aws-sdk-s3 1.159.0 → 1.163.0

Sign up to get free protection for your applications and to get access to all the features.
@@ -667,9 +667,8 @@ module Aws::S3
667
667
  # </note>
668
668
  # @option options [String] :server_side_encryption
669
669
  # The server-side encryption algorithm used when storing this object in
670
- # Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
671
- # Unrecognized or unsupported values won’t write a destination object
672
- # and will receive a `400 Bad Request` response.
670
+ # Amazon S3. Unrecognized or unsupported values won’t write a
671
+ # destination object and will receive a `400 Bad Request` response.
673
672
  #
674
673
  # Amazon S3 automatically encrypts all new objects that are copied to an
675
674
  # S3 bucket. When copying an object, if you don't specify encryption
@@ -677,35 +676,72 @@ module Aws::S3
677
676
  # object is set to the default encryption configuration of the
678
677
  # destination bucket. By default, all buckets have a base level of
679
678
  # encryption configuration that uses server-side encryption with Amazon
680
- # S3 managed keys (SSE-S3). If the destination bucket has a default
681
- # encryption configuration that uses server-side encryption with Key
682
- # Management Service (KMS) keys (SSE-KMS), dual-layer server-side
683
- # encryption with Amazon Web Services KMS keys (DSSE-KMS), or
684
- # server-side encryption with customer-provided encryption keys (SSE-C),
685
- # Amazon S3 uses the corresponding KMS key, or a customer-provided key
686
- # to encrypt the target object copy.
687
- #
688
- # When you perform a `CopyObject` operation, if you want to use a
689
- # different type of encryption setting for the target object, you can
690
- # specify appropriate encryption-related headers to encrypt the target
691
- # object with an Amazon S3 managed key, a KMS key, or a
692
- # customer-provided key. If the encryption setting in your request is
693
- # different from the default encryption configuration of the destination
694
- # bucket, the encryption setting in your request takes precedence.
679
+ # S3 managed keys (SSE-S3). If the destination bucket has a different
680
+ # default encryption configuration, Amazon S3 uses the corresponding
681
+ # encryption key to encrypt the target object copy.
695
682
  #
696
683
  # With server-side encryption, Amazon S3 encrypts your data as it writes
697
684
  # your data to disks in its data centers and decrypts the data when you
698
685
  # access it. For more information about server-side encryption, see
699
686
  # [Using Server-Side Encryption][1] in the *Amazon S3 User Guide*.
700
687
  #
701
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
702
- # managed keys (SSE-S3) (`AES256`) is supported.
703
- #
704
- # </note>
688
+ # <b>General purpose buckets </b>
689
+ #
690
+ # * For general purpose buckets, there are the following supported
691
+ # options for server-side encryption: server-side encryption with Key
692
+ # Management Service (KMS) keys (SSE-KMS), dual-layer server-side
693
+ # encryption with Amazon Web Services KMS keys (DSSE-KMS), and
694
+ # server-side encryption with customer-provided encryption keys
695
+ # (SSE-C). Amazon S3 uses the corresponding KMS key, or a
696
+ # customer-provided key to encrypt the target object copy.
697
+ #
698
+ # * When you perform a `CopyObject` operation, if you want to use a
699
+ # different type of encryption setting for the target object, you can
700
+ # specify appropriate encryption-related headers to encrypt the target
701
+ # object with an Amazon S3 managed key, a KMS key, or a
702
+ # customer-provided key. If the encryption setting in your request is
703
+ # different from the default encryption configuration of the
704
+ # destination bucket, the encryption setting in your request takes
705
+ # precedence.
706
+ #
707
+ # <b>Directory buckets </b>
708
+ #
709
+ # * For directory buckets, there are only two supported options for
710
+ # server-side encryption: server-side encryption with Amazon S3
711
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
712
+ # keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's default
713
+ # encryption uses the desired encryption configuration and you don't
714
+ # override the bucket default encryption in your `CreateSession`
715
+ # requests or `PUT` object requests. Then, new objects are
716
+ # automatically encrypted with the desired encryption settings. For
717
+ # more information, see [Protecting data with server-side
718
+ # encryption][2] in the *Amazon S3 User Guide*. For more information
719
+ # about the encryption overriding behaviors in directory buckets, see
720
+ # [Specifying server-side encryption with KMS for new object
721
+ # uploads][3].
