aws-sdk-s3 1.159.0 → 1.166.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +35 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-s3/bucket.rb +123 -43
- data/lib/aws-sdk-s3/client.rb +1115 -395
- data/lib/aws-sdk-s3/client_api.rb +9 -0
- data/lib/aws-sdk-s3/customizations/object.rb +6 -0
- data/lib/aws-sdk-s3/customizations/object_summary.rb +5 -0
- data/lib/aws-sdk-s3/customizations/object_version.rb +13 -0
- data/lib/aws-sdk-s3/customizations.rb +24 -38
- data/lib/aws-sdk-s3/endpoints.rb +99 -396
- data/lib/aws-sdk-s3/errors.rb +3 -0
- data/lib/aws-sdk-s3/multipart_upload.rb +3 -0
- data/lib/aws-sdk-s3/object.rb +339 -129
- data/lib/aws-sdk-s3/object_summary.rb +327 -109
- data/lib/aws-sdk-s3/object_version.rb +17 -8
- data/lib/aws-sdk-s3/plugins/endpoints.rb +23 -8
- data/lib/aws-sdk-s3/types.rb +647 -306
- data/lib/aws-sdk-s3.rb +35 -31
- data/sig/client.rbs +11 -1
- data/sig/resource.rbs +2 -0
- data/sig/types.rbs +10 -2
- metadata +5 -4
@@ -667,9 +667,8 @@ module Aws::S3
|
|
667
667
|
# </note>
|
668
668
|
# @option options [String] :server_side_encryption
|
669
669
|
# The server-side encryption algorithm used when storing this object in
|
670
|
-
# Amazon S3
|
671
|
-
#
|
672
|
-
# and will receive a `400 Bad Request` response.
|
670
|
+
# Amazon S3. Unrecognized or unsupported values won’t write a
|
671
|
+
# destination object and will receive a `400 Bad Request` response.
|
673
672
|
#
|
674
673
|
# Amazon S3 automatically encrypts all new objects that are copied to an
|
675
674
|
# S3 bucket. When copying an object, if you don't specify encryption
|
@@ -677,35 +676,72 @@ module Aws::S3
|
|
677
676
|
# object is set to the default encryption configuration of the
|
678
677
|
# destination bucket. By default, all buckets have a base level of
|
679
678
|
# encryption configuration that uses server-side encryption with Amazon
|
680
|
-
# S3 managed keys (SSE-S3). If the destination bucket has a
|
681
|
-
# encryption configuration
|
682
|
-
#
|
683
|
-
# encryption with Amazon Web Services KMS keys (DSSE-KMS), or
|
684
|
-
# server-side encryption with customer-provided encryption keys (SSE-C),
|
685
|
-
# Amazon S3 uses the corresponding KMS key, or a customer-provided key
|
686
|
-
# to encrypt the target object copy.
|
687
|
-
#
|
688
|
-
# When you perform a `CopyObject` operation, if you want to use a
|
689
|
-
# different type of encryption setting for the target object, you can
|
690
|
-
# specify appropriate encryption-related headers to encrypt the target
|
691
|
-
# object with an Amazon S3 managed key, a KMS key, or a
|
692
|
-
# customer-provided key. If the encryption setting in your request is
|
693
|
-
# different from the default encryption configuration of the destination
|
694
|
-
# bucket, the encryption setting in your request takes precedence.
|
679
|
+
# S3 managed keys (SSE-S3). If the destination bucket has a different
|
680
|
+
# default encryption configuration, Amazon S3 uses the corresponding
|
681
|
+
# encryption key to encrypt the target object copy.
|
695
682
|
#
|
696
683
|
# With server-side encryption, Amazon S3 encrypts your data as it writes
|
697
684
|
# your data to disks in its data centers and decrypts the data when you
|
698
685
|
# access it. For more information about server-side encryption, see
|
699
686
|
# [Using Server-Side Encryption][1] in the *Amazon S3 User Guide*.
|
700
687
|
#
|
701
|
-
# <
|
702
|
-
#
|
703
|
-
#
|
704
|
-
#
|
688
|
+
# <b>General purpose buckets </b>
|
689
|
+
#
|
690
|
+
# * For general purpose buckets, there are the following supported
|
691
|
+
# options for server-side encryption: server-side encryption with Key
|
692
|
+
# Management Service (KMS) keys (SSE-KMS), dual-layer server-side
|
693
|
+
# encryption with Amazon Web Services KMS keys (DSSE-KMS), and
|
694
|
+
# server-side encryption with customer-provided encryption keys
|
695
|
+
# (SSE-C). Amazon S3 uses the corresponding KMS key, or a
|
696
|
+
# customer-provided key to encrypt the target object copy.
|
697
|
+
#
|
698
|
+
# * When you perform a `CopyObject` operation, if you want to use a
|
