aws-sdk-s3 1.159.0 → 1.166.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +35 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-s3/bucket.rb +123 -43
- data/lib/aws-sdk-s3/client.rb +1115 -395
- data/lib/aws-sdk-s3/client_api.rb +9 -0
- data/lib/aws-sdk-s3/customizations/object.rb +6 -0
- data/lib/aws-sdk-s3/customizations/object_summary.rb +5 -0
- data/lib/aws-sdk-s3/customizations/object_version.rb +13 -0
- data/lib/aws-sdk-s3/customizations.rb +24 -38
- data/lib/aws-sdk-s3/endpoints.rb +99 -396
- data/lib/aws-sdk-s3/errors.rb +3 -0
- data/lib/aws-sdk-s3/multipart_upload.rb +3 -0
- data/lib/aws-sdk-s3/object.rb +339 -129
- data/lib/aws-sdk-s3/object_summary.rb +327 -109
- data/lib/aws-sdk-s3/object_version.rb +17 -8
- data/lib/aws-sdk-s3/plugins/endpoints.rb +23 -8
- data/lib/aws-sdk-s3/types.rb +647 -306
- data/lib/aws-sdk-s3.rb +35 -31
- data/sig/client.rbs +11 -1
- data/sig/resource.rbs +2 -0
- data/sig/types.rbs +10 -2
- metadata +5 -4
data/lib/aws-sdk-s3/types.rb
CHANGED
@@ -865,11 +865,6 @@ module Aws::S3
|
|
865
865
|
# @!attribute [rw] server_side_encryption
|
866
866
|
# The server-side encryption algorithm used when storing this object
|
867
867
|
# in Amazon S3 (for example, `AES256`, `aws:kms`).
|
868
|
-
#
|
869
|
-
# <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
|
870
|
-
# managed keys (SSE-S3) (`AES256`) is supported.
|
871
|
-
#
|
872
|
-
# </note>
|
873
868
|
# @return [String]
|
874
869
|
#
|
875
870
|
# @!attribute [rw] version_id
|
@@ -882,23 +877,14 @@ module Aws::S3
|
|
882
877
|
# @return [String]
|
883
878
|
#
|
884
879
|
# @!attribute [rw] ssekms_key_id
|
885
|
-
# If present, indicates the ID of the
|
886
|
-
#
|
887
|
-
# object.
|
888
|
-
#
|
889
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
890
|
-
#
|
891
|
-
# </note>
|
880
|
+
# If present, indicates the ID of the KMS key that was used for object
|
881
|
+
# encryption.
|
892
882
|
# @return [String]
|
893
883
|
#
|
894
884
|
# @!attribute [rw] bucket_key_enabled
|
895
885
|
# Indicates whether the multipart upload uses an S3 Bucket Key for
|
896
886
|
# server-side encryption with Key Management Service (KMS) keys
|
897
887
|
# (SSE-KMS).
|
898
|
-
#
|
899
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
900
|
-
#
|
901
|
-
# </note>
|
902
888
|
# @return [Boolean]
|
903
889
|
#
|
904
890
|
# @!attribute [rw] request_charged
|
@@ -1348,11 +1334,6 @@ module Aws::S3
|
|
1348
1334
|
# @!attribute [rw] server_side_encryption
|
1349
1335
|
# The server-side encryption algorithm used when you store this object
|
1350
1336
|
# in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
|
1351
|
-
#
|
1352
|
-
# <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
|
1353
|
-
# managed keys (SSE-S3) (`AES256`) is supported.
|
1354
|
-
#
|
1355
|
-
# </note>
|
1356
1337
|
# @return [String]
|
1357
1338
|
#
|
1358
1339
|
# @!attribute [rw] sse_customer_algorithm
|
@@ -1377,13 +1358,8 @@ module Aws::S3
|
|
1377
1358
|
# @return [String]
|
1378
1359
|
#
|
1379
1360
|
# @!attribute [rw] ssekms_key_id
|
1380
|
-
# If present, indicates the ID of the
|
1381
|
-
#
|
1382
|
-
# object.
|
1383
|
-
#
|
1384
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
1385
|
-
#
|
1386
|
-
# </note>
|
1361
|
+
# If present, indicates the ID of the KMS key that was used for object
|
1362
|
+
# encryption.
|
1387
1363
|
# @return [String]
|
1388
1364
|
#
|
1389
1365
|
# @!attribute [rw] ssekms_encryption_context
|
@@ -1391,20 +1367,12 @@ module Aws::S3
|
|
1391
1367
|
# to use for object encryption. The value of this header is a
|
1392
1368
|
# base64-encoded UTF-8 string holding JSON with the encryption context
|
1393
1369
|
# key-value pairs.
|
1394
|
-
#
|
1395
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
1396
|
-
#
|
1397
|
-
# </note>
|
1398
1370
|
# @return [String]
|
1399
1371
|
#
|
1400
1372
|
# @!attribute [rw] bucket_key_enabled
|
1401
1373
|
# Indicates whether the copied object uses an S3 Bucket Key for
|
1402
1374
|
# server-side encryption with Key Management Service (KMS) keys
|
1403
1375
|
# (SSE-KMS).
|
1404
|
-
#
|
1405
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
1406
|
-
#
|
1407
|
-
# </note>
|
1408
1376
|
# @return [Boolean]
|
1409
1377
|
#
|
1410
1378
|
# @!attribute [rw] request_charged
|
@@ -1832,9 +1800,8 @@ module Aws::S3
|
|
1832
1800
|
#
|
1833
1801
|
# @!attribute [rw] server_side_encryption
|
1834
1802
|
# The server-side encryption algorithm used when storing this object
|
1835
|
-
# in Amazon S3
|
1836
|
-
#
|
1837
|
-
# and will receive a `400 Bad Request` response.
|
1803
|
+
# in Amazon S3. Unrecognized or unsupported values won’t write a
|
1804
|
+
# destination object and will receive a `400 Bad Request` response.
|
1838
1805
|
#
|
1839
1806
|
# Amazon S3 automatically encrypts all new objects that are copied to
|
1840
1807
|
# an S3 bucket. When copying an object, if you don't specify
|
@@ -1843,21 +1810,8 @@ module Aws::S3
|
|
1843
1810
|
# of the destination bucket. By default, all buckets have a base level
|
1844
1811
|
# of encryption configuration that uses server-side encryption with
|
1845
1812
|
# Amazon S3 managed keys (SSE-S3). If the destination bucket has a
|
1846
|
-
# default encryption configuration
|
1847
|
-
#
|
1848
|
-
# server-side encryption with Amazon Web Services KMS keys (DSSE-KMS),
|
1849
|
-
# or server-side encryption with customer-provided encryption keys
|
1850
|
-
# (SSE-C), Amazon S3 uses the corresponding KMS key, or a
|
1851
|
-
# customer-provided key to encrypt the target object copy.
|
1852
|
-
#
|
1853
|
-
# When you perform a `CopyObject` operation, if you want to use a
|
1854
|
-
# different type of encryption setting for the target object, you can
|
1855
|
-
# specify appropriate encryption-related headers to encrypt the target
|
1856
|
-
# object with an Amazon S3 managed key, a KMS key, or a
|
1857
|
-
# customer-provided key. If the encryption setting in your request is
|
1858
|
-
# different from the default encryption configuration of the
|
1859
|
-
# destination bucket, the encryption setting in your request takes
|
1860
|
-
# precedence.
|
1813
|
+
# different default encryption configuration, Amazon S3 uses the
|
1814
|
+
# corresponding encryption key to encrypt the target object copy.
|
1861
1815
|
#
|
1862
1816
|
# With server-side encryption, Amazon S3 encrypts your data as it
|
1863
1817
|
# writes your data to disks in its data centers and decrypts the data
|
@@ -1865,14 +1819,63 @@ module Aws::S3
|
|
1865
1819
|
# encryption, see [Using Server-Side Encryption][1] in the *Amazon S3
|
1866
1820
|
# User Guide*.
|
1867
1821
|
#
|
1868
|
-
# <
|
1869
|
-
#
|
1870
|
-
#
|
1871
|
-
#
|
1822
|
+
# <b>General purpose buckets </b>
|
1823
|
+
#
|
1824
|
+
# * For general purpose buckets, there are the following supported
|
1825
|
+
# options for server-side encryption: server-side encryption with
|
1826
|
+
# Key Management Service (KMS) keys (SSE-KMS), dual-layer
|
1827
|
+
# server-side encryption with Amazon Web Services KMS keys
|
1828
|
+
# (DSSE-KMS), and server-side encryption with customer-provided
|
1829
|
+
# encryption keys (SSE-C). Amazon S3 uses the corresponding KMS key,
|
1830
|
+
# or a customer-provided key to encrypt the target object copy.
|
1831
|
+
#
|
1832
|
+
# * When you perform a `CopyObject` operation, if you want to use a
|
1833
|
+
# different type of encryption setting for the target object, you
|
1834
|
+
# can specify appropriate encryption-related headers to encrypt the
|
1835
|
+
# target object with an Amazon S3 managed key, a KMS key, or a
|
1836
|
+
# customer-provided key. If the encryption setting in your request
|
1837
|
+
# is different from the default encryption configuration of the
|
1838
|
+
# destination bucket, the encryption setting in your request takes
|
1839
|
+
# precedence.
|
1840
|
+
#
|
1841
|
+
# <b>Directory buckets </b>
|
1842
|
+
#
|
1843
|
+
# * For directory buckets, there are only two supported options for
|
1844
|
+
# server-side encryption: server-side encryption with Amazon S3
|
1845
|
+
# managed keys (SSE-S3) (`AES256`) and server-side encryption with
|
1846
|
+
# KMS keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's
|
1847
|
+
# default encryption uses the desired encryption configuration and
|
1848
|
+
# you don't override the bucket default encryption in your
|
1849
|
+
# `CreateSession` requests or `PUT` object requests. Then, new
|
1850
|
+
# objects are automatically encrypted with the desired encryption
|
1851
|
+
# settings. For more information, see [Protecting data with
|
1852
|
+
# server-side encryption][2] in the *Amazon S3 User Guide*. For more
|
1853
|
+
# information about the encryption overriding behaviors in directory
|
1854
|
+
# buckets, see [Specifying server-side encryption with KMS for new
|
1855
|
+
