aws-sdk-s3 1.159.0 → 1.163.0

Sign up to get free protection for your applications and to get access to all the features.
@@ -865,11 +865,6 @@ module Aws::S3
865
865
  # @!attribute [rw] server_side_encryption
866
866
  # The server-side encryption algorithm used when storing this object
867
867
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
868
- #
869
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
870
- # managed keys (SSE-S3) (`AES256`) is supported.
871
- #
872
- # </note>
873
868
  # @return [String]
874
869
  #
875
870
  # @!attribute [rw] version_id
@@ -882,23 +877,14 @@ module Aws::S3
882
877
  # @return [String]
883
878
  #
884
879
  # @!attribute [rw] ssekms_key_id
885
- # If present, indicates the ID of the Key Management Service (KMS)
886
- # symmetric encryption customer managed key that was used for the
887
- # object.
888
- #
889
- # <note markdown="1"> This functionality is not supported for directory buckets.
890
- #
891
- # </note>
880
+ # If present, indicates the ID of the KMS key that was used for object
881
+ # encryption.
892
882
  # @return [String]
893
883
  #
894
884
  # @!attribute [rw] bucket_key_enabled
895
885
  # Indicates whether the multipart upload uses an S3 Bucket Key for
896
886
  # server-side encryption with Key Management Service (KMS) keys
897
887
  # (SSE-KMS).
898
- #
899
- # <note markdown="1"> This functionality is not supported for directory buckets.
900
- #
901
- # </note>
902
888
  # @return [Boolean]
903
889
  #
904
890
  # @!attribute [rw] request_charged
@@ -1348,11 +1334,6 @@ module Aws::S3
1348
1334
  # @!attribute [rw] server_side_encryption
1349
1335
  # The server-side encryption algorithm used when you store this object
1350
1336
  # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
1351
- #
1352
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
1353
- # managed keys (SSE-S3) (`AES256`) is supported.
1354
- #
1355
- # </note>
1356
1337
  # @return [String]
1357
1338
  #
1358
1339
  # @!attribute [rw] sse_customer_algorithm
@@ -1377,13 +1358,8 @@ module Aws::S3
1377
1358
  # @return [String]
1378
1359
  #
1379
1360
  # @!attribute [rw] ssekms_key_id
1380
- # If present, indicates the ID of the Key Management Service (KMS)
1381
- # symmetric encryption customer managed key that was used for the
1382
- # object.
1383
- #
1384
- # <note markdown="1"> This functionality is not supported for directory buckets.
1385
- #
1386
- # </note>
1361
+ # If present, indicates the ID of the KMS key that was used for object
1362
+ # encryption.
1387
1363
  # @return [String]
1388
1364
  #
1389
1365
  # @!attribute [rw] ssekms_encryption_context
@@ -1391,20 +1367,12 @@ module Aws::S3
1391
1367
  # to use for object encryption. The value of this header is a
1392
1368
  # base64-encoded UTF-8 string holding JSON with the encryption context
1393
1369
  # key-value pairs.
1394
- #
1395
- # <note markdown="1"> This functionality is not supported for directory buckets.
1396
- #
1397
- # </note>
1398
1370
  # @return [String]
1399
1371
  #
1400
1372
  # @!attribute [rw] bucket_key_enabled
1401
1373
  # Indicates whether the copied object uses an S3 Bucket Key for
1402
1374
  # server-side encryption with Key Management Service (KMS) keys
1403
1375
  # (SSE-KMS).
1404
- #
1405
- # <note markdown="1"> This functionality is not supported for directory buckets.
1406
- #
1407
- # </note>
1408
1376
  # @return [Boolean]
1409
1377
  #
1410
1378
  # @!attribute [rw] request_charged
@@ -1832,9 +1800,8 @@ module Aws::S3
1832
1800
  #
1833
1801
  # @!attribute [rw] server_side_encryption
1834
1802
  # The server-side encryption algorithm used when storing this object
1835
- # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
1836
- # Unrecognized or unsupported values won’t write a destination object
1837
- # and will receive a `400 Bad Request` response.
1803
+ # in Amazon S3. Unrecognized or unsupported values won’t write a
1804
+ # destination object and will receive a `400 Bad Request` response.
1838
1805
  #
1839
1806
  # Amazon S3 automatically encrypts all new objects that are copied to
1840
1807
  # an S3 bucket. When copying an object, if you don't specify
@@ -1843,21 +1810,8 @@ module Aws::S3
1843
1810
  # of the destination bucket. By default, all buckets have a base level
1844
1811
  # of encryption configuration that uses server-side encryption with
1845
1812
  # Amazon S3 managed keys (SSE-S3). If the destination bucket has a
1846
- # default encryption configuration that uses server-side encryption
1847
- # with Key Management Service (KMS) keys (SSE-KMS), dual-layer
1848
- # server-side encryption with Amazon Web Services KMS keys (DSSE-KMS),
1849
- # or server-side encryption with customer-provided encryption keys
1850
- # (SSE-C), Amazon S3 uses the corresponding KMS key, or a
1851
- # customer-provided key to encrypt the target object copy.
1852
- #
1853
- # When you perform a `CopyObject` operation, if you want to use a
1854
- # different type of encryption setting for the target object, you can
1855
- # specify appropriate encryption-related headers to encrypt the target
1856
- # object with an Amazon S3 managed key, a KMS key, or a
1857
- # customer-provided key. If the encryption setting in your request is
1858
- # different from the default encryption configuration of the
1859
- # destination bucket, the encryption setting in your request takes
1860
- # precedence.
1813
+ # different default encryption configuration, Amazon S3 uses the
1814
+ # corresponding encryption key to encrypt the target object copy.
1861
1815
  #
1862
1816
  # With server-side encryption, Amazon S3 encrypts your data as it
1863
1817
  # writes your data to disks in its data centers and decrypts the data
@@ -1865,14 +1819,63 @@ module Aws::S3
1865
1819
  # encryption, see [Using Server-Side Encryption][1] in the *Amazon S3
1866
1820
  # User Guide*.
1867
1821
  #
1868
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
1869
- # managed keys (SSE-S3) (`AES256`) is supported.
1870
- #
1871
- # </note>
1822
+ # <b>General purpose buckets </b>
1823
+ #
1824
+ # * For general purpose buckets, there are the following supported
1825
+ # options for server-side encryption: server-side encryption with
1826
+ # Key Management Service (KMS) keys (SSE-KMS), dual-layer
1827
+ # server-side encryption with Amazon Web Services KMS keys
1828
+ # (DSSE-KMS), and server-side encryption with customer-provided
1829
+ # encryption keys (SSE-C). Amazon S3 uses the corresponding KMS key,
1830
+ # or a customer-provided key to encrypt the target object copy.
1831
+ #
1832
+ # * When you perform a `CopyObject` operation, if you want to use a
1833
+ # different type of encryption setting for the target object, you
1834
+ # can specify appropriate encryption-related headers to encrypt the
1835
+ # target object with an Amazon S3 managed key, a KMS key, or a
1836
+ # customer-provided key. If the encryption setting in your request
1837
+ # is different from the default encryption configuration of the
1838
+ # destination bucket, the encryption setting in your request takes
1839
+ # precedence.
1840
+ #
1841
+ # <b>Directory buckets </b>
1842
+ #
1843
+ # * For directory buckets, there are only two supported options for
1844
+ # server-side encryption: server-side encryption with Amazon S3
1845
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with
1846
+ # KMS keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's
1847
+ # default encryption uses the desired encryption configuration and
1848
+ # you don't override the bucket default encryption in your
1849
+ # `CreateSession` requests or `PUT` object requests. Then, new
1850
+ # objects are automatically encrypted with the desired encryption
1851
+ # settings. For more information, see [Protecting data with
1852
+ # server-side encryption][2] in the *Amazon S3 User Guide*. For more
1853
+ # information about the encryption overriding behaviors in directory
1854
+ # buckets, see [Specifying server-side encryption with KMS for new
1855
+ # object uploads][3].
1856
+ #
1857
+ # * To encrypt new object copies to a directory bucket with SSE-KMS,
1858
+ # we recommend you specify SSE-KMS as the directory bucket's
1859
+ # default encryption configuration with a KMS key (specifically, a
1860
+ # [customer managed key][4]). [Amazon Web Services managed key][5]
1861
+ # (`aws/s3`) isn't supported. Your SSE-KMS configuration can only
1862
+ # support 1 [customer managed key][4] per directory bucket for the
1863
+ # lifetime of the bucket. After you specify a customer managed key
1864
+ # for SSE-KMS, you can't override the customer managed key for the
1865
+ # bucket's SSE-KMS configuration. Then, when you perform a
1866
+ # `CopyObject` operation and want to specify server-side encryption
1867
+ # settings for new object copies with SSE-KMS in the
1868
+ # encryption-related request headers, you must ensure the encryption
1869
+ # key is the same customer managed key that you specified for the
1870
+ # directory bucket's default encryption configuration.