722
+ #
723
+ # * To encrypt new object copies to a directory bucket with SSE-KMS, we
724
+ # recommend you specify SSE-KMS as the directory bucket's default
725
+ # encryption configuration with a KMS key (specifically, a [customer
726
+ # managed key][4]). [Amazon Web Services managed key][5] (`aws/s3`)
727
+ # isn't supported. Your SSE-KMS configuration can only support 1
728
+ # [customer managed key][4] per directory bucket for the lifetime of
729
+ # the bucket. After you specify a customer managed key for SSE-KMS,
730
+ # you can't override the customer managed key for the bucket's
731
+ # SSE-KMS configuration. Then, when you perform a `CopyObject`
732
+ # operation and want to specify server-side encryption settings for
733
+ # new object copies with SSE-KMS in the encryption-related request
734
+ # headers, you must ensure the encryption key is the same customer
735
+ # managed key that you specified for the directory bucket's default
736
+ # encryption configuration.
705
737
  #
706
738
  #
707
739
  #
708
740
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
741
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
742
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
743
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
744
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
709
745
  # @option options [String] :storage_class
710
746
  # If the `x-amz-storage-class` header is not used, the copied object
711
747
  # will be stored in the `STANDARD` Storage Class by default. The
@@ -796,32 +832,50 @@ module Aws::S3
796
832
  #
797
833
  # </note>
798
834
  # @option options [String] :ssekms_key_id
799
- # Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for object
800
- # encryption. All GET and PUT requests for an object protected by KMS
801
- # will fail if they're not made via SSL or using SigV4. For information
802
- # about configuring any of the officially supported Amazon Web Services
803
- # SDKs and Amazon Web Services CLI, see [Specifying the Signature
804
- # Version in Request Authentication][1] in the *Amazon S3 User Guide*.
805
- #
806
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
807
- # directory bucket.
808
- #
809
- # </note>
835
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
836
+ # object encryption. All GET and PUT requests for an object protected by
837
+ # KMS will fail if they're not made via SSL or using SigV4. For
838
+ # information about configuring any of the officially supported Amazon
839
+ # Web Services SDKs and Amazon Web Services CLI, see [Specifying the
840
+ # Signature Version in Request Authentication][1] in the *Amazon S3 User
841
+ # Guide*.
842
+ #
843
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
844
+ # with `aws:kms`, you must specify the `
845
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
846
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
847
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
848
+ # key ID or key ARN. The key alias format of the KMS key isn't
849
+ # supported. Your SSE-KMS configuration can only support 1 [customer
850
+ # managed key][2] per directory bucket for the lifetime of the bucket.
851
+ # [Amazon Web Services managed key][3] (`aws/s3`) isn't supported.
810
852
  #
811
853
  #
812
854
  #
813
855
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
856
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
857
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
814
858
  # @option options [String] :ssekms_encryption_context
815
- # Specifies the Amazon Web Services KMS Encryption Context to use for
816
- # object encryption. The value of this header is a base64-encoded UTF-8
817
- # string holding JSON with the encryption context key-value pairs. This
818
- # value must be explicitly added to specify encryption context for
819
- # `CopyObject` requests.
859
+ # Specifies the Amazon Web Services KMS Encryption Context as an
860
+ # additional encryption context to use for the destination object
861
+ # encryption. The value of this header is a base64-encoded UTF-8 string
862
+ # holding JSON with the encryption context key-value pairs.
820
863
  #
821
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
822
- # directory bucket.
864
+ # **General purpose buckets** - This value must be explicitly added to
865
+ # specify encryption context for `CopyObject` requests if you want an
866
+ # additional encryption context for your destination object. The
867
+ # additional encryption context of the source object won't be copied to
868
+ # the destination object. For more information, see [Encryption
869
+ # context][1] in the *Amazon S3 User Guide*.