# object uploads][3].
|
1856
|
+
#
|
1857
|
+
# * To encrypt new object copies to a directory bucket with SSE-KMS,
|
1858
|
+
# we recommend you specify SSE-KMS as the directory bucket's
|
1859
|
+
# default encryption configuration with a KMS key (specifically, a
|
1860
|
+
# [customer managed key][4]). [Amazon Web Services managed key][5]
|
1861
|
+
# (`aws/s3`) isn't supported. Your SSE-KMS configuration can only
|
1862
|
+
# support 1 [customer managed key][4] per directory bucket for the
|
1863
|
+
# lifetime of the bucket. After you specify a customer managed key
|
1864
|
+
# for SSE-KMS, you can't override the customer managed key for the
|
1865
|
+
# bucket's SSE-KMS configuration. Then, when you perform a
|
1866
|
+
# `CopyObject` operation and want to specify server-side encryption
|
1867
|
+
# settings for new object copies with SSE-KMS in the
|
1868
|
+
# encryption-related request headers, you must ensure the encryption
|
1869
|
+
# key is the same customer managed key that you specified for the
|
1870
|
+
# directory bucket's default encryption configuration.
|
1872
1871
|
#
|
1873
1872
|
#
|
1874
1873
|
#
|
1875
1874
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
|
1875
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
1876
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
|
1877
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
1878
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
1876
1879
|
# @return [String]
|
1877
1880
|
#
|
1878
1881
|
# @!attribute [rw] storage_class
|
@@ -1978,7 +1981,7 @@ module Aws::S3
|
|
1978
1981
|
# @return [String]
|
1979
1982
|
#
|
1980
1983
|
# @!attribute [rw] ssekms_key_id
|
1981
|
-
# Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for
|
1984
|
+
# Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
|
1982
1985
|
# object encryption. All GET and PUT requests for an object protected
|
1983
1986
|
# by KMS will fail if they're not made via SSL or using SigV4. For
|
1984
1987
|
# information about configuring any of the officially supported Amazon
|
@@ -1986,27 +1989,45 @@ module Aws::S3
|
|
1986
1989
|
# Signature Version in Request Authentication][1] in the *Amazon S3
|
1987
1990
|
# User Guide*.
|
1988
1991
|
#
|
1989
|
-
#
|
1990
|
-
#
|
1991
|
-
#
|
1992
|
-
#
|
1992
|
+
# **Directory buckets** - If you specify
|
1993
|
+
# `x-amz-server-side-encryption` with `aws:kms`, you must specify the
|
1994
|
+
# ` x-amz-server-side-encryption-aws-kms-key-id` header with the ID
|
1995
|
+
# (Key ID or Key ARN) of the KMS symmetric encryption customer managed
|
1996
|
+
# key to use. Otherwise, you get an HTTP `400 Bad Request` error. Only
|
1997
|
+
# use the key ID or key ARN. The key alias format of the KMS key
|
1998
|
+
# isn't supported. Your SSE-KMS configuration can only support 1
|
1999
|
+
# [customer managed key][2] per directory bucket for the lifetime of
|
2000
|
+
# the bucket. [Amazon Web Services managed key][3] (`aws/s3`) isn't
|
2001
|
+
# supported.
|
1993
2002
|
#
|
1994
2003
|
#
|
1995
2004
|
#
|
1996
2005
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
|
2006
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
2007
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
1997
2008
|
# @return [String]
|
1998
2009
|
#
|
1999
2010
|
# @!attribute [rw] ssekms_encryption_context
|
2000
|
-
# Specifies the Amazon Web Services KMS Encryption Context
|
2001
|
-
#
|
2002
|
-
#
|
2003
|
-
#
|
2004
|
-
# context for `CopyObject` requests.
|
2011
|
+
# Specifies the Amazon Web Services KMS Encryption Context as an
|
2012
|
+
# additional encryption context to use for the destination object
|
2013
|
+
# encryption. The value of this header is a base64-encoded UTF-8
|
2014
|
+
# string holding JSON with the encryption context key-value pairs.
|
2005
2015
|
#
|
2006
|
-
#
|
2007
|
-
#
|
2016
|
+
# **General purpose buckets** - This value must be explicitly added to
|
2017
|
+
# specify encryption context for `CopyObject` requests if you want an
|
2018
|
+
# additional encryption context for your destination object. The
|
2019
|
+
# additional encryption context of the source object won't be copied
|
2020
|
+
# to the destination object. For more information, see [Encryption
|
2021
|
+
# context][1] in the *Amazon S3 User Guide*.
|
2008
2022
|
#
|
2009
|
-
#
|
2023
|
+
# **Directory buckets** - You can optionally provide an explicit
|
2024
|
+
# encryption context value. The value must match the default
|
2025
|
+
# encryption context - the bucket Amazon Resource Name (ARN). An
|
2026
|
+
# additional encryption context value is not supported.
|
2027
|
+
#
|
2028
|
+
#
|
2029
|
+
#
|
2030
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
|
2010
2031
|
# @return [String]
|
2011
2032
|
#
|
2012
2033
|
# @!attribute [rw] bucket_key_enabled
|
@@ -2023,14 +2044,19 @@ module Aws::S3
|
|
2023
2044
|
# For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon
|
2024
2045
|
# S3 User Guide*.
|
2025
2046
|
#
|
2026
|
-
# <note markdown="1">
|
2027
|
-
#
|
2047
|
+
# <note markdown="1"> **Directory buckets** - S3 Bucket Keys aren't supported, when you
|
2048
|
+
# copy SSE-KMS encrypted objects from general purpose buckets to
|
2049
|
+
# directory buckets, from directory buckets to general purpose
|
2050
|
+
# buckets, or between directory buckets, through [CopyObject][2]. In
|
2051
|
+
# this case, Amazon S3 makes a call to KMS every time a copy request
|
2052
|
+
# is made for a KMS-encrypted object.
|
2028
2053
|
#
|
2029
2054
|
# </note>
|
2030
2055
|
#
|
2031
2056
|
#
|
2032
2057
|
#
|
2033
2058
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
|
2059
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
2034
2060
|
# @return [Boolean]
|
2035
2061
|
#
|
2036
2062
|
# @!attribute [rw] copy_source_sse_customer_algorithm
|
@@ -2642,11 +2668,6 @@ module Aws::S3
|
|
2642
2668
|
# @!attribute [rw] server_side_encryption
|
2643
2669
|
# The server-side encryption algorithm used when you store this object
|
2644
2670
|
# in Amazon S3 (for example, `AES256`, `aws:kms`).
|
2645
|
-
#
|
2646
|
-
# <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
|
2647
|
-
# managed keys (SSE-S3) (`AES256`) is supported.
|
2648
|
-
#
|
2649
|
-
# </note>
|
2650
2671
|
# @return [String]
|
2651
2672
|
#
|
2652
2673
|
# @!attribute [rw] sse_customer_algorithm
|
@@ -2671,34 +2692,21 @@ module Aws::S3
|
|
2671
2692
|
# @return [String]
|
2672
2693
|
#
|
2673
2694
|
# @!attribute [rw] ssekms_key_id
|
2674
|
-
# If present, indicates the ID of the
|
2675
|
-
#
|
2676
|
-
# object.
|
2677
|
-
#
|
2678
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
2679
|
-
#
|
2680
|
-
# </note>
|
2695
|
+
# If present, indicates the ID of the KMS key that was used for object
|
2696
|
+
# encryption.
|
2681
2697
|
# @return [String]
|
2682
2698
|
#
|
2683
2699
|
# @!attribute [rw] ssekms_encryption_context
|
2684
2700
|
# If present, indicates the Amazon Web Services KMS Encryption Context
|
2685
2701
|
# to use for object encryption. The value of this header is a
|
2686
|
-
#
|
2687
|
-
# key-value pairs.
|
2688
|
-
#
|
2689
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
2690
|
-
#
|
2691
|
-
# </note>
|
2702
|
+
# Base64-encoded string of a UTF-8 encoded JSON, which contains the
|
2703
|
+
# encryption context as key-value pairs.
|
2692
2704
|
# @return [String]
|
2693
2705
|
#
|
2694
2706
|
# @!attribute [rw] bucket_key_enabled
|
2695
2707
|
# Indicates whether the multipart upload uses an S3 Bucket Key for
|
2696
2708
|
# server-side encryption with Key Management Service (KMS) keys
|
2697
2709
|
# (SSE-KMS).
|
2698
|
-
#
|
2699
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
2700
|
-
#
|
2701
|
-
# </note>
|
2702
2710
|
# @return [Boolean]
|
2703
2711
|
#
|
2704
2712
|
# @!attribute [rw] request_charged
|
@@ -3110,10 +3118,53 @@ module Aws::S3
|
|
3110
3118
|
# The server-side encryption algorithm used when you store this object
|
3111
3119
|
# in Amazon S3 (for example, `AES256`, `aws:kms`).
|
3112
3120
|
#
|
3113
|
-
# <
|
3114
|
-
#
|
3121
|
+
# * <b>Directory buckets </b> - For directory buckets, there are only
|
3122
|
+
# two supported options for server-side encryption: server-side
|
3123
|
+
# encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
|
3124
|
+
# server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
|
3125
|
+
# recommend that the bucket's default encryption uses the desired
|
3126
|
+
# encryption configuration and you don't override the bucket
|
3127
|
+
# default encryption in your `CreateSession` requests or `PUT`
|
3128
|
+
# object requests. Then, new objects are automatically encrypted
|
3129
|
+
# with the desired encryption settings. For more information, see
|
3130
|
+
# [Protecting data with server-side encryption][1] in the *Amazon S3
|
3131
|
+
# User Guide*. For more information about the encryption overriding
|