699
|
+
# different type of encryption setting for the target object, you can
|
700
|
+
# specify appropriate encryption-related headers to encrypt the target
|
701
|
+
# object with an Amazon S3 managed key, a KMS key, or a
|
702
|
+
# customer-provided key. If the encryption setting in your request is
|
703
|
+
# different from the default encryption configuration of the
|
704
|
+
# destination bucket, the encryption setting in your request takes
|
705
|
+
# precedence.
|
706
|
+
#
|
707
|
+
# <b>Directory buckets </b>
|
708
|
+
#
|
709
|
+
# * For directory buckets, there are only two supported options for
|
710
|
+
# server-side encryption: server-side encryption with Amazon S3
|
711
|
+
# managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
|
712
|
+
# keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's default
|
713
|
+
# encryption uses the desired encryption configuration and you don't
|
714
|
+
# override the bucket default encryption in your `CreateSession`
|
715
|
+
# requests or `PUT` object requests. Then, new objects are
|
716
|
+
# automatically encrypted with the desired encryption settings. For
|
717
|
+
# more information, see [Protecting data with server-side
|
718
|
+
# encryption][2] in the *Amazon S3 User Guide*. For more information
|
719
|
+
# about the encryption overriding behaviors in directory buckets, see
|
720
|
+
# [Specifying server-side encryption with KMS for new object
|
721
|
+
# uploads][3].
|
722
|
+
#
|
723
|
+
# * To encrypt new object copies to a directory bucket with SSE-KMS, we
|
724
|
+
# recommend you specify SSE-KMS as the directory bucket's default
|
725
|
+
# encryption configuration with a KMS key (specifically, a [customer
|
726
|
+
# managed key][4]). [Amazon Web Services managed key][5] (`aws/s3`)
|
727
|
+
# isn't supported. Your SSE-KMS configuration can only support 1
|
728
|
+
# [customer managed key][4] per directory bucket for the lifetime of
|
729
|
+
# the bucket. After you specify a customer managed key for SSE-KMS,
|
730
|
+
# you can't override the customer managed key for the bucket's
|
731
|
+
# SSE-KMS configuration. Then, when you perform a `CopyObject`
|
732
|
+
# operation and want to specify server-side encryption settings for
|
733
|
+
# new object copies with SSE-KMS in the encryption-related request
|
734
|
+
# headers, you must ensure the encryption key is the same customer
|
735
|
+
# managed key that you specified for the directory bucket's default
|
736
|
+
# encryption configuration.
|
705
737
|
#
|
706
738
|
#
|
707
739
|
#
|
708
740
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
|
741
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
742
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
|
743
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
744
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
709
745
|
# @option options [String] :storage_class
|
710
746
|
# If the `x-amz-storage-class` header is not used, the copied object
|
711
747
|
# will be stored in the `STANDARD` Storage Class by default. The
|
@@ -796,32 +832,50 @@ module Aws::S3
|
|
796
832
|
#
|
797
833
|
# </note>
|
798
834
|
# @option options [String] :ssekms_key_id
|
799
|
-
# Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for
|
800
|
-
# encryption. All GET and PUT requests for an object protected by
|
801
|
-
# will fail if they're not made via SSL or using SigV4. For
|
802
|
-
# about configuring any of the officially supported Amazon
|
803
|
-
# SDKs and Amazon Web Services CLI, see [Specifying the
|
804
|
-
# Version in Request Authentication][1] in the *Amazon S3 User
|
805
|
-
#
|
806
|
-
#
|
807
|
-
#
|
808
|
-
#
|
809
|
-
#
|
835
|
+
# Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
|
836
|
+
# object encryption. All GET and PUT requests for an object protected by
|
837
|
+
# KMS will fail if they're not made via SSL or using SigV4. For
|
838
|
+
# information about configuring any of the officially supported Amazon
|
839
|
+
# Web Services SDKs and Amazon Web Services CLI, see [Specifying the
|