1872
1871
  #
1873
1872
  #
1874
1873
  #
1875
1874
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
1875
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
1876
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
1877
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
1878
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1876
1879
  # @return [String]
1877
1880
  #
1878
1881
  # @!attribute [rw] storage_class
@@ -1978,7 +1981,7 @@ module Aws::S3
1978
1981
  # @return [String]
1979
1982
  #
1980
1983
  # @!attribute [rw] ssekms_key_id
1981
- # Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for
1984
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
1982
1985
  # object encryption. All GET and PUT requests for an object protected
1983
1986
  # by KMS will fail if they're not made via SSL or using SigV4. For
1984
1987
  # information about configuring any of the officially supported Amazon
@@ -1986,27 +1989,45 @@ module Aws::S3
1986
1989
  # Signature Version in Request Authentication][1] in the *Amazon S3
1987
1990
  # User Guide*.
1988
1991
  #
1989
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1990
- # directory bucket.
1991
- #
1992
- # </note>
1992
+ # **Directory buckets** - If you specify
1993
+ # `x-amz-server-side-encryption` with `aws:kms`, you must specify the
1994
+ # ` x-amz-server-side-encryption-aws-kms-key-id` header with the ID
1995
+ # (Key ID or Key ARN) of the KMS symmetric encryption customer managed
1996
+ # key to use. Otherwise, you get an HTTP `400 Bad Request` error. Only
1997
+ # use the key ID or key ARN. The key alias format of the KMS key
1998
+ # isn't supported. Your SSE-KMS configuration can only support 1
1999
+ # [customer managed key][2] per directory bucket for the lifetime of
2000
+ # the bucket. [Amazon Web Services managed key][3] (`aws/s3`) isn't
2001
+ # supported.
1993
2002
  #
1994
2003
  #
1995
2004
  #
1996
2005
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
2006
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
2007
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1997
2008
  # @return [String]
1998
2009
  #
1999
2010
  # @!attribute [rw] ssekms_encryption_context
2000
- # Specifies the Amazon Web Services KMS Encryption Context to use for
2001
- # object encryption. The value of this header is a base64-encoded
2002
- # UTF-8 string holding JSON with the encryption context key-value
2003
- # pairs. This value must be explicitly added to specify encryption
2004
- # context for `CopyObject` requests.
2011
+ # Specifies the Amazon Web Services KMS Encryption Context as an
2012
+ # additional encryption context to use for the destination object
2013
+ # encryption. The value of this header is a base64-encoded UTF-8
2014
+ # string holding JSON with the encryption context key-value pairs.
2005
2015
  #
2006
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
2007
- # directory bucket.
2016
+ # **General purpose buckets** - This value must be explicitly added to
2017
+ # specify encryption context for `CopyObject` requests if you want an
2018
+ # additional encryption context for your destination object. The
2019
+ # additional encryption context of the source object won't be copied
2020
+ # to the destination object. For more information, see [Encryption
2021
+ # context][1] in the *Amazon S3 User Guide*.
2008
2022
  #
2009
- # </note>
2023
+ # **Directory buckets** - You can optionally provide an explicit
2024
+ # encryption context value. The value must match the default
2025
+ # encryption context - the bucket Amazon Resource Name (ARN). An
2026
+ # additional encryption context value is not supported.
2027
+ #
2028
+ #
2029
+ #
2030
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
2010
2031
  # @return [String]
2011
2032
  #
2012
2033
  # @!attribute [rw] bucket_key_enabled
@@ -2023,14 +2044,19 @@ module Aws::S3
2023
2044
  # For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon
2024
2045
  # S3 User Guide*.
2025
2046
  #
2026
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
2027
- # directory bucket.
2047
+ # <note markdown="1"> **Directory buckets** - S3 Bucket Keys aren't supported, when you
2048
+ # copy SSE-KMS encrypted objects from general purpose buckets to
2049
+ # directory buckets, from directory buckets to general purpose
2050
+ # buckets, or between directory buckets, through [CopyObject][2]. In
2051
+ # this case, Amazon S3 makes a call to KMS every time a copy request
2052
+ # is made for a KMS-encrypted object.
2028
2053
  #
2029
2054
  # </note>
2030
2055
  #
2031
2056
  #
2032
2057
  #
2033
2058
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
2059
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
2034
2060
  # @return [Boolean]
2035
2061
  #
2036
2062
  # @!attribute [rw] copy_source_sse_customer_algorithm
@@ -2642,11 +2668,6 @@ module Aws::S3
2642
2668
  # @!attribute [rw] server_side_encryption
2643
2669
  # The server-side encryption algorithm used when you store this object
2644
2670
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
2645
- #
2646
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
2647
- # managed keys (SSE-S3) (`AES256`) is supported.
2648
- #
2649
- # </note>
2650
2671
  # @return [String]
2651
2672
  #
2652
2673
  # @!attribute [rw] sse_customer_algorithm
@@ -2671,34 +2692,21 @@ module Aws::S3
2671
2692
  # @return [String]
2672
2693
  #
2673
2694
  # @!attribute [rw] ssekms_key_id
2674
- # If present, indicates the ID of the Key Management Service (KMS)
2675
- # symmetric encryption customer managed key that was used for the
2676
- # object.
2677
- #
2678
- # <note markdown="1"> This functionality is not supported for directory buckets.
2679
- #
2680
- # </note>
2695
+ # If present, indicates the ID of the KMS key that was used for object
2696
+ # encryption.
2681
2697
  # @return [String]
2682
2698
  #
2683
2699
  # @!attribute [rw] ssekms_encryption_context
2684
2700
  # If present, indicates the Amazon Web Services KMS Encryption Context
2685
2701
  # to use for object encryption. The value of this header is a
2686
- # base64-encoded UTF-8 string holding JSON with the encryption context
2687
- # key-value pairs.
2688
- #
2689
- # <note markdown="1"> This functionality is not supported for directory buckets.
2690
- #
2691
- # </note>
2702
+ # Base64-encoded string of a UTF-8 encoded JSON, which contains the
2703
+ # encryption context as key-value pairs.
2692
2704
  # @return [String]
2693
2705
  #
2694
2706
  # @!attribute [rw] bucket_key_enabled
2695
2707
  # Indicates whether the multipart upload uses an S3 Bucket Key for
2696
2708
  # server-side encryption with Key Management Service (KMS) keys
2697
2709
  # (SSE-KMS).
2698
- #
2699
- # <note markdown="1"> This functionality is not supported for directory buckets.
2700
- #
2701
- # </note>
2702
2710
  # @return [Boolean]
2703
2711
  #
2704
2712
  # @!attribute [rw] request_charged
@@ -3110,10 +3118,53 @@ module Aws::S3
3110
3118
  # The server-side encryption algorithm used when you store this object
3111
3119
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
3112
3120
  #
3113
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
3114
- # managed keys (SSE-S3) (`AES256`) is supported.
3121
+ # * <b>Directory buckets </b> - For directory buckets, there are only
3122
+ # two supported options for server-side encryption: server-side
3123
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
3124
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
3125
+ # recommend that the bucket's default encryption uses the desired
3126
+ # encryption configuration and you don't override the bucket
3127
+ # default encryption in your `CreateSession` requests or `PUT`
3128
+ # object requests. Then, new objects are automatically encrypted
3129
+ # with the desired encryption settings. For more information, see
3130
+ # [Protecting data with server-side encryption][1] in the *Amazon S3
3131
+ # User Guide*. For more information about the encryption overriding
3132
+ # behaviors in directory buckets, see [Specifying server-side
3133
+ # encryption with KMS for new object uploads][2].
3134
+ #
3135
+ # In the Zonal endpoint API calls (except [CopyObject][3] and
3136
+ # [UploadPartCopy][4]) using the REST API, the encryption request
3137
+ # headers must match the encryption settings that are specified in
3138
+ # the `CreateSession` request. You can't override the values of the
3139
+ # encryption settings (`x-amz-server-side-encryption`,
3140
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
3141
+ # `x-amz-server-side-encryption-context`, and
3142
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
3143
+ # specified in the `CreateSession` request. You don't need to
3144
+ # explicitly specify these encryption settings values in Zonal
3145
+ # endpoint API calls, and Amazon S3 will use the encryption settings
3146
+ # values from the `CreateSession` request to protect new objects in
3147
+ # the directory bucket.
