399
7870
  #
7400
- # * [GetObjectAcl][8]
7871
+ # * [GetObjectAcl][9]
7401
7872
  #
7402
7873
  #
7403
7874
  #
@@ -7407,8 +7878,9 @@ module Aws::S3
7407
7878
  # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
7408
7879
  # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
7409
7880
  # [6]: https://docs.aws.amazon.com/AmazonS3/latest/dev/restoring-objects.html
7410
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html
7411
- # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
7881
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
7882
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html
7883
+ # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
7412
7884
  #
7413
7885
  # @option params [String, IO] :response_target
7414
7886
  # Where to write response data, file path, or IO object.
@@ -7705,10 +8177,10 @@ module Aws::S3
7705
8177
  # @option params [String] :checksum_mode
7706
8178
  # To retrieve the checksum, this mode must be enabled.
7707
8179
  #
7708
- # In addition, if you enable checksum mode and the object is uploaded
7709
- # with a [checksum][1] and encrypted with an Key Management Service
7710
- # (KMS) key, you must have permission to use the `kms:Decrypt` action to
7711
- # retrieve the checksum.
8180
+ # **General purpose buckets** - In addition, if you enable checksum mode
8181
+ # and the object is uploaded with a [checksum][1] and encrypted with an
8182
+ # Key Management Service (KMS) key, you must have permission to use the
8183
+ # `kms:Decrypt` action to retrieve the checksum.
7712
8184
  #
7713
8185
  #
7714
8186
  #
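Review bot: The reworded `:checksum_mode` text (new lines 8180–8183) scopes the KMS requirement to general purpose buckets but says nothing about directory buckets, whereas the matching `:checksum_mode` hunk further down (new lines 10075–10084) adds a **Directory buckets** paragraph requiring `kms:GenerateDataKey` and `kms:Decrypt`. If the same requirement applies to this operation, which the hunk does not show, add the equivalent paragraph here so a least-privilege IAM or KMS key policy is not written from half the picture. Both hunks also carry over `an Key Management Service`; it should read `a Key Management Service (KMS) key`. The doc comment these lines belong to starts and ends outside the hunk.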
@@ -8110,7 +8582,7 @@ module Aws::S3
8110
8582
  # Permissions
8111
8583
  # : * **General purpose bucket permissions** - To use
8112
8584
  # `GetObjectAttributes`, you must have READ access to the object.
8113
- # The permissions that you need to use this operation with depend on
8585
+ # The permissions that you need to use this operation depend on
8114
8586
  # whether the bucket is versioned. If the bucket is versioned, you
8115
8587
  # need both the `s3:GetObjectVersion` and
8116
8588
  # `s3:GetObjectVersionAttributes` permissions for this operation. If
@@ -8144,6 +8616,10 @@ module Aws::S3
8144
8616
  # interruptions when a session expires. For more information about
8145
8617
  # authorization, see [ `CreateSession` ][3].
8146
8618
  #
8619
+ # If the object is encrypted with SSE-KMS, you must also have the
8620
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
8621
+ # identity-based policies and KMS key policies for the KMS key.
8622
+ #
8147
8623
  # Encryption
8148
8624
  # : <note markdown="1"> Encryption request headers, like `x-amz-server-side-encryption`,
8149
8625
  # should not be sent for `HEAD` requests if your object uses
@@ -8177,9 +8653,19 @@ module Aws::S3
8177
8653
  # Customer-Provided Encryption Keys)][4] in the *Amazon S3 User
8178
8654
  # Guide*.
8179
8655
  #
8180
- # <note markdown="1"> **Directory bucket permissions** - For directory buckets, only
8181
- # server-side encryption with Amazon S3 managed keys (SSE-S3)
8182
- # (`AES256`) is supported.
8656
+ # <note markdown="1"> **Directory bucket permissions** - For directory buckets, there are
8657
+ # only two supported options for server-side encryption: server-side
8658
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
8659
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
8660
+ # recommend that the bucket's default encryption uses the desired
8661
+ # encryption configuration and you don't override the bucket default
8662
+ # encryption in your `CreateSession` requests or `PUT` object
8663
+ # requests. Then, new objects are automatically encrypted with the
8664
+ # desired encryption settings. For more information, see [Protecting
8665
+ # data with server-side encryption][5] in the *Amazon S3 User Guide*.
8666
+ # For more information about the encryption overriding behaviors in
8667
+ # directory buckets, see [Specifying server-side encryption with KMS
8668
+ # for new object uploads][6].
8183
8669
  #
8184
8670
  # </note>
8185
8671
  #
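Review bot: The rewritten note (new lines 8656–8668) keeps the label `**Directory bucket permissions**` although its content is about supported server-side encryption options, not permissions. The parallel note in the later hunk at new line 9803 was relabelled `<b>Directory bucket </b>`, so the two now disagree. Suggest opening the note with `# <note markdown="1"> **Directory buckets** - For directory buckets, there are`, so that someone looking for the KMS permission requirements (added separately at new lines 8619–8621) is not pointed at the wrong paragraph. The two hunks also mix `**…**` and `<b>…</b>` for the same label; using one form throughout would keep the rendered docs uniform.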
@@ -8203,7 +8689,7 @@ module Aws::S3
8203
8689
  # * `If-Unmodified-Since` condition evaluates to `false`.
8204
8690
  #
8205
8691
  # For more information about conditional requests, see [RFC
8206
- # 7232][5].
8692
+ # 7232][7].
8207
8693
  #
8208
8694
  # * If both of the `If-None-Match` and `If-Modified-Since` headers are
8209
8695
  # present in the request as follows, then Amazon S3 returns the HTTP
@@ -8214,7 +8700,7 @@ module Aws::S3
8214
8700
  # * `If-Modified-Since` condition evaluates to `true`.
8215
8701
  #
8216
8702
  # For more information about conditional requests, see [RFC
8217
- # 7232][5].
8703
+ # 7232][7].
8218
8704
  #
8219
8705
  # HTTP Host header syntax
8220
8706
  #
@@ -8223,21 +8709,21 @@ module Aws::S3
8223
8709
  #
8224
8710
  # The following actions are related to `GetObjectAttributes`:
8225
8711
  #
8226
- # * [GetObject][6]
8712
+ # * [GetObject][8]
8227
8713
  #
8228
- # * [GetObjectAcl][7]
8714
+ # * [GetObjectAcl][9]
8229
8715
  #
8230
- # * [GetObjectLegalHold][8]
8716
+ # * [GetObjectLegalHold][10]
8231
8717
  #
8232
- # * [GetObjectLockConfiguration][9]
8718
+ # * [GetObjectLockConfiguration][11]
8233
8719
  #
8234
- # * [GetObjectRetention][10]
8720
+ # * [GetObjectRetention][12]
8235
8721
  #
8236
- # * [GetObjectTagging][11]
8722
+ # * [GetObjectTagging][13]
8237
8723
  #
8238
- # * [HeadObject][12]
8724
+ # * [HeadObject][14]
8239
8725
  #
8240
- # * [ListParts][13]
8726
+ # * [ListParts][15]
8241
8727
  #
8242
8728
  #
8243
8729
  #
@@ -8245,15 +8731,17 @@ module Aws::S3
8245
8731
  # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
8246
8732
  # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
8247
8733
  # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
8248
- # [5]: https://tools.ietf.org/html/rfc7232
8249
- # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
8250
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
8251
- # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLegalHold.html
8252
- # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLockConfiguration.html
8253
- # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectRetention.html
8254
- # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectTagging.html
8255
- # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html
8256
- # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
8734
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
8735
+ # [6]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
8736
+ # [7]: https://tools.ietf.org/html/rfc7232
8737
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
8738
+ # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
8739
+ # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLegalHold.html
8740
+ # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLockConfiguration.html
8741
+ # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectRetention.html
8742
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectTagging.html
8743
+ # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html
8744
+ # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
8257
8745
  #
8258
8746
  # @option params [required, String] :bucket
8259
8747
  # The name of the bucket that contains the object.
@@ -8797,49 +9285,49 @@ module Aws::S3
8797
9285
  # * {Types::GetObjectTaggingOutput#tag_set #tag_set} => Array&lt;Types::Tag&gt;
8798
9286
  #
8799
9287
  #
8800
- # @example Example: To retrieve tag set of an object
9288
+ # @example Example: To retrieve tag set of a specific object version
8801
9289
  #
8802
- # # The following example retrieves tag set of an object.
9290
+ # # The following example retrieves tag set of an object. The request specifies object version.
8803
9291
  #
8804
9292
  # resp = client.get_object_tagging({
8805
9293
  # bucket: "examplebucket",
8806
- # key: "HappyFace.jpg",
9294
+ # key: "exampleobject",
9295
+ # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
8807
9296
  # })
8808
9297
  #
8809
9298
  # resp.to_h outputs the following:
8810
9299
  # {
8811
9300
  # tag_set: [
8812
9301
  # {
8813
- # key: "Key4",
8814
- # value: "Value4",
8815
- # },
8816
- # {
8817
- # key: "Key3",
8818
- # value: "Value3",
9302
+ # key: "Key1",
9303
+ # value: "Value1",
8819
9304
  # },
8820
9305
  # ],
8821
- # version_id: "null",
9306
+ # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
8822
9307
  # }
8823
9308
  #
8824
- # @example Example: To retrieve tag set of a specific object version
9309
+ # @example Example: To retrieve tag set of an object
8825
9310
  #
8826
- # # The following example retrieves tag set of an object. The request specifies object version.
9311
+ # # The following example retrieves tag set of an object.
8827
9312
  #
8828
9313
  # resp = client.get_object_tagging({
8829
9314
  # bucket: "examplebucket",
8830
- # key: "exampleobject",
8831
- # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
9315
+ # key: "HappyFace.jpg",
8832
9316
  # })
8833
9317
  #
8834
9318
  # resp.to_h outputs the following:
8835
9319
  # {
8836
9320
  # tag_set: [
8837
9321
  # {
8838
- # key: "Key1",
8839
- # value: "Value1",
9322
+ # key: "Key4",
9323
+ # value: "Value4",
9324
+ # },
9325
+ # {
9326
+ # key: "Key3",
9327
+ # value: "Value3",
8840
9328
  # },
8841
9329
  # ],
8842
- # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
9330
+ # version_id: "null",
8843
9331
  # }
8844
9332
  #
8845
9333
  # @example Request syntax with placeholder values
@@ -9272,6 +9760,13 @@ module Aws::S3
9272
9760
  # interruptions when a session expires. For more information about
9273
9761
  # authorization, see [ `CreateSession` ][3].
9274
9762
  #
9763
+ # If you enable `x-amz-checksum-mode` in the request and the object
9764
+ # is encrypted with Amazon Web Services Key Management Service
9765
+ # (Amazon Web Services KMS), you must also have the
9766
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
9767
+ # identity-based policies and KMS key policies for the KMS key to
9768
+ # retrieve the checksum of the object.
9769
+ #
9275
9770
  # Encryption
9276
9771
  # : <note markdown="1"> Encryption request headers, like `x-amz-server-side-encryption`,
9277
9772
  # should not be sent for `HEAD` requests if your object uses
@@ -9305,9 +9800,10 @@ module Aws::S3
9305
9800
  # Customer-Provided Encryption Keys)][4] in the *Amazon S3 User
9306
9801
  # Guide*.
9307
9802
  #
9308
- # <note markdown="1"> **Directory bucket permissions** - For directory buckets, only
9309
- # server-side encryption with Amazon S3 managed keys (SSE-S3)
9310
- # (`AES256`) is supported.
9803
+ # <note markdown="1"> <b>Directory bucket </b> - For directory buckets, there are only two
9804
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
9805
+ # SSE-C isn't supported. For more information, see [Protecting data
9806
+ # with server-side encryption][5] in the *Amazon S3 User Guide*.
9311
9807
  #
9312
9808
  # </note>
9313
9809
  #
@@ -9341,15 +9837,15 @@ module Aws::S3
9341
9837
  # requests in the format
9342
9838
  # `https://bucket_name.s3express-az_id.region.amazonaws.com/key-name
9343
9839
  # `. Path-style requests are not supported. For more information, see
9344
- # [Regional and Zonal endpoints][5] in the *Amazon S3 User Guide*.
9840
+ # [Regional and Zonal endpoints][6] in the *Amazon S3 User Guide*.
9345
9841
  #
9346
9842
  # </note>
9347
9843
  #
9348
9844
  # The following actions are related to `HeadObject`:
9349
9845
  #
9350
- # * [GetObject][6]
9846
+ # * [GetObject][7]
9351
9847
  #
9352
- # * [GetObjectAttributes][7]
9848
+ # * [GetObjectAttributes][8]
9353
9849
  #
9354
9850
  #
9355
9851
  #
@@ -9357,9 +9853,10 @@ module Aws::S3
9357
9853
  # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html
9358
9854
  # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
9359
9855
  # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
9360
- # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
9361
- # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
9362
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAttributes.html
9856
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
9857
+ # [6]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
9858
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
9859
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAttributes.html
9363
9860
  #
9364
9861
  # @option params [required, String] :bucket
9365
9862
  # The name of the bucket that contains the object.
@@ -9575,10 +10072,16 @@ module Aws::S3
9575
10072
  # @option params [String] :checksum_mode
9576
10073
  # To retrieve the checksum, this parameter must be enabled.
9577
10074
  #
9578
- # In addition, if you enable checksum mode and the object is uploaded
9579
- # with a [checksum][1] and encrypted with an Key Management Service
9580
- # (KMS) key, you must have permission to use the `kms:Decrypt` action to
9581
- # retrieve the checksum.
10075
+ # **General purpose buckets** - If you enable checksum mode and the
10076
+ # object is uploaded with a [checksum][1] and encrypted with an Key
10077
+ # Management Service (KMS) key, you must have permission to use the
10078
+ # `kms:Decrypt` action to retrieve the checksum.
10079
+ #
10080
+ # **Directory buckets** - If you enable `ChecksumMode` and the object is
10081
+ # encrypted with Amazon Web Services Key Management Service (Amazon Web
10082
+ # Services KMS), you must also have the `kms:GenerateDataKey` and
10083
+ # `kms:Decrypt` permissions in IAM identity-based policies and KMS key
10084
+ # policies for the KMS key to retrieve the checksum of the object.
9582
10085
  #
9583
10086
  #
9584
10087
  #
@@ -12574,24 +13077,73 @@ module Aws::S3
12574
13077
  req.send_request(options)
12575
13078
  end
12576
13079
 
12577
- # <note markdown="1"> This operation is not supported by directory buckets.
13080
+ # This operation configures default encryption and Amazon S3 Bucket Keys
13081
+ # for an existing bucket.
12578
13082
  #
12579
- # </note>
13083
+ # <note markdown="1"> <b>Directory buckets </b> - For directory buckets, you must make
13084
+ # requests for this API operation to the Regional endpoint. These
13085
+ # endpoints support path-style requests in the format
13086
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
13087
+ # Virtual-hosted-style requests aren't supported. For more information,
13088
+ # see [Regional and Zonal endpoints][1] in the *Amazon S3 User Guide*.
12580
13089
  #
12581
- # This action uses the `encryption` subresource to configure default
12582
- # encryption and Amazon S3 Bucket Keys for an existing bucket.
13090
+ # </note>
12583
13091
  #
12584
13092
  # By default, all buckets have a default encryption configuration that
12585
- # uses server-side encryption with Amazon S3 managed keys (SSE-S3). You
12586
- # can optionally configure default encryption for a bucket by using
12587
- # server-side encryption with Key Management Service (KMS) keys
12588
- # (SSE-KMS) or dual-layer server-side encryption with Amazon Web
12589
- # Services KMS keys (DSSE-KMS). If you specify default encryption by
12590
- # using SSE-KMS, you can also configure [Amazon S3 Bucket Keys][1]. If
12591
- # you use PutBucketEncryption to set your [default bucket encryption][2]
12592
- # to SSE-KMS, you should verify that your KMS key ID is correct. Amazon
12593
- # S3 does not validate the KMS key ID provided in PutBucketEncryption
12594
- # requests.
13093
+ # uses server-side encryption with Amazon S3 managed keys (SSE-S3).
13094
+ #
13095
+ # <note markdown="1"> * **General purpose buckets**
13096
+ #
13097
+ # * You can optionally configure default encryption for a bucket by
13098
+ # using server-side encryption with Key Management Service (KMS)
13099
+ # keys (SSE-KMS) or dual-layer server-side encryption with Amazon
13100
+ # Web Services KMS keys (DSSE-KMS). If you specify default
13101
+ # encryption by using SSE-KMS, you can also configure [Amazon S3
13102
+ # Bucket Keys][2]. For information about the bucket default
13103
+ # encryption feature, see [Amazon S3 Bucket Default Encryption][3]
13104
+ # in the *Amazon S3 User Guide*.
13105
+ #
13106
+ # * If you use PutBucketEncryption to set your [default bucket
13107
+ # encryption][3] to SSE-KMS, you should verify that your KMS key ID
13108
+ # is correct. Amazon S3 doesn't validate the KMS key ID provided in
13109
+ # PutBucketEncryption requests.
13110
+ #
13111
+ # * <b>Directory buckets </b> - You can optionally configure default
13112
+ # encryption for a bucket by using server-side encryption with Key
13113
+ # Management Service (KMS) keys (SSE-KMS).
13114
+ #
13115
+ # * We recommend that the bucket's default encryption uses the
13116
+ # desired encryption configuration and you don't override the
13117
+ # bucket default encryption in your `CreateSession` requests or
13118
+ # `PUT` object requests. Then, new objects are automatically
13119
+ # encrypted with the desired encryption settings. For more
13120
+ # information about the encryption overriding behaviors in directory
13121
+ # buckets, see [Specifying server-side encryption with KMS for new
13122
+ # object uploads][4].
13123
+ #
13124
+ # * Your SSE-KMS configuration can only support 1 [customer managed
13125
+ # key][5] per directory bucket for the lifetime of the bucket.
13126
+ # [Amazon Web Services managed key][6] (`aws/s3`) isn't supported.
13127
+ #
13128
+ # * S3 Bucket Keys are always enabled for `GET` and `PUT` operations
13129
+ # in a directory bucket and can’t be disabled. S3 Bucket Keys
13130
+ # aren't supported, when you copy SSE-KMS encrypted objects from
13131
+ # general purpose buckets to directory buckets, from directory
13132
+ # buckets to general purpose buckets, or between directory buckets,
13133
+ # through [CopyObject][7], [UploadPartCopy][8], [the Copy operation
13134
+ # in Batch Operations][9], or [the import jobs][10]. In this case,
13135
+ # Amazon S3 makes a call to KMS every time a copy request is made
13136
+ # for a KMS-encrypted object.
13137
+ #
13138
+ # * When you specify an [KMS customer managed key][5] for encryption
13139
+ # in your directory bucket, only use the key ID or key ARN. The key
13140
+ # alias format of the KMS key isn't supported.
13141
+ #
13142
+ # * For directory buckets, if you use PutBucketEncryption to set your
13143
+ # [default bucket encryption][3] to SSE-KMS, Amazon S3 validates the
13144
+ # KMS key ID provided in PutBucketEncryption requests.
13145
+ #
13146
+ # </note>
12595
13147
  #
12596
13148
  # If you're specifying a customer managed KMS key, we recommend using a
12597
13149
  # fully qualified KMS key ARN. If you use a KMS key alias instead, then
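Review bot: The new directory-bucket bullet at new lines 13138–13140 says the key alias format isn't supported and only a key ID or key ARN may be used, yet the unchanged paragraph right after the note (13148–13149) still discusses using a KMS key alias without saying which bucket type it applies to. Scope that paragraph, for example by starting it with `# **General purpose buckets** - If you're specifying a customer managed KMS key, we recommend using a`, so the two statements do not read as contradictory. The note also says S3 does not validate the key ID for general purpose buckets (13106–13109) but does for directory buckets (13142–13144); placing those two bullets next to each other would make the difference harder to miss when a wrong key ID is configured. The paragraph at 13148 continues outside the hunk.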
@@ -12601,45 +13153,80 @@ module Aws::S3
12601
13153
  #
12602
13154
  # Also, this action requires Amazon Web Services Signature Version 4.
12603
13155
  # For more information, see [ Authenticating Requests (Amazon Web
12604
- # Services Signature Version 4)][3].
13156
+ # Services Signature Version 4)][11].
12605
13157
  #
12606
- # To use this operation, you must have permission to perform the
12607
- # `s3:PutEncryptionConfiguration` action. The bucket owner has this
12608
- # permission by default. The bucket owner can grant this permission to
12609
- # others. For more information about permissions, see [Permissions
12610
- # Related to Bucket Subresource Operations][4] and [Managing Access
12611
- # Permissions to Your Amazon S3 Resources][5] in the *Amazon S3 User
12612
- # Guide*.
13158
+ # Permissions
13159
+ # : * **General purpose bucket permissions** - The
13160
+ # `s3:PutEncryptionConfiguration` permission is required in a
13161
+ # policy. The bucket owner has this permission by default. The
13162
+ # bucket owner can grant this permission to others. For more
13163
+ # information about permissions, see [Permissions Related to Bucket
13164
+ # Operations][12] and [Managing Access Permissions to Your Amazon S3
13165
+ # Resources][13] in the *Amazon S3 User Guide*.
13166
+ #
13167
+ # * **Directory bucket permissions** - To grant access to this API
13168
+ # operation, you must have the
13169
+ # `s3express:PutEncryptionConfiguration` permission in an IAM
13170
+ # identity-based policy instead of a bucket policy. Cross-account
13171
+ # access to this API operation isn't supported. This operation can
13172
+ # only be performed by the Amazon Web Services account that owns the
13173
+ # resource. For more information about directory bucket policies and
13174
+ # permissions, see [Amazon Web Services Identity and Access
13175
+ # Management (IAM) for S3 Express One Zone][14] in the *Amazon S3
13176
+ # User Guide*.
13177
+ #
13178
+ # To set a directory bucket default encryption with SSE-KMS, you
13179
+ # must also have the `kms:GenerateDataKey` and the `kms:Decrypt`
13180
+ # permissions in IAM identity-based policies and KMS key policies
13181
+ # for the target KMS key.
13182
+ #
13183
+ # HTTP Host header syntax
13184
+ #
13185
+ # : <b>Directory buckets </b> - The HTTP Host header syntax is
13186
+ # `s3express-control.region.amazonaws.com`.
12613
13187
  #
12614
13188
  # The following operations are related to `PutBucketEncryption`:
12615
13189
  #
12616
- # * [GetBucketEncryption][6]
13190
+ # * [GetBucketEncryption][15]
12617
13191
  #
12618
- # * [DeleteBucketEncryption][7]
13192
+ # * [DeleteBucketEncryption][16]
12619
13193
  #
12620
13194
  #
12621
13195
  #
12622
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
12623
- # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
12624
- # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
12625
- # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
12626
- # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
12627
- # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
12628
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
13196
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
13197
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
13198
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
13199
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
13200
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
13201
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
13202
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
13203
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
13204
+ # [9]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
13205
+ # [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
13206
+ # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
13207
+ # [12]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
13208
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
13209
+ # [14]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
13210
+ # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
13211
+ # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
12629
13212
  #
12630
13213
  # @option params [required, String] :bucket
12631
13214
  # Specifies default encryption for a bucket using server-side encryption
12632
- # with different key options. By default, all buckets have a default
12633
- # encryption configuration that uses server-side encryption with Amazon
12634
- # S3 managed keys (SSE-S3). You can optionally configure default
12635
- # encryption for a bucket by using server-side encryption with an Amazon
12636
- # Web Services KMS key (SSE-KMS) or a customer-provided key (SSE-C). For
12637
- # information about the bucket default encryption feature, see [Amazon
12638
- # S3 Bucket Default Encryption][1] in the *Amazon S3 User Guide*.
13215
+ # with different key options.
13216
+ #
13217
+ # <b>Directory buckets </b> - When you use this operation with a
13218
+ # directory bucket, you must use path-style requests in the format
13219
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
13220
+ # Virtual-hosted-style requests aren't supported. Directory bucket
13221
+ # names must be unique in the chosen Availability Zone. Bucket names
13222
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
13223
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
13224
+ # bucket naming restrictions, see [Directory bucket naming rules][1] in
13225
+ # the *Amazon S3 User Guide*
12639
13226
  #
12640
13227
  #
12641
13228
  #
12642
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
13229
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
12643
13230
  #
12644
13231
  # @option params [String] :content_md5
12645
13232
  # The base64-encoded 128-bit MD5 digest of the server-side encryption
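Review bot: References `[9]` and `[10]` (new lines 13204–13205) are the only URLs in this list without a `.html` suffix, so they probably do not resolve as written; check them against the User Guide, presumably the same paths with `.html` appended. Separately, the `:bucket` description still opens with `Specifies default encryption for a bucket using server-side encryption with different key options.` (13214–13215), which describes the encryption configuration rather than the bucket name. A sentence such as `# The name of the bucket whose default encryption configuration is being set.` would match how `:bucket` is documented for the related read operation earlier in this diff. The `:content_md5` text that follows continues outside the hunk.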
@@ -12649,6 +13236,10 @@ module Aws::S3
12649
13236
  # (CLI) or Amazon Web Services SDKs, this field is calculated
12650
13237
  # automatically.
12651
13238
  #
13239
+ # <note markdown="1"> This functionality is not supported for directory buckets.
13240
+ #
13241
+ # </note>
13242
+ #
12652
13243
  # @option params [String] :checksum_algorithm
12653
13244
  # Indicates the algorithm used to create the checksum for the object
12654
13245
  # when you use the SDK. This header will not provide any additional
@@ -12661,6 +13252,11 @@ module Aws::S3
12661
13252
  # If you provide an individual checksum, Amazon S3 ignores any provided
12662
13253
  # `ChecksumAlgorithm` parameter.
12663
13254
  #
13255
+ # <note markdown="1"> For directory buckets, when you use Amazon Web Services SDKs, `CRC32`
13256
+ # is the default checksum algorithm that's used for performance.
13257
+ #
13258
+ # </note>
13259
+ #
12664
13260
  #
12665
13261
  #
12666
13262
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
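Review bot: The added note (new lines 13255–13256) says `CRC32` is the default for directory buckets "for performance" but does not say what kind of protection that checksum gives. A reader picking an algorithm for integrity purposes should be told that CRC32 detects accidental corruption and is not a cryptographic digest; suggest appending `# CRC32 detects accidental corruption only; it is not a cryptographic hash.` inside the note. The surrounding `:checksum_algorithm` description starts outside the hunk.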
@@ -12673,6 +13269,12 @@ module Aws::S3
12673
13269
  # you provide does not match the actual owner of the bucket, the request
12674
13270
  # fails with the HTTP status code `403 Forbidden` (access denied).
12675
13271
  #
13272
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
13273
+ # operation. If you specify this header, the request fails with the HTTP
13274
+ # status code `501 Not Implemented`.
13275
+ #
13276
+ # </note>
13277
+ #
12676
13278
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
12677
13279
  #
12678
13280
  # @example Request syntax with placeholder values
@@ -15070,6 +15672,10 @@ module Aws::S3
15070
15672
  # interruptions when a session expires. For more information about
15071
15673
  # authorization, see [ `CreateSession` ][5].
15072
15674
  #
15675
+ # If the object is encrypted with SSE-KMS, you must also have the
15676
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
15677
+ # identity-based policies and KMS key policies for the KMS key.
15678
+ #
15073
15679
  # Data integrity with Content-MD5
15074
15680
  # : * **General purpose bucket** - To ensure that data is not corrupted
15075
15681
  # traversing the network, use the `Content-MD5` header. When you use
@@ -15419,25 +16025,65 @@ module Aws::S3
15419
16025
  # object in Amazon S3 (for example, `AES256`, `aws:kms`,
15420
16026
  # `aws:kms:dsse`).
15421
16027
  #
15422
- # <b>General purpose buckets </b> - You have four mutually exclusive
15423
- # options to protect data using server-side encryption in Amazon S3,
15424
- # depending on how you choose to manage the encryption keys.
15425
- # Specifically, the encryption key options are Amazon S3 managed keys
15426
- # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
15427
- # customer-provided keys (SSE-C). Amazon S3 encrypts data with
15428
- # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
15429
- # default. You can optionally tell Amazon S3 to encrypt data at rest by
15430
- # using server-side encryption with other key options. For more
15431
- # information, see [Using Server-Side Encryption][1] in the *Amazon S3
15432
- # User Guide*.
16028
+ # * <b>General purpose buckets </b> - You have four mutually exclusive
16029
+ # options to protect data using server-side encryption in Amazon S3,
16030
+ # depending on how you choose to manage the encryption keys.
16031
+ # Specifically, the encryption key options are Amazon S3 managed keys
16032
+ # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
16033
+ # customer-provided keys (SSE-C). Amazon S3 encrypts data with
16034
+ # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
16035
+ # default. You can optionally tell Amazon S3 to encrypt data at rest
16036
+ # by using server-side encryption with other key options. For more
16037
+ # information, see [Using Server-Side Encryption][1] in the *Amazon S3
16038
+ # User Guide*.
15433
16039
  #
15434
- # <b>Directory buckets </b> - For directory buckets, only the
15435
- # server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`)
15436
- # value is supported.
16040
+ # * <b>Directory buckets </b> - For directory buckets, there are only
16041
+ # two supported options for server-side encryption: server-side
16042
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
16043
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
16044
+ # recommend that the bucket's default encryption uses the desired
16045
+ # encryption configuration and you don't override the bucket default
16046
+ # encryption in your `CreateSession` requests or `PUT` object
16047
+ # requests. Then, new objects are automatically encrypted with the
16048
+ # desired encryption settings. For more information, see [Protecting
16049
+ # data with server-side encryption][2] in the *Amazon S3 User Guide*.
16050
+ # For more information about the encryption overriding behaviors in
16051
+ # directory buckets, see [Specifying server-side encryption with KMS
16052
+ # for new object uploads][3].
16053
+ #
16054
+ # In the Zonal endpoint API calls (except [CopyObject][4] and
16055
+ # [UploadPartCopy][5]) using the REST API, the encryption request
16056
+ # headers must match the encryption settings that are specified in the
16057
+ # `CreateSession` request. You can't override the values of the
16058
+ # encryption settings (`x-amz-server-side-encryption`,
16059
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
16060
+ # `x-amz-server-side-encryption-context`, and
16061
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
16062
+ # specified in the `CreateSession` request. You don't need to
16063
+ # explicitly specify these encryption settings values in Zonal
16064
+ # endpoint API calls, and Amazon S3 will use the encryption settings
16065
+ # values from the `CreateSession` request to protect new objects in
16066
+ # the directory bucket.
16067
+ #
16068
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
16069
+ # `CreateSession`, the session token refreshes automatically to avoid
16070
+ # service interruptions when a session expires. The CLI or the Amazon
16071
+ # Web Services SDKs use the bucket's default encryption configuration
16072
+ # for the `CreateSession` request. It's not supported to override the
16073
+ # encryption settings values in the `CreateSession` request. So in the
16074
+ # Zonal endpoint API calls (except [CopyObject][4] and
16075
+ # [UploadPartCopy][5]), the encryption request headers must match the
16076
+ # default encryption configuration of the directory bucket.
16077
+ #
16078
+ # </note>
15437
16079
  #
15438
16080
  #
15439
16081
  #
15440
16082
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
16083
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
16084
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
16085
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
16086
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
15441
16087
  #
15442
16088
  # @option params [String] :storage_class
15443
16089
  # By default, Amazon S3 uses the STANDARD Storage Class to store newly
@@ -15517,46 +16163,83 @@ module Aws::S3
15517
16163
  # </note>
15518
16164
  #
15519
16165
  # @option params [String] :ssekms_key_id
15520
- # If `x-amz-server-side-encryption` has a valid value of `aws:kms` or
15521
- # `aws:kms:dsse`, this header specifies the ID (Key ID, Key ARN, or Key
15522
- # Alias) of the Key Management Service (KMS) symmetric encryption
15523
- # customer managed key that was used for the object. If you specify
15524
- # `x-amz-server-side-encryption:aws:kms` or
15525
- # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide`
15526
- # x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
15527
- # Amazon Web Services managed key (`aws/s3`) to protect the data. If the
15528
- # KMS key does not exist in the same account that's issuing the
15529
- # command, you must use the full ARN and not just the ID.
16166
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
16167
+ # object encryption. If the KMS key doesn't exist in the same account
16168
+ # that's issuing the command, you must use the full Key ARN not the Key
16169
+ # ID.
16170
+ #
16171
+ # **General purpose buckets** - If you specify
16172
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
16173
+ # header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
16174
+ # to use. If you specify `x-amz-server-side-encryption:aws:kms` or
16175
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
16176
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
16177
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
16178
+ #
16179
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
16180
+ # with `aws:kms`, you must specify the `
16181
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
16182
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
16183
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
16184
+ # key ID or key ARN. The key alias format of the KMS key isn't
16185
+ # supported. Your SSE-KMS configuration can only support 1 [customer
16186
+ # managed key][1] per directory bucket for the lifetime of the bucket.
16187
+ # [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
16188
+ #
16189
+ #
16190
+ #
16191
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
16192
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
15530
16193
  #
15531
- # <note markdown="1"> This functionality is not supported for directory buckets.
16194
+ # @option params [String] :ssekms_encryption_context
16195
+ # Specifies the Amazon Web Services KMS Encryption Context as an
16196
+ # additional encryption context to use for object encryption. The value
16197
+ # of this header is a Base64-encoded string of a UTF-8 encoded JSON,
16198
+ # which contains the encryption context as key-value pairs. This value
16199
+ # is stored as object metadata and automatically gets passed on to
16200
+ # Amazon Web Services KMS for future `GetObject` operations on this
16201
+ # object.
15532
16202
  #
15533
- # </note>
16203
+ # **General purpose buckets** - This value must be explicitly added
16204
+ # during `CopyObject` operations if you want an additional encryption
16205
+ # context for your object. For more information, see [Encryption
16206
+ # context][1] in the *Amazon S3 User Guide*.
15534
16207
  #
15535
- # @option params [String] :ssekms_encryption_context
15536
- # Specifies the Amazon Web Services KMS Encryption Context to use for
15537
- # object encryption. The value of this header is a base64-encoded UTF-8
15538
- # string holding JSON with the encryption context key-value pairs. This
15539
- # value is stored as object metadata and automatically gets passed on to
15540
- # Amazon Web Services KMS for future `GetObject` or `CopyObject`
15541
- # operations on this object. This value must be explicitly added during
15542
- # `CopyObject` operations.
16208
+ # **Directory buckets** - You can optionally provide an explicit
16209
+ # encryption context value. The value must match the default encryption
16210
+ # context - the bucket Amazon Resource Name (ARN). An additional
16211
+ # encryption context value is not supported.
15543
16212
  #
15544
- # <note markdown="1"> This functionality is not supported for directory buckets.
15545
16213
  #
15546
- # </note>
16214
+ #
16215
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
15547
16216
  #
15548
16217
  # @option params [Boolean] :bucket_key_enabled
15549
16218
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
15550
16219
  # encryption with server-side encryption using Key Management Service
15551
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
15552
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
16220
+ # (KMS) keys (SSE-KMS).
16221
+ #
16222
+ # **General purpose buckets** - Setting this header to `true` causes
16223
+ # Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
16224
+ # Also, specifying this header with a PUT action doesn't affect
16225
+ # bucket-level settings for S3 Bucket Key.
15553
16226
  #
15554
- # Specifying this header with a PUT action doesn’t affect bucket-level
15555
- # settings for S3 Bucket Key.
16227
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
16228
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
16229
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
16230
+ # from general purpose buckets to directory buckets, from directory
16231
+ # buckets to general purpose buckets, or between directory buckets,
16232
+ # through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
16233
+ # Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
16234
+ # makes a call to KMS every time a copy request is made for a
16235
+ # KMS-encrypted object.
15556
16236
  #
15557
- # <note markdown="1"> This functionality is not supported for directory buckets.
15558
16237
  #
15559
- # </note>
16238
+ #
16239
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
16240
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
16241
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
16242
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
15560
16243
  #
15561
16244
  # @option params [String] :request_payer
15562
16245
  # Confirms that the requester knows that they will be charged for the
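Review bot: In the new **Directory buckets** paragraph of `:ssekms_key_id`, the code span around the header name opens at the end of one comment line and the name itself starts on the next, so the rendered span begins with a line break and a space. The opening backtick should move to the start of the following line, directly before `x-amz-server-side-encryption-aws-kms-key-id`; this hunk already makes that repair in the general purpose paragraph. Under `:bucket_key_enabled`, references `[3]` (`.../userguide/directory-buckets-objects-Batch-Ops`) and `[4]` (`.../userguide/create-import-job`) lack the `.html` suffix that every other reference in the hunk carries, so it is worth checking that they resolve. If this file is generated from the service model, both fixes belong upstream rather than here.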
@@ -15634,24 +16317,22 @@ module Aws::S3
15634
16317
  # * {Types::PutObjectOutput#request_charged #request_charged} => String
15635
16318
  #
15636
16319
  #
15637
- # @example Example: To upload an object (specify optional headers)
16320
+ # @example Example: To upload an object and specify optional tags
15638
16321
  #
15639
- # # The following example uploads an object. The request specifies optional request headers to directs S3 to use specific
15640
- # # storage class and use server-side encryption.
16322
+ # # The following example uploads an object. The request specifies optional object tags. The bucket is versioned, therefore
16323
+ # # S3 returns version ID of the newly created object.
15641
16324
  #
15642
16325
  # resp = client.put_object({
15643
- # body: "HappyFace.jpg",
16326
+ # body: "c:\\HappyFace.jpg",
15644
16327
  # bucket: "examplebucket",
15645
16328
  # key: "HappyFace.jpg",
15646
- # server_side_encryption: "AES256",
15647
- # storage_class: "STANDARD_IA",
16329
+ # tagging: "key1=value1&key2=value2",
15648
16330
  # })
15649
16331
  #
15650
16332
  # resp.to_h outputs the following:
15651
16333
  # {
15652
16334
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15653
- # server_side_encryption: "AES256",
15654
- # version_id: "CG612hodqujkf8FaaNfp8U..FIhLROcp",
16335
+ # version_id: "psM2sYY4.o1501dSx8wMvnkOzSBB.V4a",
15655
16336
  # }
15656
16337
  #
15657
16338
  # @example Example: To create an object.
@@ -15670,98 +16351,100 @@ module Aws::S3
15670
16351
  # version_id: "Bvq0EDKxOcXLJXNo_Lkz37eM3R4pfzyQ",
15671
16352
  # }
15672
16353
  #
15673
- # @example Example: To upload an object
16354
+ # @example Example: To upload object and specify user-defined metadata
15674
16355
  #
15675
- # # The following example uploads an object to a versioning-enabled bucket. The source file is specified using Windows file
15676
- # # syntax. S3 returns VersionId of the newly created object.
16356
+ # # The following example creates an object. The request also specifies optional metadata. If the bucket is versioning
16357
+ # # enabled, S3 returns version ID in response.
15677
16358
  #
15678
16359
  # resp = client.put_object({
15679
- # body: "HappyFace.jpg",
16360
+ # body: "filetoupload",
15680
16361
  # bucket: "examplebucket",
15681
- # key: "HappyFace.jpg",
16362
+ # key: "exampleobject",
16363
+ # metadata: {
16364
+ # "metadata1" => "value1",
16365
+ # "metadata2" => "value2",
16366
+ # },
15682
16367
  # })
15683
16368
  #
15684
16369
  # resp.to_h outputs the following:
15685
16370
  # {
15686
16371
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15687
- # version_id: "tpf3zF08nBplQK1XLOefGskR7mGDwcDk",
16372
+ # version_id: "pSKidl4pHBiNwukdbcPXAIs.sshFFOc0",
15688
16373
  # }
15689
16374
  #
15690
- # @example Example: To upload an object and specify optional tags
16375
+ # @example Example: To upload an object
15691
16376
  #
15692
- # # The following example uploads an object. The request specifies optional object tags. The bucket is versioned, therefore
15693
- # # S3 returns version ID of the newly created object.
16377
+ # # The following example uploads an object to a versioning-enabled bucket. The source file is specified using Windows file
16378
+ # # syntax. S3 returns VersionId of the newly created object.
15694
16379
  #
15695
16380
  # resp = client.put_object({
15696
- # body: "c:\\HappyFace.jpg",
16381
+ # body: "HappyFace.jpg",
15697
16382
  # bucket: "examplebucket",
15698
16383
  # key: "HappyFace.jpg",
15699
- # tagging: "key1=value1&key2=value2",
15700
16384
  # })
15701
16385
  #
15702
16386
  # resp.to_h outputs the following:
15703
16387
  # {
15704
16388
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15705
- # version_id: "psM2sYY4.o1501dSx8wMvnkOzSBB.V4a",
16389
+ # version_id: "tpf3zF08nBplQK1XLOefGskR7mGDwcDk",
15706
16390
  # }
15707
16391
  #
15708
- # @example Example: To upload an object and specify canned ACL.
16392
+ # @example Example: To upload an object and specify server-side encryption and object tags
15709
16393
  #
15710
- # # The following example uploads and object. The request specifies optional canned ACL (access control list) to all READ
15711
- # # access to authenticated users. If the bucket is versioning enabled, S3 returns version ID in response.
16394
+ # # The following example uploads an object. The request specifies the optional server-side encryption option. The request
16395
+ # # also specifies optional object tags. If the bucket is versioning enabled, S3 returns version ID in response.
15712
16396
  #
15713
16397
  # resp = client.put_object({
15714
- # acl: "authenticated-read",
15715
16398
  # body: "filetoupload",
15716
16399
  # bucket: "examplebucket",
15717
16400
  # key: "exampleobject",
16401
+ # server_side_encryption: "AES256",
16402
+ # tagging: "key1=value1&key2=value2",
15718
16403
  # })
15719
16404
  #
15720
16405
  # resp.to_h outputs the following:
15721
16406
  # {
15722
16407
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15723
- # version_id: "Kirh.unyZwjQ69YxcQLA8z4F5j3kJJKr",
16408
+ # server_side_encryption: "AES256",
16409
+ # version_id: "Ri.vC6qVlA4dEnjgRV4ZHsHoFIjqEMNt",
15724
16410
  # }
15725
16411
  #
15726
- # @example Example: To upload object and specify user-defined metadata
16412
+ # @example Example: To upload an object and specify canned ACL.
15727
16413
  #
15728
- # # The following example creates an object. The request also specifies optional metadata. If the bucket is versioning
15729
- # # enabled, S3 returns version ID in response.
16414
+ # # The following example uploads and object. The request specifies optional canned ACL (access control list) to all READ
16415
+ # # access to authenticated users. If the bucket is versioning enabled, S3 returns version ID in response.
15730
16416
  #
15731
16417
  # resp = client.put_object({
16418
+ # acl: "authenticated-read",
15732
16419
  # body: "filetoupload",
15733
16420
  # bucket: "examplebucket",
15734
16421
  # key: "exampleobject",
15735
- # metadata: {
15736
- # "metadata1" => "value1",
15737
- # "metadata2" => "value2",
15738
- # },
15739
16422
  # })
15740
16423
  #
15741
16424
  # resp.to_h outputs the following:
15742
16425
  # {
15743
16426
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15744
- # version_id: "pSKidl4pHBiNwukdbcPXAIs.sshFFOc0",
16427
+ # version_id: "Kirh.unyZwjQ69YxcQLA8z4F5j3kJJKr",
15745
16428
  # }
15746
16429
  #
15747
- # @example Example: To upload an object and specify server-side encryption and object tags
16430
+ # @example Example: To upload an object (specify optional headers)
15748
16431
  #
15749
- # # The following example uploads an object. The request specifies the optional server-side encryption option. The request
15750
- # # also specifies optional object tags. If the bucket is versioning enabled, S3 returns version ID in response.
16432
+ # # The following example uploads an object. The request specifies optional request headers to directs S3 to use specific
16433
+ # # storage class and use server-side encryption.
15751
16434
  #
15752
16435
  # resp = client.put_object({
15753
- # body: "filetoupload",
16436
+ # body: "HappyFace.jpg",
15754
16437
  # bucket: "examplebucket",
15755
- # key: "exampleobject",
16438
+ # key: "HappyFace.jpg",
15756
16439
  # server_side_encryption: "AES256",
15757
- # tagging: "key1=value1&key2=value2",
16440
+ # storage_class: "STANDARD_IA",
15758
16441
  # })
15759
16442
  #
15760
16443
  # resp.to_h outputs the following:
15761
16444
  # {
15762
16445
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15763
16446
  # server_side_encryption: "AES256",
15764
- # version_id: "Ri.vC6qVlA4dEnjgRV4ZHsHoFIjqEMNt",
16447
+ # version_id: "CG612hodqujkf8FaaNfp8U..FIhLROcp",
15765
16448
  # }
15766
16449
  #
15767
16450
  # @example Streaming a file from disk
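Review bot: The canned-ACL example that this hunk moves keeps a description with two typos ("uploads and object", "to all READ access") and it understates what `acl: "authenticated-read"` grants. That ACL gives READ to the AuthenticatedUsers group, meaning any authenticated AWS principal, not only users in the bucket owner's account, and a reader copying the example should see that. I would reword the first comment line to `# # The following example uploads an object. The request specifies the optional canned ACL "authenticated-read", which grants READ to any authenticated AWS principal.` and leave the versioning sentence as it is. The hunk only reorders the `put_object` examples, so this wording predates the change, and the method documentation continues outside the hunk.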
@@ -17774,6 +18457,10 @@ module Aws::S3
17774
18457
  # interruptions when a session expires. For more information about
17775
18458
  # authorization, see [ `CreateSession` ][9].
17776
18459
  #
18460
+ # If the object is encrypted with SSE-KMS, you must also have the
18461
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
18462
+ # identity-based policies and KMS key policies for the KMS key.
18463
+ #
17777
18464
  # Data integrity
17778
18465
  #
17779
18466
  # : **General purpose bucket** - To ensure that data is not corrupted
@@ -17825,12 +18512,13 @@ module Aws::S3
17825
18512
  #
17826
18513
  # * x-amz-server-side-encryption-customer-key-MD5
17827
18514
  #
17828
- # * **Directory bucket** - For directory buckets, only server-side
17829
- # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is
17830
- # supported.
18515
+ # For more information, see [Using Server-Side Encryption][11] in
18516
+ # the *Amazon S3 User Guide*.
17831
18517
  #
17832
- # For more information, see [Using Server-Side Encryption][11] in the
17833
- # *Amazon S3 User Guide*.
18518
+ # * <b>Directory buckets </b> - For directory buckets, there are only
18519
+ # two supported options for server-side encryption: server-side
18520
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
18521
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`).
17834
18522
  #
17835
18523
  # Special errors
17836
18524
  # : * Error Code: `NoSuchUpload`
@@ -18243,6 +18931,10 @@ module Aws::S3
18243
18931
  # destination. The `s3express:SessionMode` condition key cannot be
18244
18932
  # set to `ReadOnly` on the copy destination.
18245
18933
  #
18934
+ # If the object is encrypted with SSE-KMS, you must also have the
18935
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
18936
+ # identity-based policies and KMS key policies for the KMS key.
18937
+ #
18246
18938
  # For example policies, see [Example bucket policies for S3 Express
18247
18939
  # One Zone][10] and [Amazon Web Services Identity and Access
18248
18940
  # Management (IAM) identity-based policies for S3 Express One
@@ -18254,9 +18946,26 @@ module Aws::S3
18254
18946
  # the `UploadPartCopy` operation, see [CopyObject][12] and
18255
18947
  # [UploadPart][2].
18256
18948
  #
18257
- # * <b>Directory buckets </b> - For directory buckets, only
18258
- # server-side encryption with Amazon S3 managed keys (SSE-S3)
18259
- # (`AES256`) is supported.
18949
+ # * <b>Directory buckets </b> - For directory buckets, there are only
18950
+ # two supported options for server-side encryption: server-side
18951
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
18952
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). For
18953
+ # more information, see [Protecting data with server-side
18954
+ # encryption][13] in the *Amazon S3 User Guide*.
18955
+ #
18956
+ # <note markdown="1"> For directory buckets, when you perform a `CreateMultipartUpload`
18957
+ # operation and an `UploadPartCopy` operation, the request headers
18958
+ # you provide in the `CreateMultipartUpload` request must match the
18959
+ # default encryption configuration of the destination bucket.
18960
+ #
18961
+ # </note>
18962
+ #
18963
+ # S3 Bucket Keys aren't supported, when you copy SSE-KMS encrypted
18964
+ # objects from general purpose buckets to directory buckets, from
18965
+ # directory buckets to general purpose buckets, or between directory
18966
+ # buckets, through [UploadPartCopy][14]. In this case, Amazon S3
18967
+ # makes a call to KMS every time a copy request is made for a
18968
+ # KMS-encrypted object.
18260
18969
  #
18261
18970
  # Special errors
18262
18971
  # : * Error Code: `NoSuchUpload`
@@ -18281,17 +18990,17 @@ module Aws::S3
18281
18990
  #
18282
18991
  # The following operations are related to `UploadPartCopy`:
18283
18992
  #
18284
- # * [CreateMultipartUpload][13]
18993
+ # * [CreateMultipartUpload][15]
18285
18994
  #
18286
18995
  # * [UploadPart][2]
18287
18996
  #
18288
- # * [CompleteMultipartUpload][14]
18997
+ # * [CompleteMultipartUpload][16]
18289
18998
  #
18290
- # * [AbortMultipartUpload][15]
18999
+ # * [AbortMultipartUpload][17]
18291
19000
  #
18292
- # * [ListParts][16]
19001
+ # * [ListParts][18]
18293
19002
  #
18294
- # * [ListMultipartUploads][17]
19003
+ # * [ListMultipartUploads][19]
18295
19004
  #
18296
19005
  #
18297
19006
  #
@@ -18307,11 +19016,13 @@ module Aws::S3
18307
19016
  # [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html
18308
19017
  # [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html
18309
19018
  # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
18310
- # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
18311
- # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
18312
- # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
18313
- # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
18314
- # [17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
19019
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
19020
+ # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
19021
+ # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
19022
+ # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
19023
+ # [17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
19024
+ # [18]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
19025
+ # [19]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
18315
19026
  #
18316
19027
  # @option params [required, String] :bucket
18317
19028
  # The bucket name.
@@ -18597,45 +19308,45 @@ module Aws::S3
18597
19308
  # * {Types::UploadPartCopyOutput#request_charged #request_charged} => String
18598
19309
  #
18599
19310
  #
18600
- # @example Example: To upload a part by copying data from an existing object as data source
19311
+ # @example Example: To upload a part by copying byte range from an existing object as data source
18601
19312
  #
18602
- # # The following example uploads a part of a multipart upload by copying data from an existing object as data source.
19313
+ # # The following example uploads a part of a multipart upload by copying a specified byte range from an existing object as
19314
+ # # data source.
18603
19315
  #
18604
19316
  # resp = client.upload_part_copy({
18605
19317
  # bucket: "examplebucket",
18606
19318
  # copy_source: "/bucketname/sourceobjectkey",
19319
+ # copy_source_range: "bytes=1-100000",
18607
19320
  # key: "examplelargeobject",
18608
- # part_number: 1,
19321
+ # part_number: 2,
18609
19322
  # upload_id: "exampleuoh_10OhKhT7YukE9bjzTPRiuaCotmZM_pFngJFir9OZNrSr5cWa3cq3LZSUsfjI4FI7PkP91We7Nrw--",
18610
19323
  # })
18611
19324
  #
18612
19325
  # resp.to_h outputs the following:
18613
19326
  # {
18614
19327
  # copy_part_result: {
18615
- # etag: "\"b0c6f0e7e054ab8fa2536a2677f8734d\"",
18616
- # last_modified: Time.parse("2016-12-29T21:24:43.000Z"),
19328
+ # etag: "\"65d16d19e65a7508a51f043180edcc36\"",
19329
+ # last_modified: Time.parse("2016-12-29T21:44:28.000Z"),
18617
19330
  # },
18618
19331
  # }
18619
19332
  #
18620
- # @example Example: To upload a part by copying byte range from an existing object as data source
19333
+ # @example Example: To upload a part by copying data from an existing object as data source
18621
19334
  #
18622
- # # The following example uploads a part of a multipart upload by copying a specified byte range from an existing object as
18623
- # # data source.
19335
+ # # The following example uploads a part of a multipart upload by copying data from an existing object as data source.
18624
19336
  #
18625
19337
  # resp = client.upload_part_copy({
18626
19338
  # bucket: "examplebucket",
18627
19339
  # copy_source: "/bucketname/sourceobjectkey",
18628
- # copy_source_range: "bytes=1-100000",
18629
19340
  # key: "examplelargeobject",
18630
- # part_number: 2,
19341
+ # part_number: 1,
18631
19342
  # upload_id: "exampleuoh_10OhKhT7YukE9bjzTPRiuaCotmZM_pFngJFir9OZNrSr5cWa3cq3LZSUsfjI4FI7PkP91We7Nrw--",
18632
19343
  # })
18633
19344
  #
18634
19345
  # resp.to_h outputs the following:
18635
19346
  # {
18636
19347
  # copy_part_result: {
18637
- # etag: "\"65d16d19e65a7508a51f043180edcc36\"",
18638
- # last_modified: Time.parse("2016-12-29T21:44:28.000Z"),
19348
+ # etag: "\"b0c6f0e7e054ab8fa2536a2677f8734d\"",
19349
+ # last_modified: Time.parse("2016-12-29T21:24:43.000Z"),
18639
19350
  # },
18640
19351
  # }
18641
19352
  #
@@ -19085,14 +19796,19 @@ module Aws::S3
19085
19796
  # @api private
19086
19797
  def build_request(operation_name, params = {})
19087
19798
  handlers = @handlers.for(operation_name)
19799
+ tracer = config.telemetry_provider.tracer_provider.tracer(
19800
+ Aws::Telemetry.module_to_tracer_name('Aws::S3')
19801
+ )
19088
19802
  context = Seahorse::Client::RequestContext.new(
19089
19803
  operation_name: operation_name,
19090
19804
  operation: config.api.operation(operation_name),
19091
19805
  client: self,
19092
19806
  params: params,
19093
- config: config)
19807
+ config: config,
19808
+ tracer: tracer
19809
+ )
19094
19810
  context[:gem_name] = 'aws-sdk-s3'
19095
- context[:gem_version] = '1.159.0'
19811
+ context[:gem_version] = '1.163.0'
19096
19812
  Seahorse::Client::Request.new(handlers, context)
19097
19813
  end
19098
19814