840
|
+
# Signature Version in Request Authentication][1] in the *Amazon S3 User
|
841
|
+
# Guide*.
|
842
|
+
#
|
843
|
+
# **Directory buckets** - If you specify `x-amz-server-side-encryption`
|
844
|
+
# with `aws:kms`, you must specify the `
|
845
|
+
# x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
|
846
|
+
# ID or Key ARN) of the KMS symmetric encryption customer managed key to
|
847
|
+
# use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
|
848
|
+
# key ID or key ARN. The key alias format of the KMS key isn't
|
849
|
+
# supported. Your SSE-KMS configuration can only support 1 [customer
|
850
|
+
# managed key][2] per directory bucket for the lifetime of the bucket.
|
851
|
+
# [Amazon Web Services managed key][3] (`aws/s3`) isn't supported.
|
810
852
|
#
|
811
853
|
#
|
812
854
|
#
|
813
855
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
|
856
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
857
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
814
858
|
# @option options [String] :ssekms_encryption_context
|
815
|
-
# Specifies the Amazon Web Services KMS Encryption Context
|
816
|
-
#
|
817
|
-
#
|
818
|
-
#
|
819
|
-
# `CopyObject` requests.
|
859
|
+
# Specifies the Amazon Web Services KMS Encryption Context as an
|
860
|
+
# additional encryption context to use for the destination object
|
861
|
+
# encryption. The value of this header is a base64-encoded UTF-8 string
|
862
|
+
# holding JSON with the encryption context key-value pairs.
|
820
863
|
#
|
821
|
-
#
|
822
|
-
#
|
864
|
+
# **General purpose buckets** - This value must be explicitly added to
|
865
|
+
# specify encryption context for `CopyObject` requests if you want an
|
866
|
+
# additional encryption context for your destination object. The
|
867
|
+
# additional encryption context of the source object won't be copied to
|
868
|
+
# the destination object. For more information, see [Encryption
|
869
|
+
# context][1] in the *Amazon S3 User Guide*.
|
823
870
|
#
|
824
|
-
#
|
871
|
+
# **Directory buckets** - You can optionally provide an explicit
|
872
|
+
# encryption context value. The value must match the default encryption
|
873
|
+
# context - the bucket Amazon Resource Name (ARN). An additional
|
874
|
+
# encryption context value is not supported.
|
875
|
+
#
|
876
|
+
#
|
877
|
+
#
|
878
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
|
825
879
|
# @option options [Boolean] :bucket_key_enabled
|
826
880
|
# Specifies whether Amazon S3 should use an S3 Bucket Key for object
|
827
881
|
# encryption with server-side encryption using Key Management Service
|
@@ -835,14 +889,19 @@ module Aws::S3
|
|
835
889
|
# For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon S3
|
836
890
|
# User Guide*.
|
837
891
|
#
|
838
|
-
# <note markdown="1">
|
839
|
-
#
|
892
|
+
# <note markdown="1"> **Directory buckets** - S3 Bucket Keys aren't supported, when you
|
893
|
+
# copy SSE-KMS encrypted objects from general purpose buckets to
|
894
|
+
# directory buckets, from directory buckets to general purpose buckets,
|
895
|
+
# or between directory buckets, through [CopyObject][2]. In this case,
|
896
|
+
# Amazon S3 makes a call to KMS every time a copy request is made for a
|
897
|
+
# KMS-encrypted object.
|
840
898
|
#
|
841
899
|
# </note>
|
842
900
|
#
|
843
901
|
#
|
844
902
|
#
|
845
903
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
|
904
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
846
905
|
# @option options [String] :copy_source_sse_customer_algorithm
|
847
906
|
# Specifies the algorithm to use when decrypting the source object (for
|
848
907
|
# example, `AES256`).
|
@@ -1299,10 +1358,10 @@ module Aws::S3
|
|
1299
1358
|
# @option options [String] :checksum_mode
|
1300
1359
|
# To retrieve the checksum, this mode must be enabled.
|
1301
1360
|
#
|
1302
|
-
# In addition, if you enable checksum mode
|
1303
|
-
# with a [checksum][1] and encrypted with an
|
1304
|
-
# (KMS) key, you must have permission to use the
|
1305
|
-
# retrieve the checksum.
|
1361
|
+