3132
|
+
# behaviors in directory buckets, see [Specifying server-side
|
3133
|
+
# encryption with KMS for new object uploads][2].
|
3134
|
+
#
|
3135
|
+
# In the Zonal endpoint API calls (except [CopyObject][3] and
|
3136
|
+
# [UploadPartCopy][4]) using the REST API, the encryption request
|
3137
|
+
# headers must match the encryption settings that are specified in
|
3138
|
+
# the `CreateSession` request. You can't override the values of the
|
3139
|
+
# encryption settings (`x-amz-server-side-encryption`,
|
3140
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`,
|
3141
|
+
# `x-amz-server-side-encryption-context`, and
|
3142
|
+
# `x-amz-server-side-encryption-bucket-key-enabled`) that are
|
3143
|
+
# specified in the `CreateSession` request. You don't need to
|
3144
|
+
# explicitly specify these encryption settings values in Zonal
|
3145
|
+
# endpoint API calls, and Amazon S3 will use the encryption settings
|
3146
|
+
# values from the `CreateSession` request to protect new objects in
|
3147
|
+
# the directory bucket.
|
3148
|
+
#
|
3149
|
+
# <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
|
3150
|
+
# `CreateSession`, the session token refreshes automatically to
|
3151
|
+
# avoid service interruptions when a session expires. The CLI or the
|
3152
|
+
# Amazon Web Services SDKs use the bucket's default encryption
|
3153
|
+
# configuration for the `CreateSession` request. It's not supported
|
3154
|
+
# to override the encryption settings values in the `CreateSession`
|
3155
|
+
# request. So in the Zonal endpoint API calls (except
|
3156
|
+
# [CopyObject][3] and [UploadPartCopy][4]), the encryption request
|
3157
|
+
# headers must match the default encryption configuration of the
|
3158
|
+
# directory bucket.
|
3115
3159
|
#
|
3116
|
-
#
|
3160
|
+
# </note>
|
3161
|
+
#
|
3162
|
+
#
|
3163
|
+
#
|
3164
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
3165
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
|
3166
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
3167
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
3117
3168
|
# @return [String]
|
3118
3169
|
#
|
3119
3170
|
# @!attribute [rw] storage_class
|
@@ -3179,37 +3230,75 @@ module Aws::S3
|
|
3179
3230
|
# @return [String]
|
3180
3231
|
#
|
3181
3232
|
# @!attribute [rw] ssekms_key_id
|
3182
|
-
# Specifies the ID (Key ID, Key ARN, or Key Alias)
|
3183
|
-
# encryption
|
3233
|
+
# Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
|
3234
|
+
# object encryption. If the KMS key doesn't exist in the same account
|
3235
|
+
# that's issuing the command, you must use the full Key ARN not the
|
3236
|
+
# Key ID.
|
3237
|
+
#
|
3238
|
+
# **General purpose buckets** - If you specify
|
3239
|
+
# `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`,
|
3240
|
+
# this header specifies the ID (Key ID, Key ARN, or Key Alias) of the
|
3241
|
+
# KMS key to use. If you specify
|
3242
|
+
# `x-amz-server-side-encryption:aws:kms` or
|
3243
|
+
# `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
|
3244
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
|
3245
|
+
# Amazon Web Services managed key (`aws/s3`) to protect the data.
|
3184
3246
|
#
|
3185
|
-
#
|
3247
|
+
# **Directory buckets** - If you specify
|
3248
|
+
# `x-amz-server-side-encryption` with `aws:kms`, you must specify the
|
3249
|
+
# ` x-amz-server-side-encryption-aws-kms-key-id` header with the ID
|
3250
|
+
# (Key ID or Key ARN) of the KMS symmetric encryption customer managed
|
3251
|
+
# key to use. Otherwise, you get an HTTP `400 Bad Request` error. Only
|
3252
|
+
# use the key ID or key ARN. The key alias format of the KMS key
|
3253
|
+
# isn't supported. Your SSE-KMS configuration can only support 1
|
3254
|
+
# [customer managed key][1] per directory bucket for the lifetime of
|
3255
|
+
# the bucket. [Amazon Web Services managed key][2] (`aws/s3`) isn't
|
3256
|
+
# supported.
|
3186
3257
|
#
|
3187
|
-
#
|
3258
|
+
#
|
3259
|
+
#
|
3260
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
3261
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
3188
3262
|
# @return [String]
|
3189
3263
|
#
|
3190
3264
|
# @!attribute [rw] ssekms_encryption_context
|
3191
3265
|
# Specifies the Amazon Web Services KMS Encryption Context to use for
|
3192
|
-
# object encryption. The value of this header is a
|
3193
|
-
# UTF-8
|
3194
|
-
# pairs.
|
3195
|
-
#
|
3196
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
3266
|
+
# object encryption. The value of this header is a Base64-encoded
|
3267
|
+
# string of a UTF-8 encoded JSON, which contains the encryption
|
3268
|
+
# context as key-value pairs.
|
3197
3269
|
#
|
3198
|
-
#
|
3270
|
+
# **Directory buckets** - You can optionally provide an explicit
|
3271
|
+
# encryption context value. The value must match the default
|
3272
|
+
# encryption context - the bucket Amazon Resource Name (ARN). An
|
3273
|
+
# additional encryption context value is not supported.
|
3199
3274
|
# @return [String]
|
3200
3275
|
#
|
3201
3276
|
# @!attribute [rw] bucket_key_enabled
|
3202
3277
|
# Specifies whether Amazon S3 should use an S3 Bucket Key for object
|
3203
3278
|
# encryption with server-side encryption using Key Management Service
|
3204
|
-
# (KMS) keys (SSE-KMS).
|
3205
|
-
# to use an S3 Bucket Key for object encryption with SSE-KMS.
|
3279
|
+
# (KMS) keys (SSE-KMS).
|
3206
3280
|
#
|
3207
|
-
#
|
3208
|
-
#
|
3281
|
+
# **General purpose buckets** - Setting this header to `true` causes
|
3282
|
+
# Amazon S3 to use an S3 Bucket Key for object encryption with
|
3283
|
+
# SSE-KMS. Also, specifying this header with a PUT action doesn't
|
3284
|
+
# affect bucket-level settings for S3 Bucket Key.
|
3209
3285
|
#
|
3210
|
-
#
|
3286
|
+
# **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
|
3287
|
+
# and `PUT` operations in a directory bucket and can’t be disabled. S3
|
3288
|
+
# Bucket Keys aren't supported, when you copy SSE-KMS encrypted
|
3289
|
+
# objects from general purpose buckets to directory buckets, from
|
3290
|
+
# directory buckets to general purpose buckets, or between directory
|
3291
|
+
# buckets, through [CopyObject][1], [UploadPartCopy][2], [the Copy
|
3292
|
+
# operation in Batch Operations][3], or [the import jobs][4]. In this
|
3293
|
+
# case, Amazon S3 makes a call to KMS every time a copy request is
|
3294
|
+
# made for a KMS-encrypted object.
|
3211
3295
|
#
|
3212
|
-
#
|
3296
|
+
#
|
3297
|
+
#
|
3298
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
3299
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
3300
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
|
3301
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
|
3213
3302
|
# @return [Boolean]
|
3214
3303
|
#
|
3215
3304
|
# @!attribute [rw] request_payer
|
@@ -3319,6 +3408,31 @@ module Aws::S3
|
|
3319
3408
|
include Aws::Structure
|
3320
3409
|
end
|
3321
3410
|
|
3411
|
+
# @!attribute [rw] server_side_encryption
|
3412
|
+
# The server-side encryption algorithm used when you store objects in
|
3413
|
+
# the directory bucket.
|
3414
|
+
# @return [String]
|
3415
|
+
#
|
3416
|
+
# @!attribute [rw] ssekms_key_id
|
3417
|
+
# If you specify `x-amz-server-side-encryption` with `aws:kms`, this
|
3418
|
+
# header indicates the ID of the KMS symmetric encryption customer
|
3419
|
+
# managed key that was used for object encryption.
|
3420
|
+
# @return [String]
|
3421
|
+
#
|
3422
|
+
# @!attribute [rw] ssekms_encryption_context
|
3423
|
+
# If present, indicates the Amazon Web Services KMS Encryption Context
|
3424
|
+
# to use for object encryption. The value of this header is a
|
3425
|
+
# Base64-encoded string of a UTF-8 encoded JSON, which contains the
|
3426
|
+
# encryption context as key-value pairs. This value is stored as
|
3427
|
+
# object metadata and automatically gets passed on to Amazon Web
|
3428
|
+
# Services KMS for future `GetObject` operations on this object.
|
3429
|
+
# @return [String]
|
3430
|
+
#
|
3431
|
+
# @!attribute [rw] bucket_key_enabled
|
3432
|
+
# Indicates whether to use an S3 Bucket Key for server-side encryption
|
3433
|
+
# with KMS keys (SSE-KMS).
|
3434
|
+
# @return [Boolean]
|
3435
|
+
#
|
3322
3436
|
# @!attribute [rw] credentials
|
3323
3437
|
# The established temporary security credentials for the created
|
3324
3438
|
# session.
|
@@ -3327,8 +3441,12 @@ module Aws::S3
|
|
3327
3441
|
# @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/CreateSessionOutput AWS API Documentation
|
3328
3442
|
#
|
3329
3443
|
class CreateSessionOutput < Struct.new(
|
3444
|
+
:server_side_encryption,
|
3445
|
+
:ssekms_key_id,
|
3446
|
+
:ssekms_encryption_context,
|
3447
|
+
:bucket_key_enabled,
|
3330
3448
|
:credentials)
|
3331
|
-
SENSITIVE = []
|
3449
|
+
SENSITIVE = [:ssekms_key_id, :ssekms_encryption_context]