3148
+ #
3149
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
3150
+ # `CreateSession`, the session token refreshes automatically to
3151
+ # avoid service interruptions when a session expires. The CLI or the
3152
+ # Amazon Web Services SDKs use the bucket's default encryption
3153
+ # configuration for the `CreateSession` request. It's not supported
3154
+ # to override the encryption settings values in the `CreateSession`
3155
+ # request. So in the Zonal endpoint API calls (except
3156
+ # [CopyObject][3] and [UploadPartCopy][4]), the encryption request
3157
+ # headers must match the default encryption configuration of the
3158
+ # directory bucket.
3115
3159
  #
3116
- # </note>
3160
+ # </note>
3161
+ #
3162
+ #
3163
+ #
3164
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3165
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
3166
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3167
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3117
3168
  # @return [String]
3118
3169
  #
3119
3170
  # @!attribute [rw] storage_class
@@ -3179,37 +3230,75 @@ module Aws::S3
3179
3230
  # @return [String]
3180
3231
  #
3181
3232
  # @!attribute [rw] ssekms_key_id
3182
- # Specifies the ID (Key ID, Key ARN, or Key Alias) of the symmetric
3183
- # encryption customer managed key to use for object encryption.
3233
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
3234
+ # object encryption. If the KMS key doesn't exist in the same account
3235
+ # that's issuing the command, you must use the full Key ARN not the
3236
+ # Key ID.
3237
+ #
3238
+ # **General purpose buckets** - If you specify
3239
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`,
3240
+ # this header specifies the ID (Key ID, Key ARN, or Key Alias) of the
3241
+ # KMS key to use. If you specify
3242
+ # `x-amz-server-side-encryption:aws:kms` or
3243
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
3244
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
3245
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
3184
3246
  #
3185
- # <note markdown="1"> This functionality is not supported for directory buckets.
3247
+ # **Directory buckets** - If you specify
3248
+ # `x-amz-server-side-encryption` with `aws:kms`, you must specify the
3249
+ # ` x-amz-server-side-encryption-aws-kms-key-id` header with the ID
3250
+ # (Key ID or Key ARN) of the KMS symmetric encryption customer managed
3251
+ # key to use. Otherwise, you get an HTTP `400 Bad Request` error. Only
3252
+ # use the key ID or key ARN. The key alias format of the KMS key
3253
+ # isn't supported. Your SSE-KMS configuration can only support 1
3254
+ # [customer managed key][1] per directory bucket for the lifetime of
3255
+ # the bucket. [Amazon Web Services managed key][2] (`aws/s3`) isn't
3256
+ # supported.
3186
3257
  #
3187
- # </note>
3258
+ #
3259
+ #
3260
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3261
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3188
3262
  # @return [String]
3189
3263
  #
3190
3264
  # @!attribute [rw] ssekms_encryption_context
3191
3265
  # Specifies the Amazon Web Services KMS Encryption Context to use for
3192
- # object encryption. The value of this header is a base64-encoded
3193
- # UTF-8 string holding JSON with the encryption context key-value
3194
- # pairs.
3195
- #
3196
- # <note markdown="1"> This functionality is not supported for directory buckets.
3266
+ # object encryption. The value of this header is a Base64-encoded
3267
+ # string of a UTF-8 encoded JSON, which contains the encryption
3268
+ # context as key-value pairs.
3197
3269
  #
3198
- # </note>
3270
+ # **Directory buckets** - You can optionally provide an explicit
3271
+ # encryption context value. The value must match the default
3272
+ # encryption context - the bucket Amazon Resource Name (ARN). An
3273
+ # additional encryption context value is not supported.
3199
3274
  # @return [String]
3200
3275
  #
3201
3276
  # @!attribute [rw] bucket_key_enabled
3202
3277
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
3203
3278
  # encryption with server-side encryption using Key Management Service
3204
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
3205
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
3279
+ # (KMS) keys (SSE-KMS).
3206
3280
  #
3207
- # Specifying this header with an object action doesn’t affect
3208
- # bucket-level settings for S3 Bucket Key.
3281
+ # **General purpose buckets** - Setting this header to `true` causes
3282
+ # Amazon S3 to use an S3 Bucket Key for object encryption with
3283
+ # SSE-KMS. Also, specifying this header with a PUT action doesn't
3284
+ # affect bucket-level settings for S3 Bucket Key.
3209
3285
  #
3210
- # <note markdown="1"> This functionality is not supported for directory buckets.
3286
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
3287
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
3288
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted
3289
+ # objects from general purpose buckets to directory buckets, from
3290
+ # directory buckets to general purpose buckets, or between directory
3291
+ # buckets, through [CopyObject][1], [UploadPartCopy][2], [the Copy
3292
+ # operation in Batch Operations][3], or [the import jobs][4]. In this
3293
+ # case, Amazon S3 makes a call to KMS every time a copy request is
3294
+ # made for a KMS-encrypted object.
3211
3295
  #
3212
- # </note>
3296
+ #
3297
+ #
3298
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3299
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3300
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
3301
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
3213
3302
  # @return [Boolean]
3214
3303
  #
3215
3304
  # @!attribute [rw] request_payer
@@ -3319,6 +3408,31 @@ module Aws::S3
3319
3408
  include Aws::Structure
3320
3409
  end
3321
3410
 
3411
+ # @!attribute [rw] server_side_encryption
3412
+ # The server-side encryption algorithm used when you store objects in
3413
+ # the directory bucket.
3414
+ # @return [String]
3415
+ #
3416
+ # @!attribute [rw] ssekms_key_id
3417
+ # If you specify `x-amz-server-side-encryption` with `aws:kms`, this
3418
+ # header indicates the ID of the KMS symmetric encryption customer
3419
+ # managed key that was used for object encryption.
3420
+ # @return [String]
3421
+ #
3422
+ # @!attribute [rw] ssekms_encryption_context
3423
+ # If present, indicates the Amazon Web Services KMS Encryption Context
3424
+ # to use for object encryption. The value of this header is a
3425
+ # Base64-encoded string of a UTF-8 encoded JSON, which contains the
3426
+ # encryption context as key-value pairs. This value is stored as
3427
+ # object metadata and automatically gets passed on to Amazon Web
3428
+ # Services KMS for future `GetObject` operations on this object.
3429
+ # @return [String]
3430
+ #
3431
+ # @!attribute [rw] bucket_key_enabled
3432
+ # Indicates whether to use an S3 Bucket Key for server-side encryption
3433
+ # with KMS keys (SSE-KMS).
3434
+ # @return [Boolean]
3435
+ #
3322
3436
  # @!attribute [rw] credentials
3323
3437
  # The established temporary security credentials for the created
3324
3438
  # session.
@@ -3327,8 +3441,12 @@ module Aws::S3
3327
3441
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/CreateSessionOutput AWS API Documentation
3328
3442
  #
3329
3443
  class CreateSessionOutput < Struct.new(
3444
+ :server_side_encryption,
3445
+ :ssekms_key_id,
3446
+ :ssekms_encryption_context,
3447
+ :bucket_key_enabled,
3330
3448
  :credentials)
3331
- SENSITIVE = []
3449
+ SENSITIVE = [:ssekms_key_id, :ssekms_encryption_context]
3332
3450
  include Aws::Structure
3333
3451
  end
3334
3452
 
@@ -3336,22 +3454,108 @@ module Aws::S3
3336
3454
  # Specifies the mode of the session that will be created, either
3337
3455
  # `ReadWrite` or `ReadOnly`. By default, a `ReadWrite` session is
3338
3456
  # created. A `ReadWrite` session is capable of executing all the Zonal
3339
- # endpoint APIs on a directory bucket. A `ReadOnly` session is
3340
- # constrained to execute the following Zonal endpoint APIs:
3341
- # `GetObject`, `HeadObject`, `ListObjectsV2`, `GetObjectAttributes`,
3342
- # `ListParts`, and `ListMultipartUploads`.
3457
+ # endpoint API operations on a directory bucket. A `ReadOnly` session
3458
+ # is constrained to execute the following Zonal endpoint API
3459
+ # operations: `GetObject`, `HeadObject`, `ListObjectsV2`,
3460
+ # `GetObjectAttributes`, `ListParts`, and `ListMultipartUploads`.