# **General purpose buckets** - In addition, if you enable checksum mode
|
1362
|
+
# and the object is uploaded with a [checksum][1] and encrypted with an
|
1363
|
+
# Key Management Service (KMS) key, you must have permission to use the
|
1364
|
+
# `kms:Decrypt` action to retrieve the checksum.
|
1306
1365
|
#
|
1307
1366
|
#
|
1308
1367
|
#
|
@@ -1655,10 +1714,52 @@ module Aws::S3
|
|
1655
1714
|
# The server-side encryption algorithm used when you store this object
|
1656
1715
|
# in Amazon S3 (for example, `AES256`, `aws:kms`).
|
1657
1716
|
#
|
1658
|
-
# <
|
1659
|
-
#
|
1717
|
+
# * <b>Directory buckets </b> - For directory buckets, there are only
|
1718
|
+
# two supported options for server-side encryption: server-side
|
1719
|
+
# encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
|
1720
|
+
# server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
|
1721
|
+
# recommend that the bucket's default encryption uses the desired
|
1722
|
+
# encryption configuration and you don't override the bucket default
|
1723
|
+
# encryption in your `CreateSession` requests or `PUT` object
|
1724
|
+
# requests. Then, new objects are automatically encrypted with the
|
1725
|
+
# desired encryption settings. For more information, see [Protecting
|
1726
|
+
# data with server-side encryption][1] in the *Amazon S3 User Guide*.
|
1727
|
+
# For more information about the encryption overriding behaviors in
|
1728
|
+
# directory buckets, see [Specifying server-side encryption with KMS
|
1729
|
+
# for new object uploads][2].
|
1730
|
+
#
|
1731
|
+
# In the Zonal endpoint API calls (except [CopyObject][3] and
|
1732
|
+
# [UploadPartCopy][4]) using the REST API, the encryption request
|
1733
|
+
# headers must match the encryption settings that are specified in the
|
1734
|
+
# `CreateSession` request. You can't override the values of the
|
1735
|
+
# encryption settings (`x-amz-server-side-encryption`,
|
1736
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`,
|
1737
|
+
# `x-amz-server-side-encryption-context`, and
|
1738
|
+
# `x-amz-server-side-encryption-bucket-key-enabled`) that are
|
1739
|
+
# specified in the `CreateSession` request. You don't need to
|
1740
|
+
# explicitly specify these encryption settings values in Zonal
|
1741
|
+
# endpoint API calls, and Amazon S3 will use the encryption settings
|
1742
|
+
# values from the `CreateSession` request to protect new objects in
|
1743
|
+
# the directory bucket.
|
1744
|
+
#
|
1745
|
+
# <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
|
1746
|
+
# `CreateSession`, the session token refreshes automatically to avoid
|
1747
|
+
# service interruptions when a session expires. The CLI or the Amazon
|
1748
|
+
# Web Services SDKs use the bucket's default encryption configuration
|
1749
|
+
# for the `CreateSession` request. It's not supported to override the
|
1750
|
+
# encryption settings values in the `CreateSession` request. So in the
|
1751
|
+
# Zonal endpoint API calls (except [CopyObject][3] and
|
1752
|
+
# [UploadPartCopy][4]), the encryption request headers must match the
|
1753
|
+
# default encryption configuration of the directory bucket.
|
1660
1754
|
#
|
1661
|
-
#
|
1755
|
+
# </note>
|
1756
|
+
#
|
1757
|
+
#
|
1758
|
+
#
|
1759
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
1760
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
|
1761
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
1762
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
1662
1763
|
# @option options [String] :storage_class
|
1663
1764
|
# By default, Amazon S3 uses the STANDARD Storage Class to store newly
|
1664
1765
|
# created objects. The STANDARD storage class provides high durability
|
@@ -1711,32 +1812,69 @@ module Aws::S3
|
|
1711
1812
|
#
|
1712
1813
|
# </note>
|
1713
1814
|
# @option options [String] :ssekms_key_id
|
1714
|
-
# Specifies the ID (Key ID, Key ARN, or Key Alias)
|
1715
|
-
# encryption
|
1716
|
-
#
|
1717
|
-
#
|
1718
|
-
#
|
1719
|
-
#
|
1815
|
+
# Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
|
1816
|
+
