aws-sdk-s3 1.159.0 → 1.166.0

@@ -32,6 +32,7 @@ require 'aws-sdk-core/plugins/checksum_algorithm.rb'
32
32
  require 'aws-sdk-core/plugins/request_compression.rb'
33
33
  require 'aws-sdk-core/plugins/defaults_mode.rb'
34
34
  require 'aws-sdk-core/plugins/recursion_detection.rb'
35
+ require 'aws-sdk-core/plugins/telemetry.rb'
35
36
  require 'aws-sdk-core/plugins/sign.rb'
36
37
  require 'aws-sdk-core/plugins/protocols/rest_xml.rb'
37
38
  require 'aws-sdk-s3/plugins/accelerate.rb'
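Review bot: The added `require 'aws-sdk-core/plugins/telemetry.rb'` makes loading this client depend on an aws-sdk-core release that ships that file, and nothing in this hunk shows the gem's aws-sdk-core constraint being raised to match. If the gemspec in this version range still admits an older core, requiring the S3 client would fail with a LoadError at load time rather than at first use, so the lower bound should be confirmed as bumped in the same release. The same dependency applies to the `add_plugin(Aws::Plugins::Telemetry)` line in the `@@ -104,6 +103,7 @@` hunk.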
@@ -56,8 +57,6 @@ require 'aws-sdk-s3/plugins/streaming_retry.rb'
56
57
  require 'aws-sdk-s3/plugins/url_encoded_keys.rb'
57
58
  require 'aws-sdk-core/plugins/event_stream_configuration.rb'
58
59
 
59
- Aws::Plugins::GlobalConfiguration.add_identifier(:s3)
60
-
61
60
  module Aws::S3
62
61
  # An API client for S3. To construct a client, you need to configure a `:region` and `:credentials`.
63
62
  #
@@ -104,6 +103,7 @@ module Aws::S3
104
103
  add_plugin(Aws::Plugins::RequestCompression)
105
104
  add_plugin(Aws::Plugins::DefaultsMode)
106
105
  add_plugin(Aws::Plugins::RecursionDetection)
106
+ add_plugin(Aws::Plugins::Telemetry)
107
107
  add_plugin(Aws::Plugins::Sign)
108
108
  add_plugin(Aws::Plugins::Protocols::RestXml)
109
109
  add_plugin(Aws::S3::Plugins::Accelerate)
@@ -170,13 +170,15 @@ module Aws::S3
170
170
  # locations will be searched for credentials:
171
171
  #
172
172
  # * `Aws.config[:credentials]`
173
- # * The `:access_key_id`, `:secret_access_key`, and `:session_token` options.
174
- # * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
173
+ # * The `:access_key_id`, `:secret_access_key`, `:session_token`, and
174
+ # `:account_id` options.
175
+ # * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY'],
176
+ # ENV['AWS_SESSION_TOKEN'], and ENV['AWS_ACCOUNT_ID']
175
177
  # * `~/.aws/credentials`
176
178
  # * `~/.aws/config`
177
179
  # * EC2/ECS IMDS instance profile - When used by default, the timeouts
178
180
  # are very aggressive. Construct and pass an instance of
179
- # `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
181
+ # `Aws::InstanceProfileCredentials` or `Aws::ECSCredentials` to
180
182
  # enable retries and extended timeouts. Instance profile credential
181
183
  # fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED']
182
184
  # to true.
@@ -205,6 +207,8 @@ module Aws::S3
205
207
  #
206
208
  # @option options [String] :access_key_id
207
209
  #
210
+ # @option options [String] :account_id
211
+ #
208
212
  # @option options [Boolean] :active_endpoint_cache (false)
209
213
  # When set to `true`, a thread polling for endpoints will be running in
210
214
  # the background every 60 secs (default). Defaults to `false`.
@@ -432,6 +436,16 @@ module Aws::S3
432
436
  # ** Please note ** When response stubbing is enabled, no HTTP
433
437
  # requests are made, and retries are disabled.
434
438
  #
439
+ # @option options [Aws::Telemetry::TelemetryProviderBase] :telemetry_provider (Aws::Telemetry::NoOpTelemetryProvider)
440
+ # Allows you to provide a telemetry provider, which is used to
441
+ # emit telemetry data. By default, uses `NoOpTelemetryProvider` which
442
+ # will not record or emit any telemetry data. The SDK supports the
443
+ # following telemetry providers:
444
+ #
445
+ # * OpenTelemetry (OTel) - To use the OTel provider, install and require the
446
+ # `opentelemetry-sdk` gem and then, pass in an instance of a
447
+ # `Aws::Telemetry::OTelProvider` for telemetry provider.
448
+ #
435
449
  # @option options [Aws::TokenProvider] :token_provider
436
450
  # A Bearer Token Provider. This can be an instance of any one of the
437
451
  # following classes:
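Review bot: The new `:telemetry_provider` text says the default provider records nothing, but it does not say what the SDK puts into spans once an `Aws::Telemetry::OTelProvider` is passed in. Anyone exporting traces to a shared or third-party collector needs to know whether request-level values such as bucket names or object keys can appear as span attributes; that is not visible in this hunk and should be checked in aws-sdk-core before the provider is enabled. A line such as `# Review which attributes are exported before sending traces outside your trust boundary.` under the provider list would make that expectation explicit. The option list continues outside the hunk.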
@@ -464,7 +478,9 @@ module Aws::S3
464
478
  # sending the request.
465
479
  #
466
480
  # @option options [Aws::S3::EndpointProvider] :endpoint_provider
467
- # The endpoint provider used to resolve endpoints. Any object that responds to `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to `Aws::S3::EndpointParameters`
481
+ # The endpoint provider used to resolve endpoints. Any object that responds to
482
+ # `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to
483
+ # `Aws::S3::EndpointParameters`.
468
484
  #
469
485
  # @option options [Float] :http_continue_timeout (1)
470
486
  # The number of seconds to wait for a 100-continue response before sending the
@@ -520,6 +536,12 @@ module Aws::S3
520
536
  # @option options [String] :ssl_ca_store
521
537
  # Sets the X509::Store to verify peer certificate.
522
538
  #
539
+ # @option options [OpenSSL::X509::Certificate] :ssl_cert
540
+ # Sets a client certificate when creating http connections.
541
+ #
542
+ # @option options [OpenSSL::PKey] :ssl_key
543
+ # Sets a client key when creating http connections.
544
+ #
523
545
  # @option options [Float] :ssl_timeout
524
546
  # Sets the SSL timeout in seconds
525
547
  #
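Review bot: The `:ssl_key` entry is typed `[OpenSSL::PKey]`, which in Ruby's openssl library is a module; key objects are instances of `OpenSSL::PKey::PKey` subclasses such as `OpenSSL::PKey::RSA`, so the tag should read `# @option options [OpenSSL::PKey::PKey] :ssl_key`. The two new entries also do not say that `:ssl_key` is the private key belonging to `:ssl_cert`, or what happens when only one of them is given. Presumably both are needed for client-certificate (mutual TLS) authentication, which should be confirmed against the connection code in aws-sdk-core. A sentence such as `# The private key matching :ssl_cert; load it from protected storage and never log it.` would state the handling expectation.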
@@ -782,9 +804,15 @@ module Aws::S3
782
804
  # [Multipart Upload and Permissions][6] in the *Amazon S3 User
783
805
  # Guide*.
784
806
  #
807
+ # If you provide an [additional checksum value][7] in your
808
+ # `MultipartUpload` requests and the object is encrypted with Key
809
+ # Management Service, you must have permission to use the
810
+ # `kms:Decrypt` action for the `CompleteMultipartUpload` request to
811
+ # succeed.
812
+ #
785
813
  # * **Directory bucket permissions** - To grant access to this API
786
814
  # operation on a directory bucket, we recommend that you use the [
787
- # `CreateSession` ][7] API operation for session-based
815
+ # `CreateSession` ][8] API operation for session-based
788
816
  # authorization. Specifically, you grant the
789
817
  # `s3express:CreateSession` permission to the directory bucket in a
790
818
  # bucket policy or an IAM identity-based policy. Then, you make the
@@ -795,13 +823,11 @@ module Aws::S3
795
823
  # token for use. Amazon Web Services CLI or SDKs create session and
796
824
  # refresh the session token automatically to avoid service
797
825
  # interruptions when a session expires. For more information about
798
- # authorization, see [ `CreateSession` ][7].
826
+ # authorization, see [ `CreateSession` ][8].
799
827
  #
800
- # * If you provide an [additional checksum value][8] in your
801
- # `MultipartUpload` requests and the object is encrypted with Key
802
- # Management Service, you must have permission to use the
803
- # `kms:Decrypt` action for the `CompleteMultipartUpload` request to
804
- # succeed.
828
+ # If the object is encrypted with SSE-KMS, you must also have the
829
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
830
+ # identity-based policies and KMS key policies for the KMS key.
805
831
  #
806
832
  # Special errors
807
833
  # : * Error Code: `EntityTooSmall`
@@ -860,8 +886,8 @@ module Aws::S3
860
886
  # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
861
887
  # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
862
888
  # [6]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html
863
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
864
- # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
889
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
890
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
865
891
  # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
866
892
  # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
867
893
  # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
@@ -1247,6 +1273,10 @@ module Aws::S3
1247
1273
  # destination. The `s3express:SessionMode` condition key can't be
1248
1274
  # set to `ReadOnly` on the copy destination bucket.
1249
1275
  #
1276
+ # If the object is encrypted with SSE-KMS, you must also have the
1277
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
1278
+ # identity-based policies and KMS key policies for the KMS key.
1279
+ #
1250
1280
  # For example policies, see [Example bucket policies for S3 Express
1251
1281
  # One Zone][6] and [Amazon Web Services Identity and Access
1252
1282
  # Management (IAM) identity-based policies for S3 Express One
@@ -1693,9 +1723,8 @@ module Aws::S3
1693
1723
  #
1694
1724
  # @option params [String] :server_side_encryption
1695
1725
  # The server-side encryption algorithm used when storing this object in
1696
- # Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
1697
- # Unrecognized or unsupported values won’t write a destination object
1698
- # and will receive a `400 Bad Request` response.
1726
+ # Amazon S3. Unrecognized or unsupported values won’t write a
1727
+ # destination object and will receive a `400 Bad Request` response.
1699
1728
  #
1700
1729
  # Amazon S3 automatically encrypts all new objects that are copied to an
1701
1730
  # S3 bucket. When copying an object, if you don't specify encryption
@@ -1703,35 +1732,72 @@ module Aws::S3
1703
1732
  # object is set to the default encryption configuration of the
1704
1733
  # destination bucket. By default, all buckets have a base level of
1705
1734
  # encryption configuration that uses server-side encryption with Amazon
1706
- # S3 managed keys (SSE-S3). If the destination bucket has a default
1707
- # encryption configuration that uses server-side encryption with Key
1708
- # Management Service (KMS) keys (SSE-KMS), dual-layer server-side
1709
- # encryption with Amazon Web Services KMS keys (DSSE-KMS), or
1710
- # server-side encryption with customer-provided encryption keys (SSE-C),
1711
- # Amazon S3 uses the corresponding KMS key, or a customer-provided key
1712
- # to encrypt the target object copy.
1713
- #
1714
- # When you perform a `CopyObject` operation, if you want to use a
1715
- # different type of encryption setting for the target object, you can
1716
- # specify appropriate encryption-related headers to encrypt the target
1717
- # object with an Amazon S3 managed key, a KMS key, or a
1718
- # customer-provided key. If the encryption setting in your request is
1719
- # different from the default encryption configuration of the destination
1720
- # bucket, the encryption setting in your request takes precedence.
1735
+ # S3 managed keys (SSE-S3). If the destination bucket has a different
1736
+ # default encryption configuration, Amazon S3 uses the corresponding
1737
+ # encryption key to encrypt the target object copy.
1721
1738
  #
1722
1739
  # With server-side encryption, Amazon S3 encrypts your data as it writes
1723
1740
  # your data to disks in its data centers and decrypts the data when you
1724
1741
  # access it. For more information about server-side encryption, see
1725
1742
  # [Using Server-Side Encryption][1] in the *Amazon S3 User Guide*.
1726
1743
  #
1727
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
1728
- # managed keys (SSE-S3) (`AES256`) is supported.
1729
- #
1730
- # </note>
1744
+ # <b>General purpose buckets </b>
1745
+ #
1746
+ # * For general purpose buckets, there are the following supported
1747
+ # options for server-side encryption: server-side encryption with Key
1748
+ # Management Service (KMS) keys (SSE-KMS), dual-layer server-side
1749
+ # encryption with Amazon Web Services KMS keys (DSSE-KMS), and
1750
+ # server-side encryption with customer-provided encryption keys
1751
+ # (SSE-C). Amazon S3 uses the corresponding KMS key, or a
1752
+ # customer-provided key to encrypt the target object copy.
1753
+ #
1754
+ # * When you perform a `CopyObject` operation, if you want to use a
1755
+ # different type of encryption setting for the target object, you can
1756
+ # specify appropriate encryption-related headers to encrypt the target
1757
+ # object with an Amazon S3 managed key, a KMS key, or a
1758
+ # customer-provided key. If the encryption setting in your request is
1759
+ # different from the default encryption configuration of the
1760
+ # destination bucket, the encryption setting in your request takes
1761
+ # precedence.
1762
+ #
1763
+ # <b>Directory buckets </b>
1764
+ #
1765
+ # * For directory buckets, there are only two supported options for
1766
+ # server-side encryption: server-side encryption with Amazon S3
1767
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
1768
+ # keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's default
1769
+ # encryption uses the desired encryption configuration and you don't
1770
+ # override the bucket default encryption in your `CreateSession`
1771
+ # requests or `PUT` object requests. Then, new objects are
1772
+ # automatically encrypted with the desired encryption settings. For
1773
+ # more information, see [Protecting data with server-side
1774
+ # encryption][2] in the *Amazon S3 User Guide*. For more information
1775
+ # about the encryption overriding behaviors in directory buckets, see
1776
+ # [Specifying server-side encryption with KMS for new object
1777
+ # uploads][3].
1778
+ #
1779
+ # * To encrypt new object copies to a directory bucket with SSE-KMS, we
1780
+ # recommend you specify SSE-KMS as the directory bucket's default
1781
+ # encryption configuration with a KMS key (specifically, a [customer
1782
+ # managed key][4]). [Amazon Web Services managed key][5] (`aws/s3`)
1783
+ # isn't supported. Your SSE-KMS configuration can only support 1
1784
+ # [customer managed key][4] per directory bucket for the lifetime of
1785
+ # the bucket. After you specify a customer managed key for SSE-KMS,
1786
+ # you can't override the customer managed key for the bucket's
1787
+ # SSE-KMS configuration. Then, when you perform a `CopyObject`
1788
+ # operation and want to specify server-side encryption settings for
1789
+ # new object copies with SSE-KMS in the encryption-related request
1790
+ # headers, you must ensure the encryption key is the same customer
1791
+ # managed key that you specified for the directory bucket's default
1792
+ # encryption configuration.
1731
1793
  #
1732
1794
  #
1733
1795
  #
1734
1796
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
1797
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
1798
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
1799
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
1800
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1735
1801
  #
1736
1802
  # @option params [String] :storage_class
1737
1803
  # If the `x-amz-storage-class` header is not used, the copied object
@@ -1828,33 +1894,51 @@ module Aws::S3
1828
1894
  # </note>
1829
1895
  #
1830
1896
  # @option params [String] :ssekms_key_id
1831
- # Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for object
1832
- # encryption. All GET and PUT requests for an object protected by KMS
1833
- # will fail if they're not made via SSL or using SigV4. For information
1834
- # about configuring any of the officially supported Amazon Web Services
1835
- # SDKs and Amazon Web Services CLI, see [Specifying the Signature
1836
- # Version in Request Authentication][1] in the *Amazon S3 User Guide*.
1837
- #
1838
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1839
- # directory bucket.
1897
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
1898
+ # object encryption. All GET and PUT requests for an object protected by
1899
+ # KMS will fail if they're not made via SSL or using SigV4. For
1900
+ # information about configuring any of the officially supported Amazon
1901
+ # Web Services SDKs and Amazon Web Services CLI, see [Specifying the
1902
+ # Signature Version in Request Authentication][1] in the *Amazon S3 User
1903
+ # Guide*.
1840
1904
  #
1841
- # </note>
1905
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
1906
+ # with `aws:kms`, you must specify the `
1907
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
1908
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
1909
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
1910
+ # key ID or key ARN. The key alias format of the KMS key isn't
1911
+ # supported. Your SSE-KMS configuration can only support 1 [customer
1912
+ # managed key][2] per directory bucket for the lifetime of the bucket.
1913
+ # [Amazon Web Services managed key][3] (`aws/s3`) isn't supported.
1842
1914
  #
1843
1915
  #
1844
1916
  #
1845
1917
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
1918
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
1919
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1846
1920
  #
1847
1921
  # @option params [String] :ssekms_encryption_context
1848
- # Specifies the Amazon Web Services KMS Encryption Context to use for
1849
- # object encryption. The value of this header is a base64-encoded UTF-8
1850
- # string holding JSON with the encryption context key-value pairs. This
1851
- # value must be explicitly added to specify encryption context for
1852
- # `CopyObject` requests.
1922
+ # Specifies the Amazon Web Services KMS Encryption Context as an
1923
+ # additional encryption context to use for the destination object
1924
+ # encryption. The value of this header is a base64-encoded UTF-8 string
1925
+ # holding JSON with the encryption context key-value pairs.
1926
+ #
1927
+ # **General purpose buckets** - This value must be explicitly added to
1928
+ # specify encryption context for `CopyObject` requests if you want an
1929
+ # additional encryption context for your destination object. The
1930
+ # additional encryption context of the source object won't be copied to
1931
+ # the destination object. For more information, see [Encryption
1932
+ # context][1] in the *Amazon S3 User Guide*.
1933
+ #
1934
+ # **Directory buckets** - You can optionally provide an explicit
1935
+ # encryption context value. The value must match the default encryption
1936
+ # context - the bucket Amazon Resource Name (ARN). An additional
1937
+ # encryption context value is not supported.
1853
1938
  #
1854
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1855
- # directory bucket.
1856
1939
  #
1857
- # </note>
1940
+ #
1941
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
1858
1942
  #
1859
1943
  # @option params [Boolean] :bucket_key_enabled
1860
1944
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
@@ -1869,14 +1953,19 @@ module Aws::S3
1869
1953
  # For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon S3
1870
1954
  # User Guide*.
1871
1955
  #
1872
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1873
- # directory bucket.
1956
+ # <note markdown="1"> **Directory buckets** - S3 Bucket Keys aren't supported, when you
1957
+ # copy SSE-KMS encrypted objects from general purpose buckets to
1958
+ # directory buckets, from directory buckets to general purpose buckets,
1959
+ # or between directory buckets, through [CopyObject][2]. In this case,
1960
+ # Amazon S3 makes a call to KMS every time a copy request is made for a
1961
+ # KMS-encrypted object.
1874
1962
  #
1875
1963
  # </note>
1876
1964
  #
1877
1965
  #
1878
1966
  #
1879
1967
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
1968
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
1880
1969
  #
1881
1970
  # @option params [String] :copy_source_sse_customer_algorithm
1882
1971
  # Specifies the algorithm to use when decrypting the source object (for
@@ -2618,9 +2707,53 @@ module Aws::S3
2618
2707
  # using server-side encryption with customer-provided encryption
2619
2708
  # keys (SSE-C)][11] in the *Amazon S3 User Guide*.
2620
2709
  #
2621
- # * **Directory buckets** -For directory buckets, only server-side
2622
- # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is
2623
- # supported.
2710
+ # * **Directory buckets** - For directory buckets, there are only two
2711
+ # supported options for server-side encryption: server-side
2712
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
2713
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
2714
+ # recommend that the bucket's default encryption uses the desired
2715
+ # encryption configuration and you don't override the bucket
2716
+ # default encryption in your `CreateSession` requests or `PUT`
2717
+ # object requests. Then, new objects are automatically encrypted
2718
+ # with the desired encryption settings. For more information, see
2719
+ # [Protecting data with server-side encryption][12] in the *Amazon
2720
+ # S3 User Guide*. For more information about the encryption
2721
+ # overriding behaviors in directory buckets, see [Specifying
2722
+ # server-side encryption with KMS for new object uploads][13].
2723
+ #
2724
+ # In the Zonal endpoint API calls (except [CopyObject][14] and
2725
+ # [UploadPartCopy][9]) using the REST API, the encryption request
2726
+ # headers must match the encryption settings that are specified in
2727
+ # the `CreateSession` request. You can't override the values of the
2728
+ # encryption settings (`x-amz-server-side-encryption`,
2729
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
2730
+ # `x-amz-server-side-encryption-context`, and
2731
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
2732
+ # specified in the `CreateSession` request. You don't need to
2733
+ # explicitly specify these encryption settings values in Zonal
2734
+ # endpoint API calls, and Amazon S3 will use the encryption settings
2735
+ # values from the `CreateSession` request to protect new objects in
2736
+ # the directory bucket.
2737
+ #
2738
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
2739
+ # `CreateSession`, the session token refreshes automatically to
2740
+ # avoid service interruptions when a session expires. The CLI or the
2741
+ # Amazon Web Services SDKs use the bucket's default encryption
2742
+ # configuration for the `CreateSession` request. It's not supported
2743
+ # to override the encryption settings values in the `CreateSession`
2744
+ # request. So in the Zonal endpoint API calls (except
2745
+ # [CopyObject][14] and [UploadPartCopy][9]), the encryption request
2746
+ # headers must match the default encryption configuration of the
2747
+ # directory bucket.
2748
+ #
2749
+ # </note>
2750
+ #
2751
+ # <note markdown="1"> For directory buckets, when you perform a `CreateMultipartUpload`
2752
+ # operation and an `UploadPartCopy` operation, the request headers
2753
+ # you provide in the `CreateMultipartUpload` request must match the
2754
+ # default encryption configuration of the destination bucket.
2755
+ #
2756
+ # </note>
2624
2757
  #
2625
2758
  # HTTP Host header syntax
2626
2759
  #
@@ -2631,13 +2764,13 @@ module Aws::S3
2631
2764
  #
2632
2765
  # * [UploadPart][1]
2633
2766
  #
2634
- # * [CompleteMultipartUpload][12]
2767
+ # * [CompleteMultipartUpload][15]
2635
2768
  #
2636
- # * [AbortMultipartUpload][13]
2769
+ # * [AbortMultipartUpload][16]
2637
2770
  #
2638
- # * [ListParts][14]
2771
+ # * [ListParts][17]
2639
2772
  #
2640
- # * [ListMultipartUploads][15]
2773
+ # * [ListMultipartUploads][18]
2641
2774
  #
2642
2775
  #
2643
2776
  #
@@ -2652,10 +2785,13 @@ module Aws::S3
2652
2785
  # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
2653
2786
  # [10]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
2654
2787
  # [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
2655
- # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
2656
- # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
2657
- # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
2658
- # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
2788
+ # [12]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
2789
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
2790
+ # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
2791
+ # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
2792
+ # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
2793
+ # [17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
2794
+ # [18]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
2659
2795
  #
2660
2796
  # @option params [String] :acl
2661
2797
  # The canned ACL to apply to the object. Amazon S3 supports a set of
@@ -3018,10 +3154,52 @@ module Aws::S3
3018
3154
  # The server-side encryption algorithm used when you store this object
3019
3155
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
3020
3156
  #
3021
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
3022
- # managed keys (SSE-S3) (`AES256`) is supported.
3157
+ # * <b>Directory buckets </b> - For directory buckets, there are only
3158
+ # two supported options for server-side encryption: server-side
3159
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
3160
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
3161
+ # recommend that the bucket's default encryption uses the desired
3162
+ # encryption configuration and you don't override the bucket default
3163
+ # encryption in your `CreateSession` requests or `PUT` object
3164
+ # requests. Then, new objects are automatically encrypted with the
3165
+ # desired encryption settings. For more information, see [Protecting
3166
+ # data with server-side encryption][1] in the *Amazon S3 User Guide*.
3167
+ # For more information about the encryption overriding behaviors in
3168
+ # directory buckets, see [Specifying server-side encryption with KMS
3169
+ # for new object uploads][2].
3170
+ #
3171
+ # In the Zonal endpoint API calls (except [CopyObject][3] and
3172
+ # [UploadPartCopy][4]) using the REST API, the encryption request
3173
+ # headers must match the encryption settings that are specified in the
3174
+ # `CreateSession` request. You can't override the values of the
3175
+ # encryption settings (`x-amz-server-side-encryption`,
3176
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
3177
+ # `x-amz-server-side-encryption-context`, and
3178
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
3179
+ # specified in the `CreateSession` request. You don't need to
3180
+ # explicitly specify these encryption settings values in Zonal
3181
+ # endpoint API calls, and Amazon S3 will use the encryption settings
3182
+ # values from the `CreateSession` request to protect new objects in
3183
+ # the directory bucket.
3184
+ #
3185
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
3186
+ # `CreateSession`, the session token refreshes automatically to avoid
3187
+ # service interruptions when a session expires. The CLI or the Amazon
3188
+ # Web Services SDKs use the bucket's default encryption configuration
3189
+ # for the `CreateSession` request. It's not supported to override the
3190
+ # encryption settings values in the `CreateSession` request. So in the
3191
+ # Zonal endpoint API calls (except [CopyObject][3] and
3192
+ # [UploadPartCopy][4]), the encryption request headers must match the
3193
+ # default encryption configuration of the directory bucket.
3023
3194
  #
3024
- # </note>
3195
+ # </note>
3196
+ #
3197
+ #
3198
+ #
3199
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3200
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
3201
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3202
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3025
3203
  #
3026
3204
  # @option params [String] :storage_class
3027
3205
  # By default, Amazon S3 uses the STANDARD Storage Class to store newly
@@ -3080,34 +3258,71 @@ module Aws::S3
3080
3258
  # </note>
3081
3259
  #
3082
3260
  # @option params [String] :ssekms_key_id
3083
- # Specifies the ID (Key ID, Key ARN, or Key Alias) of the symmetric
3084
- # encryption customer managed key to use for object encryption.
3085
- #
3086
- # <note markdown="1"> This functionality is not supported for directory buckets.
3087
- #
3088
- # </note>
3261
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
3262
+ # object encryption. If the KMS key doesn't exist in the same account
3263
+ # that's issuing the command, you must use the full Key ARN not the Key
3264
+ # ID.
3265
+ #
3266
+ # **General purpose buckets** - If you specify
3267
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
3268
+ # header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
3269
+ # to use. If you specify `x-amz-server-side-encryption:aws:kms` or
3270
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
3271
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
3272
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
3273
+ #
3274
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
3275
+ # with `aws:kms`, you must specify the `
3276
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
3277
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
3278
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
3279
+ # key ID or key ARN. The key alias format of the KMS key isn't
3280
+ # supported. Your SSE-KMS configuration can only support 1 [customer
3281
+ # managed key][1] per directory bucket for the lifetime of the bucket.
3282
+ # [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
3283
+ #
3284
+ #
3285
+ #
3286
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3287
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3089
3288
  #
3090
3289
  # @option params [String] :ssekms_encryption_context
3091
3290
  # Specifies the Amazon Web Services KMS Encryption Context to use for
3092
- # object encryption. The value of this header is a base64-encoded UTF-8
3093
- # string holding JSON with the encryption context key-value pairs.
3291
+ # object encryption. The value of this header is a Base64-encoded string
3292
+ # of a UTF-8 encoded JSON, which contains the encryption context as
3293
+ # key-value pairs.
3094
3294
  #
3095
- # <note markdown="1"> This functionality is not supported for directory buckets.
3096
- #
3097
- # </note>
3295
+ # **Directory buckets** - You can optionally provide an explicit
3296
+ # encryption context value. The value must match the default encryption
3297
+ # context - the bucket Amazon Resource Name (ARN). An additional
3298
+ # encryption context value is not supported.
3098
3299
  #
3099
3300
  # @option params [Boolean] :bucket_key_enabled
3100
3301
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
3101
3302
  # encryption with server-side encryption using Key Management Service
3102
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
3103
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
3303
+ # (KMS) keys (SSE-KMS).
3104
3304
  #
3105
- # Specifying this header with an object action doesn’t affect
3305
+ # **General purpose buckets** - Setting this header to `true` causes
3306
+ # Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
3307
+ # Also, specifying this header with a PUT action doesn't affect
3106
3308
  # bucket-level settings for S3 Bucket Key.
3107
3309
  #
3108
- # <note markdown="1"> This functionality is not supported for directory buckets.
3310
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
3311
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
3312
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
3313
+ # from general purpose buckets to directory buckets, from directory
3314
+ # buckets to general purpose buckets, or between directory buckets,
3315
+ # through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
3316
+ # Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
3317
+ # makes a call to KMS every time a copy request is made for a
3318
+ # KMS-encrypted object.
3109
3319
  #
3110
- # </note>
3320
+ #
3321
+ #
3322
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3323
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3324
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
3325
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
3111
3326
  #
3112
3327
  # @option params [String] :request_payer
3113
3328
  # Confirms that the requester knows that they will be charged for the
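Review bot: Reference links `[3]` and `[4]` in the `:bucket_key_enabled` text, ending in `directory-buckets-objects-Batch-Ops` and `create-import-job`, have no `.html` suffix, unlike every other docs.aws.amazon.com link in this hunk, so they probably do not resolve. Separately, in the `:ssekms_key_id` text the code span for `x-amz-server-side-encryption-aws-kms-key-id` is wrapped right after its opening backtick, which renders the header name with a leading space; the same wrap appears in the `@@ -1828,33 +1894,51 @@` hunk. These comments look generated from the service documentation, so the correction likely belongs in that source rather than in this file.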
@@ -3268,9 +3483,10 @@ module Aws::S3
3268
3483
 
3269
3484
  # Creates a session that establishes temporary security credentials to
3270
3485
  # support fast authentication and authorization for the Zonal endpoint
3271
- # APIs on directory buckets. For more information about Zonal endpoint
3272
- # APIs that include the Availability Zone in the request endpoint, see
3273
- # [S3 Express One Zone APIs][1] in the *Amazon S3 User Guide*.
3486
+ # API operations on directory buckets. For more information about Zonal
3487
+ # endpoint API operations that include the Availability Zone in the
3488
+ # request endpoint, see [S3 Express One Zone APIs][1] in the *Amazon S3
3489
+ # User Guide*.
3274
3490
  #
3275
3491
  # To make Zonal endpoint API requests on a directory bucket, use the
3276
3492
  # `CreateSession` API operation. Specifically, you grant
@@ -3279,13 +3495,13 @@ module Aws::S3
3279
3495
  # the `CreateSession` API request on the bucket, which returns temporary
3280
3496
  # security credentials that include the access key ID, secret access
3281
3497
  # key, session token, and expiration. These credentials have associated
3282
- # permissions to access the Zonal endpoint APIs. After the session is
3283
- # created, you don’t need to use other policies to grant permissions to
3284
- # each Zonal endpoint API individually. Instead, in your Zonal endpoint
3285
- # API requests, you sign your requests by applying the temporary
3286
- # security credentials of the session to the request headers and
3287
- # following the SigV4 protocol for authentication. You also apply the
3288
- # session token to the `x-amz-s3session-token` request header for
3498
+ # permissions to access the Zonal endpoint API operations. After the
3499
+ # session is created, you don’t need to use other policies to grant
3500
+ # permissions to each Zonal endpoint API individually. Instead, in your
3501
+ # Zonal endpoint API requests, you sign your requests by applying the
3502
+ # temporary security credentials of the session to the request headers
3503
+ # and following the SigV4 protocol for authentication. You also apply
3504
+ # the session token to the `x-amz-s3session-token` request header for
3289
3505
  # authorization. Temporary security credentials are scoped to the bucket
3290
3506
  # and expire after 5 minutes. After the expiration time, any calls that
3291
3507
  # you make with those credentials will fail. You must use IAM
@@ -3308,16 +3524,16 @@ module Aws::S3
3308
3524
  # [Regional and Zonal endpoints][3] in the *Amazon S3 User Guide*.
3309
3525
  #
3310
3526
  # * <b> <code>CopyObject</code> API operation</b> - Unlike other Zonal
3311
- # endpoint APIs, the `CopyObject` API operation doesn't use the
3312
- # temporary security credentials returned from the `CreateSession` API
3313
- # operation for authentication and authorization. For information
3527
+ # endpoint API operations, the `CopyObject` API operation doesn't use
3528
+ # the temporary security credentials returned from the `CreateSession`
3529
+ # API operation for authentication and authorization. For information
3314
3530
  # about authentication and authorization of the `CopyObject` API
3315
3531
  # operation on directory buckets, see [CopyObject][4].
3316
3532
  #
3317
3533
  # * <b> <code>HeadBucket</code> API operation</b> - Unlike other Zonal
3318
- # endpoint APIs, the `HeadBucket` API operation doesn't use the
3319
- # temporary security credentials returned from the `CreateSession` API
3320
- # operation for authentication and authorization. For information
3534
+ # endpoint API operations, the `HeadBucket` API operation doesn't use
3535
+ # the temporary security credentials returned from the `CreateSession`
3536
+ # API operation for authentication and authorization. For information
3321
3537
  # about authentication and authorization of the `HeadBucket` API
3322
3538
  # operation on directory buckets, see [HeadBucket][5].
3323
3539
  #
@@ -3336,9 +3552,71 @@ module Aws::S3
3336
3552
  # Identity and Access Management (IAM) identity-based policies for S3
3337
3553
  # Express One Zone][8] in the *Amazon S3 User Guide*.
3338
3554
  #
3339
- # To grant cross-account access to Zonal endpoint APIs, the bucket
3340
- # policy should also grant both accounts the `s3express:CreateSession`
3341
- # permission.
3555
+ # To grant cross-account access to Zonal endpoint API operations, the
3556
+ # bucket policy should also grant both accounts the
3557
+ # `s3express:CreateSession` permission.
3558
+ #
3559
+ # If you want to encrypt objects with SSE-KMS, you must also have the
3560
+ # `kms:GenerateDataKey` and the `kms:Decrypt` permissions in IAM
3561
+ # identity-based policies and KMS key policies for the target KMS key.
3562
+ #
3563
+ # Encryption
3564
+ #
3565
+ # : For directory buckets, there are only two supported options for
3566
+ # server-side encryption: server-side encryption with Amazon S3
3567
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
3568
+ # keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's default
3569
+ # encryption uses the desired encryption configuration and you don't
3570
+ # override the bucket default encryption in your `CreateSession`
3571
+ # requests or `PUT` object requests. Then, new objects are
3572
+ # automatically encrypted with the desired encryption settings. For
3573
+ # more information, see [Protecting data with server-side
3574
+ # encryption][9] in the *Amazon S3 User Guide*. For more information
3575
+ # about the encryption overriding behaviors in directory buckets, see
3576
+ # [Specifying server-side encryption with KMS for new object
3577
+ # uploads][10].
3578
+ #
3579
+ # For [Zonal endpoint (object-level) API operations][11] except
3580
+ # [CopyObject][4] and [UploadPartCopy][12], you authenticate and
3581
+ # authorize requests through [CreateSession][13] for low latency. To
3582
+ # encrypt new objects in a directory bucket with SSE-KMS, you must
3583
+ # specify SSE-KMS as the directory bucket's default encryption
3584
+ # configuration with a KMS key (specifically, a [customer managed
3585
+ # key][14]). Then, when a session is created for Zonal endpoint API
3586
+ # operations, new objects are automatically encrypted and decrypted
3587
+ # with SSE-KMS and S3 Bucket Keys during the session.
3588
+ #
3589
+ # <note markdown="1"> Only 1 [customer managed key][14] is supported per directory bucket
3590
+ # for the lifetime of the bucket. [Amazon Web Services managed
3591
+ # key][15] (`aws/s3`) isn't supported. After you specify SSE-KMS as
3592
+ # your bucket's default encryption configuration with a customer
3593
+ # managed key, you can't change the customer managed key for the
3594
+ # bucket's SSE-KMS configuration.
3595
+ #
3596
+ # </note>
3597
+ #
3598
+ # In the Zonal endpoint API calls (except [CopyObject][4] and
3599
+ # [UploadPartCopy][12]) using the REST API, you can't override the
3600
+ # values of the encryption settings (`x-amz-server-side-encryption`,
3601
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
3602
+ # `x-amz-server-side-encryption-context`, and
3603
+ # `x-amz-server-side-encryption-bucket-key-enabled`) from the
3604
+ # `CreateSession` request. You don't need to explicitly specify these
3605
+ # encryption settings values in Zonal endpoint API calls, and Amazon
3606
+ # S3 will use the encryption settings values from the `CreateSession`
3607
+ # request to protect new objects in the directory bucket.
3608
+ #
3609
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
3610
+ # `CreateSession`, the session token refreshes automatically to avoid
3611
+ # service interruptions when a session expires. The CLI or the Amazon
3612
+ # Web Services SDKs use the bucket's default encryption configuration
3613
+ # for the `CreateSession` request. It's not supported to override the
3614
+ # encryption settings values in the `CreateSession` request. Also, in
3615
+ # the Zonal endpoint API calls (except [CopyObject][4] and
3616
+ # [UploadPartCopy][12]), it's not supported to override the values of
3617
+ # the encryption settings from the `CreateSession` request.
3618
+ #
3619
+ # </note>
3342
3620
  #
3343
3621
  # HTTP Host header syntax
3344
3622
  #
@@ -3355,21 +3633,110 @@ module Aws::S3
3355
3633
  # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html#API_CreateSession_RequestParameters
3356
3634
  # [7]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html
3357
3635
  # [8]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html
3636
+ # [9]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3637
+ # [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
3638
+ # [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-differences.html#s3-express-differences-api-operations
3639
+ # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3640
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
3641
+ # [14]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3642
+ # [15]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3358
3643
  #
3359
3644
  # @option params [String] :session_mode
3360
3645
  # Specifies the mode of the session that will be created, either
3361
3646
  # `ReadWrite` or `ReadOnly`. By default, a `ReadWrite` session is
3362
3647
  # created. A `ReadWrite` session is capable of executing all the Zonal
3363
- # endpoint APIs on a directory bucket. A `ReadOnly` session is
3364
- # constrained to execute the following Zonal endpoint APIs: `GetObject`,
3365
- # `HeadObject`, `ListObjectsV2`, `GetObjectAttributes`, `ListParts`, and
3366
- # `ListMultipartUploads`.
3648
+ # endpoint API operations on a directory bucket. A `ReadOnly` session is
3649
+ # constrained to execute the following Zonal endpoint API operations:
3650
+ # `GetObject`, `HeadObject`, `ListObjectsV2`, `GetObjectAttributes`,
3651
+ # `ListParts`, and `ListMultipartUploads`.
3367
3652
  #
3368
3653
  # @option params [required, String] :bucket
3369
3654
  # The name of the bucket that you create a session for.
3370
3655
  #
3656
+ # @option params [String] :server_side_encryption
3657
+ # The server-side encryption algorithm to use when you store objects in
3658
+ # the directory bucket.
3659
+ #
3660
+ # For directory buckets, there are only two supported options for
3661
+ # server-side encryption: server-side encryption with Amazon S3 managed
3662
+ # keys (SSE-S3) (`AES256`) and server-side encryption with KMS keys
3663
+ # (SSE-KMS) (`aws:kms`). By default, Amazon S3 encrypts data with
3664
+ # SSE-S3. For more information, see [Protecting data with server-side
3665
+ # encryption][1] in the *Amazon S3 User Guide*.
3666
+ #
3667
+ #
3668
+ #
3669
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3670
+ #
3671
+ # @option params [String] :ssekms_key_id
3672
+ # If you specify `x-amz-server-side-encryption` with `aws:kms`, you must
3673
+ # specify the ` x-amz-server-side-encryption-aws-kms-key-id` header with
3674
+ # the ID (Key ID or Key ARN) of the KMS symmetric encryption customer
3675
+ # managed key to use. Otherwise, you get an HTTP `400 Bad Request`
3676
+ # error. Only use the key ID or key ARN. The key alias format of the KMS
3677
+ # key isn't supported. Also, if the KMS key doesn't exist in the same
3678
+ # account that't issuing the command, you must use the full Key ARN not
3679
+ # the Key ID.
3680
+ #
3681
+ # Your SSE-KMS configuration can only support 1 [customer managed
3682
+ # key][1] per directory bucket for the lifetime of the bucket. [Amazon
3683
+ # Web Services managed key][2] (`aws/s3`) isn't supported.
3684
+ #
3685
+ #
3686
+ #
3687
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3688
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3689
+ #
3690
+ # @option params [String] :ssekms_encryption_context
3691
+ # Specifies the Amazon Web Services KMS Encryption Context as an
3692
+ # additional encryption context to use for object encryption. The value
3693
+ # of this header is a Base64-encoded string of a UTF-8 encoded JSON,
3694
+ # which contains the encryption context as key-value pairs. This value
3695
+ # is stored as object metadata and automatically gets passed on to
3696
+ # Amazon Web Services KMS for future `GetObject` operations on this
3697
+ # object.
3698
+ #
3699
+ # **General purpose buckets** - This value must be explicitly added
3700
+ # during `CopyObject` operations if you want an additional encryption
3701
+ # context for your object. For more information, see [Encryption
3702
+ # context][1] in the *Amazon S3 User Guide*.
3703
+ #
3704
+ # **Directory buckets** - You can optionally provide an explicit
3705
+ # encryption context value. The value must match the default encryption
3706
+ # context - the bucket Amazon Resource Name (ARN). An additional
3707
+ # encryption context value is not supported.
3708
+ #
3709
+ #
3710
+ #
3711
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
3712
+ #
3713
+ # @option params [Boolean] :bucket_key_enabled
3714
+ # Specifies whether Amazon S3 should use an S3 Bucket Key for object
3715
+ # encryption with server-side encryption using KMS keys (SSE-KMS).
3716
+ #
3717
+ # S3 Bucket Keys are always enabled for `GET` and `PUT` operations in a
3718
+ # directory bucket and can’t be disabled. S3 Bucket Keys aren't
3719
+ # supported, when you copy SSE-KMS encrypted objects from general
3720
+ # purpose buckets to directory buckets, from directory buckets to
3721
+ # general purpose buckets, or between directory buckets, through
3722
+ # [CopyObject][1], [UploadPartCopy][2], [the Copy operation in Batch
3723
+ # Operations][3], or [the import jobs][4]. In this case, Amazon S3 makes
3724
+ # a call to KMS every time a copy request is made for a KMS-encrypted
3725
+ # object.
3726
+ #
3727
+ #
3728
+ #
3729
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3730
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3731
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
3732
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
3733
+ #
3371
3734
  # @return [Types::CreateSessionOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
3372
3735
  #
3736
+ # * {Types::CreateSessionOutput#server_side_encryption #server_side_encryption} => String
3737
+ # * {Types::CreateSessionOutput#ssekms_key_id #ssekms_key_id} => String
3738
+ # * {Types::CreateSessionOutput#ssekms_encryption_context #ssekms_encryption_context} => String
3739
+ # * {Types::CreateSessionOutput#bucket_key_enabled #bucket_key_enabled} => Boolean
3373
3740
  # * {Types::CreateSessionOutput#credentials #credentials} => Types::SessionCredentials
3374
3741
  #
3375
3742
  # @example Request syntax with placeholder values
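Review bot: The four new `@option` entries (`:server_side_encryption`, `:ssekms_key_id`, `:ssekms_encryption_context`, `:bucket_key_enabled`) read as freely settable, but the method description added in the preceding hunk says that overriding the encryption settings in a `CreateSession` request is not supported when the CLI or SDKs are used. Repeating that limit on the options would keep a caller from assuming a per-session key or algorithm is in effect, for example `# Overriding the bucket's default encryption configuration in this request is not supported.` The `:ssekms_encryption_context` text could also state that the context is not secret, since KMS records it in plaintext in CloudTrail: `# Do not put sensitive values in the encryption context.` In the `:ssekms_key_id` text, `that't` should be `that's`, and the code span around `x-amz-server-side-encryption-aws-kms-key-id` starts with a stray space. The method definition these comments document lies outside the hunk.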
@@ -3377,10 +3744,18 @@ module Aws::S3
3377
3744
  # resp = client.create_session({
3378
3745
  # session_mode: "ReadOnly", # accepts ReadOnly, ReadWrite
3379
3746
  # bucket: "BucketName", # required
3747
+ # server_side_encryption: "AES256", # accepts AES256, aws:kms, aws:kms:dsse
3748
+ # ssekms_key_id: "SSEKMSKeyId",
3749
+ # ssekms_encryption_context: "SSEKMSEncryptionContext",
3750
+ # bucket_key_enabled: false,
3380
3751
  # })
3381
3752
  #
3382
3753
  # @example Response structure
3383
3754
  #
3755
+ # resp.server_side_encryption #=> String, one of "AES256", "aws:kms", "aws:kms:dsse"
3756
+ # resp.ssekms_key_id #=> String
3757
+ # resp.ssekms_encryption_context #=> String
3758
+ # resp.bucket_key_enabled #=> Boolean
3384
3759
  # resp.credentials.access_key_id #=> String
3385
3760
  # resp.credentials.secret_access_key #=> String
3386
3761
  # resp.credentials.session_token #=> String
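Review bot: The request-syntax comment `server_side_encryption: "AES256", # accepts AES256, aws:kms, aws:kms:dsse` and the matching response line disagree with the option text added in the preceding hunk, which names only `AES256` and `aws:kms` as supported for directory buckets. The page does not say whether a request carrying `aws:kms:dsse` is rejected or the value is ignored, so a caller copying it from the example cannot tell what protection the session ends up with. A qualifier on the example line, such as `# accepts AES256, aws:kms (aws:kms:dsse is not supported for directory buckets)`, would remove the contradiction.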
@@ -3626,47 +4001,92 @@ module Aws::S3
3626
4001
  req.send_request(options)
3627
4002
  end
3628
4003
 
3629
- # <note markdown="1"> This operation is not supported by directory buckets.
4004
+ # This implementation of the DELETE action resets the default encryption
4005
+ # for the bucket as server-side encryption with Amazon S3 managed keys
4006
+ # (SSE-S3).
4007
+ #
4008
+ # <note markdown="1"> * **General purpose buckets** - For information about the bucket
4009
+ # default encryption feature, see [Amazon S3 Bucket Default
4010
+ # Encryption][1] in the *Amazon S3 User Guide*.
4011
+ #
4012
+ # * **Directory buckets** - For directory buckets, there are only two
4013
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
4014
+ # For information about the default encryption configuration in
4015
+ # directory buckets, see [Setting default server-side encryption
4016
+ # behavior for directory buckets][2].
3630
4017
  #
3631
4018
  # </note>
3632
4019
  #
3633
- # This implementation of the DELETE action resets the default encryption
3634
- # for the bucket as server-side encryption with Amazon S3 managed keys
3635
- # (SSE-S3). For information about the bucket default encryption feature,
3636
- # see [Amazon S3 Bucket Default Encryption][1] in the *Amazon S3 User
3637
- # Guide*.
4020
+ # Permissions
4021
+ # : * **General purpose bucket permissions** - The
4022
+ # `s3:PutEncryptionConfiguration` permission is required in a
4023
+ # policy. The bucket owner has this permission by default. The
4024
+ # bucket owner can grant this permission to others. For more
4025
+ # information about permissions, see [Permissions Related to Bucket
4026
+ # Operations][3] and [Managing Access Permissions to Your Amazon S3
4027
+ # Resources][4].
3638
4028
  #
3639
- # To use this operation, you must have permissions to perform the
3640
- # `s3:PutEncryptionConfiguration` action. The bucket owner has this
3641
- # permission by default. The bucket owner can grant this permission to
3642
- # others. For more information about permissions, see [Permissions
3643
- # Related to Bucket Subresource Operations][2] and [Managing Access
3644
- # Permissions to your Amazon S3 Resources][3] in the *Amazon S3 User
3645
- # Guide*.
4029
+ # * **Directory bucket permissions** - To grant access to this API
4030
+ # operation, you must have the
4031
+ # `s3express:PutEncryptionConfiguration` permission in an IAM
4032
+ # identity-based policy instead of a bucket policy. Cross-account
4033
+ # access to this API operation isn't supported. This operation can
4034
+ # only be performed by the Amazon Web Services account that owns the
4035
+ # resource. For more information about directory bucket policies and
4036
+ # permissions, see [Amazon Web Services Identity and Access
4037
+ # Management (IAM) for S3 Express One Zone][5] in the *Amazon S3
4038
+ # User Guide*.
4039
+ #
4040
+ # HTTP Host header syntax
4041
+ #
4042
+ # : <b>Directory buckets </b> - The HTTP Host header syntax is
4043
+ # `s3express-control.region.amazonaws.com`.
3646
4044
  #
3647
4045
  # The following operations are related to `DeleteBucketEncryption`:
3648
4046
  #
3649
- # * [PutBucketEncryption][4]
4047
+ # * [PutBucketEncryption][6]
3650
4048
  #
3651
- # * [GetBucketEncryption][5]
4049
+ # * [GetBucketEncryption][7]
3652
4050
  #
3653
4051
  #
3654
4052
  #
3655
4053
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
3656
- # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
3657
- # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
3658
- # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
3659
- # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
4054
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-bucket-encryption.html
4055
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
4056
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
4057
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
4058
+ # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
4059
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
3660
4060
  #
3661
4061
  # @option params [required, String] :bucket
3662
4062
  # The name of the bucket containing the server-side encryption
3663
4063
  # configuration to delete.
3664
4064
  #
4065
+ # <b>Directory buckets </b> - When you use this operation with a
4066
+ # directory bucket, you must use path-style requests in the format
4067
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
4068
+ # Virtual-hosted-style requests aren't supported. Directory bucket
4069
+ # names must be unique in the chosen Availability Zone. Bucket names
4070
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
4071
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
4072
+ # bucket naming restrictions, see [Directory bucket naming rules][1] in
4073
+ # the *Amazon S3 User Guide*
4074
+ #
4075
+ #
4076
+ #
4077
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
4078
+ #
3665
4079
  # @option params [String] :expected_bucket_owner
3666
4080
  # The account ID of the expected bucket owner. If the account ID that
3667
4081
  # you provide does not match the actual owner of the bucket, the request
3668
4082
  # fails with the HTTP status code `403 Forbidden` (access denied).
3669
4083
  #
4084
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
4085
+ # operation. If you specify this header, the request fails with the HTTP
4086
+ # status code `501 Not Implemented`.
4087
+ #
4088
+ # </note>
4089
+ #
3670
4090
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
3671
4091
  #
3672
4092
  # @example Request syntax with placeholder values
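Review bot: The directory-bucket paragraphs use two different placeholders for the same endpoint, `s3express-control.region.amazonaws.com` under "HTTP Host header syntax" and `https://s3express-control.region_code.amazonaws.com/bucket-name ` under `:bucket`; one spelling should be used in both places. Several code spans also carry stray spaces inside the backticks (` bucket_base_name--az_id--x-s3`, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`, and the trailing space after `bucket-name`), and the sentence ending in `*Amazon S3 User Guide*` has no full stop. The same text is repeated in the `GetBucketEncryption` hunk at `@@ -5541,46 +5961,92 @@`. The definition of the method documented here is outside this hunk.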
@@ -4660,35 +5080,35 @@ module Aws::S3
4660
5080
  # * {Types::DeleteObjectTaggingOutput#version_id #version_id} => String
4661
5081
  #
4662
5082
  #
4663
- # @example Example: To remove tag set from an object version
5083
+ # @example Example: To remove tag set from an object
4664
5084
  #
4665
- # # The following example removes tag set associated with the specified object version. The request specifies both the
4666
- # # object key and object version.
5085
+ # # The following example removes tag set associated with the specified object. If the bucket is versioning enabled, the
5086
+ # # operation removes tag set from the latest object version.
4667
5087
  #
4668
5088
  # resp = client.delete_object_tagging({
4669
5089
  # bucket: "examplebucket",
4670
5090
  # key: "HappyFace.jpg",
4671
- # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
4672
5091
  # })
4673
5092
  #
4674
5093
  # resp.to_h outputs the following:
4675
5094
  # {
4676
- # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
5095
+ # version_id: "null",
4677
5096
  # }
4678
5097
  #
4679
- # @example Example: To remove tag set from an object
5098
+ # @example Example: To remove tag set from an object version
4680
5099
  #
4681
- # # The following example removes tag set associated with the specified object. If the bucket is versioning enabled, the
4682
- # # operation removes tag set from the latest object version.
5100
+ # # The following example removes tag set associated with the specified object version. The request specifies both the
5101
+ # # object key and object version.
4683
5102
  #
4684
5103
  # resp = client.delete_object_tagging({
4685
5104
  # bucket: "examplebucket",
4686
5105
  # key: "HappyFace.jpg",
5106
+ # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
4687
5107
  # })
4688
5108
  #
4689
5109
  # resp.to_h outputs the following:
4690
5110
  # {
4691
- # version_id: "null",
5111
+ # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
4692
5112
  # }
4693
5113
  #
4694
5114
  # @example Request syntax with placeholder values
@@ -4971,20 +5391,22 @@ module Aws::S3
4971
5391
  # * {Types::DeleteObjectsOutput#errors #errors} => Array&lt;Types::Error&gt;
4972
5392
  #
4973
5393
  #
4974
- # @example Example: To delete multiple objects from a versioned bucket
5394
+ # @example Example: To delete multiple object versions from a versioned bucket
4975
5395
  #
4976
- # # The following example deletes objects from a bucket. The bucket is versioned, and the request does not specify the
4977
- # # object version to delete. In this case, all versions remain in the bucket and S3 adds a delete marker.
5396
+ # # The following example deletes objects from a bucket. The request specifies object versions. S3 deletes specific object
5397
+ # # versions and returns the key and versions of deleted objects in the response.
4978
5398
  #
4979
5399
  # resp = client.delete_objects({
4980
5400
  # bucket: "examplebucket",
4981
5401
  # delete: {
4982
5402
  # objects: [
4983
5403
  # {
4984
- # key: "objectkey1",
5404
+ # key: "HappyFace.jpg",
5405
+ # version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
4985
5406
  # },
4986
5407
  # {
4987
- # key: "objectkey2",
5408
+ # key: "HappyFace.jpg",
5409
+ # version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
4988
5410
  # },
4989
5411
  # ],
4990
5412
  # quiet: false,
@@ -4995,34 +5417,30 @@ module Aws::S3
4995
5417
  # {
4996
5418
  # deleted: [
4997
5419
  # {
4998
- # delete_marker: true,
4999
- # delete_marker_version_id: "A._w1z6EFiCF5uhtQMDal9JDkID9tQ7F",
5000
- # key: "objectkey1",
5420
+ # key: "HappyFace.jpg",
5421
+ # version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
5001
5422
  # },
5002
5423
  # {
5003
- # delete_marker: true,
5004
- # delete_marker_version_id: "iOd_ORxhkKe_e8G8_oSGxt2PjsCZKlkt",
5005
- # key: "objectkey2",
5424
+ # key: "HappyFace.jpg",
5425
+ # version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
5006
5426
  # },
5007
5427
  # ],
5008
5428
  # }
5009
5429
  #
5010
- # @example Example: To delete multiple object versions from a versioned bucket
5430
+ # @example Example: To delete multiple objects from a versioned bucket
5011
5431
  #
5012
- # # The following example deletes objects from a bucket. The request specifies object versions. S3 deletes specific object
5013
- # # versions and returns the key and versions of deleted objects in the response.
5432
+ # # The following example deletes objects from a bucket. The bucket is versioned, and the request does not specify the
5433
+ # # object version to delete. In this case, all versions remain in the bucket and S3 adds a delete marker.
5014
5434
  #
5015
5435
  # resp = client.delete_objects({
5016
5436
  # bucket: "examplebucket",
5017
5437
  # delete: {
5018
5438
  # objects: [
5019
5439
  # {
5020
- # key: "HappyFace.jpg",
5021
- # version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
5440
+ # key: "objectkey1",
5022
5441
  # },
5023
5442
  # {
5024
- # key: "HappyFace.jpg",
5025
- # version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
5443
+ # key: "objectkey2",
5026
5444
  # },
5027
5445
  # ],
5028
5446
  # quiet: false,
@@ -5033,12 +5451,14 @@ module Aws::S3
5033
5451
  # {
5034
5452
  # deleted: [
5035
5453
  # {
5036
- # key: "HappyFace.jpg",
5037
- # version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
5454
+ # delete_marker: true,
5455
+ # delete_marker_version_id: "A._w1z6EFiCF5uhtQMDal9JDkID9tQ7F",
5456
+ # key: "objectkey1",
5038
5457
  # },
5039
5458
  # {
5040
- # key: "HappyFace.jpg",
5041
- # version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
5459
+ # delete_marker: true,
5460
+ # delete_marker_version_id: "iOd_ORxhkKe_e8G8_oSGxt2PjsCZKlkt",
5461
+ # key: "objectkey2",
5042
5462
  # },
5043
5463
  # ],
5044
5464
  # }
@@ -5541,46 +5961,92 @@ module Aws::S3
5541
5961
  req.send_request(options)
5542
5962
  end
5543
5963
 
5544
- # <note markdown="1"> This operation is not supported by directory buckets.
5964
+ # Returns the default encryption configuration for an Amazon S3 bucket.
5965
+ # By default, all buckets have a default encryption configuration that
5966
+ # uses server-side encryption with Amazon S3 managed keys (SSE-S3).
5967
+ #
5968
+ # <note markdown="1"> * **General purpose buckets** - For information about the bucket
5969
+ # default encryption feature, see [Amazon S3 Bucket Default
5970
+ # Encryption][1] in the *Amazon S3 User Guide*.
5971
+ #
5972
+ # * **Directory buckets** - For directory buckets, there are only two
5973
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
5974
+ # For information about the default encryption configuration in
5975
+ # directory buckets, see [Setting default server-side encryption
5976
+ # behavior for directory buckets][2].
5545
5977
  #
5546
5978
  # </note>
5547
5979
  #
5548
- # Returns the default encryption configuration for an Amazon S3 bucket.
5549
- # By default, all buckets have a default encryption configuration that
5550
- # uses server-side encryption with Amazon S3 managed keys (SSE-S3). For
5551
- # information about the bucket default encryption feature, see [Amazon
5552
- # S3 Bucket Default Encryption][1] in the *Amazon S3 User Guide*.
5980
+ # Permissions
5981
+ # : * **General purpose bucket permissions** - The
5982
+ # `s3:GetEncryptionConfiguration` permission is required in a
5983
+ # policy. The bucket owner has this permission by default. The
5984
+ # bucket owner can grant this permission to others. For more
5985
+ # information about permissions, see [Permissions Related to Bucket
5986
+ # Operations][3] and [Managing Access Permissions to Your Amazon S3
5987
+ # Resources][4].
5553
5988
  #
5554
- # To use this operation, you must have permission to perform the
5555
- # `s3:GetEncryptionConfiguration` action. The bucket owner has this
5556
- # permission by default. The bucket owner can grant this permission to
5557
- # others. For more information about permissions, see [Permissions
5558
- # Related to Bucket Subresource Operations][2] and [Managing Access
5559
- # Permissions to Your Amazon S3 Resources][3].
5989
+ # * **Directory bucket permissions** - To grant access to this API
5990
+ # operation, you must have the
5991
+ # `s3express:GetEncryptionConfiguration` permission in an IAM
5992
+ # identity-based policy instead of a bucket policy. Cross-account
5993
+ # access to this API operation isn't supported. This operation can
5994
+ # only be performed by the Amazon Web Services account that owns the
5995
+ # resource. For more information about directory bucket policies and
5996
+ # permissions, see [Amazon Web Services Identity and Access
5997
+ # Management (IAM) for S3 Express One Zone][5] in the *Amazon S3
5998
+ # User Guide*.
5999
+ #
6000
+ # HTTP Host header syntax
6001
+ #
6002
+ # : <b>Directory buckets </b> - The HTTP Host header syntax is
6003
+ # `s3express-control.region.amazonaws.com`.
5560
6004
  #
5561
6005
  # The following operations are related to `GetBucketEncryption`:
5562
6006
  #
5563
- # * [PutBucketEncryption][4]
6007
+ # * [PutBucketEncryption][6]
5564
6008
  #
5565
- # * [DeleteBucketEncryption][5]
6009
+ # * [DeleteBucketEncryption][7]
5566
6010
  #
5567
6011
  #
5568
6012
  #
5569
6013
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
5570
- # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
5571
- # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
5572
- # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
5573
- # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
6014
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-bucket-encryption.html
6015
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
6016
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
6017
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
6018
+ # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
6019
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
6020
+ #
6021
+ # @option params [required, String] :bucket
6022
+ # The name of the bucket from which the server-side encryption
6023
+ # configuration is retrieved.
6024
+ #
6025
+ # <b>Directory buckets </b> - When you use this operation with a
6026
+ # directory bucket, you must use path-style requests in the format
6027
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
6028
+ # Virtual-hosted-style requests aren't supported. Directory bucket
6029
+ # names must be unique in the chosen Availability Zone. Bucket names
6030
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
6031
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
6032
+ # bucket naming restrictions, see [Directory bucket naming rules][1] in
6033
+ # the *Amazon S3 User Guide*
6034
+ #
5574
6035
  #
5575
- # @option params [required, String] :bucket
5576
- # The name of the bucket from which the server-side encryption
5577
- # configuration is retrieved.
6036
+ #
6037
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
5578
6038
  #
5579
6039
  # @option params [String] :expected_bucket_owner
5580
6040
  # The account ID of the expected bucket owner. If the account ID that
5581
6041
  # you provide does not match the actual owner of the bucket, the request
5582
6042
  # fails with the HTTP status code `403 Forbidden` (access denied).
5583
6043
  #
6044
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
6045
+ # operation. If you specify this header, the request fails with the HTTP
6046
+ # status code `501 Not Implemented`.
6047
+ #
6048
+ # </note>
6049
+ #
5584
6050
  # @return [Types::GetBucketEncryptionOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
5585
6051
  #
5586
6052
  # * {Types::GetBucketEncryptionOutput#server_side_encryption_configuration #server_side_encryption_configuration} => Types::ServerSideEncryptionConfiguration
@@ -7320,6 +7786,10 @@ module Aws::S3
7320
7786
  # interruptions when a session expires. For more information about
7321
7787
  # authorization, see [ `CreateSession` ][4].
7322
7788
  #
7789
+ # If the object is encrypted using SSE-KMS, you must also have the
7790
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
7791
+ # identity-based policies and KMS key policies for the KMS key.
7792
+ #
7323
7793
  # Storage classes
7324
7794
  #
7325
7795
  # : If the object you are retrieving is stored in the S3 Glacier
@@ -7348,6 +7818,11 @@ module Aws::S3
7348
7818
  # `GetObject` requests for the object that uses these types of keys,
7349
7819
  # you’ll get an HTTP `400 Bad Request` error.
7350
7820
  #
7821
+ # **Directory buckets** - For directory buckets, there are only two
7822
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
7823
+ # SSE-C isn't supported. For more information, see [Protecting data
7824
+ # with server-side encryption][7] in the *Amazon S3 User Guide*.
7825
+ #
7351
7826
  # Overriding response header values through the request
7352
7827
  #
7353
7828
  # : There are times when you want to override certain response header
@@ -7395,9 +7870,9 @@ module Aws::S3
7395
7870
  #
7396
7871
  # The following operations are related to `GetObject`:
7397
7872
  #
7398
- # * [ListBuckets][7]
7873
+ # * [ListBuckets][8]
7399
7874
  #
7400
- # * [GetObjectAcl][8]
7875
+ # * [GetObjectAcl][9]
7401
7876
  #
7402
7877
  #
7403
7878
  #
@@ -7407,8 +7882,9 @@ module Aws::S3
7407
7882
  # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
7408
7883
  # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
7409
7884
  # [6]: https://docs.aws.amazon.com/AmazonS3/latest/dev/restoring-objects.html
7410
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html
7411
- # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
7885
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
7886
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html
7887
+ # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
7412
7888
  #
7413
7889
  # @option params [String, IO] :response_target
7414
7890
  # Where to write response data, file path, or IO object.
@@ -7705,10 +8181,10 @@ module Aws::S3
7705
8181
  # @option params [String] :checksum_mode
7706
8182
  # To retrieve the checksum, this mode must be enabled.
7707
8183
  #
7708
- # In addition, if you enable checksum mode and the object is uploaded
7709
- # with a [checksum][1] and encrypted with an Key Management Service
7710
- # (KMS) key, you must have permission to use the `kms:Decrypt` action to
7711
- # retrieve the checksum.
8184
+ # **General purpose buckets** - In addition, if you enable checksum mode
8185
+ # and the object is uploaded with a [checksum][1] and encrypted with an
8186
+ # Key Management Service (KMS) key, you must have permission to use the
8187
+ # `kms:Decrypt` action to retrieve the checksum.
7712
8188
  #
7713
8189
  #
7714
8190
  #
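Review bot: The rewritten `:checksum_mode` paragraph still reads `encrypted with an Key Management Service (KMS) key`, and after the new `**General purpose buckets** -` label the leading "In addition" no longer refers to anything. I would write it as `# **General purpose buckets** - If you enable checksum mode and the object is uploaded with a [checksum][1] and encrypted with a Key Management Service (KMS) key, ...`. The same "an Key" wording is in the HeadObject `:checksum_mode` hunk (`@@ -9575,10 +10076,16 @@`). That hunk also adds a **Directory buckets** paragraph requiring `kms:GenerateDataKey` and `kms:Decrypt`, while this one has no directory-bucket counterpart. If the same KMS permissions apply to GetObject with checksum mode on directory buckets, the parallel paragraph belongs here too; the visible lines do not say either way.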
@@ -8110,7 +8586,7 @@ module Aws::S3
8110
8586
  # Permissions
8111
8587
  # : * **General purpose bucket permissions** - To use
8112
8588
  # `GetObjectAttributes`, you must have READ access to the object.
8113
- # The permissions that you need to use this operation with depend on
8589
+ # The permissions that you need to use this operation depend on
8114
8590
  # whether the bucket is versioned. If the bucket is versioned, you
8115
8591
  # need both the `s3:GetObjectVersion` and
8116
8592
  # `s3:GetObjectVersionAttributes` permissions for this operation. If
@@ -8144,6 +8620,10 @@ module Aws::S3
8144
8620
  # interruptions when a session expires. For more information about
8145
8621
  # authorization, see [ `CreateSession` ][3].
8146
8622
  #
8623
+ # If the object is encrypted with SSE-KMS, you must also have the
8624
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
8625
+ # identity-based policies and KMS key policies for the KMS key.
8626
+ #
8147
8627
  # Encryption
8148
8628
  # : <note markdown="1"> Encryption request headers, like `x-amz-server-side-encryption`,
8149
8629
  # should not be sent for `HEAD` requests if your object uses
@@ -8177,9 +8657,19 @@ module Aws::S3
8177
8657
  # Customer-Provided Encryption Keys)][4] in the *Amazon S3 User
8178
8658
  # Guide*.
8179
8659
  #
8180
- # <note markdown="1"> **Directory bucket permissions** - For directory buckets, only
8181
- # server-side encryption with Amazon S3 managed keys (SSE-S3)
8182
- # (`AES256`) is supported.
8660
+ # <note markdown="1"> **Directory bucket permissions** - For directory buckets, there are
8661
+ # only two supported options for server-side encryption: server-side
8662
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
8663
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
8664
+ # recommend that the bucket's default encryption uses the desired
8665
+ # encryption configuration and you don't override the bucket default
8666
+ # encryption in your `CreateSession` requests or `PUT` object
8667
+ # requests. Then, new objects are automatically encrypted with the
8668
+ # desired encryption settings. For more information, see [Protecting
8669
+ # data with server-side encryption][5] in the *Amazon S3 User Guide*.
8670
+ # For more information about the encryption overriding behaviors in
8671
+ # directory buckets, see [Specifying server-side encryption with KMS
8672
+ # for new object uploads][6].
8183
8673
  #
8184
8674
  # </note>
8185
8675
  #
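Review bot: The expanded note keeps the label `**Directory bucket permissions**`, but it sits under "Encryption" and its text covers only the supported server-side encryption options and default-encryption advice, not permissions. The HeadObject hunk (`@@ -9305,9 +9804,10 @@`) renames the same label to `<b>Directory bucket </b>` for the equivalent note, so the two now disagree. Using the same label here, for example `**Directory buckets** - For directory buckets, there are only two supported options ...`, would stop readers looking for an IAM requirement in this paragraph. The actual KMS permission requirement is the separate paragraph added in `@@ -8144,6 +8620,10 @@`.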
@@ -8203,7 +8693,7 @@ module Aws::S3
8203
8693
  # * `If-Unmodified-Since` condition evaluates to `false`.
8204
8694
  #
8205
8695
  # For more information about conditional requests, see [RFC
8206
- # 7232][5].
8696
+ # 7232][7].
8207
8697
  #
8208
8698
  # * If both of the `If-None-Match` and `If-Modified-Since` headers are
8209
8699
  # present in the request as follows, then Amazon S3 returns the HTTP
@@ -8214,7 +8704,7 @@ module Aws::S3
8214
8704
  # * `If-Modified-Since` condition evaluates to `true`.
8215
8705
  #
8216
8706
  # For more information about conditional requests, see [RFC
8217
- # 7232][5].
8707
+ # 7232][7].
8218
8708
  #
8219
8709
  # HTTP Host header syntax
8220
8710
  #
@@ -8223,21 +8713,21 @@ module Aws::S3
8223
8713
  #
8224
8714
  # The following actions are related to `GetObjectAttributes`:
8225
8715
  #
8226
- # * [GetObject][6]
8716
+ # * [GetObject][8]
8227
8717
  #
8228
- # * [GetObjectAcl][7]
8718
+ # * [GetObjectAcl][9]
8229
8719
  #
8230
- # * [GetObjectLegalHold][8]
8720
+ # * [GetObjectLegalHold][10]
8231
8721
  #
8232
- # * [GetObjectLockConfiguration][9]
8722
+ # * [GetObjectLockConfiguration][11]
8233
8723
  #
8234
- # * [GetObjectRetention][10]
8724
+ # * [GetObjectRetention][12]
8235
8725
  #
8236
- # * [GetObjectTagging][11]
8726
+ # * [GetObjectTagging][13]
8237
8727
  #
8238
- # * [HeadObject][12]
8728
+ # * [HeadObject][14]
8239
8729
  #
8240
- # * [ListParts][13]
8730
+ # * [ListParts][15]
8241
8731
  #
8242
8732
  #
8243
8733
  #
@@ -8245,15 +8735,17 @@ module Aws::S3
8245
8735
  # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
8246
8736
  # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
8247
8737
  # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
8248
- # [5]: https://tools.ietf.org/html/rfc7232
8249
- # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
8250
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
8251
- # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLegalHold.html
8252
- # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLockConfiguration.html
8253
- # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectRetention.html
8254
- # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectTagging.html
8255
- # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html
8256
- # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
8738
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
8739
+ # [6]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
8740
+ # [7]: https://tools.ietf.org/html/rfc7232
8741
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
8742
+ # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
8743
+ # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLegalHold.html
8744
+ # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLockConfiguration.html
8745
+ # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectRetention.html
8746
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectTagging.html
8747
+ # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html
8748
+ # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
8257
8749
  #
8258
8750
  # @option params [required, String] :bucket
8259
8751
  # The name of the bucket that contains the object.
@@ -8797,49 +9289,49 @@ module Aws::S3
8797
9289
  # * {Types::GetObjectTaggingOutput#tag_set #tag_set} => Array&lt;Types::Tag&gt;
8798
9290
  #
8799
9291
  #
8800
- # @example Example: To retrieve tag set of an object
9292
+ # @example Example: To retrieve tag set of a specific object version
8801
9293
  #
8802
- # # The following example retrieves tag set of an object.
9294
+ # # The following example retrieves tag set of an object. The request specifies object version.
8803
9295
  #
8804
9296
  # resp = client.get_object_tagging({
8805
9297
  # bucket: "examplebucket",
8806
- # key: "HappyFace.jpg",
9298
+ # key: "exampleobject",
9299
+ # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
8807
9300
  # })
8808
9301
  #
8809
9302
  # resp.to_h outputs the following:
8810
9303
  # {
8811
9304
  # tag_set: [
8812
9305
  # {
8813
- # key: "Key4",
8814
- # value: "Value4",
8815
- # },
8816
- # {
8817
- # key: "Key3",
8818
- # value: "Value3",
9306
+ # key: "Key1",
9307
+ # value: "Value1",
8819
9308
  # },
8820
9309
  # ],
8821
- # version_id: "null",
9310
+ # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
8822
9311
  # }
8823
9312
  #
8824
- # @example Example: To retrieve tag set of a specific object version
9313
+ # @example Example: To retrieve tag set of an object
8825
9314
  #
8826
- # # The following example retrieves tag set of an object. The request specifies object version.
9315
+ # # The following example retrieves tag set of an object.
8827
9316
  #
8828
9317
  # resp = client.get_object_tagging({
8829
9318
  # bucket: "examplebucket",
8830
- # key: "exampleobject",
8831
- # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
9319
+ # key: "HappyFace.jpg",
8832
9320
  # })
8833
9321
  #
8834
9322
  # resp.to_h outputs the following:
8835
9323
  # {
8836
9324
  # tag_set: [
8837
9325
  # {
8838
- # key: "Key1",
8839
- # value: "Value1",
9326
+ # key: "Key4",
9327
+ # value: "Value4",
9328
+ # },
9329
+ # {
9330
+ # key: "Key3",
9331
+ # value: "Value3",
8840
9332
  # },
8841
9333
  # ],
8842
- # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
9334
+ # version_id: "null",
8843
9335
  # }
8844
9336
  #
8845
9337
  # @example Request syntax with placeholder values
@@ -9272,6 +9764,13 @@ module Aws::S3
9272
9764
  # interruptions when a session expires. For more information about
9273
9765
  # authorization, see [ `CreateSession` ][3].
9274
9766
  #
9767
+ # If you enable `x-amz-checksum-mode` in the request and the object
9768
+ # is encrypted with Amazon Web Services Key Management Service
9769
+ # (Amazon Web Services KMS), you must also have the
9770
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
9771
+ # identity-based policies and KMS key policies for the KMS key to
9772
+ # retrieve the checksum of the object.
9773
+ #
9275
9774
  # Encryption
9276
9775
  # : <note markdown="1"> Encryption request headers, like `x-amz-server-side-encryption`,
9277
9776
  # should not be sent for `HEAD` requests if your object uses
@@ -9305,9 +9804,10 @@ module Aws::S3
9305
9804
  # Customer-Provided Encryption Keys)][4] in the *Amazon S3 User
9306
9805
  # Guide*.
9307
9806
  #
9308
- # <note markdown="1"> **Directory bucket permissions** - For directory buckets, only
9309
- # server-side encryption with Amazon S3 managed keys (SSE-S3)
9310
- # (`AES256`) is supported.
9807
+ # <note markdown="1"> <b>Directory bucket </b> - For directory buckets, there are only two
9808
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
9809
+ # SSE-C isn't supported. For more information, see [Protecting data
9810
+ # with server-side encryption][5] in the *Amazon S3 User Guide*.
9311
9811
  #
9312
9812
  # </note>
9313
9813
  #
@@ -9341,15 +9841,15 @@ module Aws::S3
9341
9841
  # requests in the format
9342
9842
  # `https://bucket_name.s3express-az_id.region.amazonaws.com/key-name
9343
9843
  # `. Path-style requests are not supported. For more information, see
9344
- # [Regional and Zonal endpoints][5] in the *Amazon S3 User Guide*.
9844
+ # [Regional and Zonal endpoints][6] in the *Amazon S3 User Guide*.
9345
9845
  #
9346
9846
  # </note>
9347
9847
  #
9348
9848
  # The following actions are related to `HeadObject`:
9349
9849
  #
9350
- # * [GetObject][6]
9850
+ # * [GetObject][7]
9351
9851
  #
9352
- # * [GetObjectAttributes][7]
9852
+ # * [GetObjectAttributes][8]
9353
9853
  #
9354
9854
  #
9355
9855
  #
@@ -9357,9 +9857,10 @@ module Aws::S3
9357
9857
  # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html
9358
9858
  # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
9359
9859
  # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
9360
- # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
9361
- # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
9362
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAttributes.html
9860
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
9861
+ # [6]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
9862
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
9863
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAttributes.html
9363
9864
  #
9364
9865
  # @option params [required, String] :bucket
9365
9866
  # The name of the bucket that contains the object.
@@ -9575,10 +10076,16 @@ module Aws::S3
9575
10076
  # @option params [String] :checksum_mode
9576
10077
  # To retrieve the checksum, this parameter must be enabled.
9577
10078
  #
9578
- # In addition, if you enable checksum mode and the object is uploaded
9579
- # with a [checksum][1] and encrypted with an Key Management Service
9580
- # (KMS) key, you must have permission to use the `kms:Decrypt` action to
9581
- # retrieve the checksum.
10079
+ # **General purpose buckets** - If you enable checksum mode and the
10080
+ # object is uploaded with a [checksum][1] and encrypted with an Key
10081
+ # Management Service (KMS) key, you must have permission to use the
10082
+ # `kms:Decrypt` action to retrieve the checksum.
10083
+ #
10084
+ # **Directory buckets** - If you enable `ChecksumMode` and the object is
10085
+ # encrypted with Amazon Web Services Key Management Service (Amazon Web
10086
+ # Services KMS), you must also have the `kms:GenerateDataKey` and
10087
+ # `kms:Decrypt` permissions in IAM identity-based policies and KMS key
10088
+ # policies for the KMS key to retrieve the checksum of the object.
9582
10089
  #
9583
10090
  #
9584
10091
  #
@@ -12574,24 +13081,73 @@ module Aws::S3
12574
13081
  req.send_request(options)
12575
13082
  end
12576
13083
 
12577
- # <note markdown="1"> This operation is not supported by directory buckets.
13084
+ # This operation configures default encryption and Amazon S3 Bucket Keys
13085
+ # for an existing bucket.
12578
13086
  #
12579
- # </note>
13087
+ # <note markdown="1"> <b>Directory buckets </b> - For directory buckets, you must make
13088
+ # requests for this API operation to the Regional endpoint. These
13089
+ # endpoints support path-style requests in the format
13090
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
13091
+ # Virtual-hosted-style requests aren't supported. For more information,
13092
+ # see [Regional and Zonal endpoints][1] in the *Amazon S3 User Guide*.
12580
13093
  #
12581
- # This action uses the `encryption` subresource to configure default
12582
- # encryption and Amazon S3 Bucket Keys for an existing bucket.
13094
+ # </note>
12583
13095
  #
12584
13096
  # By default, all buckets have a default encryption configuration that
12585
- # uses server-side encryption with Amazon S3 managed keys (SSE-S3). You
12586
- # can optionally configure default encryption for a bucket by using
12587
- # server-side encryption with Key Management Service (KMS) keys
12588
- # (SSE-KMS) or dual-layer server-side encryption with Amazon Web
12589
- # Services KMS keys (DSSE-KMS). If you specify default encryption by
12590
- # using SSE-KMS, you can also configure [Amazon S3 Bucket Keys][1]. If
12591
- # you use PutBucketEncryption to set your [default bucket encryption][2]
12592
- # to SSE-KMS, you should verify that your KMS key ID is correct. Amazon
12593
- # S3 does not validate the KMS key ID provided in PutBucketEncryption
12594
- # requests.
13097
+ # uses server-side encryption with Amazon S3 managed keys (SSE-S3).
13098
+ #
13099
+ # <note markdown="1"> * **General purpose buckets**
13100
+ #
13101
+ # * You can optionally configure default encryption for a bucket by
13102
+ # using server-side encryption with Key Management Service (KMS)
13103
+ # keys (SSE-KMS) or dual-layer server-side encryption with Amazon
13104
+ # Web Services KMS keys (DSSE-KMS). If you specify default
13105
+ # encryption by using SSE-KMS, you can also configure [Amazon S3
13106
+ # Bucket Keys][2]. For information about the bucket default
13107
+ # encryption feature, see [Amazon S3 Bucket Default Encryption][3]
13108
+ # in the *Amazon S3 User Guide*.
13109
+ #
13110
+ # * If you use PutBucketEncryption to set your [default bucket
13111
+ # encryption][3] to SSE-KMS, you should verify that your KMS key ID
13112
+ # is correct. Amazon S3 doesn't validate the KMS key ID provided in
13113
+ # PutBucketEncryption requests.
13114
+ #
13115
+ # * <b>Directory buckets </b> - You can optionally configure default
13116
+ # encryption for a bucket by using server-side encryption with Key
13117
+ # Management Service (KMS) keys (SSE-KMS).
13118
+ #
13119
+ # * We recommend that the bucket's default encryption uses the
13120
+ # desired encryption configuration and you don't override the
13121
+ # bucket default encryption in your `CreateSession` requests or
13122
+ # `PUT` object requests. Then, new objects are automatically
13123
+ # encrypted with the desired encryption settings. For more
13124
+ # information about the encryption overriding behaviors in directory
13125
+ # buckets, see [Specifying server-side encryption with KMS for new
13126
+ # object uploads][4].
13127
+ #
13128
+ # * Your SSE-KMS configuration can only support 1 [customer managed
13129
+ # key][5] per directory bucket for the lifetime of the bucket.
13130
+ # [Amazon Web Services managed key][6] (`aws/s3`) isn't supported.
13131
+ #
13132
+ # * S3 Bucket Keys are always enabled for `GET` and `PUT` operations
13133
+ # in a directory bucket and can’t be disabled. S3 Bucket Keys
13134
+ # aren't supported, when you copy SSE-KMS encrypted objects from
13135
+ # general purpose buckets to directory buckets, from directory
13136
+ # buckets to general purpose buckets, or between directory buckets,
13137
+ # through [CopyObject][7], [UploadPartCopy][8], [the Copy operation
13138
+ # in Batch Operations][9], or [the import jobs][10]. In this case,
13139
+ # Amazon S3 makes a call to KMS every time a copy request is made
13140
+ # for a KMS-encrypted object.
13141
+ #
13142
+ # * When you specify an [KMS customer managed key][5] for encryption
13143
+ # in your directory bucket, only use the key ID or key ARN. The key
13144
+ # alias format of the KMS key isn't supported.
13145
+ #
13146
+ # * For directory buckets, if you use PutBucketEncryption to set your
13147
+ # [default bucket encryption][3] to SSE-KMS, Amazon S3 validates the
13148
+ # KMS key ID provided in PutBucketEncryption requests.
13149
+ #
13150
+ # </note>
12595
13151
  #
12596
13152
  # If you're specifying a customer managed KMS key, we recommend using a
12597
13153
  # fully qualified KMS key ARN. If you use a KMS key alias instead, then
@@ -12601,45 +13157,80 @@ module Aws::S3
12601
13157
  #
12602
13158
  # Also, this action requires Amazon Web Services Signature Version 4.
12603
13159
  # For more information, see [ Authenticating Requests (Amazon Web
12604
- # Services Signature Version 4)][3].
13160
+ # Services Signature Version 4)][11].
12605
13161
  #
12606
- # To use this operation, you must have permission to perform the
12607
- # `s3:PutEncryptionConfiguration` action. The bucket owner has this
12608
- # permission by default. The bucket owner can grant this permission to
12609
- # others. For more information about permissions, see [Permissions
12610
- # Related to Bucket Subresource Operations][4] and [Managing Access
12611
- # Permissions to Your Amazon S3 Resources][5] in the *Amazon S3 User
12612
- # Guide*.
13162
+ # Permissions
13163
+ # : * **General purpose bucket permissions** - The
13164
+ # `s3:PutEncryptionConfiguration` permission is required in a
13165
+ # policy. The bucket owner has this permission by default. The
13166
+ # bucket owner can grant this permission to others. For more
13167
+ # information about permissions, see [Permissions Related to Bucket
13168
+ # Operations][12] and [Managing Access Permissions to Your Amazon S3
13169
+ # Resources][13] in the *Amazon S3 User Guide*.
13170
+ #
13171
+ # * **Directory bucket permissions** - To grant access to this API
13172
+ # operation, you must have the
13173
+ # `s3express:PutEncryptionConfiguration` permission in an IAM
13174
+ # identity-based policy instead of a bucket policy. Cross-account
13175
+ # access to this API operation isn't supported. This operation can
13176
+ # only be performed by the Amazon Web Services account that owns the
13177
+ # resource. For more information about directory bucket policies and
13178
+ # permissions, see [Amazon Web Services Identity and Access
13179
+ # Management (IAM) for S3 Express One Zone][14] in the *Amazon S3
13180
+ # User Guide*.
13181
+ #
13182
+ # To set a directory bucket default encryption with SSE-KMS, you
13183
+ # must also have the `kms:GenerateDataKey` and the `kms:Decrypt`
13184
+ # permissions in IAM identity-based policies and KMS key policies
13185
+ # for the target KMS key.
13186
+ #
13187
+ # HTTP Host header syntax
13188
+ #
13189
+ # : <b>Directory buckets </b> - The HTTP Host header syntax is
13190
+ # `s3express-control.region.amazonaws.com`.
12613
13191
  #
12614
13192
  # The following operations are related to `PutBucketEncryption`:
12615
13193
  #
12616
- # * [GetBucketEncryption][6]
13194
+ # * [GetBucketEncryption][15]
12617
13195
  #
12618
- # * [DeleteBucketEncryption][7]
13196
+ # * [DeleteBucketEncryption][16]
12619
13197
  #
12620
13198
  #
12621
13199
  #
12622
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
12623
- # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
12624
- # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
12625
- # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
12626
- # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
12627
- # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
12628
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
13200
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
13201
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
13202
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
13203
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
13204
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
13205
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
13206
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
13207
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
13208
+ # [9]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
13209
+ # [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
13210
+ # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
13211
+ # [12]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
13212
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
13213
+ # [14]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
13214
+ # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
13215
+ # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
12629
13216
  #
12630
13217
  # @option params [required, String] :bucket
12631
13218
  # Specifies default encryption for a bucket using server-side encryption
12632
- # with different key options. By default, all buckets have a default
12633
- # encryption configuration that uses server-side encryption with Amazon
12634
- # S3 managed keys (SSE-S3). You can optionally configure default
12635
- # encryption for a bucket by using server-side encryption with an Amazon
12636
- # Web Services KMS key (SSE-KMS) or a customer-provided key (SSE-C). For
12637
- # information about the bucket default encryption feature, see [Amazon
12638
- # S3 Bucket Default Encryption][1] in the *Amazon S3 User Guide*.
13219
+ # with different key options.
13220
+ #
13221
+ # <b>Directory buckets </b> - When you use this operation with a
13222
+ # directory bucket, you must use path-style requests in the format
13223
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
13224
+ # Virtual-hosted-style requests aren't supported. Directory bucket
13225
+ # names must be unique in the chosen Availability Zone. Bucket names
13226
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
13227
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
13228
+ # bucket naming restrictions, see [Directory bucket naming rules][1] in
13229
+ # the *Amazon S3 User Guide*
12639
13230
  #
12640
13231
  #
12641
13232
  #
12642
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
13233
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
12643
13234
  #
12644
13235
  # @option params [String] :content_md5
12645
13236
  # The base64-encoded 128-bit MD5 digest of the server-side encryption
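Review bot: References `[9]` (`.../userguide/directory-buckets-objects-Batch-Ops`) and `[10]` (`.../userguide/create-import-job`) are the only entries in the new link list without a `.html` suffix, so they should be checked and the suffix restored if it was dropped. The `:bucket` description still opens with "Specifies default encryption for a bucket using server-side encryption with different key options", which describes the encryption configuration rather than the bucket name. A line in the style of the GetBucketEncryption entry, such as `# The name of the bucket for which the default encryption configuration is set.`, would fit the parameter. The added sentence ending `the *Amazon S3 User Guide*` is missing its final period. If this file is generated from the service model, as the comment layout suggests, these fixes belong in the model rather than in this file.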
@@ -12649,6 +13240,10 @@ module Aws::S3
12649
13240
  # (CLI) or Amazon Web Services SDKs, this field is calculated
12650
13241
  # automatically.
12651
13242
  #
13243
+ # <note markdown="1"> This functionality is not supported for directory buckets.
13244
+ #
13245
+ # </note>
13246
+ #
12652
13247
  # @option params [String] :checksum_algorithm
12653
13248
  # Indicates the algorithm used to create the checksum for the object
12654
13249
  # when you use the SDK. This header will not provide any additional
@@ -12661,6 +13256,11 @@ module Aws::S3
12661
13256
  # If you provide an individual checksum, Amazon S3 ignores any provided
12662
13257
  # `ChecksumAlgorithm` parameter.
12663
13258
  #
13259
+ # <note markdown="1"> For directory buckets, when you use Amazon Web Services SDKs, `CRC32`
13260
+ # is the default checksum algorithm that's used for performance.
13261
+ #
13262
+ # </note>
13263
+ #
12664
13264
  #
12665
13265
  #
12666
13266
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
@@ -12673,6 +13273,12 @@ module Aws::S3
12673
13273
  # you provide does not match the actual owner of the bucket, the request
12674
13274
  # fails with the HTTP status code `403 Forbidden` (access denied).
12675
13275
  #
13276
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
13277
+ # operation. If you specify this header, the request fails with the HTTP
13278
+ # status code `501 Not Implemented`.
13279
+ #
13280
+ # </note>
13281
+ #
12676
13282
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
12677
13283
  #
12678
13284
  # @example Request syntax with placeholder values
@@ -15070,6 +15676,10 @@ module Aws::S3
15070
15676
  # interruptions when a session expires. For more information about
15071
15677
  # authorization, see [ `CreateSession` ][5].
15072
15678
  #
15679
+ # If the object is encrypted with SSE-KMS, you must also have the
15680
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
15681
+ # identity-based policies and KMS key policies for the KMS key.
15682
+ #
15073
15683
  # Data integrity with Content-MD5
15074
15684
  # : * **General purpose bucket** - To ensure that data is not corrupted
15075
15685
  # traversing the network, use the `Content-MD5` header. When you use
@@ -15419,25 +16029,65 @@ module Aws::S3
15419
16029
  # object in Amazon S3 (for example, `AES256`, `aws:kms`,
15420
16030
  # `aws:kms:dsse`).
15421
16031
  #
15422
- # <b>General purpose buckets </b> - You have four mutually exclusive
15423
- # options to protect data using server-side encryption in Amazon S3,
15424
- # depending on how you choose to manage the encryption keys.
15425
- # Specifically, the encryption key options are Amazon S3 managed keys
15426
- # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
15427
- # customer-provided keys (SSE-C). Amazon S3 encrypts data with
15428
- # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
15429
- # default. You can optionally tell Amazon S3 to encrypt data at rest by
15430
- # using server-side encryption with other key options. For more
15431
- # information, see [Using Server-Side Encryption][1] in the *Amazon S3
15432
- # User Guide*.
16032
+ # * <b>General purpose buckets </b> - You have four mutually exclusive
16033
+ # options to protect data using server-side encryption in Amazon S3,
16034
+ # depending on how you choose to manage the encryption keys.
16035
+ # Specifically, the encryption key options are Amazon S3 managed keys
16036
+ # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
16037
+ # customer-provided keys (SSE-C). Amazon S3 encrypts data with
16038
+ # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
16039
+ # default. You can optionally tell Amazon S3 to encrypt data at rest
16040
+ # by using server-side encryption with other key options. For more
16041
+ # information, see [Using Server-Side Encryption][1] in the *Amazon S3
16042
+ # User Guide*.
15433
16043
  #
15434
- # <b>Directory buckets </b> - For directory buckets, only the
15435
- # server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`)
15436
- # value is supported.
16044
+ # * <b>Directory buckets </b> - For directory buckets, there are only
16045
+ # two supported options for server-side encryption: server-side
16046
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
16047
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
16048
+ # recommend that the bucket's default encryption uses the desired
16049
+ # encryption configuration and you don't override the bucket default
16050
+ # encryption in your `CreateSession` requests or `PUT` object
16051
+ # requests. Then, new objects are automatically encrypted with the
16052
+ # desired encryption settings. For more information, see [Protecting
16053
+ # data with server-side encryption][2] in the *Amazon S3 User Guide*.
16054
+ # For more information about the encryption overriding behaviors in
16055
+ # directory buckets, see [Specifying server-side encryption with KMS
16056
+ # for new object uploads][3].
16057
+ #
16058
+ # In the Zonal endpoint API calls (except [CopyObject][4] and
16059
+ # [UploadPartCopy][5]) using the REST API, the encryption request
16060
+ # headers must match the encryption settings that are specified in the
16061
+ # `CreateSession` request. You can't override the values of the
16062
+ # encryption settings (`x-amz-server-side-encryption`,
16063
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
16064
+ # `x-amz-server-side-encryption-context`, and
16065
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
16066
+ # specified in the `CreateSession` request. You don't need to
16067
+ # explicitly specify these encryption settings values in Zonal
16068
+ # endpoint API calls, and Amazon S3 will use the encryption settings
16069
+ # values from the `CreateSession` request to protect new objects in
16070
+ # the directory bucket.
16071
+ #
16072
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
16073
+ # `CreateSession`, the session token refreshes automatically to avoid
16074
+ # service interruptions when a session expires. The CLI or the Amazon
16075
+ # Web Services SDKs use the bucket's default encryption configuration
16076
+ # for the `CreateSession` request. It's not supported to override the
16077
+ # encryption settings values in the `CreateSession` request. So in the
16078
+ # Zonal endpoint API calls (except [CopyObject][4] and
16079
+ # [UploadPartCopy][5]), the encryption request headers must match the
16080
+ # default encryption configuration of the directory bucket.
16081
+ #
16082
+ # </note>
15437
16083
  #
15438
16084
  #
15439
16085
  #
15440
16086
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
16087
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
16088
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
16089
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
16090
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
15441
16091
  #
15442
16092
  # @option params [String] :storage_class
15443
16093
  # By default, Amazon S3 uses the STANDARD Storage Class to store newly
@@ -15517,46 +16167,83 @@ module Aws::S3
15517
16167
  # </note>
15518
16168
  #
15519
16169
  # @option params [String] :ssekms_key_id
15520
- # If `x-amz-server-side-encryption` has a valid value of `aws:kms` or
15521
- # `aws:kms:dsse`, this header specifies the ID (Key ID, Key ARN, or Key
15522
- # Alias) of the Key Management Service (KMS) symmetric encryption
15523
- # customer managed key that was used for the object. If you specify
15524
- # `x-amz-server-side-encryption:aws:kms` or
15525
- # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide`
15526
- # x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
15527
- # Amazon Web Services managed key (`aws/s3`) to protect the data. If the
15528
- # KMS key does not exist in the same account that's issuing the
15529
- # command, you must use the full ARN and not just the ID.
16170
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
16171
+ # object encryption. If the KMS key doesn't exist in the same account
16172
+ # that's issuing the command, you must use the full Key ARN not the Key
16173
+ # ID.
16174
+ #
16175
+ # **General purpose buckets** - If you specify
16176
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
16177
+ # header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
16178
+ # to use. If you specify `x-amz-server-side-encryption:aws:kms` or
16179
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
16180
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
16181
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
16182
+ #
16183
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
16184
+ # with `aws:kms`, you must specify the `
16185
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
16186
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
16187
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
16188
+ # key ID or key ARN. The key alias format of the KMS key isn't
16189
+ # supported. Your SSE-KMS configuration can only support 1 [customer
16190
+ # managed key][1] per directory bucket for the lifetime of the bucket.
16191
+ # [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
16192
+ #
16193
+ #
16194
+ #
16195
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
16196
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
15530
16197
  #
15531
- # <note markdown="1"> This functionality is not supported for directory buckets.
16198
+ # @option params [String] :ssekms_encryption_context
16199
+ # Specifies the Amazon Web Services KMS Encryption Context as an
16200
+ # additional encryption context to use for object encryption. The value
16201
+ # of this header is a Base64-encoded string of a UTF-8 encoded JSON,
16202
+ # which contains the encryption context as key-value pairs. This value
16203
+ # is stored as object metadata and automatically gets passed on to
16204
+ # Amazon Web Services KMS for future `GetObject` operations on this
16205
+ # object.
15532
16206
  #
15533
- # </note>
16207
+ # **General purpose buckets** - This value must be explicitly added
16208
+ # during `CopyObject` operations if you want an additional encryption
16209
+ # context for your object. For more information, see [Encryption
16210
+ # context][1] in the *Amazon S3 User Guide*.
15534
16211
  #
15535
- # @option params [String] :ssekms_encryption_context
15536
- # Specifies the Amazon Web Services KMS Encryption Context to use for
15537
- # object encryption. The value of this header is a base64-encoded UTF-8
15538
- # string holding JSON with the encryption context key-value pairs. This
15539
- # value is stored as object metadata and automatically gets passed on to
15540
- # Amazon Web Services KMS for future `GetObject` or `CopyObject`
15541
- # operations on this object. This value must be explicitly added during
15542
- # `CopyObject` operations.
16212
+ # **Directory buckets** - You can optionally provide an explicit
16213
+ # encryption context value. The value must match the default encryption
16214
+ # context - the bucket Amazon Resource Name (ARN). An additional
16215
+ # encryption context value is not supported.
15543
16216
  #
15544
- # <note markdown="1"> This functionality is not supported for directory buckets.
15545
16217
  #
15546
- # </note>
16218
+ #
16219
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
15547
16220
  #
15548
16221
  # @option params [Boolean] :bucket_key_enabled
15549
16222
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
15550
16223
  # encryption with server-side encryption using Key Management Service
15551
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
15552
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
16224
+ # (KMS) keys (SSE-KMS).
16225
+ #
16226
+ # **General purpose buckets** - Setting this header to `true` causes
16227
+ # Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
16228
+ # Also, specifying this header with a PUT action doesn't affect
16229
+ # bucket-level settings for S3 Bucket Key.
15553
16230
  #
15554
- # Specifying this header with a PUT action doesn’t affect bucket-level
15555
- # settings for S3 Bucket Key.
16231
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
16232
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
16233
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
16234
+ # from general purpose buckets to directory buckets, from directory
16235
+ # buckets to general purpose buckets, or between directory buckets,
16236
+ # through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
16237
+ # Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
16238
+ # makes a call to KMS every time a copy request is made for a
16239
+ # KMS-encrypted object.
15556
16240
  #
15557
- # <note markdown="1"> This functionality is not supported for directory buckets.
15558
16241
  #
15559
- # </note>
16242
+ #
16243
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
16244
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
16245
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
16246
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
15560
16247
  #
15561
16248
  # @option params [String] :request_payer
15562
16249
  # Confirms that the requester knows that they will be charged for the
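Review bot: The rewritten `:ssekms_encryption_context` text says the value is stored as object metadata and passed on to KMS, but it never tells the reader that an encryption context is not secret. KMS records it in plaintext in CloudTrail, so it should hold no sensitive values. I would add one line after the first paragraph: `# The encryption context is not encrypted; do not include sensitive information in it.` Separately, in the `:bucket_key_enabled` references of this hunk, links `[3]` and `[4]` (ending in `directory-buckets-objects-Batch-Ops` and `create-import-job`) are the only reference URLs in view without a `.html` suffix and may not resolve; they are worth checking against the user guide.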
@@ -15634,24 +16321,22 @@ module Aws::S3
15634
16321
  # * {Types::PutObjectOutput#request_charged #request_charged} => String
15635
16322
  #
15636
16323
  #
15637
- # @example Example: To upload an object (specify optional headers)
16324
+ # @example Example: To upload an object and specify optional tags
15638
16325
  #
15639
- # # The following example uploads an object. The request specifies optional request headers to directs S3 to use specific
15640
- # # storage class and use server-side encryption.
16326
+ # # The following example uploads an object. The request specifies optional object tags. The bucket is versioned, therefore
16327
+ # # S3 returns version ID of the newly created object.
15641
16328
  #
15642
16329
  # resp = client.put_object({
15643
- # body: "HappyFace.jpg",
16330
+ # body: "c:\\HappyFace.jpg",
15644
16331
  # bucket: "examplebucket",
15645
16332
  # key: "HappyFace.jpg",
15646
- # server_side_encryption: "AES256",
15647
- # storage_class: "STANDARD_IA",
16333
+ # tagging: "key1=value1&key2=value2",
15648
16334
  # })
15649
16335
  #
15650
16336
  # resp.to_h outputs the following:
15651
16337
  # {
15652
16338
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15653
- # server_side_encryption: "AES256",
15654
- # version_id: "CG612hodqujkf8FaaNfp8U..FIhLROcp",
16339
+ # version_id: "psM2sYY4.o1501dSx8wMvnkOzSBB.V4a",
15655
16340
  # }
15656
16341
  #
15657
16342
  # @example Example: To create an object.
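Review bot: The `put_object` example blocks are emitted in a different order rather than changed, so this hunk and the next one (`@@ -15670,98 +16355,100 @@`) carry only a permutation. The "specify optional headers" example removed here reappears unchanged at the end of the next hunk, and the "optional tags" example added here is removed there. The `upload_part_copy` examples hunk (`@@ -18597,45 +19312,45 @@`) swaps its two examples in the same way. If these comments are generated, emitting the examples in a stable order (for instance sorted by title) would keep version-to-version diffs limited to real changes, which matters to anyone auditing a dependency upgrade.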
@@ -15670,98 +16355,100 @@ module Aws::S3
15670
16355
  # version_id: "Bvq0EDKxOcXLJXNo_Lkz37eM3R4pfzyQ",
15671
16356
  # }
15672
16357
  #
15673
- # @example Example: To upload an object
16358
+ # @example Example: To upload object and specify user-defined metadata
15674
16359
  #
15675
- # # The following example uploads an object to a versioning-enabled bucket. The source file is specified using Windows file
15676
- # # syntax. S3 returns VersionId of the newly created object.
16360
+ # # The following example creates an object. The request also specifies optional metadata. If the bucket is versioning
16361
+ # # enabled, S3 returns version ID in response.
15677
16362
  #
15678
16363
  # resp = client.put_object({
15679
- # body: "HappyFace.jpg",
16364
+ # body: "filetoupload",
15680
16365
  # bucket: "examplebucket",
15681
- # key: "HappyFace.jpg",
16366
+ # key: "exampleobject",
16367
+ # metadata: {
16368
+ # "metadata1" => "value1",
16369
+ # "metadata2" => "value2",
16370
+ # },
15682
16371
  # })
15683
16372
  #
15684
16373
  # resp.to_h outputs the following:
15685
16374
  # {
15686
16375
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15687
- # version_id: "tpf3zF08nBplQK1XLOefGskR7mGDwcDk",
16376
+ # version_id: "pSKidl4pHBiNwukdbcPXAIs.sshFFOc0",
15688
16377
  # }
15689
16378
  #
15690
- # @example Example: To upload an object and specify optional tags
16379
+ # @example Example: To upload an object
15691
16380
  #
15692
- # # The following example uploads an object. The request specifies optional object tags. The bucket is versioned, therefore
15693
- # # S3 returns version ID of the newly created object.
16381
+ # # The following example uploads an object to a versioning-enabled bucket. The source file is specified using Windows file
16382
+ # # syntax. S3 returns VersionId of the newly created object.
15694
16383
  #
15695
16384
  # resp = client.put_object({
15696
- # body: "c:\\HappyFace.jpg",
16385
+ # body: "HappyFace.jpg",
15697
16386
  # bucket: "examplebucket",
15698
16387
  # key: "HappyFace.jpg",
15699
- # tagging: "key1=value1&key2=value2",
15700
16388
  # })
15701
16389
  #
15702
16390
  # resp.to_h outputs the following:
15703
16391
  # {
15704
16392
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15705
- # version_id: "psM2sYY4.o1501dSx8wMvnkOzSBB.V4a",
16393
+ # version_id: "tpf3zF08nBplQK1XLOefGskR7mGDwcDk",
15706
16394
  # }
15707
16395
  #
15708
- # @example Example: To upload an object and specify canned ACL.
16396
+ # @example Example: To upload an object and specify server-side encryption and object tags
15709
16397
  #
15710
- # # The following example uploads and object. The request specifies optional canned ACL (access control list) to all READ
15711
- # # access to authenticated users. If the bucket is versioning enabled, S3 returns version ID in response.
16398
+ # # The following example uploads an object. The request specifies the optional server-side encryption option. The request
16399
+ # # also specifies optional object tags. If the bucket is versioning enabled, S3 returns version ID in response.
15712
16400
  #
15713
16401
  # resp = client.put_object({
15714
- # acl: "authenticated-read",
15715
16402
  # body: "filetoupload",
15716
16403
  # bucket: "examplebucket",
15717
16404
  # key: "exampleobject",
16405
+ # server_side_encryption: "AES256",
16406
+ # tagging: "key1=value1&key2=value2",
15718
16407
  # })
15719
16408
  #
15720
16409
  # resp.to_h outputs the following:
15721
16410
  # {
15722
16411
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15723
- # version_id: "Kirh.unyZwjQ69YxcQLA8z4F5j3kJJKr",
16412
+ # server_side_encryption: "AES256",
16413
+ # version_id: "Ri.vC6qVlA4dEnjgRV4ZHsHoFIjqEMNt",
15724
16414
  # }
15725
16415
  #
15726
- # @example Example: To upload object and specify user-defined metadata
16416
+ # @example Example: To upload an object and specify canned ACL.
15727
16417
  #
15728
- # # The following example creates an object. The request also specifies optional metadata. If the bucket is versioning
15729
- # # enabled, S3 returns version ID in response.
16418
+ # # The following example uploads and object. The request specifies optional canned ACL (access control list) to all READ
16419
+ # # access to authenticated users. If the bucket is versioning enabled, S3 returns version ID in response.
15730
16420
  #
15731
16421
  # resp = client.put_object({
16422
+ # acl: "authenticated-read",
15732
16423
  # body: "filetoupload",
15733
16424
  # bucket: "examplebucket",
15734
16425
  # key: "exampleobject",
15735
- # metadata: {
15736
- # "metadata1" => "value1",
15737
- # "metadata2" => "value2",
15738
- # },
15739
16426
  # })
15740
16427
  #
15741
16428
  # resp.to_h outputs the following:
15742
16429
  # {
15743
16430
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15744
- # version_id: "pSKidl4pHBiNwukdbcPXAIs.sshFFOc0",
16431
+ # version_id: "Kirh.unyZwjQ69YxcQLA8z4F5j3kJJKr",
15745
16432
  # }
15746
16433
  #
15747
- # @example Example: To upload an object and specify server-side encryption and object tags
16434
+ # @example Example: To upload an object (specify optional headers)
15748
16435
  #
15749
- # # The following example uploads an object. The request specifies the optional server-side encryption option. The request
15750
- # # also specifies optional object tags. If the bucket is versioning enabled, S3 returns version ID in response.
16436
+ # # The following example uploads an object. The request specifies optional request headers to directs S3 to use specific
16437
+ # # storage class and use server-side encryption.
15751
16438
  #
15752
16439
  # resp = client.put_object({
15753
- # body: "filetoupload",
16440
+ # body: "HappyFace.jpg",
15754
16441
  # bucket: "examplebucket",
15755
- # key: "exampleobject",
16442
+ # key: "HappyFace.jpg",
15756
16443
  # server_side_encryption: "AES256",
15757
- # tagging: "key1=value1&key2=value2",
16444
+ # storage_class: "STANDARD_IA",
15758
16445
  # })
15759
16446
  #
15760
16447
  # resp.to_h outputs the following:
15761
16448
  # {
15762
16449
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15763
16450
  # server_side_encryption: "AES256",
15764
- # version_id: "Ri.vC6qVlA4dEnjgRV4ZHsHoFIjqEMNt",
16451
+ # version_id: "CG612hodqujkf8FaaNfp8U..FIhLROcp",
15765
16452
  # }
15766
16453
  #
15767
16454
  # @example Streaming a file from disk
@@ -17774,6 +18461,10 @@ module Aws::S3
17774
18461
  # interruptions when a session expires. For more information about
17775
18462
  # authorization, see [ `CreateSession` ][9].
17776
18463
  #
18464
+ # If the object is encrypted with SSE-KMS, you must also have the
18465
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
18466
+ # identity-based policies and KMS key policies for the KMS key.
18467
+ #
17777
18468
  # Data integrity
17778
18469
  #
17779
18470
  # : **General purpose bucket** - To ensure that data is not corrupted
@@ -17825,12 +18516,13 @@ module Aws::S3
17825
18516
  #
17826
18517
  # * x-amz-server-side-encryption-customer-key-MD5
17827
18518
  #
17828
- # * **Directory bucket** - For directory buckets, only server-side
17829
- # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is
17830
- # supported.
18519
+ # For more information, see [Using Server-Side Encryption][11] in
18520
+ # the *Amazon S3 User Guide*.
17831
18521
  #
17832
- # For more information, see [Using Server-Side Encryption][11] in the
17833
- # *Amazon S3 User Guide*.
18522
+ # * <b>Directory buckets </b> - For directory buckets, there are only
18523
+ # two supported options for server-side encryption: server-side
18524
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
18525
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`).
17834
18526
  #
17835
18527
  # Special errors
17836
18528
  # : * Error Code: `NoSuchUpload`
@@ -18243,6 +18935,10 @@ module Aws::S3
18243
18935
  # destination. The `s3express:SessionMode` condition key cannot be
18244
18936
  # set to `ReadOnly` on the copy destination.
18245
18937
  #
18938
+ # If the object is encrypted with SSE-KMS, you must also have the
18939
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
18940
+ # identity-based policies and KMS key policies for the KMS key.
18941
+ #
18246
18942
  # For example policies, see [Example bucket policies for S3 Express
18247
18943
  # One Zone][10] and [Amazon Web Services Identity and Access
18248
18944
  # Management (IAM) identity-based policies for S3 Express One
@@ -18254,9 +18950,26 @@ module Aws::S3
18254
18950
  # the `UploadPartCopy` operation, see [CopyObject][12] and
18255
18951
  # [UploadPart][2].
18256
18952
  #
18257
- # * <b>Directory buckets </b> - For directory buckets, only
18258
- # server-side encryption with Amazon S3 managed keys (SSE-S3)
18259
- # (`AES256`) is supported.
18953
+ # * <b>Directory buckets </b> - For directory buckets, there are only
18954
+ # two supported options for server-side encryption: server-side
18955
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
18956
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). For
18957
+ # more information, see [Protecting data with server-side
18958
+ # encryption][13] in the *Amazon S3 User Guide*.
18959
+ #
18960
+ # <note markdown="1"> For directory buckets, when you perform a `CreateMultipartUpload`
18961
+ # operation and an `UploadPartCopy` operation, the request headers
18962
+ # you provide in the `CreateMultipartUpload` request must match the
18963
+ # default encryption configuration of the destination bucket.
18964
+ #
18965
+ # </note>
18966
+ #
18967
+ # S3 Bucket Keys aren't supported, when you copy SSE-KMS encrypted
18968
+ # objects from general purpose buckets to directory buckets, from
18969
+ # directory buckets to general purpose buckets, or between directory
18970
+ # buckets, through [UploadPartCopy][14]. In this case, Amazon S3
18971
+ # makes a call to KMS every time a copy request is made for a
18972
+ # KMS-encrypted object.
18260
18973
  #
18261
18974
  # Special errors
18262
18975
  # : * Error Code: `NoSuchUpload`
@@ -18281,17 +18994,17 @@ module Aws::S3
18281
18994
  #
18282
18995
  # The following operations are related to `UploadPartCopy`:
18283
18996
  #
18284
- # * [CreateMultipartUpload][13]
18997
+ # * [CreateMultipartUpload][15]
18285
18998
  #
18286
18999
  # * [UploadPart][2]
18287
19000
  #
18288
- # * [CompleteMultipartUpload][14]
19001
+ # * [CompleteMultipartUpload][16]
18289
19002
  #
18290
- # * [AbortMultipartUpload][15]
19003
+ # * [AbortMultipartUpload][17]
18291
19004
  #
18292
- # * [ListParts][16]
19005
+ # * [ListParts][18]
18293
19006
  #
18294
- # * [ListMultipartUploads][17]
19007
+ # * [ListMultipartUploads][19]
18295
19008
  #
18296
19009
  #
18297
19010
  #
@@ -18307,11 +19020,13 @@ module Aws::S3
18307
19020
  # [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html
18308
19021
  # [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html
18309
19022
  # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
18310
- # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
18311
- # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
18312
- # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
18313
- # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
18314
- # [17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
19023
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
19024
+ # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
19025
+ # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
19026
+ # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
19027
+ # [17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
19028
+ # [18]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
19029
+ # [19]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
18315
19030
  #
18316
19031
  # @option params [required, String] :bucket
18317
19032
  # The bucket name.
@@ -18597,45 +19312,45 @@ module Aws::S3
18597
19312
  # * {Types::UploadPartCopyOutput#request_charged #request_charged} => String
18598
19313
  #
18599
19314
  #
18600
- # @example Example: To upload a part by copying data from an existing object as data source
19315
+ # @example Example: To upload a part by copying byte range from an existing object as data source
18601
19316
  #
18602
- # # The following example uploads a part of a multipart upload by copying data from an existing object as data source.
19317
+ # # The following example uploads a part of a multipart upload by copying a specified byte range from an existing object as
19318
+ # # data source.
18603
19319
  #
18604
19320
  # resp = client.upload_part_copy({
18605
19321
  # bucket: "examplebucket",
18606
19322
  # copy_source: "/bucketname/sourceobjectkey",
19323
+ # copy_source_range: "bytes=1-100000",
18607
19324
  # key: "examplelargeobject",
18608
- # part_number: 1,
19325
+ # part_number: 2,
18609
19326
  # upload_id: "exampleuoh_10OhKhT7YukE9bjzTPRiuaCotmZM_pFngJFir9OZNrSr5cWa3cq3LZSUsfjI4FI7PkP91We7Nrw--",
18610
19327
  # })
18611
19328
  #
18612
19329
  # resp.to_h outputs the following:
18613
19330
  # {
18614
19331
  # copy_part_result: {
18615
- # etag: "\"b0c6f0e7e054ab8fa2536a2677f8734d\"",
18616
- # last_modified: Time.parse("2016-12-29T21:24:43.000Z"),
19332
+ # etag: "\"65d16d19e65a7508a51f043180edcc36\"",
19333
+ # last_modified: Time.parse("2016-12-29T21:44:28.000Z"),
18617
19334
  # },
18618
19335
  # }
18619
19336
  #
18620
- # @example Example: To upload a part by copying byte range from an existing object as data source
19337
+ # @example Example: To upload a part by copying data from an existing object as data source
18621
19338
  #
18622
- # # The following example uploads a part of a multipart upload by copying a specified byte range from an existing object as
18623
- # # data source.
19339
+ # # The following example uploads a part of a multipart upload by copying data from an existing object as data source.
18624
19340
  #
18625
19341
  # resp = client.upload_part_copy({
18626
19342
  # bucket: "examplebucket",
18627
19343
  # copy_source: "/bucketname/sourceobjectkey",
18628
- # copy_source_range: "bytes=1-100000",
18629
19344
  # key: "examplelargeobject",
18630
- # part_number: 2,
19345
+ # part_number: 1,
18631
19346
  # upload_id: "exampleuoh_10OhKhT7YukE9bjzTPRiuaCotmZM_pFngJFir9OZNrSr5cWa3cq3LZSUsfjI4FI7PkP91We7Nrw--",
18632
19347
  # })
18633
19348
  #
18634
19349
  # resp.to_h outputs the following:
18635
19350
  # {
18636
19351
  # copy_part_result: {
18637
- # etag: "\"65d16d19e65a7508a51f043180edcc36\"",
18638
- # last_modified: Time.parse("2016-12-29T21:44:28.000Z"),
19352
+ # etag: "\"b0c6f0e7e054ab8fa2536a2677f8734d\"",
19353
+ # last_modified: Time.parse("2016-12-29T21:24:43.000Z"),
18639
19354
  # },
18640
19355
  # }
18641
19356
  #
@@ -19085,14 +19800,19 @@ module Aws::S3
19085
19800
  # @api private
19086
19801
  def build_request(operation_name, params = {})
19087
19802
  handlers = @handlers.for(operation_name)
19803
+ tracer = config.telemetry_provider.tracer_provider.tracer(
19804
+ Aws::Telemetry.module_to_tracer_name('Aws::S3')
19805
+ )
19088
19806
  context = Seahorse::Client::RequestContext.new(
19089
19807
  operation_name: operation_name,
19090
19808
  operation: config.api.operation(operation_name),
19091
19809
  client: self,
19092
19810
  params: params,
19093
- config: config)
19811
+ config: config,
19812
+ tracer: tracer
19813
+ )
19094
19814
  context[:gem_name] = 'aws-sdk-s3'
19095
- context[:gem_version] = '1.159.0'
19815
+ context[:gem_version] = '1.166.0'
19096
19816
  Seahorse::Client::Request.new(handlers, context)
19097
19817
  end
19098
19818