3343
3461
  # @return [String]
3344
3462
  #
3345
3463
  # @!attribute [rw] bucket
3346
3464
  # The name of the bucket that you create a session for.
3347
3465
  # @return [String]
3348
3466
  #
3467
+ # @!attribute [rw] server_side_encryption
3468
+ # The server-side encryption algorithm to use when you store objects
3469
+ # in the directory bucket.
3470
+ #
3471
+ # For directory buckets, there are only two supported options for
3472
+ # server-side encryption: server-side encryption with Amazon S3
3473
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
3474
+ # keys (SSE-KMS) (`aws:kms`). By default, Amazon S3 encrypts data with
3475
+ # SSE-S3. For more information, see [Protecting data with server-side
3476
+ # encryption][1] in the *Amazon S3 User Guide*.
3477
+ #
3478
+ #
3479
+ #
3480
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3481
+ # @return [String]
3482
+ #
3483
+ # @!attribute [rw] ssekms_key_id
3484
+ # If you specify `x-amz-server-side-encryption` with `aws:kms`, you
3485
+ # must specify the ` x-amz-server-side-encryption-aws-kms-key-id`
3486
+ # header with the ID (Key ID or Key ARN) of the KMS symmetric
3487
+ # encryption customer managed key to use. Otherwise, you get an HTTP
3488
+ # `400 Bad Request` error. Only use the key ID or key ARN. The key
3489
+ # alias format of the KMS key isn't supported. Also, if the KMS key
3490
+ # doesn't exist in the same account that't issuing the command, you
3491
+ # must use the full Key ARN not the Key ID.
3492
+ #
3493
+ # Your SSE-KMS configuration can only support 1 [customer managed
3494
+ # key][1] per directory bucket for the lifetime of the bucket. [Amazon
3495
+ # Web Services managed key][2] (`aws/s3`) isn't supported.
3496
+ #
3497
+ #
3498
+ #
3499
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3500
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3501
+ # @return [String]
3502
+ #
3503
+ # @!attribute [rw] ssekms_encryption_context
3504
+ # Specifies the Amazon Web Services KMS Encryption Context as an
3505
+ # additional encryption context to use for object encryption. The
3506
+ # value of this header is a Base64-encoded string of a UTF-8 encoded
3507
+ # JSON, which contains the encryption context as key-value pairs. This
3508
+ # value is stored as object metadata and automatically gets passed on
3509
+ # to Amazon Web Services KMS for future `GetObject` operations on this
3510
+ # object.
3511
+ #
3512
+ # **General purpose buckets** - This value must be explicitly added
3513
+ # during `CopyObject` operations if you want an additional encryption
3514
+ # context for your object. For more information, see [Encryption
3515
+ # context][1] in the *Amazon S3 User Guide*.
3516
+ #
3517
+ # **Directory buckets** - You can optionally provide an explicit
3518
+ # encryption context value. The value must match the default
3519
+ # encryption context - the bucket Amazon Resource Name (ARN). An
3520
+ # additional encryption context value is not supported.
3521
+ #
3522
+ #
3523
+ #
3524
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
3525
+ # @return [String]
3526
+ #
3527
+ # @!attribute [rw] bucket_key_enabled
3528
+ # Specifies whether Amazon S3 should use an S3 Bucket Key for object
3529
+ # encryption with server-side encryption using KMS keys (SSE-KMS).
3530
+ #
3531
+ # S3 Bucket Keys are always enabled for `GET` and `PUT` operations in
3532
+ # a directory bucket and can’t be disabled. S3 Bucket Keys aren't
3533
+ # supported, when you copy SSE-KMS encrypted objects from general
3534
+ # purpose buckets to directory buckets, from directory buckets to
3535
+ # general purpose buckets, or between directory buckets, through
3536
+ # [CopyObject][1], [UploadPartCopy][2], [the Copy operation in Batch
3537
+ # Operations][3], or [the import jobs][4]. In this case, Amazon S3
3538
+ # makes a call to KMS every time a copy request is made for a
3539
+ # KMS-encrypted object.
3540
+ #
3541
+ #
3542
+ #
3543
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3544
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3545
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
3546
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
3547
+ # @return [Boolean]
3548
+ #
3349
3549
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/CreateSessionRequest AWS API Documentation
3350
3550
  #
3351
3551
  class CreateSessionRequest < Struct.new(
3352
3552
  :session_mode,
3353
- :bucket)
3354
- SENSITIVE = []
3553
+ :bucket,
3554
+ :server_side_encryption,
3555
+ :ssekms_key_id,
3556
+ :ssekms_encryption_context,
3557
+ :bucket_key_enabled)
3558
+ SENSITIVE = [:ssekms_key_id, :ssekms_encryption_context]
3355
3559
  include Aws::Structure
3356
3560
  end
3357
3561
 
@@ -3470,6 +3674,20 @@ module Aws::S3
3470
3674
  # @!attribute [rw] bucket
3471
3675
  # The name of the bucket containing the server-side encryption
3472
3676
  # configuration to delete.
3677
+ #
3678
+ # <b>Directory buckets </b> - When you use this operation with a
3679
+ # directory bucket, you must use path-style requests in the format
3680
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
3681
+ # Virtual-hosted-style requests aren't supported. Directory bucket
3682
+ # names must be unique in the chosen Availability Zone. Bucket names
3683
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
3684
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information
3685
+ # about bucket naming restrictions, see [Directory bucket naming
3686
+ # rules][1] in the *Amazon S3 User Guide*
3687
+ #
3688
+ #
3689
+ #
3690
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
3473
3691
  # @return [String]
3474
3692
  #
3475
3693
  # @!attribute [rw] expected_bucket_owner
@@ -3477,6 +3695,12 @@ module Aws::S3
3477
3695
  # you provide does not match the actual owner of the bucket, the
3478
3696
  # request fails with the HTTP status code `403 Forbidden` (access
3479
3697
  # denied).
3698
+ #
3699
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
3700
+ # operation. If you specify this header, the request fails with the
3701
+ # HTTP status code `501 Not Implemented`.
3702
+ #
3703
+ # </note>
3480
3704
  # @return [String]
3481
3705
  #
3482
3706
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/DeleteBucketEncryptionRequest AWS API Documentation
@@ -5326,12 +5550,16 @@ module Aws::S3
5326
5550
  class EventBridgeConfiguration < Aws::EmptyStructure; end
5327
5551
 
5328
5552
  # Optional configuration to replicate existing source bucket objects.
5329
- # For more information, see [Replicating Existing Objects][1] in the
5553
+ #
5554
+ # <note markdown="1"> This parameter is no longer supported. To replicate existing objects,
5555
+ # see [Replicating existing objects with S3 Batch Replication][1] in the
5330
5556
  # *Amazon S3 User Guide*.
5331
5557
  #
5558
+ # </note>
5559
+ #
5332
5560
  #
5333
5561
  #
5334
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-what-is-isnot-replicated.html#existing-object-replication
5562
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-batch-replication-batch.html
5335
5563
  #
5336
5564
  # @!attribute [rw] status
5337
5565
  # Specifies whether Amazon S3 replicates existing source bucket
@@ -5595,6 +5823,20 @@ module Aws::S3
5595
5823
  # @!attribute [rw] bucket
5596
5824
  # The name of the bucket from which the server-side encryption
5597
5825
  # configuration is retrieved.
5826
+ #
5827
+ # <b>Directory buckets </b> - When you use this operation with a
5828
+ # directory bucket, you must use path-style requests in the format
5829
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
5830
+ # Virtual-hosted-style requests aren't supported. Directory bucket
5831
+ # names must be unique in the chosen Availability Zone. Bucket names
5832
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
5833
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information
5834
+ # about bucket naming restrictions, see [Directory bucket naming
5835
+ # rules][1] in the *Amazon S3 User Guide*
5836
+ #
5837
+ #
5838
+ #
5839
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
5598
5840
  # @return [String]
5599
5841
  #
5600
5842
  # @!attribute [rw] expected_bucket_owner
@@ -5602,6 +5844,12 @@ module Aws::S3
5602
5844
  # you provide does not match the actual owner of the bucket, the
5603
5845
  # request fails with the HTTP status code `403 Forbidden` (access
5604
5846
  # denied).
5847
+ #
5848
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
5849
+ # operation. If you specify this header, the request fails with the
5850
+ # HTTP status code `501 Not Implemented`.