823
870
  #
824
- # </note>
871
+ # **Directory buckets** - You can optionally provide an explicit
872
+ # encryption context value. The value must match the default encryption
873
+ # context - the bucket Amazon Resource Name (ARN). An additional
874
+ # encryption context value is not supported.
875
+ #
876
+ #
877
+ #
878
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
825
879
  # @option options [Boolean] :bucket_key_enabled
826
880
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
827
881
  # encryption with server-side encryption using Key Management Service
@@ -835,14 +889,19 @@ module Aws::S3
835
889
  # For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon S3
836
890
  # User Guide*.
837
891
  #
838
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
839
- # directory bucket.
892
+ # <note markdown="1"> **Directory buckets** - S3 Bucket Keys aren't supported, when you
893
+ # copy SSE-KMS encrypted objects from general purpose buckets to
894
+ # directory buckets, from directory buckets to general purpose buckets,
895
+ # or between directory buckets, through [CopyObject][2]. In this case,
896
+ # Amazon S3 makes a call to KMS every time a copy request is made for a
897
+ # KMS-encrypted object.
840
898
  #
841
899
  # </note>
842
900
  #
843
901
  #
844
902
  #
845
903
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
904
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
846
905
  # @option options [String] :copy_source_sse_customer_algorithm
847
906
  # Specifies the algorithm to use when decrypting the source object (for
848
907
  # example, `AES256`).
@@ -1299,10 +1358,10 @@ module Aws::S3
1299
1358
  # @option options [String] :checksum_mode
1300
1359
  # To retrieve the checksum, this mode must be enabled.
1301
1360
  #
1302
- # In addition, if you enable checksum mode and the object is uploaded
1303
- # with a [checksum][1] and encrypted with an Key Management Service
1304
- # (KMS) key, you must have permission to use the `kms:Decrypt` action to
1305
- # retrieve the checksum.
1361
+ # **General purpose buckets** - In addition, if you enable checksum mode
1362
+ # and the object is uploaded with a [checksum][1] and encrypted with an
1363
+ # Key Management Service (KMS) key, you must have permission to use the
1364
+ # `kms:Decrypt` action to retrieve the checksum.
1306
1365
  #
1307
1366
  #
1308
1367
  #
@@ -1655,10 +1714,52 @@ module Aws::S3
1655
1714
  # The server-side encryption algorithm used when you store this object
1656
1715
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
1657
1716
  #
1658
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
1659
- # managed keys (SSE-S3) (`AES256`) is supported.
1717
+ # * <b>Directory buckets </b> - For directory buckets, there are only
1718
+ # two supported options for server-side encryption: server-side
1719
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
1720
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
1721
+ # recommend that the bucket's default encryption uses the desired
1722
+ # encryption configuration and you don't override the bucket default
1723
+ # encryption in your `CreateSession` requests or `PUT` object
1724
+ # requests. Then, new objects are automatically encrypted with the
1725
+ # desired encryption settings. For more information, see [Protecting
1726
+ # data with server-side encryption][1] in the *Amazon S3 User Guide*.
1727
+ # For more information about the encryption overriding behaviors in
1728
+ # directory buckets, see [Specifying server-side encryption with KMS
1729
+ # for new object uploads][2].
1730
+ #
1731
+ # In the Zonal endpoint API calls (except [CopyObject][3] and
1732
+ # [UploadPartCopy][4]) using the REST API, the encryption request
1733
+ # headers must match the encryption settings that are specified in the
1734
+ # `CreateSession` request. You can't override the values of the
1735
+ # encryption settings (`x-amz-server-side-encryption`,
1736
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
1737
+ # `x-amz-server-side-encryption-context`, and
1738
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
1739
+ # specified in the `CreateSession` request. You don't need to
1740
+ # explicitly specify these encryption settings values in Zonal
1741
+ # endpoint API calls, and Amazon S3 will use the encryption settings
1742
+ # values from the `CreateSession` request to protect new objects in
1743
+ # the directory bucket.