|
3332
3450
|
include Aws::Structure
|
3333
3451
|
end
|
3334
3452
|
|
@@ -3336,22 +3454,108 @@ module Aws::S3
|
|
3336
3454
|
# Specifies the mode of the session that will be created, either
|
3337
3455
|
# `ReadWrite` or `ReadOnly`. By default, a `ReadWrite` session is
|
3338
3456
|
# created. A `ReadWrite` session is capable of executing all the Zonal
|
3339
|
-
# endpoint
|
3340
|
-
# constrained to execute the following Zonal endpoint
|
3341
|
-
# `GetObject`, `HeadObject`, `ListObjectsV2`,
|
3342
|
-
# `ListParts`, and `ListMultipartUploads`.
|
3457
|
+
# endpoint API operations on a directory bucket. A `ReadOnly` session
|
3458
|
+
# is constrained to execute the following Zonal endpoint API
|
3459
|
+
# operations: `GetObject`, `HeadObject`, `ListObjectsV2`,
|
3460
|
+
# `GetObjectAttributes`, `ListParts`, and `ListMultipartUploads`.
|
3343
3461
|
# @return [String]
|
3344
3462
|
#
|
3345
3463
|
# @!attribute [rw] bucket
|
3346
3464
|
# The name of the bucket that you create a session for.
|
3347
3465
|
# @return [String]
|
3348
3466
|
#
|
3467
|
+
# @!attribute [rw] server_side_encryption
|
3468
|
+
# The server-side encryption algorithm to use when you store objects
|
3469
|
+
# in the directory bucket.
|
3470
|
+
#
|
3471
|
+
# For directory buckets, there are only two supported options for
|
3472
|
+
# server-side encryption: server-side encryption with Amazon S3
|
3473
|
+
# managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
|
3474
|
+
# keys (SSE-KMS) (`aws:kms`). By default, Amazon S3 encrypts data with
|
3475
|
+
# SSE-S3. For more information, see [Protecting data with server-side
|
3476
|
+
# encryption][1] in the *Amazon S3 User Guide*.
|
3477
|
+
#
|
3478
|
+
#
|
3479
|
+
#
|
3480
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
3481
|
+
# @return [String]
|
3482
|
+
#
|
3483
|
+
# @!attribute [rw] ssekms_key_id
|
3484
|
+
# If you specify `x-amz-server-side-encryption` with `aws:kms`, you
|
3485
|
+
# must specify the ` x-amz-server-side-encryption-aws-kms-key-id`
|
3486
|
+
# header with the ID (Key ID or Key ARN) of the KMS symmetric
|
3487
|
+
# encryption customer managed key to use. Otherwise, you get an HTTP
|
3488
|
+
# `400 Bad Request` error. Only use the key ID or key ARN. The key
|
3489
|
+
# alias format of the KMS key isn't supported. Also, if the KMS key
|
3490
|
+
# doesn't exist in the same account that't issuing the command, you
|
3491
|
+
# must use the full Key ARN not the Key ID.
|
3492
|
+
#
|
3493
|
+
# Your SSE-KMS configuration can only support 1 [customer managed
|
3494
|
+
# key][1] per directory bucket for the lifetime of the bucket. [Amazon
|
3495
|
+
# Web Services managed key][2] (`aws/s3`) isn't supported.
|
3496
|
+
#
|
3497
|
+
#
|
3498
|
+
#
|
3499
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
3500
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
3501
|
+
# @return [String]
|
3502
|
+
#
|
3503
|
+
# @!attribute [rw] ssekms_encryption_context
|
3504
|
+
# Specifies the Amazon Web Services KMS Encryption Context as an
|
3505
|
+
# additional encryption context to use for object encryption. The
|
3506
|
+
# value of this header is a Base64-encoded string of a UTF-8 encoded
|
3507
|
+
# JSON, which contains the encryption context as key-value pairs. This
|
3508
|
+
# value is stored as object metadata and automatically gets passed on
|
3509
|
+
# to Amazon Web Services KMS for future `GetObject` operations on this
|
3510
|
+
# object.
|
3511
|
+
#
|
3512
|
+
# **General purpose buckets** - This value must be explicitly added
|
3513
|
+
# during `CopyObject` operations if you want an additional encryption
|
3514
|
+
# context for your object. For more information, see [Encryption
|
3515
|
+
# context][1] in the *Amazon S3 User Guide*.
|
3516
|
+
#
|
3517
|
+
# **Directory buckets** - You can optionally provide an explicit
|
3518
|
+
# encryption context value. The value must match the default
|
3519
|
+
# encryption context - the bucket Amazon Resource Name (ARN). An
|
3520
|
+
# additional encryption context value is not supported.
|
3521
|
+
#
|
3522
|
+
#
|
3523
|
+
#
|
3524
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
|
3525
|
+
# @return [String]
|
3526
|
+
#
|
3527
|
+
# @!attribute [rw] bucket_key_enabled
|
3528
|
+
# Specifies whether Amazon S3 should use an S3 Bucket Key for object
|
3529
|
+
# encryption with server-side encryption using KMS keys (SSE-KMS).
|
3530
|
+
#
|
3531
|
+
# S3 Bucket Keys are always enabled for `GET` and `PUT` operations in
|
3532
|
+
# a directory bucket and can’t be disabled. S3 Bucket Keys aren't
|
3533
|
+
# supported, when you copy SSE-KMS encrypted objects from general
|
3534
|
+
# purpose buckets to directory buckets, from directory buckets to
|
3535
|
+
# general purpose buckets, or between directory buckets, through
|
3536
|
+
# [CopyObject][1], [UploadPartCopy][2], [the Copy operation in Batch
|
3537
|
+
# Operations][3], or [the import jobs][4]. In this case, Amazon S3
|
3538
|
+
# makes a call to KMS every time a copy request is made for a
|
3539
|
+
# KMS-encrypted object.
|
3540
|
+
#
|
3541
|
+
#
|
3542
|
+
#
|
3543
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
3544
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
3545
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
|
3546
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
|
3547
|
+
# @return [Boolean]
|
3548
|
+
#
|
3349
3549
|
# @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/CreateSessionRequest AWS API Documentation
|
3350
3550
|
#
|
3351
3551
|
class CreateSessionRequest < Struct.new(
|
3352
3552
|
:session_mode,
|
3353
|
-
:bucket
|
3354
|
-
|
3553
|
+
:bucket,
|
3554
|
+
:server_side_encryption,
|
3555
|
+
:ssekms_key_id,
|
3556
|
+
:ssekms_encryption_context,
|
3557
|
+
:bucket_key_enabled)
|
3558
|
+
SENSITIVE = [:ssekms_key_id, :ssekms_encryption_context]
|
3355
3559
|
include Aws::Structure
|
3356
3560
|
end
|
3357
3561
|
|
@@ -3470,6 +3674,20 @@ module Aws::S3
|
|
3470
3674
|
# @!attribute [rw] bucket
|
3471
3675
|
# The name of the bucket containing the server-side encryption
|
3472
3676
|
# configuration to delete.
|
3677
|
+
#
|
3678
|
+
# <b>Directory buckets </b> - When you use this operation with a
|
3679
|
+
# directory bucket, you must use path-style requests in the format
|
3680
|
+
# `https://s3express-control.region_code.amazonaws.com/bucket-name `.
|
3681
|
+
# Virtual-hosted-style requests aren't supported. Directory bucket
|
3682
|
+
# names must be unique in the chosen Availability Zone. Bucket names
|
3683
|
+
# must also follow the format ` bucket_base_name--az_id--x-s3` (for
|
3684
|
+
# example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information
|
3685
|
+
# about bucket naming restrictions, see [Directory bucket naming
|
3686
|
+
# rules][1] in the *Amazon S3 User Guide*
|
3687
|
+
#
|
3688
|
+
#
|
3689
|
+
#
|
3690
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
|
3473
3691
|
# @return [String]
|
3474
3692
|
#
|
3475
3693
|
# @!attribute [rw] expected_bucket_owner
|
@@ -3477,6 +3695,12 @@ module Aws::S3
|
|
3477
3695
|
# you provide does not match the actual owner of the bucket, the
|
3478
3696
|
# request fails with the HTTP status code `403 Forbidden` (access
|
3479
3697
|
# denied).
|
3698
|
+
#
|
3699
|
+
# <note markdown="1"> For directory buckets, this header is not supported in this API
|
3700
|
+
# operation. If you specify this header, the request fails with the
|
3701
|
+
# HTTP status code `501 Not Implemented`.
|
3702
|
+
#
|
3703
|
+
# </note>
|
3480
3704
|
# @return [String]
|
3481
3705
|
#
|
3482
3706
|
# @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/DeleteBucketEncryptionRequest AWS API Documentation
|
@@ -5326,12 +5550,16 @@ module Aws::S3
|
|
5326
5550
|
class EventBridgeConfiguration < Aws::EmptyStructure; end
|
5327
5551
|
|
5328
5552
|
# Optional configuration to replicate existing source bucket objects.
|
5329
|
-
#
|
5553
|
+
#
|
5554
|
+
# <note markdown="1"> This parameter is no longer supported. To replicate existing objects,
|
5555
|
+
# see [Replicating existing objects with S3 Batch Replication][1] in the
|
5330
5556
|
# *Amazon S3 User Guide*.
|
5331
5557
|
#
|
5558
|
+
# </note>
|
5559
|
+
#
|
5332
5560
|
#
|
5333
5561
|
#
|
5334
|
-
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/
|
5562
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-batch-replication-batch.html