5851
+ #
5852
+ # </note>
5605
5853
  # @return [String]
5606
5854
  #
5607
5855
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/GetBucketEncryptionRequest AWS API Documentation
@@ -6923,12 +7171,7 @@ module Aws::S3
6923
7171
  #
6924
7172
  # @!attribute [rw] server_side_encryption
6925
7173
  # The server-side encryption algorithm used when you store this object
6926
- # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
6927
- #
6928
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
6929
- # managed keys (SSE-S3) (`AES256`) is supported.
6930
- #
6931
- # </note>
7174
+ # in Amazon S3.
6932
7175
  # @return [String]
6933
7176
  #
6934
7177
  # @!attribute [rw] metadata
@@ -6957,22 +7200,13 @@ module Aws::S3
6957
7200
  # @return [String]
6958
7201
  #
6959
7202
  # @!attribute [rw] ssekms_key_id
6960
- # If present, indicates the ID of the Key Management Service (KMS)
6961
- # symmetric encryption customer managed key that was used for the
6962
- # object.
6963
- #
6964
- # <note markdown="1"> This functionality is not supported for directory buckets.
6965
- #
6966
- # </note>
7203
+ # If present, indicates the ID of the KMS key that was used for object
7204
+ # encryption.
6967
7205
  # @return [String]
6968
7206
  #
6969
7207
  # @!attribute [rw] bucket_key_enabled
6970
7208
  # Indicates whether the object uses an S3 Bucket Key for server-side
6971
7209
  # encryption with Key Management Service (KMS) keys (SSE-KMS).
6972
- #
6973
- # <note markdown="1"> This functionality is not supported for directory buckets.
6974
- #
6975
- # </note>
6976
7210
  # @return [Boolean]
6977
7211
  #
6978
7212
  # @!attribute [rw] storage_class
@@ -7413,10 +7647,10 @@ module Aws::S3
7413
7647
  # @!attribute [rw] checksum_mode
7414
7648
  # To retrieve the checksum, this mode must be enabled.
7415
7649
  #
7416
- # In addition, if you enable checksum mode and the object is uploaded
7417
- # with a [checksum][1] and encrypted with an Key Management Service
7418
- # (KMS) key, you must have permission to use the `kms:Decrypt` action
7419
- # to retrieve the checksum.
7650
+ # **General purpose buckets** - In addition, if you enable checksum
7651
+ # mode and the object is uploaded with a [checksum][1] and encrypted
7652
+ # with an Key Management Service (KMS) key, you must have permission
7653
+ # to use the `kms:Decrypt` action to retrieve the checksum.
7420
7654
  #
7421
7655
  #
7422
7656
  #
@@ -8137,11 +8371,6 @@ module Aws::S3
8137
8371
  # @!attribute [rw] server_side_encryption
8138
8372
  # The server-side encryption algorithm used when you store this object
8139
8373
  # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
8140
- #
8141
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
8142
- # managed keys (SSE-S3) (`AES256`) is supported.
8143
- #
8144
- # </note>
8145
8374
  # @return [String]
8146
8375
  #
8147
8376
  # @!attribute [rw] metadata
@@ -8170,22 +8399,13 @@ module Aws::S3
8170
8399
  # @return [String]
8171
8400
  #
8172
8401
  # @!attribute [rw] ssekms_key_id
8173
- # If present, indicates the ID of the Key Management Service (KMS)
8174
- # symmetric encryption customer managed key that was used for the
8175
- # object.
8176
- #
8177
- # <note markdown="1"> This functionality is not supported for directory buckets.
8178
- #
8179
- # </note>
8402
+ # If present, indicates the ID of the KMS key that was used for object
8403
+ # encryption.
8180
8404
  # @return [String]
8181
8405
  #
8182
8406
  # @!attribute [rw] bucket_key_enabled
8183
8407
  # Indicates whether the object uses an S3 Bucket Key for server-side
8184
8408
  # encryption with Key Management Service (KMS) keys (SSE-KMS).
8185
- #
8186
- # <note markdown="1"> This functionality is not supported for directory buckets.
8187
- #
8188
- # </note>
8189
8409
  # @return [Boolean]
8190
8410
  #
8191
8411
  # @!attribute [rw] storage_class
@@ -8587,10 +8807,16 @@ module Aws::S3
8587
8807
  # @!attribute [rw] checksum_mode
8588
8808
  # To retrieve the checksum, this parameter must be enabled.
8589
8809
  #
8590
- # In addition, if you enable checksum mode and the object is uploaded
8591
- # with a [checksum][1] and encrypted with an Key Management Service
8592
- # (KMS) key, you must have permission to use the `kms:Decrypt` action
8593
- # to retrieve the checksum.
8810
+ # **General purpose buckets** - If you enable checksum mode and the
8811
+ # object is uploaded with a [checksum][1] and encrypted with an Key
8812
+ # Management Service (KMS) key, you must have permission to use the
8813
+ # `kms:Decrypt` action to retrieve the checksum.
8814
+ #
8815
+ # **Directory buckets** - If you enable `ChecksumMode` and the object
8816
+ # is encrypted with Amazon Web Services Key Management Service (Amazon
8817
+ # Web Services KMS), you must also have the `kms:GenerateDataKey` and
8818
+ # `kms:Decrypt` permissions in IAM identity-based policies and KMS key
8819
+ # policies for the KMS key to retrieve the checksum of the object.
8594
8820
  #
8595
8821
  #
8596
8822
  #
@@ -12490,18 +12716,21 @@ module Aws::S3
12490
12716
 
12491
12717
  # @!attribute [rw] bucket
12492
12718
  # Specifies default encryption for a bucket using server-side
12493
- # encryption with different key options. By default, all buckets have
12494
- # a default encryption configuration that uses server-side encryption
12495
- # with Amazon S3 managed keys (SSE-S3). You can optionally configure
12496
- # default encryption for a bucket by using server-side encryption with
12497
- # an Amazon Web Services KMS key (SSE-KMS) or a customer-provided key
12498
- # (SSE-C). For information about the bucket default encryption
12499
- # feature, see [Amazon S3 Bucket Default Encryption][1] in the *Amazon
12500
- # S3 User Guide*.
12719
+ # encryption with different key options.
12720
+ #
12721
+ # <b>Directory buckets </b> - When you use this operation with a
12722
+ # directory bucket, you must use path-style requests in the format
12723
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
12724
+ # Virtual-hosted-style requests aren't supported. Directory bucket
12725
+ # names must be unique in the chosen Availability Zone. Bucket names
12726
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
12727
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information
12728
+ # about bucket naming restrictions, see [Directory bucket naming
12729
+ # rules][1] in the *Amazon S3 User Guide*
12501
12730
  #
12502
12731
  #
12503
12732
  #
12504
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
12733
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
12505
12734
  # @return [String]
12506
12735
  #
12507
12736
  # @!attribute [rw] content_md5
@@ -12511,6 +12740,10 @@ module Aws::S3
12511
12740
  # For requests made using the Amazon Web Services Command Line
12512
12741
  # Interface (CLI) or Amazon Web Services SDKs, this field is
12513
12742
  # calculated automatically.
12743
+ #
12744
+ # <note markdown="1"> This functionality is not supported for directory buckets.
12745
+ #
12746
+ # </note>
12514
12747
  # @return [String]
12515
12748
  #
12516
12749
  # @!attribute [rw] checksum_algorithm
@@ -12525,6 +12758,12 @@ module Aws::S3
12525
12758
  # If you provide an individual checksum, Amazon S3 ignores any
12526
12759
  # provided `ChecksumAlgorithm` parameter.
12527
12760
  #
12761
+ # <note markdown="1"> For directory buckets, when you use Amazon Web Services SDKs,
12762
+ # `CRC32` is the default checksum algorithm that's used for
12763
+ # performance.
12764
+ #
12765
+ # </note>
12766
+ #
12528
12767
  #
12529
12768
  #
12530
12769
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
@@ -12539,6 +12778,12 @@ module Aws::S3
12539
12778
  # you provide does not match the actual owner of the bucket, the
12540
12779
  # request fails with the HTTP status code `403 Forbidden` (access
12541
12780
  # denied).
12781
+ #
12782
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
12783
+ # operation. If you specify this header, the request fails with the
12784
+ # HTTP status code `501 Not Implemented`.
12785
+ #
12786
+ # </note>
12542
12787
  # @return [String]
12543
12788
  #
12544
12789
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/PutBucketEncryptionRequest AWS API Documentation
@@ -13807,12 +14052,7 @@ module Aws::S3
13807
14052
  #
13808
14053
  # @!attribute [rw] server_side_encryption
13809
14054
  # The server-side encryption algorithm used when you store this object
13810
- # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
13811
- #
13812
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
13813
- # managed keys (SSE-S3) (`AES256`) is supported.