# object encryption. If the KMS key doesn't exist in the same account
|
1817
|
+
# that's issuing the command, you must use the full Key ARN not the Key
|
1818
|
+
# ID.
|
1819
|
+
#
|
1820
|
+
# **General purpose buckets** - If you specify
|
1821
|
+
# `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
|
1822
|
+
# header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
|
1823
|
+
# to use. If you specify `x-amz-server-side-encryption:aws:kms` or
|
1824
|
+
# `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
|
1825
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
|
1826
|
+
# Amazon Web Services managed key (`aws/s3`) to protect the data.
|
1827
|
+
#
|
1828
|
+
# **Directory buckets** - If you specify `x-amz-server-side-encryption`
|
1829
|
+
# with `aws:kms`, you must specify the `
|
1830
|
+
# x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
|
1831
|
+
# ID or Key ARN) of the KMS symmetric encryption customer managed key to
|
1832
|
+
# use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
|
1833
|
+
# key ID or key ARN. The key alias format of the KMS key isn't
|
1834
|
+
# supported. Your SSE-KMS configuration can only support 1 [customer
|
1835
|
+
# managed key][1] per directory bucket for the lifetime of the bucket.
|
1836
|
+
# [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
|
1837
|
+
#
|
1838
|
+
#
|
1839
|
+
#
|
1840
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
1841
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
1720
1842
|
# @option options [String] :ssekms_encryption_context
|
1721
1843
|
# Specifies the Amazon Web Services KMS Encryption Context to use for
|
1722
|
-
# object encryption. The value of this header is a
|
1723
|
-
#
|
1724
|
-
#
|
1725
|
-
#
|
1726
|
-
#
|
1727
|
-
#
|
1844
|
+
# object encryption. The value of this header is a Base64-encoded string
|
1845
|
+
# of a UTF-8 encoded JSON, which contains the encryption context as
|
1846
|
+
# key-value pairs.
|
1847
|
+
#
|
1848
|
+
# **Directory buckets** - You can optionally provide an explicit
|
1849
|
+
# encryption context value. The value must match the default encryption
|
1850
|
+
# context - the bucket Amazon Resource Name (ARN). An additional
|
1851
|
+
# encryption context value is not supported.
|
1728
1852
|
# @option options [Boolean] :bucket_key_enabled
|
1729
1853
|
# Specifies whether Amazon S3 should use an S3 Bucket Key for object
|
1730
1854
|
# encryption with server-side encryption using Key Management Service
|
1731
|
-
# (KMS) keys (SSE-KMS).
|
1732
|
-
# to use an S3 Bucket Key for object encryption with SSE-KMS.
|
1855
|
+
# (KMS) keys (SSE-KMS).
|
1733
1856
|
#
|
1734
|
-
#
|
1857
|
+
# **General purpose buckets** - Setting this header to `true` causes
|
1858
|
+
# Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
|
1859
|
+
# Also, specifying this header with a PUT action doesn't affect
|
1735
1860
|
# bucket-level settings for S3 Bucket Key.
|
1736
1861
|
#
|
1737
|
-
#
|
1862
|
+
# **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
|
1863
|
+
# and `PUT` operations in a directory bucket and can’t be disabled. S3
|
1864
|
+
# Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
|
1865
|
+
# from general purpose buckets to directory buckets, from directory
|
1866
|
+
# buckets to general purpose buckets, or between directory buckets,
|
1867
|
+
# through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
|
1868
|
+
# Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
|
1869
|
+
# makes a call to KMS every time a copy request is made for a
|
1870
|
+
# KMS-encrypted object.
|
1738
1871
|
#
|
1739
|
-
#
|
1872
|
+
#
|
1873
|
+
#
|
1874
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
1875
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
1876
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
|
1877
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
|
1740
1878
|
# @option options [String] :request_payer
|
1741
1879
|
# Confirms that the requester knows that they will be charged for the
|
1742
1880
|
# request. Bucket owners need not specify this parameter in their
|