1744
+ #
1745
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
1746
+ # `CreateSession`, the session token refreshes automatically to avoid
1747
+ # service interruptions when a session expires. The CLI or the Amazon
1748
+ # Web Services SDKs use the bucket's default encryption configuration
1749
+ # for the `CreateSession` request. It's not supported to override the
1750
+ # encryption settings values in the `CreateSession` request. So in the
1751
+ # Zonal endpoint API calls (except [CopyObject][3] and
1752
+ # [UploadPartCopy][4]), the encryption request headers must match the
1753
+ # default encryption configuration of the directory bucket.
1660
1754
  #
1661
- # </note>
1755
+ # </note>
1756
+ #
1757
+ #
1758
+ #
1759
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
1760
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
1761
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
1762
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
1662
1763
  # @option options [String] :storage_class
1663
1764
  # By default, Amazon S3 uses the STANDARD Storage Class to store newly
1664
1765
  # created objects. The STANDARD storage class provides high durability
@@ -1711,32 +1812,69 @@ module Aws::S3
1711
1812
  #
1712
1813
  # </note>
1713
1814
  # @option options [String] :ssekms_key_id
1714
- # Specifies the ID (Key ID, Key ARN, or Key Alias) of the symmetric
1715
- # encryption customer managed key to use for object encryption.
1716
- #
1717
- # <note markdown="1"> This functionality is not supported for directory buckets.
1718
- #
1719
- # </note>
1815
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
1816
+ # object encryption. If the KMS key doesn't exist in the same account
1817
+ # that's issuing the command, you must use the full Key ARN not the Key
1818
+ # ID.
1819
+ #
1820
+ # **General purpose buckets** - If you specify
1821
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
1822
+ # header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
1823
+ # to use. If you specify `x-amz-server-side-encryption:aws:kms` or
1824
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
1825
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
1826
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
1827
+ #
1828
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
1829
+ # with `aws:kms`, you must specify the `
1830
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
1831
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
1832
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
1833
+ # key ID or key ARN. The key alias format of the KMS key isn't
1834
+ # supported. Your SSE-KMS configuration can only support 1 [customer
1835
+ # managed key][1] per directory bucket for the lifetime of the bucket.
1836
+ # [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
1837
+ #
1838
+ #
1839
+ #
1840
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
1841
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1720
1842
  # @option options [String] :ssekms_encryption_context
1721
1843
  # Specifies the Amazon Web Services KMS Encryption Context to use for
1722
- # object encryption. The value of this header is a base64-encoded UTF-8
1723
- # string holding JSON with the encryption context key-value pairs.
1724
- #
1725
- # <note markdown="1"> This functionality is not supported for directory buckets.
1726
- #
1727
- # </note>
1844
+ # object encryption. The value of this header is a Base64-encoded string
1845
+ # of a UTF-8 encoded JSON, which contains the encryption context as
1846
+ # key-value pairs.
1847
+ #
1848
+ # **Directory buckets** - You can optionally provide an explicit
1849
+ # encryption context value. The value must match the default encryption
1850
+ # context - the bucket Amazon Resource Name (ARN). An additional
1851
+ # encryption context value is not supported.
1728
1852
  # @option options [Boolean] :bucket_key_enabled
1729
1853
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
1730
1854
  # encryption with server-side encryption using Key Management Service
1731
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
1732
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
1855
+ # (KMS) keys (SSE-KMS).
1733
1856
  #
1734
- # Specifying this header with an object action doesn’t affect
1857
+ # **General purpose buckets** - Setting this header to `true` causes
1858
+ # Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
1859
+ # Also, specifying this header with a PUT action doesn't affect
1735
1860
  # bucket-level settings for S3 Bucket Key.
1736
1861
  #
1737
- # <note markdown="1"> This functionality is not supported for directory buckets.
1862
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
1863
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
1864
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
1865
+ # from general purpose buckets to directory buckets, from directory
1866
+ # buckets to general purpose buckets, or between directory buckets,
1867
+ # through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
1868
+ # Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
1869
+ # makes a call to KMS every time a copy request is made for a
1870
+ # KMS-encrypted object.