13814
- #
13815
- # </note>
14055
+ # in Amazon S3.
13816
14056
  # @return [String]
13817
14057
  #
13818
14058
  # @!attribute [rw] version_id
@@ -13860,37 +14100,23 @@ module Aws::S3
13860
14100
  # @return [String]
13861
14101
  #
13862
14102
  # @!attribute [rw] ssekms_key_id
13863
- # If `x-amz-server-side-encryption` has a valid value of `aws:kms` or
13864
- # `aws:kms:dsse`, this header indicates the ID of the Key Management
13865
- # Service (KMS) symmetric encryption customer managed key that was
13866
- # used for the object.
13867
- #
13868
- # <note markdown="1"> This functionality is not supported for directory buckets.
13869
- #
13870
- # </note>
14103
+ # If present, indicates the ID of the KMS key that was used for object
14104
+ # encryption.
13871
14105
  # @return [String]
13872
14106
  #
13873
14107
  # @!attribute [rw] ssekms_encryption_context
13874
14108
  # If present, indicates the Amazon Web Services KMS Encryption Context
13875
14109
  # to use for object encryption. The value of this header is a
13876
- # base64-encoded UTF-8 string holding JSON with the encryption context
13877
- # key-value pairs. This value is stored as object metadata and
13878
- # automatically gets passed on to Amazon Web Services KMS for future
13879
- # `GetObject` or `CopyObject` operations on this object.
13880
- #
13881
- # <note markdown="1"> This functionality is not supported for directory buckets.
13882
- #
13883
- # </note>
14110
+ # Base64-encoded string of a UTF-8 encoded JSON, which contains the
14111
+ # encryption context as key-value pairs. This value is stored as
14112
+ # object metadata and automatically gets passed on to Amazon Web
14113
+ # Services KMS for future `GetObject` operations on this object.
13884
14114
  # @return [String]
13885
14115
  #
13886
14116
  # @!attribute [rw] bucket_key_enabled
13887
14117
  # Indicates whether the uploaded object uses an S3 Bucket Key for
13888
14118
  # server-side encryption with Key Management Service (KMS) keys
13889
14119
  # (SSE-KMS).
13890
- #
13891
- # <note markdown="1"> This functionality is not supported for directory buckets.
13892
- #
13893
- # </note>
13894
14120
  # @return [Boolean]
13895
14121
  #
13896
14122
  # @!attribute [rw] request_charged
@@ -14266,25 +14492,66 @@ module Aws::S3
14266
14492
  # this object in Amazon S3 (for example, `AES256`, `aws:kms`,
14267
14493
  # `aws:kms:dsse`).
14268
14494
  #
14269
- # <b>General purpose buckets </b> - You have four mutually exclusive
14270
- # options to protect data using server-side encryption in Amazon S3,
14271
- # depending on how you choose to manage the encryption keys.
14272
- # Specifically, the encryption key options are Amazon S3 managed keys
14273
- # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
14274
- # customer-provided keys (SSE-C). Amazon S3 encrypts data with
14275
- # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
14276
- # default. You can optionally tell Amazon S3 to encrypt data at rest
14277
- # by using server-side encryption with other key options. For more
14278
- # information, see [Using Server-Side Encryption][1] in the *Amazon S3
14279
- # User Guide*.
14495
+ # * <b>General purpose buckets </b> - You have four mutually exclusive
14496
+ # options to protect data using server-side encryption in Amazon S3,
14497
+ # depending on how you choose to manage the encryption keys.
14498
+ # Specifically, the encryption key options are Amazon S3 managed
14499
+ # keys (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS),
14500
+ # and customer-provided keys (SSE-C). Amazon S3 encrypts data with
14501
+ # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
14502
+ # default. You can optionally tell Amazon S3 to encrypt data at rest
14503
+ # by using server-side encryption with other key options. For more
14504
+ # information, see [Using Server-Side Encryption][1] in the *Amazon
14505
+ # S3 User Guide*.
14506
+ #
14507
+ # * <b>Directory buckets </b> - For directory buckets, there are only
14508
+ # two supported options for server-side encryption: server-side
14509
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
14510
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
14511
+ # recommend that the bucket's default encryption uses the desired
14512
+ # encryption configuration and you don't override the bucket
14513
+ # default encryption in your `CreateSession` requests or `PUT`
14514
+ # object requests. Then, new objects are automatically encrypted
14515
+ # with the desired encryption settings. For more information, see
14516
+ # [Protecting data with server-side encryption][2] in the *Amazon S3
14517
+ # User Guide*. For more information about the encryption overriding
14518
+ # behaviors in directory buckets, see [Specifying server-side
14519
+ # encryption with KMS for new object uploads][3].
14520
+ #
14521
+ # In the Zonal endpoint API calls (except [CopyObject][4] and
14522
+ # [UploadPartCopy][5]) using the REST API, the encryption request
14523
+ # headers must match the encryption settings that are specified in
14524
+ # the `CreateSession` request. You can't override the values of the
14525
+ # encryption settings (`x-amz-server-side-encryption`,
14526
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
14527
+ # `x-amz-server-side-encryption-context`, and
14528
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
14529
+ # specified in the `CreateSession` request. You don't need to
14530
+ # explicitly specify these encryption settings values in Zonal
14531
+ # endpoint API calls, and Amazon S3 will use the encryption settings
14532
+ # values from the `CreateSession` request to protect new objects in
14533
+ # the directory bucket.
14534
+ #
14535
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
14536
+ # `CreateSession`, the session token refreshes automatically to
14537
+ # avoid service interruptions when a session expires. The CLI or the
14538
+ # Amazon Web Services SDKs use the bucket's default encryption
14539
+ # configuration for the `CreateSession` request. It's not supported
14540
+ # to override the encryption settings values in the `CreateSession`
14541
+ # request. So in the Zonal endpoint API calls (except
14542
+ # [CopyObject][4] and [UploadPartCopy][5]), the encryption request
14543
+ # headers must match the default encryption configuration of the
14544
+ # directory bucket.
14280
14545
  #
14281
- # <b>Directory buckets </b> - For directory buckets, only the
14282
- # server-side encryption with Amazon S3 managed keys (SSE-S3)
14283
- # (`AES256`) value is supported.
14546
+ # </note>
14284
14547
  #
14285
14548
  #
14286
14549
  #
14287
14550
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
14551
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
14552
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
14553
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
14554
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
14288
14555
  # @return [String]
14289
14556
  #
14290
14557
  # @!attribute [rw] storage_class
@@ -14370,48 +14637,87 @@ module Aws::S3
14370
14637
  # @return [String]
14371
14638
  #
14372
14639
  # @!attribute [rw] ssekms_key_id
14373
- # If `x-amz-server-side-encryption` has a valid value of `aws:kms` or
14374
- # `aws:kms:dsse`, this header specifies the ID (Key ID, Key ARN, or
14375
- # Key Alias) of the Key Management Service (KMS) symmetric encryption
14376
- # customer managed key that was used for the object. If you specify
14640
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
14641
+ # object encryption. If the KMS key doesn't exist in the same account
14642
+ # that's issuing the command, you must use the full Key ARN not the
14643
+ # Key ID.
14644
+ #
14645
+ # **General purpose buckets** - If you specify
14646
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`,
14647
+ # this header specifies the ID (Key ID, Key ARN, or Key Alias) of the
14648
+ # KMS key to use. If you specify
14377
14649
  # `x-amz-server-side-encryption:aws:kms` or
14378
- # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide`
14379
- # x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
14380
- # Amazon Web Services managed key (`aws/s3`) to protect the data. If
14381
- # the KMS key does not exist in the same account that's issuing the
14382
- # command, you must use the full ARN and not just the ID.
14650
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
14651
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
14652
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
14383
14653
  #
14384
- # <note markdown="1"> This functionality is not supported for directory buckets.
14654
+ # **Directory buckets** - If you specify
14655
+ # `x-amz-server-side-encryption` with `aws:kms`, you must specify the
14656
+ # ` x-amz-server-side-encryption-aws-kms-key-id` header with the ID
14657
+ # (Key ID or Key ARN) of the KMS symmetric encryption customer managed
14658
+ # key to use. Otherwise, you get an HTTP `400 Bad Request` error. Only
14659
+ # use the key ID or key ARN. The key alias format of the KMS key
14660
+ # isn't supported. Your SSE-KMS configuration can only support 1
14661
+ # [customer managed key][1] per directory bucket for the lifetime of
14662
+ # the bucket. [Amazon Web Services managed key][2] (`aws/s3`) isn't
14663
+ # supported.