@@ -2100,25 +2238,65 @@ module Aws::S3
|
|
2100
2238
|
# object in Amazon S3 (for example, `AES256`, `aws:kms`,
|
2101
2239
|
# `aws:kms:dsse`).
|
2102
2240
|
#
|
2103
|
-
# <b>General purpose buckets </b> - You have four mutually exclusive
|
2104
|
-
#
|
2105
|
-
#
|
2106
|
-
#
|
2107
|
-
#
|
2108
|
-
#
|
2109
|
-
#
|
2110
|
-
#
|
2111
|
-
#
|
2112
|
-
#
|
2113
|
-
#
|
2241
|
+
# * <b>General purpose buckets </b> - You have four mutually exclusive
|
2242
|
+
# options to protect data using server-side encryption in Amazon S3,
|
2243
|
+
# depending on how you choose to manage the encryption keys.
|
2244
|
+
# Specifically, the encryption key options are Amazon S3 managed keys
|
2245
|
+
# (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
|
2246
|
+
# customer-provided keys (SSE-C). Amazon S3 encrypts data with
|
2247
|
+
# server-side encryption by using Amazon S3 managed keys (SSE-S3) by
|
2248
|
+
# default. You can optionally tell Amazon S3 to encrypt data at rest
|
2249
|
+
# by using server-side encryption with other key options. For more
|
2250
|
+
# information, see [Using Server-Side Encryption][1] in the *Amazon S3
|
2251
|
+
# User Guide*.
|
2252
|
+
#
|
2253
|
+
# * <b>Directory buckets </b> - For directory buckets, there are only
|
2254
|
+
# two supported options for server-side encryption: server-side
|
2255
|
+
# encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
|
2256
|
+
# server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
|
2257
|
+
# recommend that the bucket's default encryption uses the desired
|
2258
|
+
# encryption configuration and you don't override the bucket default
|
2259
|
+
# encryption in your `CreateSession` requests or `PUT` object
|
2260
|
+
# requests. Then, new objects are automatically encrypted with the
|
2261
|
+
# desired encryption settings. For more information, see [Protecting
|
2262
|
+
# data with server-side encryption][2] in the *Amazon S3 User Guide*.
|
2263
|
+
# For more information about the encryption overriding behaviors in
|
2264
|
+
# directory buckets, see [Specifying server-side encryption with KMS
|
2265
|
+
# for new object uploads][3].
|
2266
|
+
#
|
2267
|
+
# In the Zonal endpoint API calls (except [CopyObject][4] and
|
2268
|
+
# [UploadPartCopy][5]) using the REST API, the encryption request
|
2269
|
+
# headers must match the encryption settings that are specified in the
|
2270
|
+
# `CreateSession` request. You can't override the values of the
|
2271
|
+
# encryption settings (`x-amz-server-side-encryption`,
|
2272
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`,
|
2273
|
+
# `x-amz-server-side-encryption-context`, and
|
2274
|
+
# `x-amz-server-side-encryption-bucket-key-enabled`) that are
|
2275
|
+
# specified in the `CreateSession` request. You don't need to
|
2276
|
+
# explicitly specify these encryption settings values in Zonal
|
2277
|
+
# endpoint API calls, and Amazon S3 will use the encryption settings
|
2278
|
+
# values from the `CreateSession` request to protect new objects in
|
2279
|
+
# the directory bucket.
|
2280
|
+
#
|
2281
|
+
# <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
|
2282
|
+
# `CreateSession`, the session token refreshes automatically to avoid
|
2283
|
+
# service interruptions when a session expires. The CLI or the Amazon
|
2284
|
+
# Web Services SDKs use the bucket's default encryption configuration
|
2285
|
+
# for the `CreateSession` request. It's not supported to override the
|
2286
|
+
# encryption settings values in the `CreateSession` request. So in the
|
2287
|
+
# Zonal endpoint API calls (except [CopyObject][4] and
|
2288
|
+
# [UploadPartCopy][5]), the encryption request headers must match the
|
2289
|
+
# default encryption configuration of the directory bucket.
|
2114
2290
|
#
|
2115
|
-
#
|
2116
|
-
# server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`)
|
2117
|
-
# value is supported.
|
2291
|
+
# </note>
|
2118
2292
|
#
|
2119
2293
|
#
|
2120
2294
|
#
|
2121
2295
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
|
2296
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