|
5335
5563
|
#
|
5336
5564
|
# @!attribute [rw] status
|
5337
5565
|
# Specifies whether Amazon S3 replicates existing source bucket
|
@@ -5595,6 +5823,20 @@ module Aws::S3
|
|
5595
5823
|
# @!attribute [rw] bucket
|
5596
5824
|
# The name of the bucket from which the server-side encryption
|
5597
5825
|
# configuration is retrieved.
|
5826
|
+
#
|
5827
|
+
# <b>Directory buckets </b> - When you use this operation with a
|
5828
|
+
# directory bucket, you must use path-style requests in the format
|
5829
|
+
# `https://s3express-control.region_code.amazonaws.com/bucket-name `.
|
5830
|
+
# Virtual-hosted-style requests aren't supported. Directory bucket
|
5831
|
+
# names must be unique in the chosen Availability Zone. Bucket names
|
5832
|
+
# must also follow the format ` bucket_base_name--az_id--x-s3` (for
|
5833
|
+
# example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information
|
5834
|
+
# about bucket naming restrictions, see [Directory bucket naming
|
5835
|
+
# rules][1] in the *Amazon S3 User Guide*
|
5836
|
+
#
|
5837
|
+
#
|
5838
|
+
#
|
5839
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
|
5598
5840
|
# @return [String]
|
5599
5841
|
#
|
5600
5842
|
# @!attribute [rw] expected_bucket_owner
|
@@ -5602,6 +5844,12 @@ module Aws::S3
|
|
5602
5844
|
# you provide does not match the actual owner of the bucket, the
|
5603
5845
|
# request fails with the HTTP status code `403 Forbidden` (access
|
5604
5846
|
# denied).
|
5847
|
+
#
|
5848
|
+
# <note markdown="1"> For directory buckets, this header is not supported in this API
|
5849
|
+
# operation. If you specify this header, the request fails with the
|
5850
|
+
# HTTP status code `501 Not Implemented`.
|
5851
|
+
#
|
5852
|
+
# </note>
|
5605
5853
|
# @return [String]
|
5606
5854
|
#
|
5607
5855
|
# @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/GetBucketEncryptionRequest AWS API Documentation
|
@@ -6923,12 +7171,7 @@ module Aws::S3
|
|
6923
7171
|
#
|
6924
7172
|
# @!attribute [rw] server_side_encryption
|
6925
7173
|
# The server-side encryption algorithm used when you store this object
|
6926
|
-
# in Amazon S3
|
6927
|
-
#
|
6928
|
-
# <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
|
6929
|
-
# managed keys (SSE-S3) (`AES256`) is supported.
|
6930
|
-
#
|
6931
|
-
# </note>
|
7174
|
+
# in Amazon S3.
|
6932
7175
|
# @return [String]
|
6933
7176
|
#
|
6934
7177
|
# @!attribute [rw] metadata
|
@@ -6957,22 +7200,13 @@ module Aws::S3
|
|
6957
7200
|
# @return [String]
|
6958
7201
|
#
|
6959
7202
|
# @!attribute [rw] ssekms_key_id
|
6960
|
-
# If present, indicates the ID of the
|
6961
|
-
#
|
6962
|
-
# object.
|
6963
|
-
#
|
6964
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
6965
|
-
#
|
6966
|
-
# </note>
|
7203
|
+
# If present, indicates the ID of the KMS key that was used for object
|
7204
|
+
# encryption.
|
6967
7205
|
# @return [String]
|
6968
7206
|
#
|
6969
7207
|
# @!attribute [rw] bucket_key_enabled
|
6970
7208
|
# Indicates whether the object uses an S3 Bucket Key for server-side
|
6971
7209
|
# encryption with Key Management Service (KMS) keys (SSE-KMS).
|
6972
|
-
#
|
6973
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
6974
|
-
#
|
6975
|
-
# </note>
|
6976
7210
|
# @return [Boolean]
|
6977
7211
|
#
|
6978
7212
|
# @!attribute [rw] storage_class
|
@@ -7413,10 +7647,10 @@ module Aws::S3
|
|
7413
7647
|
# @!attribute [rw] checksum_mode
|
7414
7648
|
# To retrieve the checksum, this mode must be enabled.
|
7415
7649
|
#
|
7416
|
-
# In addition, if you enable checksum
|
7417
|
-
# with a [checksum][1] and encrypted
|
7418
|
-
# (KMS) key, you must have permission
|
7419
|
-
# to retrieve the checksum.
|
7650
|
+
# **General purpose buckets** - In addition, if you enable checksum
|
7651
|
+
# mode and the object is uploaded with a [checksum][1] and encrypted
|
7652
|
+
# with an Key Management Service (KMS) key, you must have permission
|
7653
|
+
# to use the `kms:Decrypt` action to retrieve the checksum.
|
7420
7654
|
#
|
7421
7655
|
#
|
7422
7656
|
#
|
@@ -8137,11 +8371,6 @@ module Aws::S3
|
|
8137
8371
|
# @!attribute [rw] server_side_encryption
|
8138
8372
|
# The server-side encryption algorithm used when you store this object
|
8139
8373
|
# in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
|
8140
|
-
#
|
8141
|
-
# <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
|
8142
|
-
# managed keys (SSE-S3) (`AES256`) is supported.
|
8143
|
-
#
|
8144
|
-
# </note>
|
8145
8374
|
# @return [String]
|
8146
8375
|
#
|
8147
8376
|
# @!attribute [rw] metadata
|
@@ -8170,22 +8399,13 @@ module Aws::S3
|
|
8170
8399
|
# @return [String]
|
8171
8400
|
#
|
8172
8401
|
# @!attribute [rw] ssekms_key_id
|
8173
|
-
# If present, indicates the ID of the
|
8174
|
-
#
|
8175
|
-
# object.
|
8176
|
-
#
|
8177
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
8178
|
-
#
|
8179
|
-
# </note>
|
8402
|
+
# If present, indicates the ID of the KMS key that was used for object
|
8403
|
+
# encryption.
|
8180
8404
|
# @return [String]
|
8181
8405
|
#
|
8182
8406
|
# @!attribute [rw] bucket_key_enabled
|
8183
8407
|
# Indicates whether the object uses an S3 Bucket Key for server-side
|
8184
8408
|
# encryption with Key Management Service (KMS) keys (SSE-KMS).
|
8185
|
-
#
|
8186
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
8187
|
-
#
|
8188
|
-
# </note>
|
8189
8409
|
# @return [Boolean]
|
8190
8410
|
#
|
8191
8411
|
# @!attribute [rw] storage_class
|
@@ -8587,10 +8807,16 @@ module Aws::S3
|
|
8587
8807
|
# @!attribute [rw] checksum_mode
|
8588
8808
|
# To retrieve the checksum, this parameter must be enabled.
|
8589
8809
|
#
|
8590
|
-
#
|
8591
|
-
# with a [checksum][1] and encrypted with an Key
|
8592
|
-
# (KMS) key, you must have permission to use the
|
8593
|
-
# to retrieve the checksum.
|
8810
|
+
# **General purpose buckets** - If you enable checksum mode and the
|
8811
|
+
# object is uploaded with a [checksum][1] and encrypted with an Key
|
8812
|
+
# Management Service (KMS) key, you must have permission to use the
|
8813
|
+
# `kms:Decrypt` action to retrieve the checksum.
|
8814
|
+
#
|
8815
|
+
# **Directory buckets** - If you enable `ChecksumMode` and the object
|
8816
|
+
# is encrypted with Amazon Web Services Key Management Service (Amazon
|
8817
|
+
# Web Services KMS), you must also have the `kms:GenerateDataKey` and
|
8818
|
+
# `kms:Decrypt` permissions in IAM identity-based policies and KMS key
|
8819
|
+
# policies for the KMS key to retrieve the checksum of the object.
|
8594
8820
|
#
|
8595
8821
|
#
|
8596
8822
|
#
|
@@ -12490,18 +12716,21 @@ module Aws::S3
|
|
12490
12716
|
|
12491
12717
|
# @!attribute [rw] bucket
|
12492
12718
|
# Specifies default encryption for a bucket using server-side
|
12493
|
-
# encryption with different key options.
|
12494
|
-
#
|
12495
|
-
#
|
12496
|
-
#
|
12497
|
-
#
|
12498
|
-
#
|
12499
|
-
#
|
12500
|
-
#
|
12719
|
+
# encryption with different key options.
|
12720
|
+
#
|
12721
|
+
# <b>Directory buckets </b> - When you use this operation with a
|
12722
|
+
# directory bucket, you must use path-style requests in the format
|
12723
|
+
# `https://s3express-control.region_code.amazonaws.com/bucket-name `.
|
12724
|
+
# Virtual-hosted-style requests aren't supported. Directory bucket
|
12725
|
+
# names must be unique in the chosen Availability Zone. Bucket names
|
12726
|
+
# must also follow the format ` bucket_base_name--az_id--x-s3` (for
|
12727
|
+
# example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information
|
12728
|
+
# about bucket naming restrictions, see [Directory bucket naming
|
12729
|
+
# rules][1] in the *Amazon S3 User Guide*
|
12501