1738
1871
  #
1739
- # </note>
1872
+ #
1873
+ #
1874
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
1875
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
1876
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
1877
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
1740
1878
  # @option options [String] :request_payer
1741
1879
  # Confirms that the requester knows that they will be charged for the
1742
1880
  # request. Bucket owners need not specify this parameter in their
@@ -2100,25 +2238,65 @@ module Aws::S3
2100
2238
  # object in Amazon S3 (for example, `AES256`, `aws:kms`,
2101
2239
  # `aws:kms:dsse`).
2102
2240
  #
2103
- # <b>General purpose buckets </b> - You have four mutually exclusive
2104
- # options to protect data using server-side encryption in Amazon S3,
2105
- # depending on how you choose to manage the encryption keys.
2106
- # Specifically, the encryption key options are Amazon S3 managed keys
2107
- # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
2108
- # customer-provided keys (SSE-C). Amazon S3 encrypts data with
2109
- # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
2110
- # default. You can optionally tell Amazon S3 to encrypt data at rest by
2111
- # using server-side encryption with other key options. For more
2112
- # information, see [Using Server-Side Encryption][1] in the *Amazon S3
2113
- # User Guide*.
2241
+ # * <b>General purpose buckets </b> - You have four mutually exclusive
2242
+ # options to protect data using server-side encryption in Amazon S3,
2243
+ # depending on how you choose to manage the encryption keys.
2244
+ # Specifically, the encryption key options are Amazon S3 managed keys
2245
+ # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
2246
+ # customer-provided keys (SSE-C). Amazon S3 encrypts data with
2247
+ # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
2248
+ # default. You can optionally tell Amazon S3 to encrypt data at rest
2249
+ # by using server-side encryption with other key options. For more
2250
+ # information, see [Using Server-Side Encryption][1] in the *Amazon S3
2251
+ # User Guide*.
2252
+ #
2253
+ # * <b>Directory buckets </b> - For directory buckets, there are only
2254
+ # two supported options for server-side encryption: server-side
2255
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
2256
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
2257
+ # recommend that the bucket's default encryption uses the desired
2258
+ # encryption configuration and you don't override the bucket default
2259
+ # encryption in your `CreateSession` requests or `PUT` object
2260
+ # requests. Then, new objects are automatically encrypted with the
2261
+ # desired encryption settings. For more information, see [Protecting
2262
+ # data with server-side encryption][2] in the *Amazon S3 User Guide*.
2263
+ # For more information about the encryption overriding behaviors in
2264
+ # directory buckets, see [Specifying server-side encryption with KMS
2265
+ # for new object uploads][3].
2266
+ #
2267
+ # In the Zonal endpoint API calls (except [CopyObject][4] and
2268
+ # [UploadPartCopy][5]) using the REST API, the encryption request
2269
+ # headers must match the encryption settings that are specified in the
2270
+ # `CreateSession` request. You can't override the values of the
2271
+ # encryption settings (`x-amz-server-side-encryption`,
2272
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
2273
+ # `x-amz-server-side-encryption-context`, and
2274
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
2275
+ # specified in the `CreateSession` request. You don't need to
2276
+ # explicitly specify these encryption settings values in Zonal
2277
+ # endpoint API calls, and Amazon S3 will use the encryption settings
2278
+ # values from the `CreateSession` request to protect new objects in
2279
+ # the directory bucket.
2280
+ #
2281
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
2282
+ # `CreateSession`, the session token refreshes automatically to avoid
2283
+ # service interruptions when a session expires. The CLI or the Amazon
2284
+ # Web Services SDKs use the bucket's default encryption configuration
2285
+ # for the `CreateSession` request. It's not supported to override the
2286
+ # encryption settings values in the `CreateSession` request. So in the
2287
+ # Zonal endpoint API calls (except [CopyObject][4] and
2288
+ # [UploadPartCopy][5]), the encryption request headers must match the
2289
+ # default encryption configuration of the directory bucket.
2114
2290
  #
2115
- # <b>Directory buckets </b> - For directory buckets, only the
2116
- # server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`)
2117
- # value is supported.