2297
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
|
2298
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
2299
|
+
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
2122
2300
|
# @option options [String] :storage_class
|
2123
2301
|
# By default, Amazon S3 uses the STANDARD Storage Class to store newly
|
2124
2302
|
# created objects. The STANDARD storage class provides high durability
|
@@ -2192,44 +2370,81 @@ module Aws::S3
|
|
2192
2370
|
#
|
2193
2371
|
# </note>
|
2194
2372
|
# @option options [String] :ssekms_key_id
|
2195
|
-
#
|
2196
|
-
#
|
2197
|
-
#
|
2198
|
-
#
|
2199
|
-
#
|
2200
|
-
#
|
2201
|
-
# x-amz-server-side-encryption
|
2202
|
-
#
|
2203
|
-
#
|
2204
|
-
#
|
2373
|
+
# Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
|
2374
|
+
# object encryption. If the KMS key doesn't exist in the same account
|
2375
|
+
# that's issuing the command, you must use the full Key ARN not the Key
|
2376
|
+
# ID.
|
2377
|
+
#
|
2378
|
+
# **General purpose buckets** - If you specify
|
2379
|
+
# `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
|
2380
|
+
# header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
|
2381
|
+
# to use. If you specify `x-amz-server-side-encryption:aws:kms` or
|
2382
|
+
# `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
|
2383
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
|
2384
|
+
# Amazon Web Services managed key (`aws/s3`) to protect the data.
|
2385
|
+
#
|
2386
|
+
# **Directory buckets** - If you specify `x-amz-server-side-encryption`
|
2387
|
+
# with `aws:kms`, you must specify the `
|
2388
|
+
# x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
|
2389
|
+
# ID or Key ARN) of the KMS symmetric encryption customer managed key to
|
2390
|
+
# use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
|
2391
|
+
# key ID or key ARN. The key alias format of the KMS key isn't
|
2392
|
+
# supported. Your SSE-KMS configuration can only support 1 [customer
|
2393
|
+
# managed key][1] per directory bucket for the lifetime of the bucket.
|
2394
|
+
# [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
|
2395
|
+
#
|
2396
|
+
#
|
2397
|
+
#
|
2398
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
2399
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
2400
|
+
# @option options [String] :ssekms_encryption_context
|
2401
|
+
# Specifies the Amazon Web Services KMS Encryption Context as an
|
2402
|
+
# additional encryption context to use for object encryption. The value
|
2403
|
+
# of this header is a Base64-encoded string of a UTF-8 encoded JSON,
|
2404
|
+
# which contains the encryption context as key-value pairs. This value
|
2405
|
+
# is stored as object metadata and automatically gets passed on to
|
2406
|
+
# Amazon Web Services KMS for future `GetObject` operations on this
|
2407
|
+
# object.
|
2205
2408
|
#
|
2206
|
-
#
|
2409
|
+
# **General purpose buckets** - This value must be explicitly added
|
2410
|
+
# during `CopyObject` operations if you want an additional encryption
|
2411
|
+
# context for your object. For more information, see [Encryption
|
2412
|
+
# context][1] in the *Amazon S3 User Guide*.
|
2207
2413
|
#
|
2208
|
-
#
|
2209
|
-
#
|
2210
|
-
#
|
2211
|
-
#
|
2212
|
-
# string holding JSON with the encryption context key-value pairs. This
|
2213
|
-
# value is stored as object metadata and automatically gets passed on to
|
2214
|
-
# Amazon Web Services KMS for future `GetObject` or `CopyObject`
|
2215
|
-
# operations on this object. This value must be explicitly added during
|
2216
|
-
# `CopyObject` operations.
|
2414
|
+
# **Directory buckets** - You can optionally provide an explicit
|
2415
|
+
# encryption context value. The value must match the default encryption
|
2416
|
+
# context - the bucket Amazon Resource Name (ARN). An additional
|
2417
|
+
# encryption context value is not supported.
|
2217
2418
|
#
|
2218
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
2219
2419
|
#
|
2220
|
-
#
|
2420
|
+
#
|
2421
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
|