12730
|
#
|
12502
12731
|
#
|
12503
12732
|
#
|
12504
|
-
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/
|
12733
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
|
12505
12734
|
# @return [String]
|
12506
12735
|
#
|
12507
12736
|
# @!attribute [rw] content_md5
|
@@ -12511,6 +12740,10 @@ module Aws::S3
|
|
12511
12740
|
# For requests made using the Amazon Web Services Command Line
|
12512
12741
|
# Interface (CLI) or Amazon Web Services SDKs, this field is
|
12513
12742
|
# calculated automatically.
|
12743
|
+
#
|
12744
|
+
# <note markdown="1"> This functionality is not supported for directory buckets.
|
12745
|
+
#
|
12746
|
+
# </note>
|
12514
12747
|
# @return [String]
|
12515
12748
|
#
|
12516
12749
|
# @!attribute [rw] checksum_algorithm
|
@@ -12525,6 +12758,12 @@ module Aws::S3
|
|
12525
12758
|
# If you provide an individual checksum, Amazon S3 ignores any
|
12526
12759
|
# provided `ChecksumAlgorithm` parameter.
|
12527
12760
|
#
|
12761
|
+
# <note markdown="1"> For directory buckets, when you use Amazon Web Services SDKs,
|
12762
|
+
# `CRC32` is the default checksum algorithm that's used for
|
12763
|
+
# performance.
|
12764
|
+
#
|
12765
|
+
# </note>
|
12766
|
+
#
|
12528
12767
|
#
|
12529
12768
|
#
|
12530
12769
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
|
@@ -12539,6 +12778,12 @@ module Aws::S3
|
|
12539
12778
|
# you provide does not match the actual owner of the bucket, the
|
12540
12779
|
# request fails with the HTTP status code `403 Forbidden` (access
|
12541
12780
|
# denied).
|
12781
|
+
#
|
12782
|
+
# <note markdown="1"> For directory buckets, this header is not supported in this API
|
12783
|
+
# operation. If you specify this header, the request fails with the
|
12784
|
+
# HTTP status code `501 Not Implemented`.
|
12785
|
+
#
|
12786
|
+
# </note>
|
12542
12787
|
# @return [String]
|
12543
12788
|
#
|
12544
12789
|
# @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/PutBucketEncryptionRequest AWS API Documentation
|
@@ -13807,12 +14052,7 @@ module Aws::S3
|
|
13807
14052
|
#
|
13808
14053
|
# @!attribute [rw] server_side_encryption
|
13809
14054
|
# The server-side encryption algorithm used when you store this object
|
13810
|
-
# in Amazon S3
|
13811
|
-
#
|
13812
|
-
# <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
|
13813
|
-
# managed keys (SSE-S3) (`AES256`) is supported.
|
13814
|
-
#
|
13815
|
-
# </note>
|
14055
|
+
# in Amazon S3.
|
13816
14056
|
# @return [String]
|
13817
14057
|
#
|
13818
14058
|
# @!attribute [rw] version_id
|
@@ -13860,37 +14100,23 @@ module Aws::S3
|
|
13860
14100
|
# @return [String]
|
13861
14101
|
#
|
13862
14102
|
# @!attribute [rw] ssekms_key_id
|
13863
|
-
# If
|
13864
|
-
#
|
13865
|
-
# Service (KMS) symmetric encryption customer managed key that was
|
13866
|
-
# used for the object.
|
13867
|
-
#
|
13868
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
13869
|
-
#
|
13870
|
-
# </note>
|
14103
|
+
# If present, indicates the ID of the KMS key that was used for object
|
14104
|
+
# encryption.
|
13871
14105
|
# @return [String]
|
13872
14106
|
#
|
13873
14107
|
# @!attribute [rw] ssekms_encryption_context
|
13874
14108
|
# If present, indicates the Amazon Web Services KMS Encryption Context
|
13875
14109
|
# to use for object encryption. The value of this header is a
|
13876
|
-
#
|
13877
|
-
# key-value pairs. This value is stored as
|
13878
|
-
# automatically gets passed on to Amazon Web
|
13879
|
-
#
|
13880
|
-
#
|
13881
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
13882
|
-
#
|
13883
|
-
# </note>
|
14110
|
+
# Base64-encoded string of a UTF-8 encoded JSON, which contains the
|
14111
|
+
# encryption context as key-value pairs. This value is stored as
|
14112
|
+
# object metadata and automatically gets passed on to Amazon Web
|
14113
|
+
# Services KMS for future `GetObject` operations on this object.
|
13884
14114
|
# @return [String]
|
13885
14115
|
#
|
13886
14116
|
# @!attribute [rw] bucket_key_enabled
|
13887
14117
|
# Indicates whether the uploaded object uses an S3 Bucket Key for
|
13888
14118
|
# server-side encryption with Key Management Service (KMS) keys
|
13889
14119
|
# (SSE-KMS).
|
13890
|
-
#
|
13891
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
13892
|
-
#
|
13893
|
-
# </note>
|
13894
14120
|
# @return [Boolean]
|
13895
14121
|
#
|
13896
14122
|
# @!attribute [rw] request_charged
|
@@ -14266,25 +14492,66 @@ module Aws::S3
|
|
14266
14492
|
# this object in Amazon S3 (for example, `AES256`, `aws:kms`,
|
14267
14493
|
# `aws:kms:dsse`).
|
14268
14494
|
#
|
14269
|
-
# <b>General purpose buckets </b> - You have four mutually exclusive
|
14270
|
-
#
|
14271
|
-
#
|
14272
|
-
#
|
14273
|
-
#
|
14274
|
-
#
|
14275
|
-
#
|
14276
|
-
#
|
14277
|
-
#
|
14278
|
-
#
|
14279
|
-
#
|
14495
|
+
# * <b>General purpose buckets </b> - You have four mutually exclusive
|
14496
|
+
# options to protect data using server-side encryption in Amazon S3,
|
14497
|
+
# depending on how you choose to manage the encryption keys.
|
14498
|
+
# Specifically, the encryption key options are Amazon S3 managed
|
14499
|
+
# keys (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS),
|
14500
|
+
# and customer-provided keys (SSE-C). Amazon S3 encrypts data with
|
14501
|
+
# server-side encryption by using Amazon S3 managed keys (SSE-S3) by
|
14502
|
+
# default. You can optionally tell Amazon S3 to encrypt data at rest
|
14503
|
+
# by using server-side encryption with other key options. For more
|
14504
|
+
# information, see [Using Server-Side Encryption][1] in the *Amazon
|
14505
|
+
# S3 User Guide*.
|
14506
|
+
#
|
14507
|
+
# * <b>Directory buckets </b> - For directory buckets, there are only
|
14508
|
+
# two supported options for server-side encryption: server-side
|
14509
|
+
# encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
|
14510
|
+
# server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
|
14511
|
+
# recommend that the bucket's default encryption uses the desired
|
14512
|
+
# encryption configuration and you don't override the bucket
|
14513
|
+
# default encryption in your `CreateSession` requests or `PUT`
|
14514
|
+
# object requests. Then, new objects are automatically encrypted
|
14515
|
+
# with the desired encryption settings. For more information, see
|
14516
|
+
# [Protecting data with server-side encryption][2] in the *Amazon S3
|
14517
|
+
# User Guide*. For more information about the encryption overriding
|
14518
|
+
# behaviors in directory buckets, see [Specifying server-side
|
14519
|
+
# encryption with KMS for new object uploads][3].
|
14520
|
+
#
|
14521
|
+
# In the Zonal endpoint API calls (except [CopyObject][4] and
|
14522
|
+
# [UploadPartCopy][5]) using the REST API, the encryption request
|
14523
|
+
# headers must match the encryption settings that are specified in
|
14524
|
+
# the `CreateSession` request. You can't override the values of the
|
14525
|
+
# encryption settings (`x-amz-server-side-encryption`,
|
14526
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`,
|
14527
|
+
# `x-amz-server-side-encryption-context`, and
|
14528
|
+
# `x-amz-server-side-encryption-bucket-key-enabled`) that are
|
14529
|
+
# specified in the `CreateSession` request. You don't need to
|
14530
|
+
# explicitly specify these encryption settings values in Zonal
|
14531
|
+
# endpoint API calls, and Amazon S3 will use the encryption settings
|
14532
|
+
# values from the `CreateSession` request to protect new objects in
|
14533
|
+
# the directory bucket.
|
14534
|
+
#
|
14535
|
+
# <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
|
14536
|
+
