aws-sdk-s3 1.159.0 → 1.163.0

@@ -288,11 +288,6 @@ module Aws::S3
288
288
 
289
289
  # The server-side encryption algorithm used when you store this object
290
290
  # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
291
- #
292
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
293
- # managed keys (SSE-S3) (`AES256`) is supported.
294
- #
295
- # </note>
296
291
  # @return [String]
297
292
  def server_side_encryption
298
293
  data[:server_side_encryption]
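Review bot: the five removed comment lines before `# @return [String]` delete the directory-bucket note from the `server_side_encryption` reader without replacing it, while the `:server_side_encryption` option docs later in this patch state that directory buckets now support both SSE-S3 (`AES256`) and SSE-KMS (`aws:kms`). Suggest a one-line replacement in the same spot, e.g. `# For directory buckets, `AES256` and `aws:kms` are the possible values.`, so the reader doc is not silent on directory buckets.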
@@ -329,13 +324,8 @@ module Aws::S3
329
324
  data[:sse_customer_key_md5]
330
325
  end
331
326
 
332
- # If present, indicates the ID of the Key Management Service (KMS)
333
- # symmetric encryption customer managed key that was used for the
334
- # object.
335
- #
336
- # <note markdown="1"> This functionality is not supported for directory buckets.
337
- #
338
- # </note>
327
+ # If present, indicates the ID of the KMS key that was used for object
328
+ # encryption.
339
329
  # @return [String]
340
330
  def ssekms_key_id
341
331
  data[:ssekms_key_id]
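Review bot: the rewritten sentence "indicates the ID of the KMS key that was used for object encryption" drops the qualifier "symmetric encryption customer managed key" and, like the previous hunk, removes the directory-bucket note without saying what applies there, although the `:ssekms_key_id` option docs added below say directory buckets accept only a customer managed key given as Key ID or Key ARN (no alias). Suggest stating which form (Key ID or Key ARN) the reader returns, or at least keeping "customer managed key" so the reader and option docs agree.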
@@ -343,10 +333,6 @@ module Aws::S3
343
333
 
344
334
  # Indicates whether the object uses an S3 Bucket Key for server-side
345
335
  # encryption with Key Management Service (KMS) keys (SSE-KMS).
346
- #
347
- # <note markdown="1"> This functionality is not supported for directory buckets.
348
- #
349
- # </note>
350
336
  # @return [Boolean]
351
337
  def bucket_key_enabled
352
338
  data[:bucket_key_enabled]
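Review bot: removing the directory-bucket note from `bucket_key_enabled` leaves this reader silent on directory buckets, whereas the `:bucket_key_enabled` option docs added later in this patch state that S3 Bucket Keys are always enabled for `GET` and `PUT` in a directory bucket and can't be disabled, and are not used when copying SSE-KMS objects. Suggest a short replacement line here carrying that statement, since this getter is where a caller inspects the returned value.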
@@ -1031,9 +1017,8 @@ module Aws::S3
1031
1017
  # </note>
1032
1018
  # @option options [String] :server_side_encryption
1033
1019
  # The server-side encryption algorithm used when storing this object in
1034
- # Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
1035
- # Unrecognized or unsupported values won’t write a destination object
1036
- # and will receive a `400 Bad Request` response.
1020
+ # Amazon S3. Unrecognized or unsupported values won’t write a
1021
+ # destination object and will receive a `400 Bad Request` response.
1037
1022
  #
1038
1023
  # Amazon S3 automatically encrypts all new objects that are copied to an
1039
1024
  # S3 bucket. When copying an object, if you don't specify encryption
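Review bot: the example values `AES256`, `aws:kms`, `aws:kms:dsse` are dropped from the copy `:server_side_encryption` option, so the sentence now ends at "Amazon S3." with no hint of accepted values, while the same option on `put_object` in this patch keeps "(for example, `AES256`, `aws:kms`)"; suggest retaining the parenthetical. Minor: the added line uses a typographic apostrophe in `won’t` where the rest of the paragraph (`don't`) uses ASCII; pick one.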
@@ -1041,35 +1026,72 @@ module Aws::S3
1041
1026
  # object is set to the default encryption configuration of the
1042
1027
  # destination bucket. By default, all buckets have a base level of
1043
1028
  # encryption configuration that uses server-side encryption with Amazon
1044
- # S3 managed keys (SSE-S3). If the destination bucket has a default
1045
- # encryption configuration that uses server-side encryption with Key
1046
- # Management Service (KMS) keys (SSE-KMS), dual-layer server-side
1047
- # encryption with Amazon Web Services KMS keys (DSSE-KMS), or
1048
- # server-side encryption with customer-provided encryption keys (SSE-C),
1049
- # Amazon S3 uses the corresponding KMS key, or a customer-provided key
1050
- # to encrypt the target object copy.
1051
- #
1052
- # When you perform a `CopyObject` operation, if you want to use a
1053
- # different type of encryption setting for the target object, you can
1054
- # specify appropriate encryption-related headers to encrypt the target
1055
- # object with an Amazon S3 managed key, a KMS key, or a
1056
- # customer-provided key. If the encryption setting in your request is
1057
- # different from the default encryption configuration of the destination
1058
- # bucket, the encryption setting in your request takes precedence.
1029
+ # S3 managed keys (SSE-S3). If the destination bucket has a different
1030
+ # default encryption configuration, Amazon S3 uses the corresponding
1031
+ # encryption key to encrypt the target object copy.
1059
1032
  #
1060
1033
  # With server-side encryption, Amazon S3 encrypts your data as it writes
1061
1034
  # your data to disks in its data centers and decrypts the data when you
1062
1035
  # access it. For more information about server-side encryption, see
1063
1036
  # [Using Server-Side Encryption][1] in the *Amazon S3 User Guide*.
1064
1037
  #
1065
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
1066
- # managed keys (SSE-S3) (`AES256`) is supported.
1067
- #
1068
- # </note>
1038
+ # <b>General purpose buckets </b>
1039
+ #
1040
+ # * For general purpose buckets, there are the following supported
1041
+ # options for server-side encryption: server-side encryption with Key
1042
+ # Management Service (KMS) keys (SSE-KMS), dual-layer server-side
1043
+ # encryption with Amazon Web Services KMS keys (DSSE-KMS), and
1044
+ # server-side encryption with customer-provided encryption keys
1045
+ # (SSE-C). Amazon S3 uses the corresponding KMS key, or a
1046
+ # customer-provided key to encrypt the target object copy.
1047
+ #
1048
+ # * When you perform a `CopyObject` operation, if you want to use a
1049
+ # different type of encryption setting for the target object, you can
1050
+ # specify appropriate encryption-related headers to encrypt the target
1051
+ # object with an Amazon S3 managed key, a KMS key, or a
1052
+ # customer-provided key. If the encryption setting in your request is
1053
+ # different from the default encryption configuration of the
1054
+ # destination bucket, the encryption setting in your request takes
1055
+ # precedence.
1056
+ #
1057
+ # <b>Directory buckets </b>
1058
+ #
1059
+ # * For directory buckets, there are only two supported options for
1060
+ # server-side encryption: server-side encryption with Amazon S3
1061
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
1062
+ # keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's default
1063
+ # encryption uses the desired encryption configuration and you don't
1064
+ # override the bucket default encryption in your `CreateSession`
1065
+ # requests or `PUT` object requests. Then, new objects are
1066
+ # automatically encrypted with the desired encryption settings. For
1067
+ # more information, see [Protecting data with server-side
1068
+ # encryption][2] in the *Amazon S3 User Guide*. For more information
1069
+ # about the encryption overriding behaviors in directory buckets, see
1070
+ # [Specifying server-side encryption with KMS for new object
1071
+ # uploads][3].
1072
+ #
1073
+ # * To encrypt new object copies to a directory bucket with SSE-KMS, we
1074
+ # recommend you specify SSE-KMS as the directory bucket's default
1075
+ # encryption configuration with a KMS key (specifically, a [customer
1076
+ # managed key][4]). [Amazon Web Services managed key][5] (`aws/s3`)
1077
+ # isn't supported. Your SSE-KMS configuration can only support 1
1078
+ # [customer managed key][4] per directory bucket for the lifetime of
1079
+ # the bucket. After you specify a customer managed key for SSE-KMS,
1080
+ # you can't override the customer managed key for the bucket's
1081
+ # SSE-KMS configuration. Then, when you perform a `CopyObject`
1082
+ # operation and want to specify server-side encryption settings for
1083
+ # new object copies with SSE-KMS in the encryption-related request
1084
+ # headers, you must ensure the encryption key is the same customer
1085
+ # managed key that you specified for the directory bucket's default
1086
+ # encryption configuration.
1069
1087
  #
1070
1088
  #
1071
1089
  #
1072
1090
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
1091
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
1092
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
1093
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
1094
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1073
1095
  # @option options [String] :storage_class
1074
1096
  # If the `x-amz-storage-class` header is not used, the copied object
1075
1097
  # will be stored in the `STANDARD` Storage Class by default. The
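Review bot: the general purpose bullet reads as if a condition was lost in the rewrite: "there are the following supported options for server-side encryption: SSE-KMS, DSSE-KMS, and SSE-C. Amazon S3 uses the corresponding KMS key, or a customer-provided key to encrypt the target object copy." The removed text attached that last sentence to "If the destination bucket has a default encryption configuration that uses ...", and without it the bullet omits SSE-S3 from the supported options and contradicts the preceding "By default ... SSE-S3" paragraph. Suggest restoring the condition, e.g. "If the destination bucket's default encryption uses SSE-KMS, DSSE-KMS, or SSE-C, Amazon S3 uses the corresponding KMS key or customer-provided key to encrypt the target object copy." Minor: `<b>General purpose buckets </b>` and `<b>Directory buckets </b>` carry a stray space before the closing tag, and "1 [customer managed key][4]" should be "one".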
@@ -1160,32 +1182,50 @@ module Aws::S3
1160
1182
  #
1161
1183
  # </note>
1162
1184
  # @option options [String] :ssekms_key_id
1163
- # Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for object
1164
- # encryption. All GET and PUT requests for an object protected by KMS
1165
- # will fail if they're not made via SSL or using SigV4. For information
1166
- # about configuring any of the officially supported Amazon Web Services
1167
- # SDKs and Amazon Web Services CLI, see [Specifying the Signature
1168
- # Version in Request Authentication][1] in the *Amazon S3 User Guide*.
1169
- #
1170
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1171
- # directory bucket.
1172
- #
1173
- # </note>
1185
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
1186
+ # object encryption. All GET and PUT requests for an object protected by
1187
+ # KMS will fail if they're not made via SSL or using SigV4. For
1188
+ # information about configuring any of the officially supported Amazon
1189
+ # Web Services SDKs and Amazon Web Services CLI, see [Specifying the
1190
+ # Signature Version in Request Authentication][1] in the *Amazon S3 User
1191
+ # Guide*.
1192
+ #
1193
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
1194
+ # with `aws:kms`, you must specify the `
1195
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
1196
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
1197
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
1198
+ # key ID or key ARN. The key alias format of the KMS key isn't
1199
+ # supported. Your SSE-KMS configuration can only support 1 [customer
1200
+ # managed key][2] per directory bucket for the lifetime of the bucket.
1201
+ # [Amazon Web Services managed key][3] (`aws/s3`) isn't supported.
1174
1202
  #
1175
1203
  #
1176
1204
  #
1177
1205
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
1206
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
1207
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1178
1208
  # @option options [String] :ssekms_encryption_context
1179
- # Specifies the Amazon Web Services KMS Encryption Context to use for
1180
- # object encryption. The value of this header is a base64-encoded UTF-8
1181
- # string holding JSON with the encryption context key-value pairs. This
1182
- # value must be explicitly added to specify encryption context for
1183
- # `CopyObject` requests.
1209
+ # Specifies the Amazon Web Services KMS Encryption Context as an
1210
+ # additional encryption context to use for the destination object
1211
+ # encryption. The value of this header is a base64-encoded UTF-8 string
1212
+ # holding JSON with the encryption context key-value pairs.
1184
1213
  #
1185
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1186
- # directory bucket.
1214
+ # **General purpose buckets** - This value must be explicitly added to
1215
+ # specify encryption context for `CopyObject` requests if you want an
1216
+ # additional encryption context for your destination object. The
1217
+ # additional encryption context of the source object won't be copied to
1218
+ # the destination object. For more information, see [Encryption
1219
+ # context][1] in the *Amazon S3 User Guide*.
1187
1220
  #
1188
- # </note>
1221
+ # **Directory buckets** - You can optionally provide an explicit
1222
+ # encryption context value. The value must match the default encryption
1223
+ # context - the bucket Amazon Resource Name (ARN). An additional
1224
+ # encryption context value is not supported.
1225
+ #
1226
+ #
1227
+ #
1228
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
1189
1229
  # @option options [Boolean] :bucket_key_enabled
1190
1230
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
1191
1231
  # encryption with server-side encryption using Key Management Service
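Review bot: in the `**Directory buckets**` paragraph of `:ssekms_key_id` the header name is split across a code span: one line ends with "you must specify the `" and the next starts with "x-amz-server-side-encryption-aws-kms-key-id` header", so the rendered code span begins with a line break. Move the opening backtick onto the same line as the header name. Style: this hunk introduces `**General purpose buckets**` / `**Directory buckets**` Markdown bold, while the `:server_side_encryption` doc of the same `copy_object` options above uses `<b>...</b>`; pick one markup for the file.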
@@ -1199,14 +1239,19 @@ module Aws::S3
1199
1239
  # For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon S3
1200
1240
  # User Guide*.
1201
1241
  #
1202
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1203
- # directory bucket.
1242
+ # <note markdown="1"> **Directory buckets** - S3 Bucket Keys aren't supported, when you
1243
+ # copy SSE-KMS encrypted objects from general purpose buckets to
1244
+ # directory buckets, from directory buckets to general purpose buckets,
1245
+ # or between directory buckets, through [CopyObject][2]. In this case,
1246
+ # Amazon S3 makes a call to KMS every time a copy request is made for a
1247
+ # KMS-encrypted object.
1204
1248
  #
1205
1249
  # </note>
1206
1250
  #
1207
1251
  #
1208
1252
  #
1209
1253
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
1254
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
1210
1255
  # @option options [String] :copy_source_sse_customer_algorithm
1211
1256
  # Specifies the algorithm to use when decrypting the source object (for
1212
1257
  # example, `AES256`).
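Review bot: stray comma in "S3 Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects" separates the verb from its condition; drop it. The same sentence (with a longer list of operations) is added to the `put_object` `:bucket_key_enabled` doc later in this patch, so fix both together.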
@@ -1663,10 +1708,10 @@ module Aws::S3
1663
1708
  # @option options [String] :checksum_mode
1664
1709
  # To retrieve the checksum, this mode must be enabled.
1665
1710
  #
1666
- # In addition, if you enable checksum mode and the object is uploaded
1667
- # with a [checksum][1] and encrypted with an Key Management Service
1668
- # (KMS) key, you must have permission to use the `kms:Decrypt` action to
1669
- # retrieve the checksum.
1711
+ # **General purpose buckets** - In addition, if you enable checksum mode
1712
+ # and the object is uploaded with a [checksum][1] and encrypted with an
1713
+ # Key Management Service (KMS) key, you must have permission to use the
1714
+ # `kms:Decrypt` action to retrieve the checksum.
1670
1715
  #
1671
1716
  #
1672
1717
  #
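Review bot: "encrypted with an Key Management Service (KMS) key" should read "a Key Management Service"; the line is rewritten in this hunk, so this is the place to fix it. Also only a `**General purpose buckets**` paragraph is added to this `:checksum_mode` option, whereas the other `:checksum_mode` option at the end of this patch also gains a `**Directory buckets**` paragraph requiring `kms:GenerateDataKey` and `kms:Decrypt`; unless the two operations genuinely differ, mirror that paragraph here.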
@@ -2019,10 +2064,52 @@ module Aws::S3
2019
2064
  # The server-side encryption algorithm used when you store this object
2020
2065
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
2021
2066
  #
2022
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
2023
- # managed keys (SSE-S3) (`AES256`) is supported.
2067
+ # * <b>Directory buckets </b> - For directory buckets, there are only
2068
+ # two supported options for server-side encryption: server-side
2069
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
2070
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
2071
+ # recommend that the bucket's default encryption uses the desired
2072
+ # encryption configuration and you don't override the bucket default
2073
+ # encryption in your `CreateSession` requests or `PUT` object
2074
+ # requests. Then, new objects are automatically encrypted with the
2075
+ # desired encryption settings. For more information, see [Protecting
2076
+ # data with server-side encryption][1] in the *Amazon S3 User Guide*.
2077
+ # For more information about the encryption overriding behaviors in
2078
+ # directory buckets, see [Specifying server-side encryption with KMS
2079
+ # for new object uploads][2].
2080
+ #
2081
+ # In the Zonal endpoint API calls (except [CopyObject][3] and
2082
+ # [UploadPartCopy][4]) using the REST API, the encryption request
2083
+ # headers must match the encryption settings that are specified in the
2084
+ # `CreateSession` request. You can't override the values of the
2085
+ # encryption settings (`x-amz-server-side-encryption`,
2086
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
2087
+ # `x-amz-server-side-encryption-context`, and
2088
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
2089
+ # specified in the `CreateSession` request. You don't need to
2090
+ # explicitly specify these encryption settings values in Zonal
2091
+ # endpoint API calls, and Amazon S3 will use the encryption settings
2092
+ # values from the `CreateSession` request to protect new objects in
2093
+ # the directory bucket.
2094
+ #
2095
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
2096
+ # `CreateSession`, the session token refreshes automatically to avoid
2097
+ # service interruptions when a session expires. The CLI or the Amazon
2098
+ # Web Services SDKs use the bucket's default encryption configuration
2099
+ # for the `CreateSession` request. It's not supported to override the
2100
+ # encryption settings values in the `CreateSession` request. So in the
2101
+ # Zonal endpoint API calls (except [CopyObject][3] and
2102
+ # [UploadPartCopy][4]), the encryption request headers must match the
2103
+ # default encryption configuration of the directory bucket.
2024
2104
  #
2025
- # </note>
2105
+ # </note>
2106
+ #
2107
+ #
2108
+ #
2109
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
2110
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
2111
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
2112
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
2026
2113
  # @option options [String] :storage_class
2027
2114
  # By default, Amazon S3 uses the STANDARD Storage Class to store newly
2028
2115
  # created objects. The STANDARD storage class provides high durability
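Review bot: `:server_side_encryption` now has a single bullet `* <b>Directory buckets </b> - ...` with no general purpose sibling, so it renders as a one-item list; either add the general purpose bullet as the later `:server_side_encryption` hunk in this patch does, or drop the bullet marker and keep the paragraph. Minor: stray space before `</b>` in `<b>Directory buckets </b>`, and the `<note markdown="1">` block sits inside the list item, so check that its continuation lines are indented enough for YARD's Markdown to keep it within the bullet.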
@@ -2075,32 +2162,69 @@ module Aws::S3
2075
2162
  #
2076
2163
  # </note>
2077
2164
  # @option options [String] :ssekms_key_id
2078
- # Specifies the ID (Key ID, Key ARN, or Key Alias) of the symmetric
2079
- # encryption customer managed key to use for object encryption.
2080
- #
2081
- # <note markdown="1"> This functionality is not supported for directory buckets.
2082
- #
2083
- # </note>
2165
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
2166
+ # object encryption. If the KMS key doesn't exist in the same account
2167
+ # that's issuing the command, you must use the full Key ARN not the Key
2168
+ # ID.
2169
+ #
2170
+ # **General purpose buckets** - If you specify
2171
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
2172
+ # header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
2173
+ # to use. If you specify `x-amz-server-side-encryption:aws:kms` or
2174
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
2175
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
2176
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
2177
+ #
2178
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
2179
+ # with `aws:kms`, you must specify the `
2180
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
2181
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
2182
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
2183
+ # key ID or key ARN. The key alias format of the KMS key isn't
2184
+ # supported. Your SSE-KMS configuration can only support 1 [customer
2185
+ # managed key][1] per directory bucket for the lifetime of the bucket.
2186
+ # [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
2187
+ #
2188
+ #
2189
+ #
2190
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
2191
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
2084
2192
  # @option options [String] :ssekms_encryption_context
2085
2193
  # Specifies the Amazon Web Services KMS Encryption Context to use for
2086
- # object encryption. The value of this header is a base64-encoded UTF-8
2087
- # string holding JSON with the encryption context key-value pairs.
2088
- #
2089
- # <note markdown="1"> This functionality is not supported for directory buckets.
2090
- #
2091
- # </note>
2194
+ # object encryption. The value of this header is a Base64-encoded string
2195
+ # of a UTF-8 encoded JSON, which contains the encryption context as
2196
+ # key-value pairs.
2197
+ #
2198
+ # **Directory buckets** - You can optionally provide an explicit
2199
+ # encryption context value. The value must match the default encryption
2200
+ # context - the bucket Amazon Resource Name (ARN). An additional
2201
+ # encryption context value is not supported.
2092
2202
  # @option options [Boolean] :bucket_key_enabled
2093
2203
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
2094
2204
  # encryption with server-side encryption using Key Management Service
2095
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
2096
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
2205
+ # (KMS) keys (SSE-KMS).
2097
2206
  #
2098
- # Specifying this header with an object action doesn’t affect
2207
+ # **General purpose buckets** - Setting this header to `true` causes
2208
+ # Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
2209
+ # Also, specifying this header with a PUT action doesn't affect
2099
2210
  # bucket-level settings for S3 Bucket Key.
2100
2211
  #
2101
- # <note markdown="1"> This functionality is not supported for directory buckets.
2212
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
2213
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
2214
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
2215
+ # from general purpose buckets to directory buckets, from directory
2216
+ # buckets to general purpose buckets, or between directory buckets,
2217
+ # through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
2218
+ # Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
2219
+ # makes a call to KMS every time a copy request is made for a
2220
+ # KMS-encrypted object.
2102
2221
  #
2103
- # </note>
2222
+ #
2223
+ #
2224
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
2225
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
2226
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
2227
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
2104
2228
  # @option options [String] :request_payer
2105
2229
  # Confirms that the requester knows that they will be charged for the
2106
2230
  # request. Bucket owners need not specify this parameter in their
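Review bot: the split code span recurs in this `:ssekms_key_id` doc ("you must specify the `" at the end of one line, "x-amz-server-side-encryption-aws-kms-key-id` header" on the next); keep the header name in one code span on one line. Two further points: reference URLs [3] `.../directory-buckets-objects-Batch-Ops` and [4] `.../create-import-job` have no `.html` suffix, unlike every other link in the file, so confirm they resolve; and the Bucket Key paragraph mixes `can’t` (typographic) with `aren't` and `doesn't` (ASCII).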
@@ -2464,25 +2588,65 @@ module Aws::S3
2464
2588
  # object in Amazon S3 (for example, `AES256`, `aws:kms`,
2465
2589
  # `aws:kms:dsse`).
2466
2590
  #
2467
- # <b>General purpose buckets </b> - You have four mutually exclusive
2468
- # options to protect data using server-side encryption in Amazon S3,
2469
- # depending on how you choose to manage the encryption keys.
2470
- # Specifically, the encryption key options are Amazon S3 managed keys
2471
- # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
2472
- # customer-provided keys (SSE-C). Amazon S3 encrypts data with
2473
- # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
2474
- # default. You can optionally tell Amazon S3 to encrypt data at rest by
2475
- # using server-side encryption with other key options. For more
2476
- # information, see [Using Server-Side Encryption][1] in the *Amazon S3
2477
- # User Guide*.
2591
+ # * <b>General purpose buckets </b> - You have four mutually exclusive
2592
+ # options to protect data using server-side encryption in Amazon S3,
2593
+ # depending on how you choose to manage the encryption keys.
2594
+ # Specifically, the encryption key options are Amazon S3 managed keys
2595
+ # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
2596
+ # customer-provided keys (SSE-C). Amazon S3 encrypts data with
2597
+ # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
2598
+ # default. You can optionally tell Amazon S3 to encrypt data at rest
2599
+ # by using server-side encryption with other key options. For more
2600
+ # information, see [Using Server-Side Encryption][1] in the *Amazon S3
2601
+ # User Guide*.
2602
+ #
2603
+ # * <b>Directory buckets </b> - For directory buckets, there are only
2604
+ # two supported options for server-side encryption: server-side
2605
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
2606
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
2607
+ # recommend that the bucket's default encryption uses the desired
2608
+ # encryption configuration and you don't override the bucket default
2609
+ # encryption in your `CreateSession` requests or `PUT` object
2610
+ # requests. Then, new objects are automatically encrypted with the
2611
+ # desired encryption settings. For more information, see [Protecting
2612
+ # data with server-side encryption][2] in the *Amazon S3 User Guide*.
2613
+ # For more information about the encryption overriding behaviors in
2614
+ # directory buckets, see [Specifying server-side encryption with KMS
2615
+ # for new object uploads][3].
2616
+ #
2617
+ # In the Zonal endpoint API calls (except [CopyObject][4] and
2618
+ # [UploadPartCopy][5]) using the REST API, the encryption request
2619
+ # headers must match the encryption settings that are specified in the
2620
+ # `CreateSession` request. You can't override the values of the
2621
+ # encryption settings (`x-amz-server-side-encryption`,
2622
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
2623
+ # `x-amz-server-side-encryption-context`, and
2624
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
2625
+ # specified in the `CreateSession` request. You don't need to
2626
+ # explicitly specify these encryption settings values in Zonal
2627
+ # endpoint API calls, and Amazon S3 will use the encryption settings
2628
+ # values from the `CreateSession` request to protect new objects in
2629
+ # the directory bucket.
2630
+ #
2631
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
2632
+ # `CreateSession`, the session token refreshes automatically to avoid
2633
+ # service interruptions when a session expires. The CLI or the Amazon
2634
+ # Web Services SDKs use the bucket's default encryption configuration
2635
+ # for the `CreateSession` request. It's not supported to override the
2636
+ # encryption settings values in the `CreateSession` request. So in the
2637
+ # Zonal endpoint API calls (except [CopyObject][4] and
2638
+ # [UploadPartCopy][5]), the encryption request headers must match the
2639
+ # default encryption configuration of the directory bucket.
2478
2640
  #
2479
- # <b>Directory buckets </b> - For directory buckets, only the
2480
- # server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`)
2481
- # value is supported.
2641
+ # </note>
2482
2642
  #
2483
2643
  #
2484
2644
  #
2485
2645
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
2646
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
2647
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
2648
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
2649
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
2486
2650
  # @option options [String] :storage_class
2487
2651
  # By default, Amazon S3 uses the STANDARD Storage Class to store newly
2488
2652
  # created objects. The STANDARD storage class provides high durability
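Review bot: `<b>General purpose buckets </b>` and `<b>Directory buckets </b>` again carry the stray space before `</b>`, and the directory bucket bullet together with its `<note>` on Zonal endpoint API calls is a verbatim duplicate of the block added in the earlier `:server_side_encryption` hunk; if these comments are hand-maintained rather than generated from the service model, keep that explanation in one place and cross-reference it, so the two copies cannot drift.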
@@ -2556,44 +2720,81 @@ module Aws::S3
2556
2720
  #
2557
2721
  # </note>
2558
2722
  # @option options [String] :ssekms_key_id
2559
- # If `x-amz-server-side-encryption` has a valid value of `aws:kms` or
2560
- # `aws:kms:dsse`, this header specifies the ID (Key ID, Key ARN, or Key
2561
- # Alias) of the Key Management Service (KMS) symmetric encryption
2562
- # customer managed key that was used for the object. If you specify
2563
- # `x-amz-server-side-encryption:aws:kms` or
2564
- # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide`
2565
- # x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
2566
- # Amazon Web Services managed key (`aws/s3`) to protect the data. If the
2567
- # KMS key does not exist in the same account that's issuing the
2568
- # command, you must use the full ARN and not just the ID.
2723
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
2724
+ # object encryption. If the KMS key doesn't exist in the same account
2725
+ # that's issuing the command, you must use the full Key ARN not the Key
2726
+ # ID.
2727
+ #
2728
+ # **General purpose buckets** - If you specify
2729
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
2730
+ # header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
2731
+ # to use. If you specify `x-amz-server-side-encryption:aws:kms` or
2732
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
2733
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
2734
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
2735
+ #
2736
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
2737
+ # with `aws:kms`, you must specify the `
2738
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
2739
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
2740
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
2741
+ # key ID or key ARN. The key alias format of the KMS key isn't
2742
+ # supported. Your SSE-KMS configuration can only support 1 [customer
2743
+ # managed key][1] per directory bucket for the lifetime of the bucket.
2744
+ # [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
2745
+ #
2746
+ #
2747
+ #
2748
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
2749
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
2750
+ # @option options [String] :ssekms_encryption_context
2751
+ # Specifies the Amazon Web Services KMS Encryption Context as an
2752
+ # additional encryption context to use for object encryption. The value
2753
+ # of this header is a Base64-encoded string of a UTF-8 encoded JSON,
2754
+ # which contains the encryption context as key-value pairs. This value
2755
+ # is stored as object metadata and automatically gets passed on to
2756
+ # Amazon Web Services KMS for future `GetObject` operations on this
2757
+ # object.
2569
2758
  #
2570
- # <note markdown="1"> This functionality is not supported for directory buckets.
2759
+ # **General purpose buckets** - This value must be explicitly added
2760
+ # during `CopyObject` operations if you want an additional encryption
2761
+ # context for your object. For more information, see [Encryption
2762
+ # context][1] in the *Amazon S3 User Guide*.
2571
2763
  #
2572
- # </note>
2573
- # @option options [String] :ssekms_encryption_context
2574
- # Specifies the Amazon Web Services KMS Encryption Context to use for
2575
- # object encryption. The value of this header is a base64-encoded UTF-8
2576
- # string holding JSON with the encryption context key-value pairs. This
2577
- # value is stored as object metadata and automatically gets passed on to
2578
- # Amazon Web Services KMS for future `GetObject` or `CopyObject`
2579
- # operations on this object. This value must be explicitly added during
2580
- # `CopyObject` operations.
2764
+ # **Directory buckets** - You can optionally provide an explicit
2765
+ # encryption context value. The value must match the default encryption
2766
+ # context - the bucket Amazon Resource Name (ARN). An additional
2767
+ # encryption context value is not supported.
2581
2768
  #
2582
- # <note markdown="1"> This functionality is not supported for directory buckets.
2583
2769
  #
2584
- # </note>
2770
+ #
2771
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
2585
2772
  # @option options [Boolean] :bucket_key_enabled
2586
2773
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
2587
2774
  # encryption with server-side encryption using Key Management Service
2588
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
2589
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
2775
+ # (KMS) keys (SSE-KMS).
2590
2776
  #
2591
- # Specifying this header with a PUT action doesn’t affect bucket-level
2592
- # settings for S3 Bucket Key.
2777
+ # **General purpose buckets** - Setting this header to `true` causes
2778
+ # Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
2779
+ # Also, specifying this header with a PUT action doesn't affect
2780
+ # bucket-level settings for S3 Bucket Key.
2593
2781
  #
2594
- # <note markdown="1"> This functionality is not supported for directory buckets.
2782
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
2783
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
2784
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
2785
+ # from general purpose buckets to directory buckets, from directory
2786
+ # buckets to general purpose buckets, or between directory buckets,
2787
+ # through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
2788
+ # Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
2789
+ # makes a call to KMS every time a copy request is made for a
2790
+ # KMS-encrypted object.
2595
2791
  #
2596
- # </note>
2792
+ #
2793
+ #
2794
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
2795
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
2796
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
2797
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
2597
2798
  # @option options [String] :request_payer
2598
2799
  # Confirms that the requester knows that they will be charged for the
2599
2800
  # request. Bucket owners need not specify this parameter in their
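Review bot: the removed general purpose text had the broken code span "do not provide`" / "x-amz-server-side-encryption-aws-kms-key-id`" and the rewrite fixes it, but the new `**Directory buckets**` paragraph reintroduces the same split ("you must specify the `" / "x-amz-server-side-encryption-aws-kms-key-id` header"); fix it the same way. Also "S3 Bucket Keys aren't supported, when you copy" has the stray comma, and `can’t` on the next line is typographic while `aren't` and `doesn't` are ASCII.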
@@ -2972,10 +3173,16 @@ module Aws::S3
2972
3173
  # @option options [String] :checksum_mode
2973
3174
  # To retrieve the checksum, this parameter must be enabled.
2974
3175
  #
2975
- # In addition, if you enable checksum mode and the object is uploaded
2976
- # with a [checksum][1] and encrypted with an Key Management Service
2977
- # (KMS) key, you must have permission to use the `kms:Decrypt` action to
2978
- # retrieve the checksum.
3176
+ # **General purpose buckets** - If you enable checksum mode and the
3177
+ # object is uploaded with a [checksum][1] and encrypted with an Key
3178
+ # Management Service (KMS) key, you must have permission to use the
3179
+ # `kms:Decrypt` action to retrieve the checksum.
3180
+ #
3181
+ # **Directory buckets** - If you enable `ChecksumMode` and the object is
3182
+ # encrypted with Amazon Web Services Key Management Service (Amazon Web
3183
+ # Services KMS), you must also have the `kms:GenerateDataKey` and
3184
+ # `kms:Decrypt` permissions in IAM identity-based policies and KMS key
3185
+ # policies for the KMS key to retrieve the checksum of the object.
2979
3186
  #
2980
3187
  #
2981
3188
  #
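Review bot: "encrypted with an Key Management Service (KMS) key" in the general purpose paragraph should be "a Key Management Service"; and the directory bucket paragraph spells the service "Amazon Web Services Key Management Service (Amazon Web Services KMS)" while the paragraph above calls it "Key Management Service (KMS)"; use one form. The directory bucket paragraph requires both `kms:GenerateDataKey` and `kms:Decrypt` in IAM policies and the key policy, whereas the general purpose paragraph names only `kms:Decrypt`; confirm that difference is intended rather than an omission.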