14385
14664
  #
14386
- # </note>
14665
+ #
14666
+ #
14667
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
14668
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
14387
14669
  # @return [String]
14388
14670
  #
14389
14671
  # @!attribute [rw] ssekms_encryption_context
14390
- # Specifies the Amazon Web Services KMS Encryption Context to use for
14391
- # object encryption. The value of this header is a base64-encoded
14392
- # UTF-8 string holding JSON with the encryption context key-value
14393
- # pairs. This value is stored as object metadata and automatically
14394
- # gets passed on to Amazon Web Services KMS for future `GetObject` or
14395
- # `CopyObject` operations on this object. This value must be
14396
- # explicitly added during `CopyObject` operations.
14672
+ # Specifies the Amazon Web Services KMS Encryption Context as an
14673
+ # additional encryption context to use for object encryption. The
14674
+ # value of this header is a Base64-encoded string of a UTF-8 encoded
14675
+ # JSON, which contains the encryption context as key-value pairs. This
14676
+ # value is stored as object metadata and automatically gets passed on
14677
+ # to Amazon Web Services KMS for future `GetObject` operations on this
14678
+ # object.
14397
14679
  #
14398
- # <note markdown="1"> This functionality is not supported for directory buckets.
14680
+ # **General purpose buckets** - This value must be explicitly added
14681
+ # during `CopyObject` operations if you want an additional encryption
14682
+ # context for your object. For more information, see [Encryption
14683
+ # context][1] in the *Amazon S3 User Guide*.
14399
14684
  #
14400
- # </note>
14685
+ # **Directory buckets** - You can optionally provide an explicit
14686
+ # encryption context value. The value must match the default
14687
+ # encryption context - the bucket Amazon Resource Name (ARN). An
14688
+ # additional encryption context value is not supported.
14689
+ #
14690
+ #
14691
+ #
14692
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
14401
14693
  # @return [String]
14402
14694
  #
14403
14695
  # @!attribute [rw] bucket_key_enabled
14404
14696
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
14405
14697
  # encryption with server-side encryption using Key Management Service
14406
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
14407
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
14698
+ # (KMS) keys (SSE-KMS).
14408
14699
  #
14409
- # Specifying this header with a PUT action doesn’t affect bucket-level
14410
- # settings for S3 Bucket Key.
14700
+ # **General purpose buckets** - Setting this header to `true` causes
14701
+ # Amazon S3 to use an S3 Bucket Key for object encryption with
14702
+ # SSE-KMS. Also, specifying this header with a PUT action doesn't
14703
+ # affect bucket-level settings for S3 Bucket Key.
14411
14704
  #
14412
- # <note markdown="1"> This functionality is not supported for directory buckets.
14705
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
14706
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
14707
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted
14708
+ # objects from general purpose buckets to directory buckets, from
14709
+ # directory buckets to general purpose buckets, or between directory
14710
+ # buckets, through [CopyObject][1], [UploadPartCopy][2], [the Copy
14711
+ # operation in Batch Operations][3], or [the import jobs][4]. In this
14712
+ # case, Amazon S3 makes a call to KMS every time a copy request is
14713
+ # made for a KMS-encrypted object.
14413
14714
  #
14414
- # </note>
14715
+ #
14716
+ #
14717
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
14718
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
14719
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
14720
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
14415
14721
  # @return [Boolean]
14416
14722
  #
14417
14723
  # @!attribute [rw] request_payer
@@ -15125,12 +15431,16 @@ module Aws::S3
15125
15431
  #
15126
15432
  # @!attribute [rw] existing_object_replication
15127
15433
  # Optional configuration to replicate existing source bucket objects.
15128
- # For more information, see [Replicating Existing Objects][1] in the
15129
- # *Amazon S3 User Guide*.
15434
+ #
15435
+ # <note markdown="1"> This parameter is no longer supported. To replicate existing
15436
+ # objects, see [Replicating existing objects with S3 Batch
15437
+ # Replication][1] in the *Amazon S3 User Guide*.
15438
+ #
15439
+ # </note>
15130
15440
  #
15131
15441
  #
15132
15442
  #
15133
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-what-is-isnot-replicated.html#existing-object-replication
15443
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-batch-replication-batch.html
15134
15444
  # @return [Types::ExistingObjectReplication]
15135
15445
  #
15136
15446
  # @!attribute [rw] destination
@@ -16002,35 +16312,51 @@ module Aws::S3
16002
16312
 
16003
16313
  # Describes the default server-side encryption to apply to new objects
16004
16314
  # in the bucket. If a PUT Object request doesn't specify any
16005
- # server-side encryption, this default encryption will be applied. If
16006
- # you don't specify a customer managed key at configuration, Amazon S3
16007
- # automatically creates an Amazon Web Services KMS key in your Amazon
16008
- # Web Services account the first time that you add an object encrypted
16009
- # with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for
16010
- # SSE-KMS. For more information, see [PUT Bucket encryption][1] in the
16011
- # *Amazon S3 API Reference*.
16315
+ # server-side encryption, this default encryption will be applied. For
16316
+ # more information, see [PutBucketEncryption][1].
16012
16317
  #
16013
- # <note markdown="1"> If you're specifying a customer managed KMS key, we recommend using a
16014
- # fully qualified KMS key ARN. If you use a KMS key alias instead, then
16015
- # KMS resolves the key within the requester’s account. This behavior can
16016
- # result in data that's encrypted with a KMS key that belongs to the
16017
- # requester, and not the bucket owner.
16318
+ # <note markdown="1"> * **General purpose buckets** - If you don't specify a customer
16319
+ # managed key at configuration, Amazon S3 automatically creates an
16320
+ # Amazon Web Services KMS key (`aws/s3`) in your Amazon Web Services
16321
+ # account the first time that you add an object encrypted with SSE-KMS
16322
+ # to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS.
16323
+ #
16324
+ # * **Directory buckets** - Your SSE-KMS configuration can only support
16325
+ # 1 [customer managed key][2] per directory bucket for the lifetime of
16326
+ # the bucket. [Amazon Web Services managed key][3] (`aws/s3`) isn't
16327
+ # supported.
16328
+ #
16329
+ # * **Directory buckets** - For directory buckets, there are only two
16330
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
16018
16331
  #
16019
16332
  # </note>
16020
16333
  #
16021
16334
  #
16022
16335
  #
16023
16336
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html
16337
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
16338
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
16024
16339
  #
16025
16340
  # @!attribute [rw] sse_algorithm
16026
16341
  # Server-side encryption algorithm to use for the default encryption.
16342
+ #
16343
+ # <note markdown="1"> For directory buckets, there are only two supported values for
16344
+ # server-side encryption: `AES256` and `aws:kms`.
16345
+ #
16346
+ # </note>
16027
16347
  # @return [String]
16028
16348
  #
16029
16349
  # @!attribute [rw] kms_master_key_id
16030
- # Amazon Web Services Key Management Service (KMS) customer Amazon Web
16031
- # Services KMS key ID to use for the default encryption. This
16032
- # parameter is allowed if and only if `SSEAlgorithm` is set to
16033
- # `aws:kms` or `aws:kms:dsse`.
16350
+ # Amazon Web Services Key Management Service (KMS) customer managed
16351
+ # key ID to use for the default encryption.
16352
+ #
16353
+ # <note markdown="1"> * **General purpose buckets** - This parameter is allowed if and
16354
+ # only if `SSEAlgorithm` is set to `aws:kms` or `aws:kms:dsse`.
16355
+ #
16356
+ # * **Directory buckets** - This parameter is allowed if and only if
16357
+ # `SSEAlgorithm` is set to `aws:kms`.
16358
+ #
16359
+ # </note>
16034
16360
  #
16035
16361
  # You can specify the key ID, key alias, or the Amazon Resource Name
16036
16362
  # (ARN) of the KMS key.
@@ -16042,22 +16368,36 @@ module Aws::S3
16042
16368
  #
16043
16369
  # * Key Alias: `alias/alias-name`
16044
16370
  #
16045
- # If you use a key ID, you can run into a LogDestination undeliverable
16046
- # error when creating a VPC flow log.
16047
- #
16048
16371
  # If you are using encryption with cross-account or Amazon Web
16049
- # Services service operations you must use a fully qualified KMS key
16372
+ # Services service operations, you must use a fully qualified KMS key
16050
16373
  # ARN. For more information, see [Using encryption for cross-account
16051
16374
  # operations][1].
16052
16375
  #
16376
+ # <note markdown="1"> * **General purpose buckets** - If you're specifying a customer
16377
+ # managed KMS key, we recommend using a fully qualified KMS key ARN.