# `CreateSession`, the session token refreshes automatically to
|
14537
|
+
# avoid service interruptions when a session expires. The CLI or the
|
14538
|
+
# Amazon Web Services SDKs use the bucket's default encryption
|
14539
|
+
# configuration for the `CreateSession` request. It's not supported
|
14540
|
+
# to override the encryption settings values in the `CreateSession`
|
14541
|
+
# request. So in the Zonal endpoint API calls (except
|
14542
|
+
# [CopyObject][4] and [UploadPartCopy][5]), the encryption request
|
14543
|
+
# headers must match the default encryption configuration of the
|
14544
|
+
# directory bucket.
|
14280
14545
|
#
|
14281
|
-
#
|
14282
|
-
# server-side encryption with Amazon S3 managed keys (SSE-S3)
|
14283
|
-
# (`AES256`) value is supported.
|
14546
|
+
# </note>
|
14284
14547
|
#
|
14285
14548
|
#
|
14286
14549
|
#
|
14287
14550
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
|
14551
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
14552
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
|
14553
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
14554
|
+
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
14288
14555
|
# @return [String]
|
14289
14556
|
#
|
14290
14557
|
# @!attribute [rw] storage_class
|
@@ -14370,48 +14637,87 @@ module Aws::S3
|
|
14370
14637
|
# @return [String]
|
14371
14638
|
#
|
14372
14639
|
# @!attribute [rw] ssekms_key_id
|
14373
|
-
#
|
14374
|
-
#
|
14375
|
-
#
|
14376
|
-
#
|
14640
|
+
# Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
|
14641
|
+
# object encryption. If the KMS key doesn't exist in the same account
|
14642
|
+
# that's issuing the command, you must use the full Key ARN not the
|
14643
|
+
# Key ID.
|
14644
|
+
#
|
14645
|
+
# **General purpose buckets** - If you specify
|
14646
|
+
# `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`,
|
14647
|
+
# this header specifies the ID (Key ID, Key ARN, or Key Alias) of the
|
14648
|
+
# KMS key to use. If you specify
|
14377
14649
|
# `x-amz-server-side-encryption:aws:kms` or
|
14378
|
-
# `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
|
14379
|
-
# x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
|
14380
|
-
# Amazon Web Services managed key (`aws/s3`) to protect the data.
|
14381
|
-
# the KMS key does not exist in the same account that's issuing the
|
14382
|
-
# command, you must use the full ARN and not just the ID.
|
14650
|
+
# `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
|
14651
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
|
14652
|
+
# Amazon Web Services managed key (`aws/s3`) to protect the data.
|
14383
14653
|
#
|
14384
|
-
#
|
14654
|
+
# **Directory buckets** - If you specify
|
14655
|
+
# `x-amz-server-side-encryption` with `aws:kms`, you must specify the
|
14656
|
+
# ` x-amz-server-side-encryption-aws-kms-key-id` header with the ID
|
14657
|
+
# (Key ID or Key ARN) of the KMS symmetric encryption customer managed
|
14658
|
+
# key to use. Otherwise, you get an HTTP `400 Bad Request` error. Only
|
14659
|
+
# use the key ID or key ARN. The key alias format of the KMS key
|
14660
|
+
# isn't supported. Your SSE-KMS configuration can only support 1
|
14661
|
+
# [customer managed key][1] per directory bucket for the lifetime of
|
14662
|
+
# the bucket. [Amazon Web Services managed key][2] (`aws/s3`) isn't
|
14663
|
+
# supported.
|
14385
14664
|
#
|
14386
|
-
#
|
14665
|
+
#
|
14666
|
+
#
|
14667
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
14668
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
14387
14669
|
# @return [String]
|
14388
14670
|
#
|
14389
14671
|
# @!attribute [rw] ssekms_encryption_context
|
14390
|
-
# Specifies the Amazon Web Services KMS Encryption Context
|
14391
|
-
#
|
14392
|
-
#
|
14393
|
-
#
|
14394
|
-
#
|
14395
|
-
# `
|
14396
|
-
#
|
14672
|
+
# Specifies the Amazon Web Services KMS Encryption Context as an
|
14673
|
+
# additional encryption context to use for object encryption. The
|
14674
|
+
# value of this header is a Base64-encoded string of a UTF-8 encoded
|
14675
|
+
# JSON, which contains the encryption context as key-value pairs. This
|
14676
|
+
# value is stored as object metadata and automatically gets passed on
|
14677
|
+
# to Amazon Web Services KMS for future `GetObject` operations on this
|
14678
|
+
# object.
|
14397
14679
|
#
|
14398
|
-
#
|
14680
|
+
# **General purpose buckets** - This value must be explicitly added
|
14681
|
+
# during `CopyObject` operations if you want an additional encryption
|
14682
|
+
# context for your object. For more information, see [Encryption
|
14683
|
+
# context][1] in the *Amazon S3 User Guide*.
|
14399
14684
|
#
|
14400
|
-
#
|
14685
|
+
# **Directory buckets** - You can optionally provide an explicit
|
14686
|
+
# encryption context value. The value must match the default
|
14687
|
+
# encryption context - the bucket Amazon Resource Name (ARN). An
|
14688
|
+
# additional encryption context value is not supported.
|
14689
|
+
#
|
14690
|
+
#
|
14691
|
+
#
|
14692
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
|
14401
14693
|
# @return [String]
|
14402
14694
|
#
|
14403
14695
|
# @!attribute [rw] bucket_key_enabled
|
14404
14696
|
# Specifies whether Amazon S3 should use an S3 Bucket Key for object
|
14405
14697
|
# encryption with server-side encryption using Key Management Service
|
14406
|
-
# (KMS) keys (SSE-KMS).
|
14407
|
-
# to use an S3 Bucket Key for object encryption with SSE-KMS.
|
14698
|
+
# (KMS) keys (SSE-KMS).
|
14408
14699
|
#
|
14409
|
-
#
|
14410
|
-
#
|
14700
|
+
# **General purpose buckets** - Setting this header to `true` causes
|
14701
|
+
# Amazon S3 to use an S3 Bucket Key for object encryption with
|
14702
|
+
# SSE-KMS. Also, specifying this header with a PUT action doesn't
|
14703
|
+
# affect bucket-level settings for S3 Bucket Key.
|
14411
14704
|
#
|
14412
|
-
#
|
14705
|
+
# **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
|
14706
|
+
# and `PUT` operations in a directory bucket and can’t be disabled. S3
|
14707
|
+
# Bucket Keys aren't supported, when you copy SSE-KMS encrypted
|
14708
|
+
# objects from general purpose buckets to directory buckets, from
|
14709
|
+
# directory buckets to general purpose buckets, or between directory
|
14710
|
+
# buckets, through [CopyObject][1], [UploadPartCopy][2], [the Copy
|
14711
|
+
# operation in Batch Operations][3], or [the import jobs][4]. In this
|
14712
|
+
# case, Amazon S3 makes a call to KMS every time a copy request is
|
14713
|
+
# made for a KMS-encrypted object.
|
14413
14714
|
#
|
14414
|
-
#
|
14715
|
+
#
|
14716
|
+
#
|
14717
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
14718
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
14719
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
|
14720
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
|
14415
14721
|
# @return [Boolean]
|
14416
14722
|
#
|
14417
14723
|
# @!attribute [rw] request_payer
|
@@ -15125,12 +15431,16 @@ module Aws::S3
|
|
15125
15431
|
#
|
15126
15432
|
# @!attribute [rw] existing_object_replication
|
15127
15433
|
# Optional configuration to replicate existing source bucket objects.
|
15128
|
-
#
|
15129
|
-
#
|
15434
|
+
#
|
15435
|
+
# <note markdown="1"> This parameter is no longer supported. To replicate existing
|
15436
|
+
# objects, see [Replicating existing objects with S3 Batch
|
15437
|
+
# Replication][1] in the *Amazon S3 User Guide*.
|
15438
|
+
#
|
15439
|
+
# </note>
|
15130
15440
|
#
|
15131
15441
|
#
|
15132
15442
|
#
|
15133
|
-
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/
|
15443
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-batch-replication-batch.html