2291
+ # </note>
2118
2292
  #
2119
2293
  #
2120
2294
  #
2121
2295
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
2296
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
2297
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
2298
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
2299
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
2122
2300
  # @option options [String] :storage_class
2123
2301
  # By default, Amazon S3 uses the STANDARD Storage Class to store newly
2124
2302
  # created objects. The STANDARD storage class provides high durability
@@ -2192,44 +2370,81 @@ module Aws::S3
2192
2370
  #
2193
2371
  # </note>
2194
2372
  # @option options [String] :ssekms_key_id
2195
- # If `x-amz-server-side-encryption` has a valid value of `aws:kms` or
2196
- # `aws:kms:dsse`, this header specifies the ID (Key ID, Key ARN, or Key
2197
- # Alias) of the Key Management Service (KMS) symmetric encryption
2198
- # customer managed key that was used for the object. If you specify
2199
- # `x-amz-server-side-encryption:aws:kms` or
2200
- # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide`
2201
- # x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
2202
- # Amazon Web Services managed key (`aws/s3`) to protect the data. If the
2203
- # KMS key does not exist in the same account that's issuing the
2204
- # command, you must use the full ARN and not just the ID.
2373
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
2374
+ # object encryption. If the KMS key doesn't exist in the same account
2375
+ # that's issuing the command, you must use the full Key ARN not the Key
2376
+ # ID.
2377
+ #
2378
+ # **General purpose buckets** - If you specify
2379
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
2380
+ # header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
2381
+ # to use. If you specify `x-amz-server-side-encryption:aws:kms` or
2382
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
2383
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
2384
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
2385
+ #
2386
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
2387
+ # with `aws:kms`, you must specify the `
2388
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
2389
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
2390
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
2391
+ # key ID or key ARN. The key alias format of the KMS key isn't
2392
+ # supported. Your SSE-KMS configuration can only support 1 [customer
2393
+ # managed key][1] per directory bucket for the lifetime of the bucket.
2394
+ # [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
2395
+ #
2396
+ #
2397
+ #
2398
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
2399
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
2400
+ # @option options [String] :ssekms_encryption_context
2401
+ # Specifies the Amazon Web Services KMS Encryption Context as an
2402
+ # additional encryption context to use for object encryption. The value
2403
+ # of this header is a Base64-encoded string of a UTF-8 encoded JSON,
2404
+ # which contains the encryption context as key-value pairs. This value
2405
+ # is stored as object metadata and automatically gets passed on to
2406
+ # Amazon Web Services KMS for future `GetObject` operations on this
2407
+ # object.
2205
2408
  #
2206
- # <note markdown="1"> This functionality is not supported for directory buckets.
2409
+ # **General purpose buckets** - This value must be explicitly added
2410
+ # during `CopyObject` operations if you want an additional encryption
2411
+ # context for your object. For more information, see [Encryption
2412
+ # context][1] in the *Amazon S3 User Guide*.
2207
2413
  #
2208
- # </note>
2209
- # @option options [String] :ssekms_encryption_context
2210
- # Specifies the Amazon Web Services KMS Encryption Context to use for
2211
- # object encryption. The value of this header is a base64-encoded UTF-8
2212
- # string holding JSON with the encryption context key-value pairs. This
2213
- # value is stored as object metadata and automatically gets passed on to
2214
- # Amazon Web Services KMS for future `GetObject` or `CopyObject`
2215
- # operations on this object. This value must be explicitly added during
2216
- # `CopyObject` operations.
2414
+ # **Directory buckets** - You can optionally provide an explicit
2415
+ # encryption context value. The value must match the default encryption
2416
+ # context - the bucket Amazon Resource Name (ARN). An additional
2417
+ # encryption context value is not supported.
2217
2418
  #
2218
- # <note markdown="1"> This functionality is not supported for directory buckets.
2219
2419
  #
2220
- # </note>
2420
+ #
2421
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
2221
2422
  # @option options [Boolean] :bucket_key_enabled
2222
2423
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
2223
2424
  # encryption with server-side encryption using Key Management Service
2224
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
2225
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
2425
+ # (KMS) keys (SSE-KMS).
