aws-sdk-s3 1.159.0 → 1.163.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +20 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-s3/bucket.rb +120 -43
- data/lib/aws-sdk-s3/client.rb +1105 -389
- data/lib/aws-sdk-s3/client_api.rb +8 -0
- data/lib/aws-sdk-s3/endpoints.rb +99 -396
- data/lib/aws-sdk-s3/object.rb +336 -129
- data/lib/aws-sdk-s3/object_summary.rb +324 -109
- data/lib/aws-sdk-s3/object_version.rb +14 -8
- data/lib/aws-sdk-s3/plugins/endpoints.rb +10 -1
- data/lib/aws-sdk-s3/types.rb +644 -306
- data/lib/aws-sdk-s3.rb +1 -1
- data/sig/client.rbs +10 -1
- data/sig/resource.rbs +1 -0
- data/sig/types.rbs +10 -2
- metadata +4 -4
data/lib/aws-sdk-s3/object.rb
CHANGED
@@ -288,11 +288,6 @@ module Aws::S3
|
|
288
288
|
|
289
289
|
# The server-side encryption algorithm used when you store this object
|
290
290
|
# in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
|
291
|
-
#
|
292
|
-
# <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
|
293
|
-
# managed keys (SSE-S3) (`AES256`) is supported.
|
294
|
-
#
|
295
|
-
# </note>
|
296
291
|
# @return [String]
|
297
292
|
def server_side_encryption
|
298
293
|
data[:server_side_encryption]
|
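Review bot: with the directory-bucket note removed, the `server_side_encryption` comment no longer says which values apply to directory buckets, yet its example list still includes `aws:kms:dsse`. Later hunks in this file state that directory buckets support only `AES256` and `aws:kms`. A one-line pointer to that restriction here would keep the accessor doc from reading as if all three values apply to every bucket type.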
@@ -329,13 +324,8 @@ module Aws::S3
|
|
329
324
|
data[:sse_customer_key_md5]
|
330
325
|
end
|
331
326
|
|
332
|
-
# If present, indicates the ID of the
|
333
|
-
#
|
334
|
-
# object.
|
335
|
-
#
|
336
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
337
|
-
#
|
338
|
-
# </note>
|
327
|
+
# If present, indicates the ID of the KMS key that was used for object
|
328
|
+
# encryption.
|
339
329
|
# @return [String]
|
340
330
|
def ssekms_key_id
|
341
331
|
data[:ssekms_key_id]
|
@@ -343,10 +333,6 @@ module Aws::S3
|
|
343
333
|
|
344
334
|
# Indicates whether the object uses an S3 Bucket Key for server-side
|
345
335
|
# encryption with Key Management Service (KMS) keys (SSE-KMS).
|
346
|
-
#
|
347
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
348
|
-
#
|
349
|
-
# </note>
|
350
336
|
# @return [Boolean]
|
351
337
|
def bucket_key_enabled
|
352
338
|
data[:bucket_key_enabled]
|
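Review bot: dropping the "not supported for directory buckets" note leaves the `bucket_key_enabled` accessor silent on directory buckets, while the option docs later in this file say S3 Bucket Keys are always enabled for `GET` and `PUT` in a directory bucket and cannot be disabled. Suggest stating that here, so a caller auditing encryption settings can interpret the returned Boolean for both bucket types.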
@@ -1031,9 +1017,8 @@ module Aws::S3
|
|
1031
1017
|
# </note>
|
1032
1018
|
# @option options [String] :server_side_encryption
|
1033
1019
|
# The server-side encryption algorithm used when storing this object in
|
1034
|
-
# Amazon S3
|
1035
|
-
#
|
1036
|
-
# and will receive a `400 Bad Request` response.
|
1020
|
+
# Amazon S3. Unrecognized or unsupported values won’t write a
|
1021
|
+
# destination object and will receive a `400 Bad Request` response.
|
1037
1022
|
#
|
1038
1023
|
# Amazon S3 automatically encrypts all new objects that are copied to an
|
1039
1024
|
# S3 bucket. When copying an object, if you don't specify encryption
|
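Review bot: the added sentence at new line 1020 uses a typographic apostrophe in "won’t", while the unchanged context a few lines down (new line 1024) uses the ASCII form in "don't". Suggest normalising to ASCII so the comment stays consistent and greppable, and rewording so that the request, not the value, is what receives the `400 Bad Request` response.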
@@ -1041,35 +1026,72 @@ module Aws::S3
|
|
1041
1026
|
# object is set to the default encryption configuration of the
|
1042
1027
|
# destination bucket. By default, all buckets have a base level of
|
1043
1028
|
# encryption configuration that uses server-side encryption with Amazon
|
1044
|
-
# S3 managed keys (SSE-S3). If the destination bucket has a
|
1045
|
-
# encryption configuration
|
1046
|
-
#
|
1047
|
-
# encryption with Amazon Web Services KMS keys (DSSE-KMS), or
|
1048
|
-
# server-side encryption with customer-provided encryption keys (SSE-C),
|
1049
|
-
# Amazon S3 uses the corresponding KMS key, or a customer-provided key
|
1050
|
-
# to encrypt the target object copy.
|
1051
|
-
#
|
1052
|
-
# When you perform a `CopyObject` operation, if you want to use a
|
1053
|
-
# different type of encryption setting for the target object, you can
|
1054
|
-
# specify appropriate encryption-related headers to encrypt the target
|
1055
|
-
# object with an Amazon S3 managed key, a KMS key, or a
|
1056
|
-
# customer-provided key. If the encryption setting in your request is
|
1057
|
-
# different from the default encryption configuration of the destination
|
1058
|
-
# bucket, the encryption setting in your request takes precedence.
|
1029
|
+
# S3 managed keys (SSE-S3). If the destination bucket has a different
|
1030
|
+
# default encryption configuration, Amazon S3 uses the corresponding
|
1031
|
+
# encryption key to encrypt the target object copy.
|
1059
1032
|
#
|
1060
1033
|
# With server-side encryption, Amazon S3 encrypts your data as it writes
|
1061
1034
|
# your data to disks in its data centers and decrypts the data when you
|
1062
1035
|
# access it. For more information about server-side encryption, see
|
1063
1036
|
# [Using Server-Side Encryption][1] in the *Amazon S3 User Guide*.
|
1064
1037
|
#
|
1065
|
-
# <
|
1066
|
-
#
|
1067
|
-
#
|
1068
|
-
#
|
1038
|
+
# <b>General purpose buckets </b>
|
1039
|
+
#
|
1040
|
+
# * For general purpose buckets, there are the following supported
|
1041
|
+
# options for server-side encryption: server-side encryption with Key
|
1042
|
+
# Management Service (KMS) keys (SSE-KMS), dual-layer server-side
|
1043
|
+
# encryption with Amazon Web Services KMS keys (DSSE-KMS), and
|
1044
|
+
# server-side encryption with customer-provided encryption keys
|
1045
|
+
# (SSE-C). Amazon S3 uses the corresponding KMS key, or a
|
1046
|
+
# customer-provided key to encrypt the target object copy.
|
1047
|
+
#
|
1048
|
+
# * When you perform a `CopyObject` operation, if you want to use a
|
1049
|
+
# different type of encryption setting for the target object, you can
|
1050
|
+
# specify appropriate encryption-related headers to encrypt the target
|
1051
|
+
# object with an Amazon S3 managed key, a KMS key, or a
|
1052
|
+
# customer-provided key. If the encryption setting in your request is
|
1053
|
+
# different from the default encryption configuration of the
|
1054
|
+
# destination bucket, the encryption setting in your request takes
|
1055
|
+
# precedence.
|
1056
|
+
#
|
1057
|
+
# <b>Directory buckets </b>
|
1058
|
+
#
|
1059
|
+
# * For directory buckets, there are only two supported options for
|
1060
|
+
# server-side encryption: server-side encryption with Amazon S3
|
1061
|
+
# managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
|
1062
|
+
# keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's default
|
1063
|
+
# encryption uses the desired encryption configuration and you don't
|
1064
|
+
# override the bucket default encryption in your `CreateSession`
|
1065
|
+
# requests or `PUT` object requests. Then, new objects are
|
1066
|
+
# automatically encrypted with the desired encryption settings. For
|
1067
|
+
# more information, see [Protecting data with server-side
|
1068
|
+
# encryption][2] in the *Amazon S3 User Guide*. For more information
|
1069
|
+
# about the encryption overriding behaviors in directory buckets, see
|
1070
|
+
# [Specifying server-side encryption with KMS for new object
|
1071
|
+
# uploads][3].
|
1072
|
+
#
|
1073
|
+
# * To encrypt new object copies to a directory bucket with SSE-KMS, we
|
1074
|
+
# recommend you specify SSE-KMS as the directory bucket's default
|
1075
|
+
# encryption configuration with a KMS key (specifically, a [customer
|
1076
|
+
# managed key][4]). [Amazon Web Services managed key][5] (`aws/s3`)
|
1077
|
+
# isn't supported. Your SSE-KMS configuration can only support 1
|
1078
|
+
# [customer managed key][4] per directory bucket for the lifetime of
|
1079
|
+
# the bucket. After you specify a customer managed key for SSE-KMS,
|
1080
|
+
# you can't override the customer managed key for the bucket's
|
1081
|
+
# SSE-KMS configuration. Then, when you perform a `CopyObject`
|
1082
|
+
# operation and want to specify server-side encryption settings for
|
1083
|
+
# new object copies with SSE-KMS in the encryption-related request
|
1084
|
+
# headers, you must ensure the encryption key is the same customer
|
1085
|
+
# managed key that you specified for the directory bucket's default
|
1086
|
+
# encryption configuration.
|
1069
1087
|
#
|
1070
1088
|
#
|
1071
1089
|
#
|
1072
1090
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
|
1091
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
1092
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
|
1093
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
1094
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
1073
1095
|
# @option options [String] :storage_class
|
1074
1096
|
# If the `x-amz-storage-class` header is not used, the copied object
|
1075
1097
|
# will be stored in the `STANDARD` Storage Class by default. The
|
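Review bot: the second Directory buckets bullet (new lines 1081 to 1086) says the key in the request headers "must" be the same customer managed key as the bucket default, but does not say what the caller gets when it is not. The `:ssekms_key_id` text added elsewhere in this patch names the `400 Bad Request` outcome for a missing key; state the outcome for a mismatched key here as well. Separately, the headings use `<b>General purpose buckets </b>` with a trailing space inside the tag, while other hunks in this file use `**Directory buckets**`; pick one form.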
@@ -1160,32 +1182,50 @@ module Aws::S3
|
|
1160
1182
|
#
|
1161
1183
|
# </note>
|
1162
1184
|
# @option options [String] :ssekms_key_id
|
1163
|
-
# Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for
|
1164
|
-
# encryption. All GET and PUT requests for an object protected by
|
1165
|
-
# will fail if they're not made via SSL or using SigV4. For
|
1166
|
-
# about configuring any of the officially supported Amazon
|
1167
|
-
# SDKs and Amazon Web Services CLI, see [Specifying the
|
1168
|
-
# Version in Request Authentication][1] in the *Amazon S3 User
|
1169
|
-
#
|
1170
|
-
#
|
1171
|
-
#
|
1172
|
-
#
|
1173
|
-
#
|
1185
|
+
# Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
|
1186
|
+
# object encryption. All GET and PUT requests for an object protected by
|
1187
|
+
# KMS will fail if they're not made via SSL or using SigV4. For
|
1188
|
+
# information about configuring any of the officially supported Amazon
|
1189
|
+
# Web Services SDKs and Amazon Web Services CLI, see [Specifying the
|
1190
|
+
# Signature Version in Request Authentication][1] in the *Amazon S3 User
|
1191
|
+
# Guide*.
|
1192
|
+
#
|
1193
|
+
# **Directory buckets** - If you specify `x-amz-server-side-encryption`
|
1194
|
+
# with `aws:kms`, you must specify the `
|
1195
|
+
# x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
|
1196
|
+
# ID or Key ARN) of the KMS symmetric encryption customer managed key to
|
1197
|
+
# use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
|
1198
|
+
# key ID or key ARN. The key alias format of the KMS key isn't
|
1199
|
+
# supported. Your SSE-KMS configuration can only support 1 [customer
|
1200
|
+
# managed key][2] per directory bucket for the lifetime of the bucket.
|
1201
|
+
# [Amazon Web Services managed key][3] (`aws/s3`) isn't supported.
|
1174
1202
|
#
|
1175
1203
|
#
|
1176
1204
|
#
|
1177
1205
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
|
1206
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
1207
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
1178
1208
|
# @option options [String] :ssekms_encryption_context
|
1179
|
-
# Specifies the Amazon Web Services KMS Encryption Context
|
1180
|
-
#
|
1181
|
-
#
|
1182
|
-
#
|
1183
|
-
# `CopyObject` requests.
|
1209
|
+
# Specifies the Amazon Web Services KMS Encryption Context as an
|
1210
|
+
# additional encryption context to use for the destination object
|
1211
|
+
# encryption. The value of this header is a base64-encoded UTF-8 string
|
1212
|
+
# holding JSON with the encryption context key-value pairs.
|
1184
1213
|
#
|
1185
|
-
#
|
1186
|
-
#
|
1214
|
+
# **General purpose buckets** - This value must be explicitly added to
|
1215
|
+
# specify encryption context for `CopyObject` requests if you want an
|
1216
|
+
# additional encryption context for your destination object. The
|
1217
|
+
# additional encryption context of the source object won't be copied to
|
1218
|
+
# the destination object. For more information, see [Encryption
|
1219
|
+
# context][1] in the *Amazon S3 User Guide*.
|
1187
1220
|
#
|
1188
|
-
#
|
1221
|
+
# **Directory buckets** - You can optionally provide an explicit
|
1222
|
+
# encryption context value. The value must match the default encryption
|
1223
|
+
# context - the bucket Amazon Resource Name (ARN). An additional
|
1224
|
+
# encryption context value is not supported.
|
1225
|
+
#
|
1226
|
+
#
|
1227
|
+
#
|
1228
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
|
1189
1229
|
# @option options [Boolean] :bucket_key_enabled
|
1190
1230
|
# Specifies whether Amazon S3 should use an S3 Bucket Key for object
|
1191
1231
|
# encryption with server-side encryption using Key Management Service
|
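Review bot: the inline code span for the key-ID header is split across new lines 1194 and 1195, so the backtick opens at the end of one comment line and the header name starts on the next with a leading space inside the span. Rendered docs will show a broken or space-padded header name. Suggest keeping `x-amz-server-side-encryption-aws-kms-key-id` whole on one line. The opening sentence also still lists "Key Alias" as accepted, which the Directory buckets paragraph then rules out; scoping the first sentence to general purpose buckets would remove the apparent conflict.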
@@ -1199,14 +1239,19 @@ module Aws::S3
|
|
1199
1239
|
# For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon S3
|
1200
1240
|
# User Guide*.
|
1201
1241
|
#
|
1202
|
-
# <note markdown="1">
|
1203
|
-
#
|
1242
|
+
# <note markdown="1"> **Directory buckets** - S3 Bucket Keys aren't supported, when you
|
1243
|
+
# copy SSE-KMS encrypted objects from general purpose buckets to
|
1244
|
+
# directory buckets, from directory buckets to general purpose buckets,
|
1245
|
+
# or between directory buckets, through [CopyObject][2]. In this case,
|
1246
|
+
# Amazon S3 makes a call to KMS every time a copy request is made for a
|
1247
|
+
# KMS-encrypted object.
|
1204
1248
|
#
|
1205
1249
|
# </note>
|
1206
1250
|
#
|
1207
1251
|
#
|
1208
1252
|
#
|
1209
1253
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
|
1254
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
1210
1255
|
# @option options [String] :copy_source_sse_customer_algorithm
|
1211
1256
|
# Specifies the algorithm to use when decrypting the source object (for
|
1212
1257
|
# example, `AES256`).
|
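Review bot: the note added at new lines 1242 to 1247 names only `CopyObject` as the path where S3 Bucket Keys are not supported, whereas the matching `:bucket_key_enabled` text in later hunks of this file also lists UploadPartCopy, the Copy operation in Batch Operations, and import jobs. If the shorter list is intentional for this method, say so; otherwise align the two. The comma in "aren't supported, when you copy" should also go.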
@@ -1663,10 +1708,10 @@ module Aws::S3
|
|
1663
1708
|
# @option options [String] :checksum_mode
|
1664
1709
|
# To retrieve the checksum, this mode must be enabled.
|
1665
1710
|
#
|
1666
|
-
# In addition, if you enable checksum mode
|
1667
|
-
# with a [checksum][1] and encrypted with an
|
1668
|
-
# (KMS) key, you must have permission to use the
|
1669
|
-
# retrieve the checksum.
|
1711
|
+
# **General purpose buckets** - In addition, if you enable checksum mode
|
1712
|
+
# and the object is uploaded with a [checksum][1] and encrypted with an
|
1713
|
+
# Key Management Service (KMS) key, you must have permission to use the
|
1714
|
+
# `kms:Decrypt` action to retrieve the checksum.
|
1670
1715
|
#
|
1671
1716
|
#
|
1672
1717
|
#
|
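Review bot: this `:checksum_mode` text now carries a "General purpose buckets" label but has no Directory buckets counterpart, while the `:checksum_mode` hunk at new line 3176 adds one that requires both `kms:GenerateDataKey` and `kms:Decrypt`. A reader of this method gets no permission guidance for directory buckets; add the paragraph or state that it does not apply. Also "encrypted with an Key Management Service (KMS) key" should read "a Key Management Service".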
@@ -2019,10 +2064,52 @@ module Aws::S3
|
|
2019
2064
|
# The server-side encryption algorithm used when you store this object
|
2020
2065
|
# in Amazon S3 (for example, `AES256`, `aws:kms`).
|
2021
2066
|
#
|
2022
|
-
# <
|
2023
|
-
#
|
2067
|
+
# * <b>Directory buckets </b> - For directory buckets, there are only
|
2068
|
+
# two supported options for server-side encryption: server-side
|
2069
|
+
# encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
|
2070
|
+
# server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
|
2071
|
+
# recommend that the bucket's default encryption uses the desired
|
2072
|
+
# encryption configuration and you don't override the bucket default
|
2073
|
+
# encryption in your `CreateSession` requests or `PUT` object
|
2074
|
+
# requests. Then, new objects are automatically encrypted with the
|
2075
|
+
# desired encryption settings. For more information, see [Protecting
|
2076
|
+
# data with server-side encryption][1] in the *Amazon S3 User Guide*.
|
2077
|
+
# For more information about the encryption overriding behaviors in
|
2078
|
+
# directory buckets, see [Specifying server-side encryption with KMS
|
2079
|
+
# for new object uploads][2].
|
2080
|
+
#
|
2081
|
+
# In the Zonal endpoint API calls (except [CopyObject][3] and
|
2082
|
+
# [UploadPartCopy][4]) using the REST API, the encryption request
|
2083
|
+
# headers must match the encryption settings that are specified in the
|
2084
|
+
# `CreateSession` request. You can't override the values of the
|
2085
|
+
# encryption settings (`x-amz-server-side-encryption`,
|
2086
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`,
|
2087
|
+
# `x-amz-server-side-encryption-context`, and
|
2088
|
+
# `x-amz-server-side-encryption-bucket-key-enabled`) that are
|
2089
|
+
# specified in the `CreateSession` request. You don't need to
|
2090
|
+
# explicitly specify these encryption settings values in Zonal
|
2091
|
+
# endpoint API calls, and Amazon S3 will use the encryption settings
|
2092
|
+
# values from the `CreateSession` request to protect new objects in
|
2093
|
+
# the directory bucket.
|
2094
|
+
#
|
2095
|
+
# <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
|
2096
|
+
# `CreateSession`, the session token refreshes automatically to avoid
|
2097
|
+
# service interruptions when a session expires. The CLI or the Amazon
|
2098
|
+
# Web Services SDKs use the bucket's default encryption configuration
|
2099
|
+
# for the `CreateSession` request. It's not supported to override the
|
2100
|
+
# encryption settings values in the `CreateSession` request. So in the
|
2101
|
+
# Zonal endpoint API calls (except [CopyObject][3] and
|
2102
|
+
# [UploadPartCopy][4]), the encryption request headers must match the
|
2103
|
+
# default encryption configuration of the directory bucket.
|
2024
2104
|
#
|
2025
|
-
#
|
2105
|
+
# </note>
|
2106
|
+
#
|
2107
|
+
#
|
2108
|
+
#
|
2109
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
2110
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
|
2111
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
2112
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
2026
2113
|
# @option options [String] :storage_class
|
2027
2114
|
# By default, Amazon S3 uses the STANDARD Storage Class to store newly
|
2028
2115
|
# created objects. The STANDARD storage class provides high durability
|
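Review bot: the list added at new line 2067 has a single bullet, for Directory buckets only, whereas the equivalent `:server_side_encryption` text at new line 2591 has both a General purpose buckets and a Directory buckets bullet. Here the general purpose case is left to the one-line example `AES256`, `aws:kms` in the unchanged context. Suggest adding the general purpose bullet or dropping the list marker. The body paragraph and the `<note>` also state the same header-matching rule twice and could be merged.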
@@ -2075,32 +2162,69 @@ module Aws::S3
|
|
2075
2162
|
#
|
2076
2163
|
# </note>
|
2077
2164
|
# @option options [String] :ssekms_key_id
|
2078
|
-
# Specifies the ID (Key ID, Key ARN, or Key Alias)
|
2079
|
-
# encryption
|
2080
|
-
#
|
2081
|
-
#
|
2082
|
-
#
|
2083
|
-
#
|
2165
|
+
# Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
|
2166
|
+
# object encryption. If the KMS key doesn't exist in the same account
|
2167
|
+
# that's issuing the command, you must use the full Key ARN not the Key
|
2168
|
+
# ID.
|
2169
|
+
#
|
2170
|
+
# **General purpose buckets** - If you specify
|
2171
|
+
# `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
|
2172
|
+
# header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
|
2173
|
+
# to use. If you specify `x-amz-server-side-encryption:aws:kms` or
|
2174
|
+
# `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
|
2175
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
|
2176
|
+
# Amazon Web Services managed key (`aws/s3`) to protect the data.
|
2177
|
+
#
|
2178
|
+
# **Directory buckets** - If you specify `x-amz-server-side-encryption`
|
2179
|
+
# with `aws:kms`, you must specify the `
|
2180
|
+
# x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
|
2181
|
+
# ID or Key ARN) of the KMS symmetric encryption customer managed key to
|
2182
|
+
# use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
|
2183
|
+
# key ID or key ARN. The key alias format of the KMS key isn't
|
2184
|
+
# supported. Your SSE-KMS configuration can only support 1 [customer
|
2185
|
+
# managed key][1] per directory bucket for the lifetime of the bucket.
|
2186
|
+
# [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
|
2187
|
+
#
|
2188
|
+
#
|
2189
|
+
#
|
2190
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
2191
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
2084
2192
|
# @option options [String] :ssekms_encryption_context
|
2085
2193
|
# Specifies the Amazon Web Services KMS Encryption Context to use for
|
2086
|
-
# object encryption. The value of this header is a
|
2087
|
-
#
|
2088
|
-
#
|
2089
|
-
#
|
2090
|
-
#
|
2091
|
-
#
|
2194
|
+
# object encryption. The value of this header is a Base64-encoded string
|
2195
|
+
# of a UTF-8 encoded JSON, which contains the encryption context as
|
2196
|
+
# key-value pairs.
|
2197
|
+
#
|
2198
|
+
# **Directory buckets** - You can optionally provide an explicit
|
2199
|
+
# encryption context value. The value must match the default encryption
|
2200
|
+
# context - the bucket Amazon Resource Name (ARN). An additional
|
2201
|
+
# encryption context value is not supported.
|
2092
2202
|
# @option options [Boolean] :bucket_key_enabled
|
2093
2203
|
# Specifies whether Amazon S3 should use an S3 Bucket Key for object
|
2094
2204
|
# encryption with server-side encryption using Key Management Service
|
2095
|
-
# (KMS) keys (SSE-KMS).
|
2096
|
-
# to use an S3 Bucket Key for object encryption with SSE-KMS.
|
2205
|
+
# (KMS) keys (SSE-KMS).
|
2097
2206
|
#
|
2098
|
-
#
|
2207
|
+
# **General purpose buckets** - Setting this header to `true` causes
|
2208
|
+
# Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
|
2209
|
+
# Also, specifying this header with a PUT action doesn't affect
|
2099
2210
|
# bucket-level settings for S3 Bucket Key.
|
2100
2211
|
#
|
2101
|
-
#
|
2212
|
+
# **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
|
2213
|
+
# and `PUT` operations in a directory bucket and can’t be disabled. S3
|
2214
|
+
# Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
|
2215
|
+
# from general purpose buckets to directory buckets, from directory
|
2216
|
+
# buckets to general purpose buckets, or between directory buckets,
|
2217
|
+
# through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
|
2218
|
+
# Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
|
2219
|
+
# makes a call to KMS every time a copy request is made for a
|
2220
|
+
# KMS-encrypted object.
|
2102
2221
|
#
|
2103
|
-
#
|
2222
|
+
#
|
2223
|
+
#
|
2224
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
2225
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
2226
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
|
2227
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
|
2104
2228
|
# @option options [String] :request_payer
|
2105
2229
|
# Confirms that the requester knows that they will be charged for the
|
2106
2230
|
# request. Bucket owners need not specify this parameter in their
|
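Review bot: reference links [3] and [4] at new lines 2226 and 2227 (`.../directory-buckets-objects-Batch-Ops` and `.../create-import-job`) have no `.html` suffix, unlike every other docs.aws.amazon.com link in this file, including [1] and [2] in the same list. They look truncated; please verify them and add the suffix. The Directory buckets paragraph also mixes "can’t" with a typographic apostrophe and "aren't" with an ASCII one.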
@@ -2464,25 +2588,65 @@ module Aws::S3
|
|
2464
2588
|
# object in Amazon S3 (for example, `AES256`, `aws:kms`,
|
2465
2589
|
# `aws:kms:dsse`).
|
2466
2590
|
#
|
2467
|
-
# <b>General purpose buckets </b> - You have four mutually exclusive
|
2468
|
-
#
|
2469
|
-
#
|
2470
|
-
#
|
2471
|
-
#
|
2472
|
-
#
|
2473
|
-
#
|
2474
|
-
#
|
2475
|
-
#
|
2476
|
-
#
|
2477
|
-
#
|
2591
|
+
# * <b>General purpose buckets </b> - You have four mutually exclusive
|
2592
|
+
# options to protect data using server-side encryption in Amazon S3,
|
2593
|
+
# depending on how you choose to manage the encryption keys.
|
2594
|
+
# Specifically, the encryption key options are Amazon S3 managed keys
|
2595
|
+
# (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
|
2596
|
+
# customer-provided keys (SSE-C). Amazon S3 encrypts data with
|
2597
|
+
# server-side encryption by using Amazon S3 managed keys (SSE-S3) by
|
2598
|
+
# default. You can optionally tell Amazon S3 to encrypt data at rest
|
2599
|
+
# by using server-side encryption with other key options. For more
|
2600
|
+
# information, see [Using Server-Side Encryption][1] in the *Amazon S3
|
2601
|
+
# User Guide*.
|
2602
|
+
#
|
2603
|
+
# * <b>Directory buckets </b> - For directory buckets, there are only
|
2604
|
+
# two supported options for server-side encryption: server-side
|
2605
|
+
# encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
|
2606
|
+
# server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
|
2607
|
+
# recommend that the bucket's default encryption uses the desired
|
2608
|
+
# encryption configuration and you don't override the bucket default
|
2609
|
+
# encryption in your `CreateSession` requests or `PUT` object
|
2610
|
+
# requests. Then, new objects are automatically encrypted with the
|
2611
|
+
# desired encryption settings. For more information, see [Protecting
|
2612
|
+
# data with server-side encryption][2] in the *Amazon S3 User Guide*.
|
2613
|
+
# For more information about the encryption overriding behaviors in
|
2614
|
+
# directory buckets, see [Specifying server-side encryption with KMS
|
2615
|
+
# for new object uploads][3].
|
2616
|
+
#
|
2617
|
+
# In the Zonal endpoint API calls (except [CopyObject][4] and
|
2618
|
+
# [UploadPartCopy][5]) using the REST API, the encryption request
|
2619
|
+
# headers must match the encryption settings that are specified in the
|
2620
|
+
# `CreateSession` request. You can't override the values of the
|
2621
|
+
# encryption settings (`x-amz-server-side-encryption`,
|
2622
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`,
|
2623
|
+
# `x-amz-server-side-encryption-context`, and
|
2624
|
+
# `x-amz-server-side-encryption-bucket-key-enabled`) that are
|
2625
|
+
# specified in the `CreateSession` request. You don't need to
|
2626
|
+
# explicitly specify these encryption settings values in Zonal
|
2627
|
+
# endpoint API calls, and Amazon S3 will use the encryption settings
|
2628
|
+
# values from the `CreateSession` request to protect new objects in
|
2629
|
+
# the directory bucket.
|
2630
|
+
#
|
2631
|
+
# <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
|
2632
|
+
# `CreateSession`, the session token refreshes automatically to avoid
|
2633
|
+
# service interruptions when a session expires. The CLI or the Amazon
|
2634
|
+
# Web Services SDKs use the bucket's default encryption configuration
|
2635
|
+
# for the `CreateSession` request. It's not supported to override the
|
2636
|
+
# encryption settings values in the `CreateSession` request. So in the
|
2637
|
+
# Zonal endpoint API calls (except [CopyObject][4] and
|
2638
|
+
# [UploadPartCopy][5]), the encryption request headers must match the
|
2639
|
+
# default encryption configuration of the directory bucket.
|
2478
2640
|
#
|
2479
|
-
#
|
2480
|
-
# server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`)
|
2481
|
-
# value is supported.
|
2641
|
+
# </note>
|
2482
2642
|
#
|
2483
2643
|
#
|
2484
2644
|
#
|
2485
2645
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
|
2646
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
2647
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
|
2648
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
2649
|
+
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
2486
2650
|
# @option options [String] :storage_class
|
2487
2651
|
# By default, Amazon S3 uses the STANDARD Storage Class to store newly
|
2488
2652
|
# created objects. The STANDARD storage class provides high durability
|
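Review bot: the Directory buckets bullet is framed around `CreateSession` and REST request headers, but the note at new lines 2631 to 2639 says the SDK issues `CreateSession` itself using the bucket's default encryption configuration and that overriding is not supported. For a Ruby caller the operative rule is therefore that `:server_side_encryption` must match the bucket default. Suggest leading the bullet with that rule and saying what the caller receives on a mismatch, which the text currently leaves unstated.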
@@ -2556,44 +2720,81 @@ module Aws::S3
|
|
2556
2720
|
#
|
2557
2721
|
# </note>
|
2558
2722
|
# @option options [String] :ssekms_key_id
|
2559
|
-
#
|
2560
|
-
#
|
2561
|
-
#
|
2562
|
-
#
|
2563
|
-
#
|
2564
|
-
#
|
2565
|
-
# x-amz-server-side-encryption
|
2566
|
-
#
|
2567
|
-
#
|
2568
|
-
#
|
2723
|
+
# Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
|
2724
|
+
# object encryption. If the KMS key doesn't exist in the same account
|
2725
|
+
# that's issuing the command, you must use the full Key ARN not the Key
|
2726
|
+
# ID.
|
2727
|
+
#
|
2728
|
+
# **General purpose buckets** - If you specify
|
2729
|
+
# `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
|
2730
|
+
# header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
|
2731
|
+
# to use. If you specify `x-amz-server-side-encryption:aws:kms` or
|
2732
|
+
# `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
|
2733
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
|
2734
|
+
# Amazon Web Services managed key (`aws/s3`) to protect the data.
|
2735
|
+
#
|
2736
|
+
# **Directory buckets** - If you specify `x-amz-server-side-encryption`
|
2737
|
+
# with `aws:kms`, you must specify the `
|
2738
|
+
# x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
|
2739
|
+
# ID or Key ARN) of the KMS symmetric encryption customer managed key to
|
2740
|
+
# use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
|
2741
|
+
# key ID or key ARN. The key alias format of the KMS key isn't
|
2742
|
+
# supported. Your SSE-KMS configuration can only support 1 [customer
|
2743
|
+
# managed key][1] per directory bucket for the lifetime of the bucket.
|
2744
|
+
# [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
|
2745
|
+
#
|
2746
|
+
#
|
2747
|
+
#
|
2748
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
2749
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
2750
|
+
# @option options [String] :ssekms_encryption_context
|
2751
|
+
# Specifies the Amazon Web Services KMS Encryption Context as an
|
2752
|
+
# additional encryption context to use for object encryption. The value
|
2753
|
+
# of this header is a Base64-encoded string of a UTF-8 encoded JSON,
|
2754
|
+
# which contains the encryption context as key-value pairs. This value
|
2755
|
+
# is stored as object metadata and automatically gets passed on to
|
2756
|
+
# Amazon Web Services KMS for future `GetObject` operations on this
|
2757
|
+
# object.
|
2569
2758
|
#
|
2570
|
-
#
|
2759
|
+
# **General purpose buckets** - This value must be explicitly added
|
2760
|
+
# during `CopyObject` operations if you want an additional encryption
|
2761
|
+
# context for your object. For more information, see [Encryption
|
2762
|
+
# context][1] in the *Amazon S3 User Guide*.
|
2571
2763
|
#
|
2572
|
-
#
|
2573
|
-
#
|
2574
|
-
#
|
2575
|
-
#
|
2576
|
-
# string holding JSON with the encryption context key-value pairs. This
|
2577
|
-
# value is stored as object metadata and automatically gets passed on to
|
2578
|
-
# Amazon Web Services KMS for future `GetObject` or `CopyObject`
|
2579
|
-
# operations on this object. This value must be explicitly added during
|
2580
|
-
# `CopyObject` operations.
|
2764
|
+
# **Directory buckets** - You can optionally provide an explicit
|
2765
|
+
# encryption context value. The value must match the default encryption
|
2766
|
+
# context - the bucket Amazon Resource Name (ARN). An additional
|
2767
|
+
# encryption context value is not supported.
|
2581
2768
|
#
|
2582
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
2583
2769
|
#
|
2584
|
-
#
|
2770
|
+
#
|
2771
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
|
2585
2772
|
# @option options [Boolean] :bucket_key_enabled
|
2586
2773
|
# Specifies whether Amazon S3 should use an S3 Bucket Key for object
|
2587
2774
|
# encryption with server-side encryption using Key Management Service
|
2588
|
-
# (KMS) keys (SSE-KMS).
|
2589
|
-
# to use an S3 Bucket Key for object encryption with SSE-KMS.
|
2775
|
+
# (KMS) keys (SSE-KMS).
|
2590
2776
|
#
|
2591
|
-
#
|
2592
|
-
#
|
2777
|
+
# **General purpose buckets** - Setting this header to `true` causes
|
2778
|
+
# Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
|
2779
|
+
# Also, specifying this header with a PUT action doesn't affect
|
2780
|
+
# bucket-level settings for S3 Bucket Key.
|
2593
2781
|
#
|
2594
|
-
#
|
2782
|
+
# **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
|
2783
|
+
# and `PUT` operations in a directory bucket and can’t be disabled. S3
|
2784
|
+
# Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
|
2785
|
+
# from general purpose buckets to directory buckets, from directory
|
2786
|
+
# buckets to general purpose buckets, or between directory buckets,
|
2787
|
+
# through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
|
2788
|
+
# Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
|
2789
|
+
# makes a call to KMS every time a copy request is made for a
|
2790
|
+
# KMS-encrypted object.
|
2595
2791
|
#
|
2596
|
-
#
|
2792
|
+
#
|
2793
|
+
#
|
2794
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
2795
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
2796
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
|
2797
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
|
2597
2798
|
# @option options [String] :request_payer
|
2598
2799
|
# Confirms that the requester knows that they will be charged for the
|
2599
2800
|
# request. Bucket owners need not specify this parameter in their
|
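Review bot: the new `:ssekms_encryption_context` opening sentence (new lines 2751 and 2752) describes the option "as an additional encryption context", and the Directory buckets paragraph that follows (new lines 2764 to 2767) then says "An additional encryption context value is not supported". Read together, the option appears unusable on directory buckets even though an explicit value matching the bucket ARN is allowed. Suggest neutral wording in the first sentence and leaving the "additional" qualifier to the General purpose buckets paragraph.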
@@ -2972,10 +3173,16 @@ module Aws::S3
|
|
2972
3173
|
# @option options [String] :checksum_mode
|
2973
3174
|
# To retrieve the checksum, this parameter must be enabled.
|
2974
3175
|
#
|
2975
|
-
#
|
2976
|
-
# with a [checksum][1] and encrypted with an Key
|
2977
|
-
# (KMS) key, you must have permission to use the
|
2978
|
-
# retrieve the checksum.
|
3176
|
+
# **General purpose buckets** - If you enable checksum mode and the
|
3177
|
+
# object is uploaded with a [checksum][1] and encrypted with an Key
|
3178
|
+
# Management Service (KMS) key, you must have permission to use the
|
3179
|
+
# `kms:Decrypt` action to retrieve the checksum.
|
3180
|
+
#
|
3181
|
+
# **Directory buckets** - If you enable `ChecksumMode` and the object is
|
3182
|
+
# encrypted with Amazon Web Services Key Management Service (Amazon Web
|
3183
|
+
# Services KMS), you must also have the `kms:GenerateDataKey` and
|
3184
|
+
# `kms:Decrypt` permissions in IAM identity-based policies and KMS key
|
3185
|
+
# policies for the KMS key to retrieve the checksum of the object.
|
2979
3186
|
#
|
2980
3187
|
#
|
2981
3188
|
#
|
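Review bot: the two added paragraphs name the same setting differently, "checksum mode" in the General purpose buckets text and `ChecksumMode` in the Directory buckets text, while the Ruby option being documented is `:checksum_mode`. Use one name, preferably the option symbol. "encrypted with an Key Management Service (KMS) key" at new lines 3177 and 3178 should read "a Key". It would also help to say why directory buckets need `kms:GenerateDataKey` for a read path, since the general purpose text asks only for `kms:Decrypt`.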