16378
+ # If you use a KMS key alias instead, then KMS resolves the key
16379
+ # within the requester’s account. This behavior can result in data
16380
+ # that's encrypted with a KMS key that belongs to the requester,
16381
+ # and not the bucket owner. Also, if you use a key ID, you can run
16382
+ # into a LogDestination undeliverable error when creating a VPC flow
16383
+ # log.
16384
+ #
16385
+ # * **Directory buckets** - When you specify an [KMS customer managed
16386
+ # key][2] for encryption in your directory bucket, only use the key
16387
+ # ID or key ARN. The key alias format of the KMS key isn't
16388
+ # supported.
16389
+ #
16390
+ # </note>
16391
+ #
16053
16392
  # Amazon S3 only supports symmetric encryption KMS keys. For more
16054
- # information, see [Asymmetric keys in Amazon Web Services KMS][2] in
16393
+ # information, see [Asymmetric keys in Amazon Web Services KMS][3] in
16055
16394
  # the *Amazon Web Services Key Management Service Developer Guide*.
16056
16395
  #
16057
16396
  #
16058
16397
  #
16059
16398
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy
16060
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
16399
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
16400
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
16061
16401
  # @return [String]
16062
16402
  #
16063
16403
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/ServerSideEncryptionByDefault AWS API Documentation
@@ -16086,14 +16426,23 @@ module Aws::S3
16086
16426
 
16087
16427
  # Specifies the default server-side encryption configuration.
16088
16428
  #
16089
- # <note markdown="1"> If you're specifying a customer managed KMS key, we recommend using a
16090
- # fully qualified KMS key ARN. If you use a KMS key alias instead, then
16091
- # KMS resolves the key within the requester’s account. This behavior can
16092
- # result in data that's encrypted with a KMS key that belongs to the
16093
- # requester, and not the bucket owner.
16429
+ # <note markdown="1"> * **General purpose buckets** - If you're specifying a customer
16430
+ # managed KMS key, we recommend using a fully qualified KMS key ARN.
16431
+ # If you use a KMS key alias instead, then KMS resolves the key within
16432
+ # the requester’s account. This behavior can result in data that's
16433
+ # encrypted with a KMS key that belongs to the requester, and not the
16434
+ # bucket owner.
16435
+ #
16436
+ # * **Directory buckets** - When you specify an [KMS customer managed
16437
+ # key][1] for encryption in your directory bucket, only use the key ID
16438
+ # or key ARN. The key alias format of the KMS key isn't supported.
16094
16439
  #
16095
16440
  # </note>
16096
16441
  #
16442
+ #
16443
+ #
16444
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
16445
+ #
16097
16446
  # @!attribute [rw] apply_server_side_encryption_by_default
16098
16447
  # Specifies the default server-side encryption to apply to new objects
16099
16448
  # in the bucket. If a PUT Object request doesn't specify any
@@ -16105,14 +16454,31 @@ module Aws::S3
16105
16454
  # server-side encryption using KMS (SSE-KMS) for new objects in the
16106
16455
  # bucket. Existing objects are not affected. Setting the
16107
16456
  # `BucketKeyEnabled` element to `true` causes Amazon S3 to use an S3
16108
- # Bucket Key. By default, S3 Bucket Key is not enabled.
16457
+ # Bucket Key.
16109
16458
  #
16110
- # For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon
16111
- # S3 User Guide*.
16459
+ # <note markdown="1"> * **General purpose buckets** - By default, S3 Bucket Key is not
16460
+ # enabled. For more information, see [Amazon S3 Bucket Keys][1] in
16461
+ # the *Amazon S3 User Guide*.
16462
+ #
16463
+ # * **Directory buckets** - S3 Bucket Keys are always enabled for
16464
+ # `GET` and `PUT` operations in a directory bucket and can’t be
16465
+ # disabled. S3 Bucket Keys aren't supported, when you copy SSE-KMS
16466
+ # encrypted objects from general purpose buckets to directory
16467
+ # buckets, from directory buckets to general purpose buckets, or
16468
+ # between directory buckets, through [CopyObject][2],
16469
+ # [UploadPartCopy][3], [the Copy operation in Batch Operations][4],
16470
+ # or [the import jobs][5]. In this case, Amazon S3 makes a call to
16471
+ # KMS every time a copy request is made for a KMS-encrypted object.
16472
+ #
16473
+ # </note>
16112
16474
  #
16113
16475
  #
16114
16476
  #
16115
16477
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
16478
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
16479
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
16480
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
16481
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
16116
16482
  # @return [Boolean]
16117
16483
  #
16118
16484
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/ServerSideEncryptionRule AWS API Documentation
@@ -16127,8 +16493,8 @@ module Aws::S3
16127
16493
  # The established temporary security credentials of the session.
16128
16494
  #
16129
16495
  # <note markdown="1"> **Directory buckets** - These session credentials are only supported
16130
- # for the authentication and authorization of Zonal endpoint APIs on
16131
- # directory buckets.
16496
+ # for the authentication and authorization of Zonal endpoint API
16497
+ # operations on directory buckets.
16132
16498
  #
16133
16499
  # </note>
16134
16500
  #
@@ -16562,11 +16928,6 @@ module Aws::S3
16562
16928
  # @!attribute [rw] server_side_encryption
16563
16929
  # The server-side encryption algorithm used when you store this object
16564
16930
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
16565
- #
16566
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
16567
- # managed keys (SSE-S3) (`AES256`) is supported.
16568
- #
16569
- # </note>
16570
16931
  # @return [String]
16571
16932
  #
16572
16933
  # @!attribute [rw] sse_customer_algorithm
@@ -16591,23 +16952,14 @@ module Aws::S3
16591
16952
  # @return [String]
16592
16953
  #
16593
16954
  # @!attribute [rw] ssekms_key_id
16594
- # If present, indicates the ID of the Key Management Service (KMS)
16595
- # symmetric encryption customer managed key that was used for the
16596
- # object.
16597
- #
16598
- # <note markdown="1"> This functionality is not supported for directory buckets.
16599
- #
16600
- # </note>
16955
+ # If present, indicates the ID of the KMS key that was used for object
16956
+ # encryption.
16601
16957
  # @return [String]
16602
16958
  #
16603
16959
  # @!attribute [rw] bucket_key_enabled
16604
16960
  # Indicates whether the multipart upload uses an S3 Bucket Key for
16605
16961
  # server-side encryption with Key Management Service (KMS) keys
16606
16962
  # (SSE-KMS).
16607
- #
16608
- # <note markdown="1"> This functionality is not supported for directory buckets.
16609
- #
16610
- # </note>
16611
16963
  # @return [Boolean]
16612
16964
  #
16613
16965
  # @!attribute [rw] request_charged
@@ -16958,11 +17310,6 @@ module Aws::S3
16958
17310
  # @!attribute [rw] server_side_encryption
16959
17311
  # The server-side encryption algorithm used when you store this object
16960
17312
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
16961
- #
16962
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
16963
- # managed keys (SSE-S3) (`AES256`) is supported.
16964
- #
16965
- # </note>
16966
17313
  # @return [String]
16967
17314
  #
16968
17315
  # @!attribute [rw] etag
@@ -17051,23 +17398,14 @@ module Aws::S3
17051
17398
  # @return [String]
17052
17399
  #
17053
17400
  # @!attribute [rw] ssekms_key_id
17054
- # If present, indicates the ID of the Key Management Service (KMS)
17055
- # symmetric encryption customer managed key that was used for the
17056
- # object.
17057
- #
17058
- # <note markdown="1"> This functionality is not supported for directory buckets.
17059
- #
17060
- # </note>
17401
+ # If present, indicates the ID of the KMS key that was used for object
17402
+ # encryption.
17061
17403
  # @return [String]
17062
17404
  #
17063
17405
  # @!attribute [rw] bucket_key_enabled
17064
17406
  # Indicates whether the multipart upload uses an S3 Bucket Key for
17065
17407
  # server-side encryption with Key Management Service (KMS) keys
17066
17408
  # (SSE-KMS).
17067
- #
17068
- # <note markdown="1"> This functionality is not supported for directory buckets.
17069
- #
17070
- # </note>
17071
17409
  # @return [Boolean]
17072
17410
  #
17073
17411
  # @!attribute [rw] request_charged