2226
2426
  #
2227
- # Specifying this header with a PUT action doesn’t affect bucket-level
2228
- # settings for S3 Bucket Key.
2427
+ # **General purpose buckets** - Setting this header to `true` causes
2428
+ # Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
2429
+ # Also, specifying this header with a PUT action doesn't affect
2430
+ # bucket-level settings for S3 Bucket Key.
2229
2431
  #
2230
- # <note markdown="1"> This functionality is not supported for directory buckets.
2432
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
2433
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
2434
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
2435
+ # from general purpose buckets to directory buckets, from directory
2436
+ # buckets to general purpose buckets, or between directory buckets,
2437
+ # through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
2438
+ # Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
2439
+ # makes a call to KMS every time a copy request is made for a
2440
+ # KMS-encrypted object.
2231
2441
  #
2232
- # </note>
2442
+ #
2443
+ #
2444
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
2445
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
2446
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
2447
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
2233
2448
  # @option options [String] :request_payer
2234
2449
  # Confirms that the requester knows that they will be charged for the
2235
2450
  # request. Bucket owners need not specify this parameter in their
@@ -524,10 +524,10 @@ module Aws::S3
524
524
  # @option options [String] :checksum_mode
525
525
  # To retrieve the checksum, this mode must be enabled.
526
526
  #
527
- # In addition, if you enable checksum mode and the object is uploaded
528
- # with a [checksum][1] and encrypted with an Key Management Service
529
- # (KMS) key, you must have permission to use the `kms:Decrypt` action to
530
- # retrieve the checksum.
527
+ # **General purpose buckets** - In addition, if you enable checksum mode
528
+ # and the object is uploaded with a [checksum][1] and encrypted with an
529
+ # Key Management Service (KMS) key, you must have permission to use the
530
+ # `kms:Decrypt` action to retrieve the checksum.
531
531
  #
532
532
  #
533
533
  #
@@ -710,10 +710,16 @@ module Aws::S3
710
710
  # @option options [String] :checksum_mode
711
711
  # To retrieve the checksum, this parameter must be enabled.
712
712
  #
713
- # In addition, if you enable checksum mode and the object is uploaded
714
- # with a [checksum][1] and encrypted with an Key Management Service
715
- # (KMS) key, you must have permission to use the `kms:Decrypt` action to
716
- # retrieve the checksum.
713
+ # **General purpose buckets** - If you enable checksum mode and the
714
+ # object is uploaded with a [checksum][1] and encrypted with an Key
715
+ # Management Service (KMS) key, you must have permission to use the
716
+ # `kms:Decrypt` action to retrieve the checksum.
717
+ #
718
+ # **Directory buckets** - If you enable `ChecksumMode` and the object is
719
+ # encrypted with Amazon Web Services Key Management Service (Amazon Web
720
+ # Services KMS), you must also have the `kms:GenerateDataKey` and
721
+ # `kms:Decrypt` permissions in IAM identity-based policies and KMS key
722
+ # policies for the KMS key to retrieve the checksum of the object.
717
723
  #
718
724
  #
719
725
  #
@@ -46,11 +46,20 @@ module Aws::S3
46
46
  context[:auth_scheme] =
47
47
  Aws::Endpoints.resolve_auth_scheme(context, endpoint)
48
48
 
49
- @handler.call(context)
49
+ with_metrics(context) { @handler.call(context) }
50
50
  end
51
51
 
52
52
  private
53
53
 
54
+ def with_metrics(context, &block)
55
+ metrics = []
56
+ metrics << 'ENDPOINT_OVERRIDE' unless context.config.regional_endpoint
57
+ if context[:auth_scheme] && context[:auth_scheme]['name'] == 'sigv4a'
58
+ metrics << 'SIGV4A_SIGNING'
59
+ end
60
+ Aws::Plugins::UserAgent.metric(*metrics, &block)
61
+ end
62
+
54
63
  def apply_endpoint_headers(context, headers)
55
64
  headers.each do |key, values|
56
65
  value = values