2221
2422
|
# @option options [Boolean] :bucket_key_enabled
|
2222
2423
|
# Specifies whether Amazon S3 should use an S3 Bucket Key for object
|
2223
2424
|
# encryption with server-side encryption using Key Management Service
|
2224
|
-
# (KMS) keys (SSE-KMS).
|
2225
|
-
# to use an S3 Bucket Key for object encryption with SSE-KMS.
|
2425
|
+
# (KMS) keys (SSE-KMS).
|
2226
2426
|
#
|
2227
|
-
#
|
2228
|
-
#
|
2427
|
+
# **General purpose buckets** - Setting this header to `true` causes
|
2428
|
+
# Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
|
2429
|
+
# Also, specifying this header with a PUT action doesn't affect
|
2430
|
+
# bucket-level settings for S3 Bucket Key.
|
2229
2431
|
#
|
2230
|
-
#
|
2432
|
+
# **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
|
2433
|
+
# and `PUT` operations in a directory bucket and can’t be disabled. S3
|
2434
|
+
# Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
|
2435
|
+
# from general purpose buckets to directory buckets, from directory
|
2436
|
+
# buckets to general purpose buckets, or between directory buckets,
|
2437
|
+
# through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
|
2438
|
+
# Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
|
2439
|
+
# makes a call to KMS every time a copy request is made for a
|
2440
|
+
# KMS-encrypted object.
|
2231
2441
|
#
|
2232
|
-
#
|
2442
|
+
#
|
2443
|
+
#
|
2444
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
2445
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
2446
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
|
2447
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
|
2233
2448
|
# @option options [String] :request_payer
|
2234
2449
|
# Confirms that the requester knows that they will be charged for the
|
2235
2450
|
# request. Bucket owners need not specify this parameter in their
|
@@ -2668,3 +2883,6 @@ module Aws::S3
|
|
2668
2883
|
end
|
2669
2884
|
end
|
2670
2885
|
end
|
2886
|
+
|
2887
|
+
# Load customizations if they exist
|
2888
|
+
require 'aws-sdk-s3/customizations/object_summary'
|
@@ -524,10 +524,10 @@ module Aws::S3
|
|
524
524
|
# @option options [String] :checksum_mode
|
525
525
|
# To retrieve the checksum, this mode must be enabled.
|
526
526
|
#
|
527
|
-
# In addition, if you enable checksum mode
|
528
|
-
# with a [checksum][1] and encrypted with an
|
529
|
-
# (KMS) key, you must have permission to use the
|
530
|
-
# retrieve the checksum.
|
527
|
+
# **General purpose buckets** - In addition, if you enable checksum mode
|
528
|
+
# and the object is uploaded with a [checksum][1] and encrypted with an
|
529
|
+
# Key Management Service (KMS) key, you must have permission to use the
|
530
|
+
# `kms:Decrypt` action to retrieve the checksum.
|
531
531
|
#
|
532
532
|
#
|
533
533
|
#
|
@@ -710,10 +710,16 @@ module Aws::S3
|
|
710
710
|
# @option options [String] :checksum_mode
|
711
711
|
# To retrieve the checksum, this parameter must be enabled.
|
712
712
|
#
|
713
|
-
#
|
714
|
-
# with a [checksum][1] and encrypted with an Key
|
715
|
-
# (KMS) key, you must have permission to use the
|
716
|
-
# retrieve the checksum.
|
713
|
+
# **General purpose buckets** - If you enable checksum mode and the
|
714
|
+
# object is uploaded with a [checksum][1] and encrypted with an Key
|
715
|
+
# Management Service (KMS) key, you must have permission to use the
|
716
|
+
# `kms:Decrypt` action to retrieve the checksum.
|
717
|
+
#
|
718
|
+
# **Directory buckets** - If you enable `ChecksumMode` and the object is
|
719
|
+
# encrypted with Amazon Web Services Key Management Service (Amazon Web
|
720
|
+
# Services KMS), you must also have the `kms:GenerateDataKey` and
|
721
|
+
# `kms:Decrypt` permissions in IAM identity-based policies and KMS key
|
722
|
+
# policies for the KMS key to retrieve the checksum of the object.
|
717
723
|
#
|
718
724
|
#
|
719
725
|
#
|
@@ -911,3 +917,6 @@ module Aws::S3
|
|
911
917
|
end
|
912
918
|
end
|
913
919
|
end
|
920
|
+
|
921
|
+
# Load customizations if they exist
|
922
|
+
require 'aws-sdk-s3/customizations/object_version'
|