|
15134
15444
|
# @return [Types::ExistingObjectReplication]
|
15135
15445
|
#
|
15136
15446
|
# @!attribute [rw] destination
|
@@ -16002,35 +16312,51 @@ module Aws::S3
|
|
16002
16312
|
|
16003
16313
|
# Describes the default server-side encryption to apply to new objects
|
16004
16314
|
# in the bucket. If a PUT Object request doesn't specify any
|
16005
|
-
# server-side encryption, this default encryption will be applied.
|
16006
|
-
#
|
16007
|
-
# automatically creates an Amazon Web Services KMS key in your Amazon
|
16008
|
-
# Web Services account the first time that you add an object encrypted
|
16009
|
-
# with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for
|
16010
|
-
# SSE-KMS. For more information, see [PUT Bucket encryption][1] in the
|
16011
|
-
# *Amazon S3 API Reference*.
|
16315
|
+
# server-side encryption, this default encryption will be applied. For
|
16316
|
+
# more information, see [PutBucketEncryption][1].
|
16012
16317
|
#
|
16013
|
-
# <note markdown="1">
|
16014
|
-
#
|
16015
|
-
#
|
16016
|
-
#
|
16017
|
-
#
|
16318
|
+
# <note markdown="1"> * **General purpose buckets** - If you don't specify a customer
|
16319
|
+
# managed key at configuration, Amazon S3 automatically creates an
|
16320
|
+
# Amazon Web Services KMS key (`aws/s3`) in your Amazon Web Services
|
16321
|
+
# account the first time that you add an object encrypted with SSE-KMS
|
16322
|
+
# to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS.
|
16323
|
+
#
|
16324
|
+
# * **Directory buckets** - Your SSE-KMS configuration can only support
|
16325
|
+
# 1 [customer managed key][2] per directory bucket for the lifetime of
|
16326
|
+
# the bucket. [Amazon Web Services managed key][3] (`aws/s3`) isn't
|
16327
|
+
# supported.
|
16328
|
+
#
|
16329
|
+
# * **Directory buckets** - For directory buckets, there are only two
|
16330
|
+
# supported options for server-side encryption: SSE-S3 and SSE-KMS.
|
16018
16331
|
#
|
16019
16332
|
# </note>
|
16020
16333
|
#
|
16021
16334
|
#
|
16022
16335
|
#
|
16023
16336
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html
|
16337
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
16338
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
16024
16339
|
#
|
16025
16340
|
# @!attribute [rw] sse_algorithm
|
16026
16341
|
# Server-side encryption algorithm to use for the default encryption.
|
16342
|
+
#
|
16343
|
+
# <note markdown="1"> For directory buckets, there are only two supported values for
|
16344
|
+
# server-side encryption: `AES256` and `aws:kms`.
|
16345
|
+
#
|
16346
|
+
# </note>
|
16027
16347
|
# @return [String]
|
16028
16348
|
#
|
16029
16349
|
# @!attribute [rw] kms_master_key_id
|
16030
|
-
# Amazon Web Services Key Management Service (KMS) customer
|
16031
|
-
#
|
16032
|
-
#
|
16033
|
-
#
|
16350
|
+
# Amazon Web Services Key Management Service (KMS) customer managed
|
16351
|
+
# key ID to use for the default encryption.
|
16352
|
+
#
|
16353
|
+
# <note markdown="1"> * **General purpose buckets** - This parameter is allowed if and
|
16354
|
+
# only if `SSEAlgorithm` is set to `aws:kms` or `aws:kms:dsse`.
|
16355
|
+
#
|
16356
|
+
# * **Directory buckets** - This parameter is allowed if and only if
|
16357
|
+
# `SSEAlgorithm` is set to `aws:kms`.
|
16358
|
+
#
|
16359
|
+
# </note>
|
16034
16360
|
#
|
16035
16361
|
# You can specify the key ID, key alias, or the Amazon Resource Name
|
16036
16362
|
# (ARN) of the KMS key.
|
@@ -16042,22 +16368,36 @@ module Aws::S3
|
|
16042
16368
|
#
|
16043
16369
|
# * Key Alias: `alias/alias-name`
|
16044
16370
|
#
|
16045
|
-
# If you use a key ID, you can run into a LogDestination undeliverable
|
16046
|
-
# error when creating a VPC flow log.
|
16047
|
-
#
|
16048
16371
|
# If you are using encryption with cross-account or Amazon Web
|
16049
|
-
# Services service operations you must use a fully qualified KMS key
|
16372
|
+
# Services service operations, you must use a fully qualified KMS key
|
16050
16373
|
# ARN. For more information, see [Using encryption for cross-account
|
16051
16374
|
# operations][1].
|
16052
16375
|
#
|
16376
|
+
# <note markdown="1"> * **General purpose buckets** - If you're specifying a customer
|
16377
|
+
# managed KMS key, we recommend using a fully qualified KMS key ARN.
|
16378
|
+
# If you use a KMS key alias instead, then KMS resolves the key
|
16379
|
+
# within the requester’s account. This behavior can result in data
|
16380
|
+
# that's encrypted with a KMS key that belongs to the requester,
|
16381
|
+
# and not the bucket owner. Also, if you use a key ID, you can run
|
16382
|
+
# into a LogDestination undeliverable error when creating a VPC flow
|
16383
|
+
# log.
|
16384
|
+
#
|
16385
|
+
# * **Directory buckets** - When you specify an [KMS customer managed
|
16386
|
+
# key][2] for encryption in your directory bucket, only use the key
|
16387
|
+
# ID or key ARN. The key alias format of the KMS key isn't
|
16388
|
+
# supported.
|
16389
|
+
#
|
16390
|
+
# </note>
|
16391
|
+
#
|
16053
16392
|
# Amazon S3 only supports symmetric encryption KMS keys. For more
|
16054
|
-
# information, see [Asymmetric keys in Amazon Web Services KMS][
|
16393
|
+
# information, see [Asymmetric keys in Amazon Web Services KMS][3] in
|
16055
16394
|
# the *Amazon Web Services Key Management Service Developer Guide*.
|
16056
16395
|
#
|
16057
16396
|
#
|
16058
16397
|
#
|
16059
16398
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy
|
16060
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
16399
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
16400
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
16061
16401
|
# @return [String]
|
16062
16402
|
#
|
16063
16403
|
# @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/ServerSideEncryptionByDefault AWS API Documentation
|
@@ -16086,14 +16426,23 @@ module Aws::S3
|
|
16086
16426
|
|
16087
16427
|
# Specifies the default server-side encryption configuration.
|
16088
16428
|
#
|
16089
|
-
# <note markdown="1"> If you're specifying a customer
|
16090
|
-
#
|
16091
|
-
#
|
16092
|
-
# result in data that's
|
16093
|
-
# requester, and not the
|
16429
|
+
# <note markdown="1"> * **General purpose buckets** - If you're specifying a customer
|
16430
|
+
# managed KMS key, we recommend using a fully qualified KMS key ARN.
|
16431
|
+
# If you use a KMS key alias instead, then KMS resolves the key within
|
16432
|
+
# the requester’s account. This behavior can result in data that's
|
16433
|
+
# encrypted with a KMS key that belongs to the requester, and not the
|
16434
|
+
# bucket owner.
|
16435
|
+
#
|
16436
|
+
# * **Directory buckets** - When you specify an [KMS customer managed
|
16437
|
+
# key][1] for encryption in your directory bucket, only use the key ID
|
16438
|
+
# or key ARN. The key alias format of the KMS key isn't supported.
|
16094
16439
|
#
|
16095
16440
|
# </note>
|
16096
16441
|
#
|
16442
|
+
#
|
16443
|
+
#
|
16444
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
16445
|
+
#
|
16097
16446
|
# @!attribute [rw] apply_server_side_encryption_by_default
|
16098
16447
|
# Specifies the default server-side encryption to apply to new objects
|
16099
16448
|
# in the bucket. If a PUT Object request doesn't specify any
|
@@ -16105,14 +16454,31 @@ module Aws::S3
|
|
16105
16454
|
# server-side encryption using KMS (SSE-KMS) for new objects in the
|
16106
16455
|
# bucket. Existing objects are not affected. Setting the
|
16107
16456
|
# `BucketKeyEnabled` element to `true` causes Amazon S3 to use an S3
|
16108
|
-
# Bucket Key.
|
16457
|
+
# Bucket Key.
|
16109
16458
|
#
|
16110
|
-
#
|
16111
|
-
#
|
16459
|
+
# <note markdown="1"> * **General purpose buckets** - By default, S3 Bucket Key is not
|
16460
|
+
# enabled. For more information, see [Amazon S3 Bucket Keys][1] in
|
16461
|
+
# the *Amazon S3 User Guide*.
|
16462
|
+
#
|
16463
|
+
# * **Directory buckets** - S3 Bucket Keys are always enabled for
|
16464
|
+
# `GET` and `PUT` operations in a directory bucket and can’t be
|
16465
|
+
# disabled. S3 Bucket Keys aren't supported, when you copy SSE-KMS
|
16466
|
+
# encrypted objects from general purpose buckets to directory
|
16467
|
+
# buckets, from directory buckets to general purpose buckets, or
|
16468
|
+
# between directory buckets, through [CopyObject][2],
|
16469
|
+
# [UploadPartCopy][3], [the Copy operation in Batch Operations][4],
|
16470
|
+
# or [the import jobs][5]. In this case, Amazon S3 makes a call to
|
16471
|
+
# KMS every time a copy request is made for a KMS-encrypted object.
|
16472
|
+
#
|
16473
|
+
# </note>
|
16112
16474
|
#
|
16113
16475
|
#
|
16114
16476
|
#
|
16115
16477
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
|
16478
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
16479
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
16480
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
|
16481
|
+
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
|
16116
16482
|
# @return [Boolean]
|
16117
16483
|
#
|
16118
16484
|
# @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/ServerSideEncryptionRule AWS API Documentation
|
@@ -16127,8 +16493,8 @@ module Aws::S3
|
|
16127
16493
|
# The established temporary security credentials of the session.
|
16128
16494
|
#
|
16129
16495
|
# <note markdown="1"> **Directory buckets** - These session credentials are only supported
|
16130
|
-
# for the authentication and authorization of Zonal endpoint
|
16131
|
-
# directory buckets.
|
16496
|
+
# for the authentication and authorization of Zonal endpoint API
|
16497
|
+
# operations on directory buckets.
|
16132
16498
|
#
|
16133
16499
|
# </note>
|
16134
16500
|
#
|
@@ -16562,11 +16928,6 @@ module Aws::S3
|
|
16562
16928
|
# @!attribute [rw] server_side_encryption
|
16563
16929
|
# The server-side encryption algorithm used when you store this object
|
16564
16930
|
# in Amazon S3 (for example, `AES256`, `aws:kms`).
|
16565
|
-
#
|
16566
|
-
# <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
|
16567
|
-
# managed keys (SSE-S3) (`AES256`) is supported.
|
16568
|
-
#
|
16569
|
-
# </note>
|
16570
16931
|
# @return [String]
|
16571
16932
|
#
|
16572
16933
|
# @!attribute [rw] sse_customer_algorithm
|
@@ -16591,23 +16952,14 @@ module Aws::S3
|
|
16591
16952
|
# @return [String]
|
16592
16953
|
#
|
16593
16954
|
# @!attribute [rw] ssekms_key_id
|
16594
|
-
# If present, indicates the ID of the
|
16595
|
-
#
|
16596
|
-
# object.
|
16597
|
-
#
|
16598
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
16599
|
-
#
|
16600
|
-
# </note>
|
16955
|
+
# If present, indicates the ID of the KMS key that was used for object
|
16956
|
+
# encryption.
|
16601
16957
|
# @return [String]
|
16602
16958
|
#
|
16603
16959
|
# @!attribute [rw] bucket_key_enabled
|
16604
16960
|
# Indicates whether the multipart upload uses an S3 Bucket Key for
|
16605
16961
|
# server-side encryption with Key Management Service (KMS) keys
|
16606
16962
|
# (SSE-KMS).
|
16607
|
-
#
|
16608
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
16609
|
-
#
|
16610
|
-
# </note>
|
16611
16963
|
# @return [Boolean]
|
16612
16964
|
#
|
16613
16965
|
# @!attribute [rw] request_charged
|
@@ -16958,11 +17310,6 @@ module Aws::S3
|
|
16958
17310
|
# @!attribute [rw] server_side_encryption
|
16959
17311
|
# The server-side encryption algorithm used when you store this object
|
16960
17312
|
# in Amazon S3 (for example, `AES256`, `aws:kms`).
|
16961
|
-
#
|
16962
|
-
# <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
|
16963
|
-
# managed keys (SSE-S3) (`AES256`) is supported.
|
16964
|
-
#
|
16965
|
-
# </note>
|
16966
17313
|
# @return [String]
|
16967
17314
|
#
|
16968
17315
|
# @!attribute [rw] etag
|
@@ -17051,23 +17398,14 @@ module Aws::S3
|
|
17051
17398
|
# @return [String]
|
17052
17399
|
#
|
17053
17400
|
# @!attribute [rw] ssekms_key_id
|
17054
|
-
# If present, indicates the ID of the
|
17055
|
-
#
|
17056
|
-
# object.
|
17057
|
-
#
|
17058
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
17059
|
-
#
|
17060
|
-
# </note>
|
17401
|
+
# If present, indicates the ID of the KMS key that was used for object
|
17402
|
+
# encryption.
|
17061
17403
|
# @return [String]
|
17062
17404
|
#
|
17063
17405
|
# @!attribute [rw] bucket_key_enabled
|
17064
17406
|
# Indicates whether the multipart upload uses an S3 Bucket Key for
|
17065
17407
|
# server-side encryption with Key Management Service (KMS) keys
|
17066
17408
|
# (SSE-KMS).
|
17067
|
-
#
|
17068
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
17069
|
-
#
|
17070
|
-
# </note>
|
17071
17409
|
# @return [Boolean]
|
17072
17410
|
#
|
17073
17411
|
# @!attribute [rw] request_charged
|
@@ -17770,3 +18108,6 @@ module Aws::S3
|
|
17770
18108
|
|
17771
18109
|
end
|
17772
18110
|
end
|
18111
|
+
|
18112
|
+
require "aws-sdk-s3/customizations/types/list_object_versions_output"
|
18113
|
+
require "aws-sdk-s3/customizations/types/permanent_redirect"
|