aws-sdk-s3 1.160.0 → 1.164.0

@@ -172,13 +172,15 @@ module Aws::S3
172
172
  # locations will be searched for credentials:
173
173
  #
174
174
  # * `Aws.config[:credentials]`
175
- # * The `:access_key_id`, `:secret_access_key`, and `:session_token` options.
176
- # * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
175
+ # * The `:access_key_id`, `:secret_access_key`, `:session_token`, and
176
+ # `:account_id` options.
177
+ # * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY'],
178
+ # ENV['AWS_SESSION_TOKEN'], and ENV['AWS_ACCOUNT_ID']
177
179
  # * `~/.aws/credentials`
178
180
  # * `~/.aws/config`
179
181
  # * EC2/ECS IMDS instance profile - When used by default, the timeouts
180
182
  # are very aggressive. Construct and pass an instance of
181
- # `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
183
+ # `Aws::InstanceProfileCredentials` or `Aws::ECSCredentials` to
182
184
  # enable retries and extended timeouts. Instance profile credential
183
185
  # fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED']
184
186
  # to true.
@@ -207,6 +209,8 @@ module Aws::S3
207
209
  #
208
210
  # @option options [String] :access_key_id
209
211
  #
212
+ # @option options [String] :account_id
213
+ #
210
214
  # @option options [Boolean] :active_endpoint_cache (false)
211
215
  # When set to `true`, a thread polling for endpoints will be running in
212
216
  # the background every 60 secs (default). Defaults to `false`.
@@ -476,7 +480,9 @@ module Aws::S3
476
480
  # sending the request.
477
481
  #
478
482
  # @option options [Aws::S3::EndpointProvider] :endpoint_provider
479
- # The endpoint provider used to resolve endpoints. Any object that responds to `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to `Aws::S3::EndpointParameters`
483
+ # The endpoint provider used to resolve endpoints. Any object that responds to
484
+ # `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to
485
+ # `Aws::S3::EndpointParameters`.
480
486
  #
481
487
  # @option options [Float] :http_continue_timeout (1)
482
488
  # The number of seconds to wait for a 100-continue response before sending the
@@ -532,6 +538,12 @@ module Aws::S3
532
538
  # @option options [String] :ssl_ca_store
533
539
  # Sets the X509::Store to verify peer certificate.
534
540
  #
541
+ # @option options [OpenSSL::X509::Certificate] :ssl_cert
542
+ # Sets a client certificate when creating http connections.
543
+ #
544
+ # @option options [OpenSSL::PKey] :ssl_key
545
+ # Sets a client key when creating http connections.
546
+ #
535
547
  # @option options [Float] :ssl_timeout
536
548
  # Sets the SSL timeout in seconds
537
549
  #
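Review bot: The `:ssl_key` tag at new line 544 is typed `[OpenSSL::PKey]`, but `OpenSSL::PKey` is a namespace module rather than a class, so the tag should name the base class: `# @option options [OpenSSL::PKey::PKey] :ssl_key`. The two descriptions also do not say that this is the private key belonging to `:ssl_cert`, or that the pair is presumably needed together for client-certificate (mutual TLS) authentication; `# Sets the private key matching :ssl_cert; supply both to present a client certificate.` would cover it. Because the value is private key material, a sentence advising callers to load it from a protected file or secret store rather than embedding it in source would fit here. Only the option documentation is visible in this hunk, so how the two options are applied to the connection cannot be confirmed from the page.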
@@ -794,9 +806,15 @@ module Aws::S3
794
806
  # [Multipart Upload and Permissions][6] in the *Amazon S3 User
795
807
  # Guide*.
796
808
  #
809
+ # If you provide an [additional checksum value][7] in your
810
+ # `MultipartUpload` requests and the object is encrypted with Key
811
+ # Management Service, you must have permission to use the
812
+ # `kms:Decrypt` action for the `CompleteMultipartUpload` request to
813
+ # succeed.
814
+ #
797
815
  # * **Directory bucket permissions** - To grant access to this API
798
816
  # operation on a directory bucket, we recommend that you use the [
799
- # `CreateSession` ][7] API operation for session-based
817
+ # `CreateSession` ][8] API operation for session-based
800
818
  # authorization. Specifically, you grant the
801
819
  # `s3express:CreateSession` permission to the directory bucket in a
802
820
  # bucket policy or an IAM identity-based policy. Then, you make the
@@ -807,13 +825,11 @@ module Aws::S3
807
825
  # token for use. Amazon Web Services CLI or SDKs create session and
808
826
  # refresh the session token automatically to avoid service
809
827
  # interruptions when a session expires. For more information about
810
- # authorization, see [ `CreateSession` ][7].
828
+ # authorization, see [ `CreateSession` ][8].
811
829
  #
812
- # * If you provide an [additional checksum value][8] in your
813
- # `MultipartUpload` requests and the object is encrypted with Key
814
- # Management Service, you must have permission to use the
815
- # `kms:Decrypt` action for the `CompleteMultipartUpload` request to
816
- # succeed.
830
+ # If the object is encrypted with SSE-KMS, you must also have the
831
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
832
+ # identity-based policies and KMS key policies for the KMS key.
817
833
  #
818
834
  # Special errors
819
835
  # : * Error Code: `EntityTooSmall`
@@ -872,8 +888,8 @@ module Aws::S3
872
888
  # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
873
889
  # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
874
890
  # [6]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html
875
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
876
- # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
891
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
892
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
877
893
  # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
878
894
  # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
879
895
  # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
@@ -1259,6 +1275,10 @@ module Aws::S3
1259
1275
  # destination. The `s3express:SessionMode` condition key can't be
1260
1276
  # set to `ReadOnly` on the copy destination bucket.
1261
1277
  #
1278
+ # If the object is encrypted with SSE-KMS, you must also have the
1279
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
1280
+ # identity-based policies and KMS key policies for the KMS key.
1281
+ #
1262
1282
  # For example policies, see [Example bucket policies for S3 Express
1263
1283
  # One Zone][6] and [Amazon Web Services Identity and Access
1264
1284
  # Management (IAM) identity-based policies for S3 Express One
@@ -1705,9 +1725,8 @@ module Aws::S3
1705
1725
  #
1706
1726
  # @option params [String] :server_side_encryption
1707
1727
  # The server-side encryption algorithm used when storing this object in
1708
- # Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
1709
- # Unrecognized or unsupported values won’t write a destination object
1710
- # and will receive a `400 Bad Request` response.
1728
+ # Amazon S3. Unrecognized or unsupported values won’t write a
1729
+ # destination object and will receive a `400 Bad Request` response.
1711
1730
  #
1712
1731
  # Amazon S3 automatically encrypts all new objects that are copied to an
1713
1732
  # S3 bucket. When copying an object, if you don't specify encryption
@@ -1715,35 +1734,72 @@ module Aws::S3
1715
1734
  # object is set to the default encryption configuration of the
1716
1735
  # destination bucket. By default, all buckets have a base level of
1717
1736
  # encryption configuration that uses server-side encryption with Amazon
1718
- # S3 managed keys (SSE-S3). If the destination bucket has a default
1719
- # encryption configuration that uses server-side encryption with Key
1720
- # Management Service (KMS) keys (SSE-KMS), dual-layer server-side
1721
- # encryption with Amazon Web Services KMS keys (DSSE-KMS), or
1722
- # server-side encryption with customer-provided encryption keys (SSE-C),
1723
- # Amazon S3 uses the corresponding KMS key, or a customer-provided key
1724
- # to encrypt the target object copy.
1725
- #
1726
- # When you perform a `CopyObject` operation, if you want to use a
1727
- # different type of encryption setting for the target object, you can
1728
- # specify appropriate encryption-related headers to encrypt the target
1729
- # object with an Amazon S3 managed key, a KMS key, or a
1730
- # customer-provided key. If the encryption setting in your request is
1731
- # different from the default encryption configuration of the destination
1732
- # bucket, the encryption setting in your request takes precedence.
1737
+ # S3 managed keys (SSE-S3). If the destination bucket has a different
1738
+ # default encryption configuration, Amazon S3 uses the corresponding
1739
+ # encryption key to encrypt the target object copy.
1733
1740
  #
1734
1741
  # With server-side encryption, Amazon S3 encrypts your data as it writes
1735
1742
  # your data to disks in its data centers and decrypts the data when you
1736
1743
  # access it. For more information about server-side encryption, see
1737
1744
  # [Using Server-Side Encryption][1] in the *Amazon S3 User Guide*.
1738
1745
  #
1739
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
1740
- # managed keys (SSE-S3) (`AES256`) is supported.
1741
- #
1742
- # </note>
1746
+ # <b>General purpose buckets </b>
1747
+ #
1748
+ # * For general purpose buckets, there are the following supported
1749
+ # options for server-side encryption: server-side encryption with Key
1750
+ # Management Service (KMS) keys (SSE-KMS), dual-layer server-side
1751
+ # encryption with Amazon Web Services KMS keys (DSSE-KMS), and
1752
+ # server-side encryption with customer-provided encryption keys
1753
+ # (SSE-C). Amazon S3 uses the corresponding KMS key, or a
1754
+ # customer-provided key to encrypt the target object copy.
1755
+ #
1756
+ # * When you perform a `CopyObject` operation, if you want to use a
1757
+ # different type of encryption setting for the target object, you can
1758
+ # specify appropriate encryption-related headers to encrypt the target
1759
+ # object with an Amazon S3 managed key, a KMS key, or a
1760
+ # customer-provided key. If the encryption setting in your request is
1761
+ # different from the default encryption configuration of the
1762
+ # destination bucket, the encryption setting in your request takes
1763
+ # precedence.
1764
+ #
1765
+ # <b>Directory buckets </b>
1766
+ #
1767
+ # * For directory buckets, there are only two supported options for
1768
+ # server-side encryption: server-side encryption with Amazon S3
1769
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
1770
+ # keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's default
1771
+ # encryption uses the desired encryption configuration and you don't
1772
+ # override the bucket default encryption in your `CreateSession`
1773
+ # requests or `PUT` object requests. Then, new objects are
1774
+ # automatically encrypted with the desired encryption settings. For
1775
+ # more information, see [Protecting data with server-side
1776
+ # encryption][2] in the *Amazon S3 User Guide*. For more information
1777
+ # about the encryption overriding behaviors in directory buckets, see
1778
+ # [Specifying server-side encryption with KMS for new object
1779
+ # uploads][3].
1780
+ #
1781
+ # * To encrypt new object copies to a directory bucket with SSE-KMS, we
1782
+ # recommend you specify SSE-KMS as the directory bucket's default
1783
+ # encryption configuration with a KMS key (specifically, a [customer
1784
+ # managed key][4]). [Amazon Web Services managed key][5] (`aws/s3`)
1785
+ # isn't supported. Your SSE-KMS configuration can only support 1
1786
+ # [customer managed key][4] per directory bucket for the lifetime of
1787
+ # the bucket. After you specify a customer managed key for SSE-KMS,
1788
+ # you can't override the customer managed key for the bucket's
1789
+ # SSE-KMS configuration. Then, when you perform a `CopyObject`
1790
+ # operation and want to specify server-side encryption settings for
1791
+ # new object copies with SSE-KMS in the encryption-related request
1792
+ # headers, you must ensure the encryption key is the same customer
1793
+ # managed key that you specified for the directory bucket's default
1794
+ # encryption configuration.
1743
1795
  #
1744
1796
  #
1745
1797
  #
1746
1798
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
1799
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
1800
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
1801
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
1802
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1747
1803
  #
1748
1804
  # @option params [String] :storage_class
1749
1805
  # If the `x-amz-storage-class` header is not used, the copied object
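Review bot: The first "General purpose buckets" bullet (new lines 1748-1754) lists only SSE-KMS, DSSE-KMS and SSE-C as "the following supported options", leaving out SSE-S3. That conflicts with the paragraph above, which names SSE-S3 as the base level, and with the second bullet, which still mentions encrypting with an Amazon S3 managed key. The previous hunk also drops the `AES256`, `aws:kms`, `aws:kms:dsse` examples from the opening sentence, so a reader no longer sees which `:server_side_encryption` values a general purpose bucket accepts, while the directory-bucket bullet spells its values out. I would name SSE-S3 in the list and put the values back next to each option, for example `# options for server-side encryption: SSE-S3 (AES256), SSE-KMS (aws:kms),` followed by `# DSSE-KMS (aws:kms:dsse), and SSE-C.`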
@@ -1840,33 +1896,51 @@ module Aws::S3
1840
1896
  # </note>
1841
1897
  #
1842
1898
  # @option params [String] :ssekms_key_id
1843
- # Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for object
1844
- # encryption. All GET and PUT requests for an object protected by KMS
1845
- # will fail if they're not made via SSL or using SigV4. For information
1846
- # about configuring any of the officially supported Amazon Web Services
1847
- # SDKs and Amazon Web Services CLI, see [Specifying the Signature
1848
- # Version in Request Authentication][1] in the *Amazon S3 User Guide*.
1849
- #
1850
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1851
- # directory bucket.
1899
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
1900
+ # object encryption. All GET and PUT requests for an object protected by
1901
+ # KMS will fail if they're not made via SSL or using SigV4. For
1902
+ # information about configuring any of the officially supported Amazon
1903
+ # Web Services SDKs and Amazon Web Services CLI, see [Specifying the
1904
+ # Signature Version in Request Authentication][1] in the *Amazon S3 User
1905
+ # Guide*.
1852
1906
  #
1853
- # </note>
1907
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
1908
+ # with `aws:kms`, you must specify the `
1909
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
1910
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
1911
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
1912
+ # key ID or key ARN. The key alias format of the KMS key isn't
1913
+ # supported. Your SSE-KMS configuration can only support 1 [customer
1914
+ # managed key][2] per directory bucket for the lifetime of the bucket.
1915
+ # [Amazon Web Services managed key][3] (`aws/s3`) isn't supported.
1854
1916
  #
1855
1917
  #
1856
1918
  #
1857
1919
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
1920
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
1921
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1858
1922
  #
1859
1923
  # @option params [String] :ssekms_encryption_context
1860
- # Specifies the Amazon Web Services KMS Encryption Context to use for
1861
- # object encryption. The value of this header is a base64-encoded UTF-8
1862
- # string holding JSON with the encryption context key-value pairs. This
1863
- # value must be explicitly added to specify encryption context for
1864
- # `CopyObject` requests.
1924
+ # Specifies the Amazon Web Services KMS Encryption Context as an
1925
+ # additional encryption context to use for the destination object
1926
+ # encryption. The value of this header is a base64-encoded UTF-8 string
1927
+ # holding JSON with the encryption context key-value pairs.
1865
1928
  #
1866
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1867
- # directory bucket.
1929
+ # **General purpose buckets** - This value must be explicitly added to
1930
+ # specify encryption context for `CopyObject` requests if you want an
1931
+ # additional encryption context for your destination object. The
1932
+ # additional encryption context of the source object won't be copied to
1933
+ # the destination object. For more information, see [Encryption
1934
+ # context][1] in the *Amazon S3 User Guide*.
1935
+ #
1936
+ # **Directory buckets** - You can optionally provide an explicit
1937
+ # encryption context value. The value must match the default encryption
1938
+ # context - the bucket Amazon Resource Name (ARN). An additional
1939
+ # encryption context value is not supported.
1868
1940
  #
1869
- # </note>
1941
+ #
1942
+ #
1943
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
1870
1944
  #
1871
1945
  # @option params [Boolean] :bucket_key_enabled
1872
1946
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
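Review bot: The inline code span for the key-id header is split across comment lines at new lines 1908-1909: the backtick opens at the end of one line and the header name starts on the next, so the rendered name carries a leading space. Moving the opening backtick down keeps the span intact, so the second line reads ``# `x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key`` and the first ends at `you must specify the`. The same split appears in the later `:ssekms_key_id` hunk at new lines 3277-3278. Readers copy this header name verbatim into requests, where a stray space would not match.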
@@ -1881,14 +1955,19 @@ module Aws::S3
1881
1955
  # For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon S3
1882
1956
  # User Guide*.
1883
1957
  #
1884
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1885
- # directory bucket.
1958
+ # <note markdown="1"> **Directory buckets** - S3 Bucket Keys aren't supported, when you
1959
+ # copy SSE-KMS encrypted objects from general purpose buckets to
1960
+ # directory buckets, from directory buckets to general purpose buckets,
1961
+ # or between directory buckets, through [CopyObject][2]. In this case,
1962
+ # Amazon S3 makes a call to KMS every time a copy request is made for a
1963
+ # KMS-encrypted object.
1886
1964
  #
1887
1965
  # </note>
1888
1966
  #
1889
1967
  #
1890
1968
  #
1891
1969
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
1970
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
1892
1971
  #
1893
1972
  # @option params [String] :copy_source_sse_customer_algorithm
1894
1973
  # Specifies the algorithm to use when decrypting the source object (for
@@ -2630,9 +2709,53 @@ module Aws::S3
2630
2709
  # using server-side encryption with customer-provided encryption
2631
2710
  # keys (SSE-C)][11] in the *Amazon S3 User Guide*.
2632
2711
  #
2633
- # * **Directory buckets** -For directory buckets, only server-side
2634
- # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is
2635
- # supported.
2712
+ # * **Directory buckets** - For directory buckets, there are only two
2713
+ # supported options for server-side encryption: server-side
2714
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
2715
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
2716
+ # recommend that the bucket's default encryption uses the desired
2717
+ # encryption configuration and you don't override the bucket
2718
+ # default encryption in your `CreateSession` requests or `PUT`
2719
+ # object requests. Then, new objects are automatically encrypted
2720
+ # with the desired encryption settings. For more information, see
2721
+ # [Protecting data with server-side encryption][12] in the *Amazon
2722
+ # S3 User Guide*. For more information about the encryption
2723
+ # overriding behaviors in directory buckets, see [Specifying
2724
+ # server-side encryption with KMS for new object uploads][13].
2725
+ #
2726
+ # In the Zonal endpoint API calls (except [CopyObject][14] and
2727
+ # [UploadPartCopy][9]) using the REST API, the encryption request
2728
+ # headers must match the encryption settings that are specified in
2729
+ # the `CreateSession` request. You can't override the values of the
2730
+ # encryption settings (`x-amz-server-side-encryption`,
2731
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
2732
+ # `x-amz-server-side-encryption-context`, and
2733
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
2734
+ # specified in the `CreateSession` request. You don't need to
2735
+ # explicitly specify these encryption settings values in Zonal
2736
+ # endpoint API calls, and Amazon S3 will use the encryption settings
2737
+ # values from the `CreateSession` request to protect new objects in
2738
+ # the directory bucket.
2739
+ #
2740
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
2741
+ # `CreateSession`, the session token refreshes automatically to
2742
+ # avoid service interruptions when a session expires. The CLI or the
2743
+ # Amazon Web Services SDKs use the bucket's default encryption
2744
+ # configuration for the `CreateSession` request. It's not supported
2745
+ # to override the encryption settings values in the `CreateSession`
2746
+ # request. So in the Zonal endpoint API calls (except
2747
+ # [CopyObject][14] and [UploadPartCopy][9]), the encryption request
2748
+ # headers must match the default encryption configuration of the
2749
+ # directory bucket.
2750
+ #
2751
+ # </note>
2752
+ #
2753
+ # <note markdown="1"> For directory buckets, when you perform a `CreateMultipartUpload`
2754
+ # operation and an `UploadPartCopy` operation, the request headers
2755
+ # you provide in the `CreateMultipartUpload` request must match the
2756
+ # default encryption configuration of the destination bucket.
2757
+ #
2758
+ # </note>
2636
2759
  #
2637
2760
  # HTTP Host header syntax
2638
2761
  #
@@ -2643,13 +2766,13 @@ module Aws::S3
2643
2766
  #
2644
2767
  # * [UploadPart][1]
2645
2768
  #
2646
- # * [CompleteMultipartUpload][12]
2769
+ # * [CompleteMultipartUpload][15]
2647
2770
  #
2648
- # * [AbortMultipartUpload][13]
2771
+ # * [AbortMultipartUpload][16]
2649
2772
  #
2650
- # * [ListParts][14]
2773
+ # * [ListParts][17]
2651
2774
  #
2652
- # * [ListMultipartUploads][15]
2775
+ # * [ListMultipartUploads][18]
2653
2776
  #
2654
2777
  #
2655
2778
  #
@@ -2664,10 +2787,13 @@ module Aws::S3
2664
2787
  # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
2665
2788
  # [10]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
2666
2789
  # [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
2667
- # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
2668
- # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
2669
- # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
2670
- # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
2790
+ # [12]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
2791
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
2792
+ # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
2793
+ # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
2794
+ # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
2795
+ # [17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
2796
+ # [18]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
2671
2797
  #
2672
2798
  # @option params [String] :acl
2673
2799
  # The canned ACL to apply to the object. Amazon S3 supports a set of
@@ -3030,10 +3156,52 @@ module Aws::S3
3030
3156
  # The server-side encryption algorithm used when you store this object
3031
3157
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
3032
3158
  #
3033
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
3034
- # managed keys (SSE-S3) (`AES256`) is supported.
3159
+ # * <b>Directory buckets </b> - For directory buckets, there are only
3160
+ # two supported options for server-side encryption: server-side
3161
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
3162
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
3163
+ # recommend that the bucket's default encryption uses the desired
3164
+ # encryption configuration and you don't override the bucket default
3165
+ # encryption in your `CreateSession` requests or `PUT` object
3166
+ # requests. Then, new objects are automatically encrypted with the
3167
+ # desired encryption settings. For more information, see [Protecting
3168
+ # data with server-side encryption][1] in the *Amazon S3 User Guide*.
3169
+ # For more information about the encryption overriding behaviors in
3170
+ # directory buckets, see [Specifying server-side encryption with KMS
3171
+ # for new object uploads][2].
3172
+ #
3173
+ # In the Zonal endpoint API calls (except [CopyObject][3] and
3174
+ # [UploadPartCopy][4]) using the REST API, the encryption request
3175
+ # headers must match the encryption settings that are specified in the
3176
+ # `CreateSession` request. You can't override the values of the
3177
+ # encryption settings (`x-amz-server-side-encryption`,
3178
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
3179
+ # `x-amz-server-side-encryption-context`, and
3180
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
3181
+ # specified in the `CreateSession` request. You don't need to
3182
+ # explicitly specify these encryption settings values in Zonal
3183
+ # endpoint API calls, and Amazon S3 will use the encryption settings
3184
+ # values from the `CreateSession` request to protect new objects in
3185
+ # the directory bucket.
3186
+ #
3187
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
3188
+ # `CreateSession`, the session token refreshes automatically to avoid
3189
+ # service interruptions when a session expires. The CLI or the Amazon
3190
+ # Web Services SDKs use the bucket's default encryption configuration
3191
+ # for the `CreateSession` request. It's not supported to override the
3192
+ # encryption settings values in the `CreateSession` request. So in the
3193
+ # Zonal endpoint API calls (except [CopyObject][3] and
3194
+ # [UploadPartCopy][4]), the encryption request headers must match the
3195
+ # default encryption configuration of the directory bucket.
3196
+ #
3197
+ # </note>
3035
3198
  #
3036
- # </note>
3199
+ #
3200
+ #
3201
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3202
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
3203
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3204
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3037
3205
  #
3038
3206
  # @option params [String] :storage_class
3039
3207
  # By default, Amazon S3 uses the STANDARD Storage Class to store newly
@@ -3092,34 +3260,71 @@ module Aws::S3
3092
3260
  # </note>
3093
3261
  #
3094
3262
  # @option params [String] :ssekms_key_id
3095
- # Specifies the ID (Key ID, Key ARN, or Key Alias) of the symmetric
3096
- # encryption customer managed key to use for object encryption.
3097
- #
3098
- # <note markdown="1"> This functionality is not supported for directory buckets.
3099
- #
3100
- # </note>
3263
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
3264
+ # object encryption. If the KMS key doesn't exist in the same account
3265
+ # that's issuing the command, you must use the full Key ARN not the Key
3266
+ # ID.
3267
+ #
3268
+ # **General purpose buckets** - If you specify
3269
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
3270
+ # header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
3271
+ # to use. If you specify `x-amz-server-side-encryption:aws:kms` or
3272
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
3273
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
3274
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
3275
+ #
3276
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
3277
+ # with `aws:kms`, you must specify the `
3278
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
3279
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
3280
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
3281
+ # key ID or key ARN. The key alias format of the KMS key isn't
3282
+ # supported. Your SSE-KMS configuration can only support 1 [customer
3283
+ # managed key][1] per directory bucket for the lifetime of the bucket.
3284
+ # [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
3285
+ #
3286
+ #
3287
+ #
3288
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3289
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3101
3290
  #
3102
3291
  # @option params [String] :ssekms_encryption_context
3103
3292
  # Specifies the Amazon Web Services KMS Encryption Context to use for
3104
- # object encryption. The value of this header is a base64-encoded UTF-8
3105
- # string holding JSON with the encryption context key-value pairs.
3293
+ # object encryption. The value of this header is a Base64-encoded string
3294
+ # of a UTF-8 encoded JSON, which contains the encryption context as
3295
+ # key-value pairs.
3106
3296
  #
3107
- # <note markdown="1"> This functionality is not supported for directory buckets.
3108
- #
3109
- # </note>
3297
+ # **Directory buckets** - You can optionally provide an explicit
3298
+ # encryption context value. The value must match the default encryption
3299
+ # context - the bucket Amazon Resource Name (ARN). An additional
3300
+ # encryption context value is not supported.
3110
3301
  #
3111
3302
  # @option params [Boolean] :bucket_key_enabled
3112
3303
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
3113
3304
  # encryption with server-side encryption using Key Management Service
3114
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
3115
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
3305
+ # (KMS) keys (SSE-KMS).
3116
3306
  #
3117
- # Specifying this header with an object action doesn’t affect
3307
+ # **General purpose buckets** - Setting this header to `true` causes
3308
+ # Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
3309
+ # Also, specifying this header with a PUT action doesn't affect
3118
3310
  # bucket-level settings for S3 Bucket Key.
3119
3311
  #
3120
- # <note markdown="1"> This functionality is not supported for directory buckets.
3312
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
3313
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
3314
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
3315
+ # from general purpose buckets to directory buckets, from directory
3316
+ # buckets to general purpose buckets, or between directory buckets,
3317
+ # through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
3318
+ # Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
3319
+ # makes a call to KMS every time a copy request is made for a
3320
+ # KMS-encrypted object.
3121
3321
  #
3122
- # </note>
3322
+ #
3323
+ #
3324
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3325
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3326
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
3327
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
3123
3328
  #
3124
3329
  # @option params [String] :request_payer
3125
3330
  # Confirms that the requester knows that they will be charged for the
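Review bot: Reference links `[3]` and `[4]` added at new lines 3326-3327 end in `directory-buckets-objects-Batch-Ops` and `create-import-job` with no `.html` suffix, unlike every other docs.aws.amazon.com reference in this diff, so they may not resolve. If the targets follow the same pattern as links `[1]` and `[2]` just above, each needs `.html` appended; this should be checked against the live pages before changing. The `:bucket_key_enabled` text that cites them is the only place that describes a KMS call being made on every copy request, so a dead link removes the supporting detail for that statement.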
@@ -3280,9 +3485,10 @@ module Aws::S3
3280
3485
 
3281
3486
  # Creates a session that establishes temporary security credentials to
3282
3487
  # support fast authentication and authorization for the Zonal endpoint
3283
- # APIs on directory buckets. For more information about Zonal endpoint
3284
- # APIs that include the Availability Zone in the request endpoint, see
3285
- # [S3 Express One Zone APIs][1] in the *Amazon S3 User Guide*.
3488
+ # API operations on directory buckets. For more information about Zonal
3489
+ # endpoint API operations that include the Availability Zone in the
3490
+ # request endpoint, see [S3 Express One Zone APIs][1] in the *Amazon S3
3491
+ # User Guide*.
3286
3492
  #
3287
3493
  # To make Zonal endpoint API requests on a directory bucket, use the
3288
3494
  # `CreateSession` API operation. Specifically, you grant
@@ -3291,13 +3497,13 @@ module Aws::S3
3291
3497
  # the `CreateSession` API request on the bucket, which returns temporary
3292
3498
  # security credentials that include the access key ID, secret access
3293
3499
  # key, session token, and expiration. These credentials have associated
3294
- # permissions to access the Zonal endpoint APIs. After the session is
3295
- # created, you don’t need to use other policies to grant permissions to
3296
- # each Zonal endpoint API individually. Instead, in your Zonal endpoint
3297
- # API requests, you sign your requests by applying the temporary
3298
- # security credentials of the session to the request headers and
3299
- # following the SigV4 protocol for authentication. You also apply the
3300
- # session token to the `x-amz-s3session-token` request header for
3500
+ # permissions to access the Zonal endpoint API operations. After the
3501
+ # session is created, you don’t need to use other policies to grant
3502
+ # permissions to each Zonal endpoint API individually. Instead, in your
3503
+ # Zonal endpoint API requests, you sign your requests by applying the
3504
+ # temporary security credentials of the session to the request headers
3505
+ # and following the SigV4 protocol for authentication. You also apply
3506
+ # the session token to the `x-amz-s3session-token` request header for
3301
3507
  # authorization. Temporary security credentials are scoped to the bucket
3302
3508
  # and expire after 5 minutes. After the expiration time, any calls that
3303
3509
  # you make with those credentials will fail. You must use IAM
@@ -3320,16 +3526,16 @@ module Aws::S3
3320
3526
  # [Regional and Zonal endpoints][3] in the *Amazon S3 User Guide*.
3321
3527
  #
3322
3528
  # * <b> <code>CopyObject</code> API operation</b> - Unlike other Zonal
3323
- # endpoint APIs, the `CopyObject` API operation doesn't use the
3324
- # temporary security credentials returned from the `CreateSession` API
3325
- # operation for authentication and authorization. For information
3529
+ # endpoint API operations, the `CopyObject` API operation doesn't use
3530
+ # the temporary security credentials returned from the `CreateSession`
3531
+ # API operation for authentication and authorization. For information
3326
3532
  # about authentication and authorization of the `CopyObject` API
3327
3533
  # operation on directory buckets, see [CopyObject][4].
3328
3534
  #
3329
3535
  # * <b> <code>HeadBucket</code> API operation</b> - Unlike other Zonal
3330
- # endpoint APIs, the `HeadBucket` API operation doesn't use the
3331
- # temporary security credentials returned from the `CreateSession` API
3332
- # operation for authentication and authorization. For information
3536
+ # endpoint API operations, the `HeadBucket` API operation doesn't use
3537
+ # the temporary security credentials returned from the `CreateSession`
3538
+ # API operation for authentication and authorization. For information
3333
3539
  # about authentication and authorization of the `HeadBucket` API
3334
3540
  # operation on directory buckets, see [HeadBucket][5].
3335
3541
  #
@@ -3348,9 +3554,71 @@ module Aws::S3
3348
3554
  # Identity and Access Management (IAM) identity-based policies for S3
3349
3555
  # Express One Zone][8] in the *Amazon S3 User Guide*.
3350
3556
  #
3351
- # To grant cross-account access to Zonal endpoint APIs, the bucket
3352
- # policy should also grant both accounts the `s3express:CreateSession`
3353
- # permission.
3557
+ # To grant cross-account access to Zonal endpoint API operations, the
3558
+ # bucket policy should also grant both accounts the
3559
+ # `s3express:CreateSession` permission.
3560
+ #
3561
+ # If you want to encrypt objects with SSE-KMS, you must also have the
3562
+ # `kms:GenerateDataKey` and the `kms:Decrypt` permissions in IAM
3563
+ # identity-based policies and KMS key policies for the target KMS key.
3564
+ #
3565
+ # Encryption
3566
+ #
3567
+ # : For directory buckets, there are only two supported options for
3568
+ # server-side encryption: server-side encryption with Amazon S3
3569
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
3570
+ # keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's default
3571
+ # encryption uses the desired encryption configuration and you don't
3572
+ # override the bucket default encryption in your `CreateSession`
3573
+ # requests or `PUT` object requests. Then, new objects are
3574
+ # automatically encrypted with the desired encryption settings. For
3575
+ # more information, see [Protecting data with server-side
3576
+ # encryption][9] in the *Amazon S3 User Guide*. For more information
3577
+ # about the encryption overriding behaviors in directory buckets, see
3578
+ # [Specifying server-side encryption with KMS for new object
3579
+ # uploads][10].
3580
+ #
3581
+ # For [Zonal endpoint (object-level) API operations][11] except
3582
+ # [CopyObject][4] and [UploadPartCopy][12], you authenticate and
3583
+ # authorize requests through [CreateSession][13] for low latency. To
3584
+ # encrypt new objects in a directory bucket with SSE-KMS, you must
3585
+ # specify SSE-KMS as the directory bucket's default encryption
3586
+ # configuration with a KMS key (specifically, a [customer managed
3587
+ # key][14]). Then, when a session is created for Zonal endpoint API
3588
+ # operations, new objects are automatically encrypted and decrypted
3589
+ # with SSE-KMS and S3 Bucket Keys during the session.
3590
+ #
3591
+ # <note markdown="1"> Only 1 [customer managed key][14] is supported per directory bucket
3592
+ # for the lifetime of the bucket. [Amazon Web Services managed
3593
+ # key][15] (`aws/s3`) isn't supported. After you specify SSE-KMS as
3594
+ # your bucket's default encryption configuration with a customer
3595
+ # managed key, you can't change the customer managed key for the
3596
+ # bucket's SSE-KMS configuration.
3597
+ #
3598
+ # </note>
3599
+ #
3600
+ # In the Zonal endpoint API calls (except [CopyObject][4] and
3601
+ # [UploadPartCopy][12]) using the REST API, you can't override the
3602
+ # values of the encryption settings (`x-amz-server-side-encryption`,
3603
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
3604
+ # `x-amz-server-side-encryption-context`, and
3605
+ # `x-amz-server-side-encryption-bucket-key-enabled`) from the
3606
+ # `CreateSession` request. You don't need to explicitly specify these
3607
+ # encryption settings values in Zonal endpoint API calls, and Amazon
3608
+ # S3 will use the encryption settings values from the `CreateSession`
3609
+ # request to protect new objects in the directory bucket.
3610
+ #
3611
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
3612
+ # `CreateSession`, the session token refreshes automatically to avoid
3613
+ # service interruptions when a session expires. The CLI or the Amazon
3614
+ # Web Services SDKs use the bucket's default encryption configuration
3615
+ # for the `CreateSession` request. It's not supported to override the
3616
+ # encryption settings values in the `CreateSession` request. Also, in
3617
+ # the Zonal endpoint API calls (except [CopyObject][4] and
3618
+ # [UploadPartCopy][12]), it's not supported to override the values of
3619
+ # the encryption settings from the `CreateSession` request.
3620
+ #
3621
+ # </note>
3354
3622
  #
3355
3623
  # HTTP Host header syntax
3356
3624
  #
@@ -3367,21 +3635,110 @@ module Aws::S3
3367
3635
  # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html#API_CreateSession_RequestParameters
3368
3636
  # [7]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html
3369
3637
  # [8]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html
3638
+ # [9]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3639
+ # [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
3640
+ # [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-differences.html#s3-express-differences-api-operations
3641
+ # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3642
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
3643
+ # [14]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3644
+ # [15]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3370
3645
  #
3371
3646
  # @option params [String] :session_mode
3372
3647
  # Specifies the mode of the session that will be created, either
3373
3648
  # `ReadWrite` or `ReadOnly`. By default, a `ReadWrite` session is
3374
3649
  # created. A `ReadWrite` session is capable of executing all the Zonal
3375
- # endpoint APIs on a directory bucket. A `ReadOnly` session is
3376
- # constrained to execute the following Zonal endpoint APIs: `GetObject`,
3377
- # `HeadObject`, `ListObjectsV2`, `GetObjectAttributes`, `ListParts`, and
3378
- # `ListMultipartUploads`.
3650
+ # endpoint API operations on a directory bucket. A `ReadOnly` session is
3651
+ # constrained to execute the following Zonal endpoint API operations:
3652
+ # `GetObject`, `HeadObject`, `ListObjectsV2`, `GetObjectAttributes`,
3653
+ # `ListParts`, and `ListMultipartUploads`.
3379
3654
  #
3380
3655
  # @option params [required, String] :bucket
3381
3656
  # The name of the bucket that you create a session for.
3382
3657
  #
3658
+ # @option params [String] :server_side_encryption
3659
+ # The server-side encryption algorithm to use when you store objects in
3660
+ # the directory bucket.
3661
+ #
3662
+ # For directory buckets, there are only two supported options for
3663
+ # server-side encryption: server-side encryption with Amazon S3 managed
3664
+ # keys (SSE-S3) (`AES256`) and server-side encryption with KMS keys
3665
+ # (SSE-KMS) (`aws:kms`). By default, Amazon S3 encrypts data with
3666
+ # SSE-S3. For more information, see [Protecting data with server-side
3667
+ # encryption][1] in the *Amazon S3 User Guide*.
3668
+ #
3669
+ #
3670
+ #
3671
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3672
+ #
3673
+ # @option params [String] :ssekms_key_id
3674
+ # If you specify `x-amz-server-side-encryption` with `aws:kms`, you must
3675
+ # specify the ` x-amz-server-side-encryption-aws-kms-key-id` header with
3676
+ # the ID (Key ID or Key ARN) of the KMS symmetric encryption customer
3677
+ # managed key to use. Otherwise, you get an HTTP `400 Bad Request`
3678
+ # error. Only use the key ID or key ARN. The key alias format of the KMS
3679
+ # key isn't supported. Also, if the KMS key doesn't exist in the same
3680
+ # account that't issuing the command, you must use the full Key ARN not
3681
+ # the Key ID.
3682
+ #
3683
+ # Your SSE-KMS configuration can only support 1 [customer managed
3684
+ # key][1] per directory bucket for the lifetime of the bucket. [Amazon
3685
+ # Web Services managed key][2] (`aws/s3`) isn't supported.
3686
+ #
3687
+ #
3688
+ #
3689
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3690
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3691
+ #
3692
+ # @option params [String] :ssekms_encryption_context
3693
+ # Specifies the Amazon Web Services KMS Encryption Context as an
3694
+ # additional encryption context to use for object encryption. The value
3695
+ # of this header is a Base64-encoded string of a UTF-8 encoded JSON,
3696
+ # which contains the encryption context as key-value pairs. This value
3697
+ # is stored as object metadata and automatically gets passed on to
3698
+ # Amazon Web Services KMS for future `GetObject` operations on this
3699
+ # object.
3700
+ #
3701
+ # **General purpose buckets** - This value must be explicitly added
3702
+ # during `CopyObject` operations if you want an additional encryption
3703
+ # context for your object. For more information, see [Encryption
3704
+ # context][1] in the *Amazon S3 User Guide*.
3705
+ #
3706
+ # **Directory buckets** - You can optionally provide an explicit
3707
+ # encryption context value. The value must match the default encryption
3708
+ # context - the bucket Amazon Resource Name (ARN). An additional
3709
+ # encryption context value is not supported.
3710
+ #
3711
+ #
3712
+ #
3713
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
3714
+ #
3715
+ # @option params [Boolean] :bucket_key_enabled
3716
+ # Specifies whether Amazon S3 should use an S3 Bucket Key for object
3717
+ # encryption with server-side encryption using KMS keys (SSE-KMS).
3718
+ #
3719
+ # S3 Bucket Keys are always enabled for `GET` and `PUT` operations in a
3720
+ # directory bucket and can’t be disabled. S3 Bucket Keys aren't
3721
+ # supported, when you copy SSE-KMS encrypted objects from general
3722
+ # purpose buckets to directory buckets, from directory buckets to
3723
+ # general purpose buckets, or between directory buckets, through
3724
+ # [CopyObject][1], [UploadPartCopy][2], [the Copy operation in Batch
3725
+ # Operations][3], or [the import jobs][4]. In this case, Amazon S3 makes
3726
+ # a call to KMS every time a copy request is made for a KMS-encrypted
3727
+ # object.
3728
+ #
3729
+ #
3730
+ #
3731
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3732
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3733
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
3734
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
3735
+ #
3383
3736
  # @return [Types::CreateSessionOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
3384
3737
  #
3738
+ # * {Types::CreateSessionOutput#server_side_encryption #server_side_encryption} => String
3739
+ # * {Types::CreateSessionOutput#ssekms_key_id #ssekms_key_id} => String
3740
+ # * {Types::CreateSessionOutput#ssekms_encryption_context #ssekms_encryption_context} => String
3741
+ # * {Types::CreateSessionOutput#bucket_key_enabled #bucket_key_enabled} => Boolean
3385
3742
  # * {Types::CreateSessionOutput#credentials #credentials} => Types::SessionCredentials
3386
3743
  #
3387
3744
  # @example Request syntax with placeholder values
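Review bot: The new `:server_side_encryption`, `:ssekms_key_id`, `:ssekms_encryption_context` and `:bucket_key_enabled` option docs do not repeat the restriction given in the method description, that with the CLI or SDKs the `CreateSession` request uses the bucket's default encryption configuration and overriding it is not supported. A reader who lands on the option docs alone could pass a different KMS key and expect it to take effect. I would add to each option a line such as `# Overriding the bucket's default encryption settings in a CreateSession request is not supported (see the method description).` In the `:ssekms_key_id` text, `that't` should read `that's`, and the header name inside the code span starts with a stray space. The doc block starts and ends outside this hunk.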
@@ -3389,10 +3746,18 @@ module Aws::S3
3389
3746
  # resp = client.create_session({
3390
3747
  # session_mode: "ReadOnly", # accepts ReadOnly, ReadWrite
3391
3748
  # bucket: "BucketName", # required
3749
+ # server_side_encryption: "AES256", # accepts AES256, aws:kms, aws:kms:dsse
3750
+ # ssekms_key_id: "SSEKMSKeyId",
3751
+ # ssekms_encryption_context: "SSEKMSEncryptionContext",
3752
+ # bucket_key_enabled: false,
3392
3753
  # })
3393
3754
  #
3394
3755
  # @example Response structure
3395
3756
  #
3757
+ # resp.server_side_encryption #=> String, one of "AES256", "aws:kms", "aws:kms:dsse"
3758
+ # resp.ssekms_key_id #=> String
3759
+ # resp.ssekms_encryption_context #=> String
3760
+ # resp.bucket_key_enabled #=> Boolean
3396
3761
  # resp.credentials.access_key_id #=> String
3397
3762
  # resp.credentials.secret_access_key #=> String
3398
3763
  # resp.credentials.session_token #=> String
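Review bot: The placeholder comment `# accepts AES256, aws:kms, aws:kms:dsse` on `server_side_encryption` contradicts the option text added for this operation, which says directory buckets support only SSE-S3 (`AES256`) and SSE-KMS (`aws:kms`). The list presumably comes from a shared enum, but as written it invites a value that is documented as unsupported here. I would change the line to `server_side_encryption: "AES256", # accepts AES256, aws:kms` and make the same change in the response comment on `resp.server_side_encryption`. Both examples continue outside the hunk.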
@@ -3638,47 +4003,92 @@ module Aws::S3
3638
4003
  req.send_request(options)
3639
4004
  end
3640
4005
 
3641
- # <note markdown="1"> This operation is not supported by directory buckets.
4006
+ # This implementation of the DELETE action resets the default encryption
4007
+ # for the bucket as server-side encryption with Amazon S3 managed keys
4008
+ # (SSE-S3).
4009
+ #
4010
+ # <note markdown="1"> * **General purpose buckets** - For information about the bucket
4011
+ # default encryption feature, see [Amazon S3 Bucket Default
4012
+ # Encryption][1] in the *Amazon S3 User Guide*.
4013
+ #
4014
+ # * **Directory buckets** - For directory buckets, there are only two
4015
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
4016
+ # For information about the default encryption configuration in
4017
+ # directory buckets, see [Setting default server-side encryption
4018
+ # behavior for directory buckets][2].
3642
4019
  #
3643
4020
  # </note>
3644
4021
  #
3645
- # This implementation of the DELETE action resets the default encryption
3646
- # for the bucket as server-side encryption with Amazon S3 managed keys
3647
- # (SSE-S3). For information about the bucket default encryption feature,
3648
- # see [Amazon S3 Bucket Default Encryption][1] in the *Amazon S3 User
3649
- # Guide*.
4022
+ # Permissions
4023
+ # : * **General purpose bucket permissions** - The
4024
+ # `s3:PutEncryptionConfiguration` permission is required in a
4025
+ # policy. The bucket owner has this permission by default. The
4026
+ # bucket owner can grant this permission to others. For more
4027
+ # information about permissions, see [Permissions Related to Bucket
4028
+ # Operations][3] and [Managing Access Permissions to Your Amazon S3
4029
+ # Resources][4].
3650
4030
  #
3651
- # To use this operation, you must have permissions to perform the
3652
- # `s3:PutEncryptionConfiguration` action. The bucket owner has this
3653
- # permission by default. The bucket owner can grant this permission to
3654
- # others. For more information about permissions, see [Permissions
3655
- # Related to Bucket Subresource Operations][2] and [Managing Access
3656
- # Permissions to your Amazon S3 Resources][3] in the *Amazon S3 User
3657
- # Guide*.
4031
+ # * **Directory bucket permissions** - To grant access to this API
4032
+ # operation, you must have the
4033
+ # `s3express:PutEncryptionConfiguration` permission in an IAM
4034
+ # identity-based policy instead of a bucket policy. Cross-account
4035
+ # access to this API operation isn't supported. This operation can
4036
+ # only be performed by the Amazon Web Services account that owns the
4037
+ # resource. For more information about directory bucket policies and
4038
+ # permissions, see [Amazon Web Services Identity and Access
4039
+ # Management (IAM) for S3 Express One Zone][5] in the *Amazon S3
4040
+ # User Guide*.
4041
+ #
4042
+ # HTTP Host header syntax
4043
+ #
4044
+ # : <b>Directory buckets </b> - The HTTP Host header syntax is
4045
+ # `s3express-control.region.amazonaws.com`.
3658
4046
  #
3659
4047
  # The following operations are related to `DeleteBucketEncryption`:
3660
4048
  #
3661
- # * [PutBucketEncryption][4]
4049
+ # * [PutBucketEncryption][6]
3662
4050
  #
3663
- # * [GetBucketEncryption][5]
4051
+ # * [GetBucketEncryption][7]
3664
4052
  #
3665
4053
  #
3666
4054
  #
3667
4055
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
3668
- # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
3669
- # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
3670
- # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
3671
- # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
4056
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-bucket-encryption.html
4057
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
4058
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
4059
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
4060
+ # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
4061
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
3672
4062
  #
3673
4063
  # @option params [required, String] :bucket
3674
4064
  # The name of the bucket containing the server-side encryption
3675
4065
  # configuration to delete.
3676
4066
  #
4067
+ # <b>Directory buckets </b> - When you use this operation with a
4068
+ # directory bucket, you must use path-style requests in the format
4069
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
4070
+ # Virtual-hosted-style requests aren't supported. Directory bucket
4071
+ # names must be unique in the chosen Availability Zone. Bucket names
4072
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
4073
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
4074
+ # bucket naming restrictions, see [Directory bucket naming rules][1] in
4075
+ # the *Amazon S3 User Guide*
4076
+ #
4077
+ #
4078
+ #
4079
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
4080
+ #
3677
4081
  # @option params [String] :expected_bucket_owner
3678
4082
  # The account ID of the expected bucket owner. If the account ID that
3679
4083
  # you provide does not match the actual owner of the bucket, the request
3680
4084
  # fails with the HTTP status code `403 Forbidden` (access denied).
3681
4085
  #
4086
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
4087
+ # operation. If you specify this header, the request fails with the HTTP
4088
+ # status code `501 Not Implemented`.
4089
+ #
4090
+ # </note>
4091
+ #
3682
4092
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
3683
4093
  #
3684
4094
  # @example Request syntax with placeholder values
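Review bot: The note added under `:expected_bucket_owner` says the header fails with `501 Not Implemented` on directory buckets but does not say what takes the place of the owner check there. The Permissions text in this hunk states that the operation can only be performed by the account that owns the resource and that cross-account access isn't supported; if that is the intended substitute, the note should say so, for example `# For directory buckets, only the account that owns the bucket can call this operation.` Separately, the `:bucket` text uses `region_code` in the path-style URL while the Host header paragraph uses `region`, and the sentence ending in `*Amazon S3 User Guide*` has no period. The same three points apply to the `GetBucketEncryption` hunk at `@@ -5553,46 +5963,92 @@`.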
@@ -4672,35 +5082,35 @@ module Aws::S3
4672
5082
  # * {Types::DeleteObjectTaggingOutput#version_id #version_id} => String
4673
5083
  #
4674
5084
  #
4675
- # @example Example: To remove tag set from an object version
5085
+ # @example Example: To remove tag set from an object
4676
5086
  #
4677
- # # The following example removes tag set associated with the specified object version. The request specifies both the
4678
- # # object key and object version.
5087
+ # # The following example removes tag set associated with the specified object. If the bucket is versioning enabled, the
5088
+ # # operation removes tag set from the latest object version.
4679
5089
  #
4680
5090
  # resp = client.delete_object_tagging({
4681
5091
  # bucket: "examplebucket",
4682
5092
  # key: "HappyFace.jpg",
4683
- # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
4684
5093
  # })
4685
5094
  #
4686
5095
  # resp.to_h outputs the following:
4687
5096
  # {
4688
- # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
5097
+ # version_id: "null",
4689
5098
  # }
4690
5099
  #
4691
- # @example Example: To remove tag set from an object
5100
+ # @example Example: To remove tag set from an object version
4692
5101
  #
4693
- # # The following example removes tag set associated with the specified object. If the bucket is versioning enabled, the
4694
- # # operation removes tag set from the latest object version.
5102
+ # # The following example removes tag set associated with the specified object version. The request specifies both the
5103
+ # # object key and object version.
4695
5104
  #
4696
5105
  # resp = client.delete_object_tagging({
4697
5106
  # bucket: "examplebucket",
4698
5107
  # key: "HappyFace.jpg",
5108
+ # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
4699
5109
  # })
4700
5110
  #
4701
5111
  # resp.to_h outputs the following:
4702
5112
  # {
4703
- # version_id: "null",
5113
+ # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
4704
5114
  # }
4705
5115
  #
4706
5116
  # @example Request syntax with placeholder values
@@ -4983,20 +5393,22 @@ module Aws::S3
4983
5393
  # * {Types::DeleteObjectsOutput#errors #errors} => Array&lt;Types::Error&gt;
4984
5394
  #
4985
5395
  #
4986
- # @example Example: To delete multiple objects from a versioned bucket
5396
+ # @example Example: To delete multiple object versions from a versioned bucket
4987
5397
  #
4988
- # # The following example deletes objects from a bucket. The bucket is versioned, and the request does not specify the
4989
- # # object version to delete. In this case, all versions remain in the bucket and S3 adds a delete marker.
5398
+ # # The following example deletes objects from a bucket. The request specifies object versions. S3 deletes specific object
5399
+ # # versions and returns the key and versions of deleted objects in the response.
4990
5400
  #
4991
5401
  # resp = client.delete_objects({
4992
5402
  # bucket: "examplebucket",
4993
5403
  # delete: {
4994
5404
  # objects: [
4995
5405
  # {
4996
- # key: "objectkey1",
5406
+ # key: "HappyFace.jpg",
5407
+ # version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
4997
5408
  # },
4998
5409
  # {
4999
- # key: "objectkey2",
5410
+ # key: "HappyFace.jpg",
5411
+ # version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
5000
5412
  # },
5001
5413
  # ],
5002
5414
  # quiet: false,
@@ -5007,34 +5419,30 @@ module Aws::S3
5007
5419
  # {
5008
5420
  # deleted: [
5009
5421
  # {
5010
- # delete_marker: true,
5011
- # delete_marker_version_id: "A._w1z6EFiCF5uhtQMDal9JDkID9tQ7F",
5012
- # key: "objectkey1",
5422
+ # key: "HappyFace.jpg",
5423
+ # version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
5013
5424
  # },
5014
5425
  # {
5015
- # delete_marker: true,
5016
- # delete_marker_version_id: "iOd_ORxhkKe_e8G8_oSGxt2PjsCZKlkt",
5017
- # key: "objectkey2",
5426
+ # key: "HappyFace.jpg",
5427
+ # version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
5018
5428
  # },
5019
5429
  # ],
5020
5430
  # }
5021
5431
  #
5022
- # @example Example: To delete multiple object versions from a versioned bucket
5432
+ # @example Example: To delete multiple objects from a versioned bucket
5023
5433
  #
5024
- # # The following example deletes objects from a bucket. The request specifies object versions. S3 deletes specific object
5025
- # # versions and returns the key and versions of deleted objects in the response.
5434
+ # # The following example deletes objects from a bucket. The bucket is versioned, and the request does not specify the
5435
+ # # object version to delete. In this case, all versions remain in the bucket and S3 adds a delete marker.
5026
5436
  #
5027
5437
  # resp = client.delete_objects({
5028
5438
  # bucket: "examplebucket",
5029
5439
  # delete: {
5030
5440
  # objects: [
5031
5441
  # {
5032
- # key: "HappyFace.jpg",
5033
- # version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
5442
+ # key: "objectkey1",
5034
5443
  # },
5035
5444
  # {
5036
- # key: "HappyFace.jpg",
5037
- # version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
5445
+ # key: "objectkey2",
5038
5446
  # },
5039
5447
  # ],
5040
5448
  # quiet: false,
@@ -5045,12 +5453,14 @@ module Aws::S3
5045
5453
  # {
5046
5454
  # deleted: [
5047
5455
  # {
5048
- # key: "HappyFace.jpg",
5049
- # version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
5456
+ # delete_marker: true,
5457
+ # delete_marker_version_id: "A._w1z6EFiCF5uhtQMDal9JDkID9tQ7F",
5458
+ # key: "objectkey1",
5050
5459
  # },
5051
5460
  # {
5052
- # key: "HappyFace.jpg",
5053
- # version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
5461
+ # delete_marker: true,
5462
+ # delete_marker_version_id: "iOd_ORxhkKe_e8G8_oSGxt2PjsCZKlkt",
5463
+ # key: "objectkey2",
5054
5464
  # },
5055
5465
  # ],
5056
5466
  # }
@@ -5553,46 +5963,92 @@ module Aws::S3
5553
5963
  req.send_request(options)
5554
5964
  end
5555
5965
 
5556
- # <note markdown="1"> This operation is not supported by directory buckets.
5966
+ # Returns the default encryption configuration for an Amazon S3 bucket.
5967
+ # By default, all buckets have a default encryption configuration that
5968
+ # uses server-side encryption with Amazon S3 managed keys (SSE-S3).
5969
+ #
5970
+ # <note markdown="1"> * **General purpose buckets** - For information about the bucket
5971
+ # default encryption feature, see [Amazon S3 Bucket Default
5972
+ # Encryption][1] in the *Amazon S3 User Guide*.
5973
+ #
5974
+ # * **Directory buckets** - For directory buckets, there are only two
5975
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
5976
+ # For information about the default encryption configuration in
5977
+ # directory buckets, see [Setting default server-side encryption
5978
+ # behavior for directory buckets][2].
5557
5979
  #
5558
5980
  # </note>
5559
5981
  #
5560
- # Returns the default encryption configuration for an Amazon S3 bucket.
5561
- # By default, all buckets have a default encryption configuration that
5562
- # uses server-side encryption with Amazon S3 managed keys (SSE-S3). For
5563
- # information about the bucket default encryption feature, see [Amazon
5564
- # S3 Bucket Default Encryption][1] in the *Amazon S3 User Guide*.
5982
+ # Permissions
5983
+ # : * **General purpose bucket permissions** - The
5984
+ # `s3:GetEncryptionConfiguration` permission is required in a
5985
+ # policy. The bucket owner has this permission by default. The
5986
+ # bucket owner can grant this permission to others. For more
5987
+ # information about permissions, see [Permissions Related to Bucket
5988
+ # Operations][3] and [Managing Access Permissions to Your Amazon S3
5989
+ # Resources][4].
5565
5990
  #
5566
- # To use this operation, you must have permission to perform the
5567
- # `s3:GetEncryptionConfiguration` action. The bucket owner has this
5568
- # permission by default. The bucket owner can grant this permission to
5569
- # others. For more information about permissions, see [Permissions
5570
- # Related to Bucket Subresource Operations][2] and [Managing Access
5571
- # Permissions to Your Amazon S3 Resources][3].
5991
+ # * **Directory bucket permissions** - To grant access to this API
5992
+ # operation, you must have the
5993
+ # `s3express:GetEncryptionConfiguration` permission in an IAM
5994
+ # identity-based policy instead of a bucket policy. Cross-account
5995
+ # access to this API operation isn't supported. This operation can
5996
+ # only be performed by the Amazon Web Services account that owns the
5997
+ # resource. For more information about directory bucket policies and
5998
+ # permissions, see [Amazon Web Services Identity and Access
5999
+ # Management (IAM) for S3 Express One Zone][5] in the *Amazon S3
6000
+ # User Guide*.
6001
+ #
6002
+ # HTTP Host header syntax
6003
+ #
6004
+ # : <b>Directory buckets </b> - The HTTP Host header syntax is
6005
+ # `s3express-control.region.amazonaws.com`.
5572
6006
  #
5573
6007
  # The following operations are related to `GetBucketEncryption`:
5574
6008
  #
5575
- # * [PutBucketEncryption][4]
6009
+ # * [PutBucketEncryption][6]
5576
6010
  #
5577
- # * [DeleteBucketEncryption][5]
6011
+ # * [DeleteBucketEncryption][7]
5578
6012
  #
5579
6013
  #
5580
6014
  #
5581
6015
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
5582
- # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
5583
- # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
5584
- # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
5585
- # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
6016
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-bucket-encryption.html
6017
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
6018
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
6019
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
6020
+ # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
6021
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
6022
+ #
6023
+ # @option params [required, String] :bucket
6024
+ # The name of the bucket from which the server-side encryption
6025
+ # configuration is retrieved.
6026
+ #
6027
+ # <b>Directory buckets </b> - When you use this operation with a
6028
+ # directory bucket, you must use path-style requests in the format
6029
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
6030
+ # Virtual-hosted-style requests aren't supported. Directory bucket
6031
+ # names must be unique in the chosen Availability Zone. Bucket names
6032
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
6033
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
6034
+ # bucket naming restrictions, see [Directory bucket naming rules][1] in
6035
+ # the *Amazon S3 User Guide*
6036
+ #
5586
6037
  #
5587
- # @option params [required, String] :bucket
5588
- # The name of the bucket from which the server-side encryption
5589
- # configuration is retrieved.
6038
+ #
6039
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
5590
6040
  #
5591
6041
  # @option params [String] :expected_bucket_owner
5592
6042
  # The account ID of the expected bucket owner. If the account ID that
5593
6043
  # you provide does not match the actual owner of the bucket, the request
5594
6044
  # fails with the HTTP status code `403 Forbidden` (access denied).
5595
6045
  #
6046
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
6047
+ # operation. If you specify this header, the request fails with the HTTP
6048
+ # status code `501 Not Implemented`.
6049
+ #
6050
+ # </note>
6051
+ #
5596
6052
  # @return [Types::GetBucketEncryptionOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
5597
6053
  #
5598
6054
  # * {Types::GetBucketEncryptionOutput#server_side_encryption_configuration #server_side_encryption_configuration} => Types::ServerSideEncryptionConfiguration
@@ -7332,6 +7788,10 @@ module Aws::S3
7332
7788
  # interruptions when a session expires. For more information about
7333
7789
  # authorization, see [ `CreateSession` ][4].
7334
7790
  #
7791
+ # If the object is encrypted using SSE-KMS, you must also have the
7792
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
7793
+ # identity-based policies and KMS key policies for the KMS key.
7794
+ #
7335
7795
  # Storage classes
7336
7796
  #
7337
7797
  # : If the object you are retrieving is stored in the S3 Glacier
@@ -7360,6 +7820,11 @@ module Aws::S3
7360
7820
  # `GetObject` requests for the object that uses these types of keys,
7361
7821
  # you’ll get an HTTP `400 Bad Request` error.
7362
7822
  #
7823
+ # **Directory buckets** - For directory buckets, there are only two
7824
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
7825
+ # SSE-C isn't supported. For more information, see [Protecting data
7826
+ # with server-side encryption][7] in the *Amazon S3 User Guide*.
7827
+ #
7363
7828
  # Overriding response header values through the request
7364
7829
  #
7365
7830
  # : There are times when you want to override certain response header
@@ -7407,9 +7872,9 @@ module Aws::S3
7407
7872
  #
7408
7873
  # The following operations are related to `GetObject`:
7409
7874
  #
7410
- # * [ListBuckets][7]
7875
+ # * [ListBuckets][8]
7411
7876
  #
7412
- # * [GetObjectAcl][8]
7877
+ # * [GetObjectAcl][9]
7413
7878
  #
7414
7879
  #
7415
7880
  #
@@ -7419,8 +7884,9 @@ module Aws::S3
7419
7884
  # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
7420
7885
  # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
7421
7886
  # [6]: https://docs.aws.amazon.com/AmazonS3/latest/dev/restoring-objects.html
7422
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html
7423
- # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
7887
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
7888
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html
7889
+ # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
7424
7890
  #
7425
7891
  # @option params [String, IO] :response_target
7426
7892
  # Where to write response data, file path, or IO object.
@@ -7717,10 +8183,10 @@ module Aws::S3
7717
8183
  # @option params [String] :checksum_mode
7718
8184
  # To retrieve the checksum, this mode must be enabled.
7719
8185
  #
7720
- # In addition, if you enable checksum mode and the object is uploaded
7721
- # with a [checksum][1] and encrypted with an Key Management Service
7722
- # (KMS) key, you must have permission to use the `kms:Decrypt` action to
7723
- # retrieve the checksum.
8186
+ # **General purpose buckets** - In addition, if you enable checksum mode
8187
+ # and the object is uploaded with a [checksum][1] and encrypted with an
8188
+ # Key Management Service (KMS) key, you must have permission to use the
8189
+ # `kms:Decrypt` action to retrieve the checksum.
7724
8190
  #
7725
8191
  #
7726
8192
  #
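Review bot: The relabelled `:checksum_mode` paragraph now covers only general purpose buckets and still opens with a leftover "In addition," after the new label, so someone writing a KMS policy for a directory bucket gets no guidance from this option. The matching `:checksum_mode` hunk further down (`@@ -9587,10 +10078,16 @@`) adds a separate **Directory buckets** paragraph naming `kms:GenerateDataKey` and `kms:Decrypt`. If the same requirement applies to this operation, that paragraph should be repeated here. Both hunks also keep the wording "an Key Management Service (KMS) key", which should read `a Key Management Service (KMS) key`. The comment block continues outside the hunk.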
@@ -8122,7 +8588,7 @@ module Aws::S3
8122
8588
  # Permissions
8123
8589
  # : * **General purpose bucket permissions** - To use
8124
8590
  # `GetObjectAttributes`, you must have READ access to the object.
8125
- # The permissions that you need to use this operation with depend on
8591
+ # The permissions that you need to use this operation depend on
8126
8592
  # whether the bucket is versioned. If the bucket is versioned, you
8127
8593
  # need both the `s3:GetObjectVersion` and
8128
8594
  # `s3:GetObjectVersionAttributes` permissions for this operation. If
@@ -8156,6 +8622,10 @@ module Aws::S3
8156
8622
  # interruptions when a session expires. For more information about
8157
8623
  # authorization, see [ `CreateSession` ][3].
8158
8624
  #
8625
+ # If the object is encrypted with SSE-KMS, you must also have the
8626
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
8627
+ # identity-based policies and KMS key policies for the KMS key.
8628
+ #
8159
8629
  # Encryption
8160
8630
  # : <note markdown="1"> Encryption request headers, like `x-amz-server-side-encryption`,
8161
8631
  # should not be sent for `HEAD` requests if your object uses
@@ -8189,9 +8659,19 @@ module Aws::S3
8189
8659
  # Customer-Provided Encryption Keys)][4] in the *Amazon S3 User
8190
8660
  # Guide*.
8191
8661
  #
8192
- # <note markdown="1"> **Directory bucket permissions** - For directory buckets, only
8193
- # server-side encryption with Amazon S3 managed keys (SSE-S3)
8194
- # (`AES256`) is supported.
8662
+ # <note markdown="1"> **Directory bucket permissions** - For directory buckets, there are
8663
+ # only two supported options for server-side encryption: server-side
8664
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
8665
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
8666
+ # recommend that the bucket's default encryption uses the desired
8667
+ # encryption configuration and you don't override the bucket default
8668
+ # encryption in your `CreateSession` requests or `PUT` object
8669
+ # requests. Then, new objects are automatically encrypted with the
8670
+ # desired encryption settings. For more information, see [Protecting
8671
+ # data with server-side encryption][5] in the *Amazon S3 User Guide*.
8672
+ # For more information about the encryption overriding behaviors in
8673
+ # directory buckets, see [Specifying server-side encryption with KMS
8674
+ # for new object uploads][6].
8195
8675
  #
8196
8676
  # </note>
8197
8677
  #
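Review bot: The rewritten note keeps the label **Directory bucket permissions**, although its content is now about the supported server-side encryption options (SSE-S3 and SSE-KMS) and the bucket default encryption, not about permissions. The parallel note rewritten in the `@@ -9317,9 +9806,10 @@` hunk uses `<b>Directory bucket </b>` instead. Using one label in both places, for example `**Directory buckets** -`, would stop the encryption guidance from reading as a permissions requirement. The surrounding comment block starts and ends outside the hunk.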
@@ -8215,7 +8695,7 @@ module Aws::S3
8215
8695
  # * `If-Unmodified-Since` condition evaluates to `false`.
8216
8696
  #
8217
8697
  # For more information about conditional requests, see [RFC
8218
- # 7232][5].
8698
+ # 7232][7].
8219
8699
  #
8220
8700
  # * If both of the `If-None-Match` and `If-Modified-Since` headers are
8221
8701
  # present in the request as follows, then Amazon S3 returns the HTTP
@@ -8226,7 +8706,7 @@ module Aws::S3
8226
8706
  # * `If-Modified-Since` condition evaluates to `true`.
8227
8707
  #
8228
8708
  # For more information about conditional requests, see [RFC
8229
- # 7232][5].
8709
+ # 7232][7].
8230
8710
  #
8231
8711
  # HTTP Host header syntax
8232
8712
  #
@@ -8235,21 +8715,21 @@ module Aws::S3
8235
8715
  #
8236
8716
  # The following actions are related to `GetObjectAttributes`:
8237
8717
  #
8238
- # * [GetObject][6]
8718
+ # * [GetObject][8]
8239
8719
  #
8240
- # * [GetObjectAcl][7]
8720
+ # * [GetObjectAcl][9]
8241
8721
  #
8242
- # * [GetObjectLegalHold][8]
8722
+ # * [GetObjectLegalHold][10]
8243
8723
  #
8244
- # * [GetObjectLockConfiguration][9]
8724
+ # * [GetObjectLockConfiguration][11]
8245
8725
  #
8246
- # * [GetObjectRetention][10]
8726
+ # * [GetObjectRetention][12]
8247
8727
  #
8248
- # * [GetObjectTagging][11]
8728
+ # * [GetObjectTagging][13]
8249
8729
  #
8250
- # * [HeadObject][12]
8730
+ # * [HeadObject][14]
8251
8731
  #
8252
- # * [ListParts][13]
8732
+ # * [ListParts][15]
8253
8733
  #
8254
8734
  #
8255
8735
  #
@@ -8257,15 +8737,17 @@ module Aws::S3
8257
8737
  # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
8258
8738
  # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
8259
8739
  # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
8260
- # [5]: https://tools.ietf.org/html/rfc7232
8261
- # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
8262
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
8263
- # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLegalHold.html
8264
- # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLockConfiguration.html
8265
- # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectRetention.html
8266
- # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectTagging.html
8267
- # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html
8268
- # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
8740
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
8741
+ # [6]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
8742
+ # [7]: https://tools.ietf.org/html/rfc7232
8743
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
8744
+ # [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
8745
+ # [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLegalHold.html
8746
+ # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLockConfiguration.html
8747
+ # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectRetention.html
8748
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectTagging.html
8749
+ # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html
8750
+ # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
8269
8751
  #
8270
8752
  # @option params [required, String] :bucket
8271
8753
  # The name of the bucket that contains the object.
@@ -8809,49 +9291,49 @@ module Aws::S3
8809
9291
  # * {Types::GetObjectTaggingOutput#tag_set #tag_set} => Array&lt;Types::Tag&gt;
8810
9292
  #
8811
9293
  #
8812
- # @example Example: To retrieve tag set of an object
9294
+ # @example Example: To retrieve tag set of a specific object version
8813
9295
  #
8814
- # # The following example retrieves tag set of an object.
9296
+ # # The following example retrieves tag set of an object. The request specifies object version.
8815
9297
  #
8816
9298
  # resp = client.get_object_tagging({
8817
9299
  # bucket: "examplebucket",
8818
- # key: "HappyFace.jpg",
9300
+ # key: "exampleobject",
9301
+ # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
8819
9302
  # })
8820
9303
  #
8821
9304
  # resp.to_h outputs the following:
8822
9305
  # {
8823
9306
  # tag_set: [
8824
9307
  # {
8825
- # key: "Key4",
8826
- # value: "Value4",
8827
- # },
8828
- # {
8829
- # key: "Key3",
8830
- # value: "Value3",
9308
+ # key: "Key1",
9309
+ # value: "Value1",
8831
9310
  # },
8832
9311
  # ],
8833
- # version_id: "null",
9312
+ # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
8834
9313
  # }
8835
9314
  #
8836
- # @example Example: To retrieve tag set of a specific object version
9315
+ # @example Example: To retrieve tag set of an object
8837
9316
  #
8838
- # # The following example retrieves tag set of an object. The request specifies object version.
9317
+ # # The following example retrieves tag set of an object.
8839
9318
  #
8840
9319
  # resp = client.get_object_tagging({
8841
9320
  # bucket: "examplebucket",
8842
- # key: "exampleobject",
8843
- # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
9321
+ # key: "HappyFace.jpg",
8844
9322
  # })
8845
9323
  #
8846
9324
  # resp.to_h outputs the following:
8847
9325
  # {
8848
9326
  # tag_set: [
8849
9327
  # {
8850
- # key: "Key1",
8851
- # value: "Value1",
9328
+ # key: "Key4",
9329
+ # value: "Value4",
9330
+ # },
9331
+ # {
9332
+ # key: "Key3",
9333
+ # value: "Value3",
8852
9334
  # },
8853
9335
  # ],
8854
- # version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
9336
+ # version_id: "null",
8855
9337
  # }
8856
9338
  #
8857
9339
  # @example Request syntax with placeholder values
@@ -9284,6 +9766,13 @@ module Aws::S3
9284
9766
  # interruptions when a session expires. For more information about
9285
9767
  # authorization, see [ `CreateSession` ][3].
9286
9768
  #
9769
+ # If you enable `x-amz-checksum-mode` in the request and the object
9770
+ # is encrypted with Amazon Web Services Key Management Service
9771
+ # (Amazon Web Services KMS), you must also have the
9772
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
9773
+ # identity-based policies and KMS key policies for the KMS key to
9774
+ # retrieve the checksum of the object.
9775
+ #
9287
9776
  # Encryption
9288
9777
  # : <note markdown="1"> Encryption request headers, like `x-amz-server-side-encryption`,
9289
9778
  # should not be sent for `HEAD` requests if your object uses
@@ -9317,9 +9806,10 @@ module Aws::S3
9317
9806
  # Customer-Provided Encryption Keys)][4] in the *Amazon S3 User
9318
9807
  # Guide*.
9319
9808
  #
9320
- # <note markdown="1"> **Directory bucket permissions** - For directory buckets, only
9321
- # server-side encryption with Amazon S3 managed keys (SSE-S3)
9322
- # (`AES256`) is supported.
9809
+ # <note markdown="1"> <b>Directory bucket </b> - For directory buckets, there are only two
9810
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
9811
+ # SSE-C isn't supported. For more information, see [Protecting data
9812
+ # with server-side encryption][5] in the *Amazon S3 User Guide*.
9323
9813
  #
9324
9814
  # </note>
9325
9815
  #
@@ -9353,15 +9843,15 @@ module Aws::S3
9353
9843
  # requests in the format
9354
9844
  # `https://bucket_name.s3express-az_id.region.amazonaws.com/key-name
9355
9845
  # `. Path-style requests are not supported. For more information, see
9356
- # [Regional and Zonal endpoints][5] in the *Amazon S3 User Guide*.
9846
+ # [Regional and Zonal endpoints][6] in the *Amazon S3 User Guide*.
9357
9847
  #
9358
9848
  # </note>
9359
9849
  #
9360
9850
  # The following actions are related to `HeadObject`:
9361
9851
  #
9362
- # * [GetObject][6]
9852
+ # * [GetObject][7]
9363
9853
  #
9364
- # * [GetObjectAttributes][7]
9854
+ # * [GetObjectAttributes][8]
9365
9855
  #
9366
9856
  #
9367
9857
  #
@@ -9369,9 +9859,10 @@ module Aws::S3
9369
9859
  # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html
9370
9860
  # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
9371
9861
  # [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
9372
- # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
9373
- # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
9374
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAttributes.html
9862
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
9863
+ # [6]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
9864
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
9865
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAttributes.html
9375
9866
  #
9376
9867
  # @option params [required, String] :bucket
9377
9868
  # The name of the bucket that contains the object.
@@ -9587,10 +10078,16 @@ module Aws::S3
9587
10078
  # @option params [String] :checksum_mode
9588
10079
  # To retrieve the checksum, this parameter must be enabled.
9589
10080
  #
9590
- # In addition, if you enable checksum mode and the object is uploaded
9591
- # with a [checksum][1] and encrypted with an Key Management Service
9592
- # (KMS) key, you must have permission to use the `kms:Decrypt` action to
9593
- # retrieve the checksum.
10081
+ # **General purpose buckets** - If you enable checksum mode and the
10082
+ # object is uploaded with a [checksum][1] and encrypted with an Key
10083
+ # Management Service (KMS) key, you must have permission to use the
10084
+ # `kms:Decrypt` action to retrieve the checksum.
10085
+ #
10086
+ # **Directory buckets** - If you enable `ChecksumMode` and the object is
10087
+ # encrypted with Amazon Web Services Key Management Service (Amazon Web
10088
+ # Services KMS), you must also have the `kms:GenerateDataKey` and
10089
+ # `kms:Decrypt` permissions in IAM identity-based policies and KMS key
10090
+ # policies for the KMS key to retrieve the checksum of the object.
9594
10091
  #
9595
10092
  #
9596
10093
  #
@@ -12586,24 +13083,73 @@ module Aws::S3
12586
13083
  req.send_request(options)
12587
13084
  end
12588
13085
 
12589
- # <note markdown="1"> This operation is not supported by directory buckets.
13086
+ # This operation configures default encryption and Amazon S3 Bucket Keys
13087
+ # for an existing bucket.
12590
13088
  #
12591
- # </note>
13089
+ # <note markdown="1"> <b>Directory buckets </b> - For directory buckets, you must make
13090
+ # requests for this API operation to the Regional endpoint. These
13091
+ # endpoints support path-style requests in the format
13092
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
13093
+ # Virtual-hosted-style requests aren't supported. For more information,
13094
+ # see [Regional and Zonal endpoints][1] in the *Amazon S3 User Guide*.
12592
13095
  #
12593
- # This action uses the `encryption` subresource to configure default
12594
- # encryption and Amazon S3 Bucket Keys for an existing bucket.
13096
+ # </note>
12595
13097
  #
12596
13098
  # By default, all buckets have a default encryption configuration that
12597
- # uses server-side encryption with Amazon S3 managed keys (SSE-S3). You
12598
- # can optionally configure default encryption for a bucket by using
12599
- # server-side encryption with Key Management Service (KMS) keys
12600
- # (SSE-KMS) or dual-layer server-side encryption with Amazon Web
12601
- # Services KMS keys (DSSE-KMS). If you specify default encryption by
12602
- # using SSE-KMS, you can also configure [Amazon S3 Bucket Keys][1]. If
12603
- # you use PutBucketEncryption to set your [default bucket encryption][2]
12604
- # to SSE-KMS, you should verify that your KMS key ID is correct. Amazon
12605
- # S3 does not validate the KMS key ID provided in PutBucketEncryption
12606
- # requests.
13099
+ # uses server-side encryption with Amazon S3 managed keys (SSE-S3).
13100
+ #
13101
+ # <note markdown="1"> * **General purpose buckets**
13102
+ #
13103
+ # * You can optionally configure default encryption for a bucket by
13104
+ # using server-side encryption with Key Management Service (KMS)
13105
+ # keys (SSE-KMS) or dual-layer server-side encryption with Amazon
13106
+ # Web Services KMS keys (DSSE-KMS). If you specify default
13107
+ # encryption by using SSE-KMS, you can also configure [Amazon S3
13108
+ # Bucket Keys][2]. For information about the bucket default
13109
+ # encryption feature, see [Amazon S3 Bucket Default Encryption][3]
13110
+ # in the *Amazon S3 User Guide*.
13111
+ #
13112
+ # * If you use PutBucketEncryption to set your [default bucket
13113
+ # encryption][3] to SSE-KMS, you should verify that your KMS key ID
13114
+ # is correct. Amazon S3 doesn't validate the KMS key ID provided in
13115
+ # PutBucketEncryption requests.
13116
+ #
13117
+ # * <b>Directory buckets </b> - You can optionally configure default
13118
+ # encryption for a bucket by using server-side encryption with Key
13119
+ # Management Service (KMS) keys (SSE-KMS).
13120
+ #
13121
+ # * We recommend that the bucket's default encryption uses the
13122
+ # desired encryption configuration and you don't override the
13123
+ # bucket default encryption in your `CreateSession` requests or
13124
+ # `PUT` object requests. Then, new objects are automatically
13125
+ # encrypted with the desired encryption settings. For more
13126
+ # information about the encryption overriding behaviors in directory
13127
+ # buckets, see [Specifying server-side encryption with KMS for new
13128
+ # object uploads][4].
13129
+ #
13130
+ # * Your SSE-KMS configuration can only support 1 [customer managed
13131
+ # key][5] per directory bucket for the lifetime of the bucket.
13132
+ # [Amazon Web Services managed key][6] (`aws/s3`) isn't supported.
13133
+ #
13134
+ # * S3 Bucket Keys are always enabled for `GET` and `PUT` operations
13135
+ # in a directory bucket and can’t be disabled. S3 Bucket Keys
13136
+ # aren't supported, when you copy SSE-KMS encrypted objects from
13137
+ # general purpose buckets to directory buckets, from directory
13138
+ # buckets to general purpose buckets, or between directory buckets,
13139
+ # through [CopyObject][7], [UploadPartCopy][8], [the Copy operation
13140
+ # in Batch Operations][9], or [the import jobs][10]. In this case,
13141
+ # Amazon S3 makes a call to KMS every time a copy request is made
13142
+ # for a KMS-encrypted object.
13143
+ #
13144
+ # * When you specify an [KMS customer managed key][5] for encryption
13145
+ # in your directory bucket, only use the key ID or key ARN. The key
13146
+ # alias format of the KMS key isn't supported.
13147
+ #
13148
+ # * For directory buckets, if you use PutBucketEncryption to set your
13149
+ # [default bucket encryption][3] to SSE-KMS, Amazon S3 validates the
13150
+ # KMS key ID provided in PutBucketEncryption requests.
13151
+ #
13152
+ # </note>
12607
13153
  #
12608
13154
  # If you're specifying a customer managed KMS key, we recommend using a
12609
13155
  # fully qualified KMS key ARN. If you use a KMS key alias instead, then
@@ -12613,45 +13159,80 @@ module Aws::S3
12613
13159
  #
12614
13160
  # Also, this action requires Amazon Web Services Signature Version 4.
12615
13161
  # For more information, see [ Authenticating Requests (Amazon Web
12616
- # Services Signature Version 4)][3].
13162
+ # Services Signature Version 4)][11].
12617
13163
  #
12618
- # To use this operation, you must have permission to perform the
12619
- # `s3:PutEncryptionConfiguration` action. The bucket owner has this
12620
- # permission by default. The bucket owner can grant this permission to
12621
- # others. For more information about permissions, see [Permissions
12622
- # Related to Bucket Subresource Operations][4] and [Managing Access
12623
- # Permissions to Your Amazon S3 Resources][5] in the *Amazon S3 User
12624
- # Guide*.
13164
+ # Permissions
13165
+ # : * **General purpose bucket permissions** - The
13166
+ # `s3:PutEncryptionConfiguration` permission is required in a
13167
+ # policy. The bucket owner has this permission by default. The
13168
+ # bucket owner can grant this permission to others. For more
13169
+ # information about permissions, see [Permissions Related to Bucket
13170
+ # Operations][12] and [Managing Access Permissions to Your Amazon S3
13171
+ # Resources][13] in the *Amazon S3 User Guide*.
13172
+ #
13173
+ # * **Directory bucket permissions** - To grant access to this API
13174
+ # operation, you must have the
13175
+ # `s3express:PutEncryptionConfiguration` permission in an IAM
13176
+ # identity-based policy instead of a bucket policy. Cross-account
13177
+ # access to this API operation isn't supported. This operation can
13178
+ # only be performed by the Amazon Web Services account that owns the
13179
+ # resource. For more information about directory bucket policies and
13180
+ # permissions, see [Amazon Web Services Identity and Access
13181
+ # Management (IAM) for S3 Express One Zone][14] in the *Amazon S3
13182
+ # User Guide*.
13183
+ #
13184
+ # To set a directory bucket default encryption with SSE-KMS, you
13185
+ # must also have the `kms:GenerateDataKey` and the `kms:Decrypt`
13186
+ # permissions in IAM identity-based policies and KMS key policies
13187
+ # for the target KMS key.
13188
+ #
13189
+ # HTTP Host header syntax
13190
+ #
13191
+ # : <b>Directory buckets </b> - The HTTP Host header syntax is
13192
+ # `s3express-control.region.amazonaws.com`.
12625
13193
  #
12626
13194
  # The following operations are related to `PutBucketEncryption`:
12627
13195
  #
12628
- # * [GetBucketEncryption][6]
13196
+ # * [GetBucketEncryption][15]
12629
13197
  #
12630
- # * [DeleteBucketEncryption][7]
13198
+ # * [DeleteBucketEncryption][16]
12631
13199
  #
12632
13200
  #
12633
13201
  #
12634
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
12635
- # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
12636
- # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
12637
- # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
12638
- # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
12639
- # [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
12640
- # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
13202
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
13203
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
13204
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
13205
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
13206
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
13207
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
13208
+ # [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
13209
+ # [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
13210
+ # [9]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
13211
+ # [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
13212
+ # [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
13213
+ # [12]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
13214
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
13215
+ # [14]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
13216
+ # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
13217
+ # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
12641
13218
  #
12642
13219
  # @option params [required, String] :bucket
12643
13220
  # Specifies default encryption for a bucket using server-side encryption
12644
- # with different key options. By default, all buckets have a default
12645
- # encryption configuration that uses server-side encryption with Amazon
12646
- # S3 managed keys (SSE-S3). You can optionally configure default
12647
- # encryption for a bucket by using server-side encryption with an Amazon
12648
- # Web Services KMS key (SSE-KMS) or a customer-provided key (SSE-C). For
12649
- # information about the bucket default encryption feature, see [Amazon
12650
- # S3 Bucket Default Encryption][1] in the *Amazon S3 User Guide*.
13221
+ # with different key options.
13222
+ #
13223
+ # <b>Directory buckets </b> - When you use this operation with a
13224
+ # directory bucket, you must use path-style requests in the format
13225
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
13226
+ # Virtual-hosted-style requests aren't supported. Directory bucket
13227
+ # names must be unique in the chosen Availability Zone. Bucket names
13228
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
13229
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
13230
+ # bucket naming restrictions, see [Directory bucket naming rules][1] in
13231
+ # the *Amazon S3 User Guide*
12651
13232
  #
12652
13233
  #
12653
13234
  #
12654
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
13235
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
12655
13236
  #
12656
13237
  # @option params [String] :content_md5
12657
13238
  # The base64-encoded 128-bit MD5 digest of the server-side encryption
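Review bot: The `:bucket` option still opens with "Specifies default encryption for a bucket using server-side encryption with different key options.", which describes the encryption configuration rather than the bucket, and the rewritten text never says that the option is (presumably) the bucket name. A first line such as `# The name of the bucket whose default encryption configuration is set.` would match the other `:bucket` descriptions on this page ("The name of the bucket that contains the object."). The added paragraph ends with `the *Amazon S3 User Guide*` without a full stop. Reference targets `[9]` and `[10]` in this hunk are the only docs.aws.amazon.com links in the list without an `.html` suffix, so they should be checked for resolving correctly.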
@@ -12661,6 +13242,10 @@ module Aws::S3
12661
13242
  # (CLI) or Amazon Web Services SDKs, this field is calculated
12662
13243
  # automatically.
12663
13244
  #
13245
+ # <note markdown="1"> This functionality is not supported for directory buckets.
13246
+ #
13247
+ # </note>
13248
+ #
12664
13249
  # @option params [String] :checksum_algorithm
12665
13250
  # Indicates the algorithm used to create the checksum for the object
12666
13251
  # when you use the SDK. This header will not provide any additional
@@ -12673,6 +13258,11 @@ module Aws::S3
12673
13258
  # If you provide an individual checksum, Amazon S3 ignores any provided
12674
13259
  # `ChecksumAlgorithm` parameter.
12675
13260
  #
13261
+ # <note markdown="1"> For directory buckets, when you use Amazon Web Services SDKs, `CRC32`
13262
+ # is the default checksum algorithm that's used for performance.
13263
+ #
13264
+ # </note>
13265
+ #
12676
13266
  #
12677
13267
  #
12678
13268
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
@@ -12685,6 +13275,12 @@ module Aws::S3
12685
13275
  # you provide does not match the actual owner of the bucket, the request
12686
13276
  # fails with the HTTP status code `403 Forbidden` (access denied).
12687
13277
  #
13278
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
13279
+ # operation. If you specify this header, the request fails with the HTTP
13280
+ # status code `501 Not Implemented`.
13281
+ #
13282
+ # </note>
13283
+ #
12688
13284
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
12689
13285
  #
12690
13286
  # @example Request syntax with placeholder values
@@ -15082,6 +15678,10 @@ module Aws::S3
15082
15678
  # interruptions when a session expires. For more information about
15083
15679
  # authorization, see [ `CreateSession` ][5].
15084
15680
  #
15681
+ # If the object is encrypted with SSE-KMS, you must also have the
15682
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
15683
+ # identity-based policies and KMS key policies for the KMS key.
15684
+ #
15085
15685
  # Data integrity with Content-MD5
15086
15686
  # : * **General purpose bucket** - To ensure that data is not corrupted
15087
15687
  # traversing the network, use the `Content-MD5` header. When you use
@@ -15431,25 +16031,65 @@ module Aws::S3
15431
16031
  # object in Amazon S3 (for example, `AES256`, `aws:kms`,
15432
16032
  # `aws:kms:dsse`).
15433
16033
  #
15434
- # <b>General purpose buckets </b> - You have four mutually exclusive
15435
- # options to protect data using server-side encryption in Amazon S3,
15436
- # depending on how you choose to manage the encryption keys.
15437
- # Specifically, the encryption key options are Amazon S3 managed keys
15438
- # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
15439
- # customer-provided keys (SSE-C). Amazon S3 encrypts data with
15440
- # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
15441
- # default. You can optionally tell Amazon S3 to encrypt data at rest by
15442
- # using server-side encryption with other key options. For more
15443
- # information, see [Using Server-Side Encryption][1] in the *Amazon S3
15444
- # User Guide*.
16034
+ # * <b>General purpose buckets </b> - You have four mutually exclusive
16035
+ # options to protect data using server-side encryption in Amazon S3,
16036
+ # depending on how you choose to manage the encryption keys.
16037
+ # Specifically, the encryption key options are Amazon S3 managed keys
16038
+ # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
16039
+ # customer-provided keys (SSE-C). Amazon S3 encrypts data with
16040
+ # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
16041
+ # default. You can optionally tell Amazon S3 to encrypt data at rest
16042
+ # by using server-side encryption with other key options. For more
16043
+ # information, see [Using Server-Side Encryption][1] in the *Amazon S3
16044
+ # User Guide*.
15445
16045
  #
15446
- # <b>Directory buckets </b> - For directory buckets, only the
15447
- # server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`)
15448
- # value is supported.
16046
+ # * <b>Directory buckets </b> - For directory buckets, there are only
16047
+ # two supported options for server-side encryption: server-side
16048
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
16049
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
16050
+ # recommend that the bucket's default encryption uses the desired
16051
+ # encryption configuration and you don't override the bucket default
16052
+ # encryption in your `CreateSession` requests or `PUT` object
16053
+ # requests. Then, new objects are automatically encrypted with the
16054
+ # desired encryption settings. For more information, see [Protecting
16055
+ # data with server-side encryption][2] in the *Amazon S3 User Guide*.
16056
+ # For more information about the encryption overriding behaviors in
16057
+ # directory buckets, see [Specifying server-side encryption with KMS
16058
+ # for new object uploads][3].
16059
+ #
16060
+ # In the Zonal endpoint API calls (except [CopyObject][4] and
16061
+ # [UploadPartCopy][5]) using the REST API, the encryption request
16062
+ # headers must match the encryption settings that are specified in the
16063
+ # `CreateSession` request. You can't override the values of the
16064
+ # encryption settings (`x-amz-server-side-encryption`,
16065
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
16066
+ # `x-amz-server-side-encryption-context`, and
16067
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
16068
+ # specified in the `CreateSession` request. You don't need to
16069
+ # explicitly specify these encryption settings values in Zonal
16070
+ # endpoint API calls, and Amazon S3 will use the encryption settings
16071
+ # values from the `CreateSession` request to protect new objects in
16072
+ # the directory bucket.
16073
+ #
16074
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
16075
+ # `CreateSession`, the session token refreshes automatically to avoid
16076
+ # service interruptions when a session expires. The CLI or the Amazon
16077
+ # Web Services SDKs use the bucket's default encryption configuration
16078
+ # for the `CreateSession` request. It's not supported to override the
16079
+ # encryption settings values in the `CreateSession` request. So in the
16080
+ # Zonal endpoint API calls (except [CopyObject][4] and
16081
+ # [UploadPartCopy][5]), the encryption request headers must match the
16082
+ # default encryption configuration of the directory bucket.
16083
+ #
16084
+ # </note>
15449
16085
  #
15450
16086
  #
15451
16087
  #
15452
16088
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
16089
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
16090
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
16091
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
16092
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
15453
16093
  #
15454
16094
  # @option params [String] :storage_class
15455
16095
  # By default, Amazon S3 uses the STANDARD Storage Class to store newly
@@ -15529,46 +16169,83 @@ module Aws::S3
15529
16169
  # </note>
15530
16170
  #
15531
16171
  # @option params [String] :ssekms_key_id
15532
- # If `x-amz-server-side-encryption` has a valid value of `aws:kms` or
15533
- # `aws:kms:dsse`, this header specifies the ID (Key ID, Key ARN, or Key
15534
- # Alias) of the Key Management Service (KMS) symmetric encryption
15535
- # customer managed key that was used for the object. If you specify
15536
- # `x-amz-server-side-encryption:aws:kms` or
15537
- # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide`
15538
- # x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
15539
- # Amazon Web Services managed key (`aws/s3`) to protect the data. If the
15540
- # KMS key does not exist in the same account that's issuing the
15541
- # command, you must use the full ARN and not just the ID.
16172
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
16173
+ # object encryption. If the KMS key doesn't exist in the same account
16174
+ # that's issuing the command, you must use the full Key ARN not the Key
16175
+ # ID.
16176
+ #
16177
+ # **General purpose buckets** - If you specify
16178
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
16179
+ # header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
16180
+ # to use. If you specify `x-amz-server-side-encryption:aws:kms` or
16181
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
16182
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
16183
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
16184
+ #
16185
+ # **Directory buckets** - If you specify `x-amz-server-side-encryption`
16186
+ # with `aws:kms`, you must specify the `
16187
+ # x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
16188
+ # ID or Key ARN) of the KMS symmetric encryption customer managed key to
16189
+ # use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
16190
+ # key ID or key ARN. The key alias format of the KMS key isn't
16191
+ # supported. Your SSE-KMS configuration can only support 1 [customer
16192
+ # managed key][1] per directory bucket for the lifetime of the bucket.
16193
+ # [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
16194
+ #
16195
+ #
16196
+ #
16197
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
16198
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
15542
16199
  #
15543
- # <note markdown="1"> This functionality is not supported for directory buckets.
16200
+ # @option params [String] :ssekms_encryption_context
16201
+ # Specifies the Amazon Web Services KMS Encryption Context as an
16202
+ # additional encryption context to use for object encryption. The value
16203
+ # of this header is a Base64-encoded string of a UTF-8 encoded JSON,
16204
+ # which contains the encryption context as key-value pairs. This value
16205
+ # is stored as object metadata and automatically gets passed on to
16206
+ # Amazon Web Services KMS for future `GetObject` operations on this
16207
+ # object.
15544
16208
  #
15545
- # </note>
16209
+ # **General purpose buckets** - This value must be explicitly added
16210
+ # during `CopyObject` operations if you want an additional encryption
16211
+ # context for your object. For more information, see [Encryption
16212
+ # context][1] in the *Amazon S3 User Guide*.
15546
16213
  #
15547
- # @option params [String] :ssekms_encryption_context
15548
- # Specifies the Amazon Web Services KMS Encryption Context to use for
15549
- # object encryption. The value of this header is a base64-encoded UTF-8
15550
- # string holding JSON with the encryption context key-value pairs. This
15551
- # value is stored as object metadata and automatically gets passed on to
15552
- # Amazon Web Services KMS for future `GetObject` or `CopyObject`
15553
- # operations on this object. This value must be explicitly added during
15554
- # `CopyObject` operations.
16214
+ # **Directory buckets** - You can optionally provide an explicit
16215
+ # encryption context value. The value must match the default encryption
16216
+ # context - the bucket Amazon Resource Name (ARN). An additional
16217
+ # encryption context value is not supported.
15555
16218
  #
15556
- # <note markdown="1"> This functionality is not supported for directory buckets.
15557
16219
  #
15558
- # </note>
16220
+ #
16221
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
15559
16222
  #
15560
16223
  # @option params [Boolean] :bucket_key_enabled
15561
16224
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
15562
16225
  # encryption with server-side encryption using Key Management Service
15563
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
15564
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
16226
+ # (KMS) keys (SSE-KMS).
16227
+ #
16228
+ # **General purpose buckets** - Setting this header to `true` causes
16229
+ # Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
16230
+ # Also, specifying this header with a PUT action doesn't affect
16231
+ # bucket-level settings for S3 Bucket Key.
15565
16232
  #
15566
- # Specifying this header with a PUT action doesn’t affect bucket-level
15567
- # settings for S3 Bucket Key.
16233
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
16234
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
16235
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
16236
+ # from general purpose buckets to directory buckets, from directory
16237
+ # buckets to general purpose buckets, or between directory buckets,
16238
+ # through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
16239
+ # Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
16240
+ # makes a call to KMS every time a copy request is made for a
16241
+ # KMS-encrypted object.
15568
16242
  #
15569
- # <note markdown="1"> This functionality is not supported for directory buckets.
15570
16243
  #
15571
- # </note>
16244
+ #
16245
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
16246
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
16247
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
16248
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
15572
16249
  #
15573
16250
  # @option params [String] :request_payer
15574
16251
  # Confirms that the requester knows that they will be charged for the
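Review bot: The two reference links added under `:bucket_key_enabled`, `[3]` (`.../userguide/directory-buckets-objects-Batch-Ops`) and `[4]` (`.../userguide/create-import-job`), have no `.html` suffix, unlike every other docs.aws.amazon.com link in this hunk, so they may not resolve and should be checked against the published pages. In the directory-bucket paragraph of `:ssekms_key_id`, the code span opens with a backtick at the end of one comment line and continues with ` x-amz-server-side-encryption-aws-kms-key-id` on the next, which leaves a leading space inside the span. The removed text had the same kind of break, and the general-purpose paragraph in this hunk fixes it. I would keep `x-amz-server-side-encryption-aws-kms-key-id` with both backticks on one line. If this comment text is generated from the service model, the correction belongs in the model rather than in this file.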
@@ -15646,24 +16323,22 @@ module Aws::S3
15646
16323
  # * {Types::PutObjectOutput#request_charged #request_charged} => String
15647
16324
  #
15648
16325
  #
15649
- # @example Example: To upload an object (specify optional headers)
16326
+ # @example Example: To upload an object and specify optional tags
15650
16327
  #
15651
- # # The following example uploads an object. The request specifies optional request headers to directs S3 to use specific
15652
- # # storage class and use server-side encryption.
16328
+ # # The following example uploads an object. The request specifies optional object tags. The bucket is versioned, therefore
16329
+ # # S3 returns version ID of the newly created object.
15653
16330
  #
15654
16331
  # resp = client.put_object({
15655
- # body: "HappyFace.jpg",
16332
+ # body: "c:\\HappyFace.jpg",
15656
16333
  # bucket: "examplebucket",
15657
16334
  # key: "HappyFace.jpg",
15658
- # server_side_encryption: "AES256",
15659
- # storage_class: "STANDARD_IA",
16335
+ # tagging: "key1=value1&key2=value2",
15660
16336
  # })
15661
16337
  #
15662
16338
  # resp.to_h outputs the following:
15663
16339
  # {
15664
16340
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15665
- # server_side_encryption: "AES256",
15666
- # version_id: "CG612hodqujkf8FaaNfp8U..FIhLROcp",
16341
+ # version_id: "psM2sYY4.o1501dSx8wMvnkOzSBB.V4a",
15667
16342
  # }
15668
16343
  #
15669
16344
  # @example Example: To create an object.
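Review bot: The added line `body: "c:\\HappyFace.jpg"` passes a path string, and as far as I know `put_object` sends a String `:body` as the object data rather than opening the file, so a reader copying this example would store the path text instead of the image. The description now attached to the example talks only about tags and no longer mentions a source file, which makes the misreading more likely. The same pattern, `body: "HappyFace.jpg"`, appears in the "To upload an object" example in the next hunk. I would add a line such as `# :body is the object data; pass File.open(path, 'rb') to upload a file from disk`, or point to the "Streaming a file from disk" example that follows these.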
@@ -15682,98 +16357,100 @@ module Aws::S3
15682
16357
  # version_id: "Bvq0EDKxOcXLJXNo_Lkz37eM3R4pfzyQ",
15683
16358
  # }
15684
16359
  #
15685
- # @example Example: To upload an object
16360
+ # @example Example: To upload object and specify user-defined metadata
15686
16361
  #
15687
- # # The following example uploads an object to a versioning-enabled bucket. The source file is specified using Windows file
15688
- # # syntax. S3 returns VersionId of the newly created object.
16362
+ # # The following example creates an object. The request also specifies optional metadata. If the bucket is versioning
16363
+ # # enabled, S3 returns version ID in response.
15689
16364
  #
15690
16365
  # resp = client.put_object({
15691
- # body: "HappyFace.jpg",
16366
+ # body: "filetoupload",
15692
16367
  # bucket: "examplebucket",
15693
- # key: "HappyFace.jpg",
16368
+ # key: "exampleobject",
16369
+ # metadata: {
16370
+ # "metadata1" => "value1",
16371
+ # "metadata2" => "value2",
16372
+ # },
15694
16373
  # })
15695
16374
  #
15696
16375
  # resp.to_h outputs the following:
15697
16376
  # {
15698
16377
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15699
- # version_id: "tpf3zF08nBplQK1XLOefGskR7mGDwcDk",
16378
+ # version_id: "pSKidl4pHBiNwukdbcPXAIs.sshFFOc0",
15700
16379
  # }
15701
16380
  #
15702
- # @example Example: To upload an object and specify optional tags
16381
+ # @example Example: To upload an object
15703
16382
  #
15704
- # # The following example uploads an object. The request specifies optional object tags. The bucket is versioned, therefore
15705
- # # S3 returns version ID of the newly created object.
16383
+ # # The following example uploads an object to a versioning-enabled bucket. The source file is specified using Windows file
16384
+ # # syntax. S3 returns VersionId of the newly created object.
15706
16385
  #
15707
16386
  # resp = client.put_object({
15708
- # body: "c:\\HappyFace.jpg",
16387
+ # body: "HappyFace.jpg",
15709
16388
  # bucket: "examplebucket",
15710
16389
  # key: "HappyFace.jpg",
15711
- # tagging: "key1=value1&key2=value2",
15712
16390
  # })
15713
16391
  #
15714
16392
  # resp.to_h outputs the following:
15715
16393
  # {
15716
16394
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15717
- # version_id: "psM2sYY4.o1501dSx8wMvnkOzSBB.V4a",
16395
+ # version_id: "tpf3zF08nBplQK1XLOefGskR7mGDwcDk",
15718
16396
  # }
15719
16397
  #
15720
- # @example Example: To upload an object and specify canned ACL.
16398
+ # @example Example: To upload an object and specify server-side encryption and object tags
15721
16399
  #
15722
- # # The following example uploads and object. The request specifies optional canned ACL (access control list) to all READ
15723
- # # access to authenticated users. If the bucket is versioning enabled, S3 returns version ID in response.
16400
+ # # The following example uploads an object. The request specifies the optional server-side encryption option. The request
16401
+ # # also specifies optional object tags. If the bucket is versioning enabled, S3 returns version ID in response.
15724
16402
  #
15725
16403
  # resp = client.put_object({
15726
- # acl: "authenticated-read",
15727
16404
  # body: "filetoupload",
15728
16405
  # bucket: "examplebucket",
15729
16406
  # key: "exampleobject",
16407
+ # server_side_encryption: "AES256",
16408
+ # tagging: "key1=value1&key2=value2",
15730
16409
  # })
15731
16410
  #
15732
16411
  # resp.to_h outputs the following:
15733
16412
  # {
15734
16413
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15735
- # version_id: "Kirh.unyZwjQ69YxcQLA8z4F5j3kJJKr",
16414
+ # server_side_encryption: "AES256",
16415
+ # version_id: "Ri.vC6qVlA4dEnjgRV4ZHsHoFIjqEMNt",
15736
16416
  # }
15737
16417
  #
15738
- # @example Example: To upload object and specify user-defined metadata
16418
+ # @example Example: To upload an object and specify canned ACL.
15739
16419
  #
15740
- # # The following example creates an object. The request also specifies optional metadata. If the bucket is versioning
15741
- # # enabled, S3 returns version ID in response.
16420
+ # # The following example uploads and object. The request specifies optional canned ACL (access control list) to all READ
16421
+ # # access to authenticated users. If the bucket is versioning enabled, S3 returns version ID in response.
15742
16422
  #
15743
16423
  # resp = client.put_object({
16424
+ # acl: "authenticated-read",
15744
16425
  # body: "filetoupload",
15745
16426
  # bucket: "examplebucket",
15746
16427
  # key: "exampleobject",
15747
- # metadata: {
15748
- # "metadata1" => "value1",
15749
- # "metadata2" => "value2",
15750
- # },
15751
16428
  # })
15752
16429
  #
15753
16430
  # resp.to_h outputs the following:
15754
16431
  # {
15755
16432
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15756
- # version_id: "pSKidl4pHBiNwukdbcPXAIs.sshFFOc0",
16433
+ # version_id: "Kirh.unyZwjQ69YxcQLA8z4F5j3kJJKr",
15757
16434
  # }
15758
16435
  #
15759
- # @example Example: To upload an object and specify server-side encryption and object tags
16436
+ # @example Example: To upload an object (specify optional headers)
15760
16437
  #
15761
- # # The following example uploads an object. The request specifies the optional server-side encryption option. The request
15762
- # # also specifies optional object tags. If the bucket is versioning enabled, S3 returns version ID in response.
16438
+ # # The following example uploads an object. The request specifies optional request headers to directs S3 to use specific
16439
+ # # storage class and use server-side encryption.
15763
16440
  #
15764
16441
  # resp = client.put_object({
15765
- # body: "filetoupload",
16442
+ # body: "HappyFace.jpg",
15766
16443
  # bucket: "examplebucket",
15767
- # key: "exampleobject",
16444
+ # key: "HappyFace.jpg",
15768
16445
  # server_side_encryption: "AES256",
15769
- # tagging: "key1=value1&key2=value2",
16446
+ # storage_class: "STANDARD_IA",
15770
16447
  # })
15771
16448
  #
15772
16449
  # resp.to_h outputs the following:
15773
16450
  # {
15774
16451
  # etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
15775
16452
  # server_side_encryption: "AES256",
15776
- # version_id: "Ri.vC6qVlA4dEnjgRV4ZHsHoFIjqEMNt",
16453
+ # version_id: "CG612hodqujkf8FaaNfp8U..FIhLROcp",
15777
16454
  # }
15778
16455
  #
15779
16456
  # @example Streaming a file from disk
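Review bot: The description of the canned-ACL example, "to all READ access to authenticated users", is garbled and understates what `acl: "authenticated-read"` grants. READ goes to the AuthenticatedUsers group, which is any principal authenticated with any AWS account, not only users of the bucket owner's account. I would reword it to `# The request sets the canned ACL "authenticated-read", which grants READ to any authenticated AWS principal (all AWS accounts).` and fix "uploads and object" to "uploads an object". The text is unchanged from the removed side, since the example was only moved, but it is now the last ACL guidance a reader sees before the encryption example.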
@@ -17786,6 +18463,10 @@ module Aws::S3
17786
18463
  # interruptions when a session expires. For more information about
17787
18464
  # authorization, see [ `CreateSession` ][9].
17788
18465
  #
18466
+ # If the object is encrypted with SSE-KMS, you must also have the
18467
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
18468
+ # identity-based policies and KMS key policies for the KMS key.
18469
+ #
17789
18470
  # Data integrity
17790
18471
  #
17791
18472
  # : **General purpose bucket** - To ensure that data is not corrupted
@@ -17837,12 +18518,13 @@ module Aws::S3
17837
18518
  #
17838
18519
  # * x-amz-server-side-encryption-customer-key-MD5
17839
18520
  #
17840
- # * **Directory bucket** - For directory buckets, only server-side
17841
- # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is
17842
- # supported.
18521
+ # For more information, see [Using Server-Side Encryption][11] in
18522
+ # the *Amazon S3 User Guide*.
17843
18523
  #
17844
- # For more information, see [Using Server-Side Encryption][11] in the
17845
- # *Amazon S3 User Guide*.
18524
+ # * <b>Directory buckets </b> - For directory buckets, there are only
18525
+ # two supported options for server-side encryption: server-side
18526
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
18527
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`).
17846
18528
  #
17847
18529
  # Special errors
17848
18530
  # : * Error Code: `NoSuchUpload`
@@ -18255,6 +18937,10 @@ module Aws::S3
18255
18937
  # destination. The `s3express:SessionMode` condition key cannot be
18256
18938
  # set to `ReadOnly` on the copy destination.
18257
18939
  #
18940
+ # If the object is encrypted with SSE-KMS, you must also have the
18941
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
18942
+ # identity-based policies and KMS key policies for the KMS key.
18943
+ #
18258
18944
  # For example policies, see [Example bucket policies for S3 Express
18259
18945
  # One Zone][10] and [Amazon Web Services Identity and Access
18260
18946
  # Management (IAM) identity-based policies for S3 Express One
@@ -18266,9 +18952,26 @@ module Aws::S3
18266
18952
  # the `UploadPartCopy` operation, see [CopyObject][12] and
18267
18953
  # [UploadPart][2].
18268
18954
  #
18269
- # * <b>Directory buckets </b> - For directory buckets, only
18270
- # server-side encryption with Amazon S3 managed keys (SSE-S3)
18271
- # (`AES256`) is supported.
18955
+ # * <b>Directory buckets </b> - For directory buckets, there are only
18956
+ # two supported options for server-side encryption: server-side
18957
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
18958
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). For
18959
+ # more information, see [Protecting data with server-side
18960
+ # encryption][13] in the *Amazon S3 User Guide*.
18961
+ #
18962
+ # <note markdown="1"> For directory buckets, when you perform a `CreateMultipartUpload`
18963
+ # operation and an `UploadPartCopy` operation, the request headers
18964
+ # you provide in the `CreateMultipartUpload` request must match the
18965
+ # default encryption configuration of the destination bucket.
18966
+ #
18967
+ # </note>
18968
+ #
18969
+ # S3 Bucket Keys aren't supported, when you copy SSE-KMS encrypted
18970
+ # objects from general purpose buckets to directory buckets, from
18971
+ # directory buckets to general purpose buckets, or between directory
18972
+ # buckets, through [UploadPartCopy][14]. In this case, Amazon S3
18973
+ # makes a call to KMS every time a copy request is made for a
18974
+ # KMS-encrypted object.
18272
18975
  #
18273
18976
  # Special errors
18274
18977
  # : * Error Code: `NoSuchUpload`
@@ -18293,17 +18996,17 @@ module Aws::S3
18293
18996
  #
18294
18997
  # The following operations are related to `UploadPartCopy`:
18295
18998
  #
18296
- # * [CreateMultipartUpload][13]
18999
+ # * [CreateMultipartUpload][15]
18297
19000
  #
18298
19001
  # * [UploadPart][2]
18299
19002
  #
18300
- # * [CompleteMultipartUpload][14]
19003
+ # * [CompleteMultipartUpload][16]
18301
19004
  #
18302
- # * [AbortMultipartUpload][15]
19005
+ # * [AbortMultipartUpload][17]
18303
19006
  #
18304
- # * [ListParts][16]
19007
+ # * [ListParts][18]
18305
19008
  #
18306
- # * [ListMultipartUploads][17]
19009
+ # * [ListMultipartUploads][19]
18307
19010
  #
18308
19011
  #
18309
19012
  #
@@ -18319,11 +19022,13 @@ module Aws::S3
18319
19022
  # [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html
18320
19023
  # [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html
18321
19024
  # [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
18322
- # [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
18323
- # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
18324
- # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
18325
- # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
18326
- # [17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
19025
+ # [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
19026
+ # [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
19027
+ # [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
19028
+ # [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
19029
+ # [17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
19030
+ # [18]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
19031
+ # [19]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
18327
19032
  #
18328
19033
  # @option params [required, String] :bucket
18329
19034
  # The bucket name.
@@ -18609,45 +19314,45 @@ module Aws::S3
18609
19314
  # * {Types::UploadPartCopyOutput#request_charged #request_charged} => String
18610
19315
  #
18611
19316
  #
18612
- # @example Example: To upload a part by copying data from an existing object as data source
19317
+ # @example Example: To upload a part by copying byte range from an existing object as data source
18613
19318
  #
18614
- # # The following example uploads a part of a multipart upload by copying data from an existing object as data source.
19319
+ # # The following example uploads a part of a multipart upload by copying a specified byte range from an existing object as
19320
+ # # data source.
18615
19321
  #
18616
19322
  # resp = client.upload_part_copy({
18617
19323
  # bucket: "examplebucket",
18618
19324
  # copy_source: "/bucketname/sourceobjectkey",
19325
+ # copy_source_range: "bytes=1-100000",
18619
19326
  # key: "examplelargeobject",
18620
- # part_number: 1,
19327
+ # part_number: 2,
18621
19328
  # upload_id: "exampleuoh_10OhKhT7YukE9bjzTPRiuaCotmZM_pFngJFir9OZNrSr5cWa3cq3LZSUsfjI4FI7PkP91We7Nrw--",
18622
19329
  # })
18623
19330
  #
18624
19331
  # resp.to_h outputs the following:
18625
19332
  # {
18626
19333
  # copy_part_result: {
18627
- # etag: "\"b0c6f0e7e054ab8fa2536a2677f8734d\"",
18628
- # last_modified: Time.parse("2016-12-29T21:24:43.000Z"),
19334
+ # etag: "\"65d16d19e65a7508a51f043180edcc36\"",
19335
+ # last_modified: Time.parse("2016-12-29T21:44:28.000Z"),
18629
19336
  # },
18630
19337
  # }
18631
19338
  #
18632
- # @example Example: To upload a part by copying byte range from an existing object as data source
19339
+ # @example Example: To upload a part by copying data from an existing object as data source
18633
19340
  #
18634
- # # The following example uploads a part of a multipart upload by copying a specified byte range from an existing object as
18635
- # # data source.
19341
+ # # The following example uploads a part of a multipart upload by copying data from an existing object as data source.
18636
19342
  #
18637
19343
  # resp = client.upload_part_copy({
18638
19344
  # bucket: "examplebucket",
18639
19345
  # copy_source: "/bucketname/sourceobjectkey",
18640
- # copy_source_range: "bytes=1-100000",
18641
19346
  # key: "examplelargeobject",
18642
- # part_number: 2,
19347
+ # part_number: 1,
18643
19348
  # upload_id: "exampleuoh_10OhKhT7YukE9bjzTPRiuaCotmZM_pFngJFir9OZNrSr5cWa3cq3LZSUsfjI4FI7PkP91We7Nrw--",
18644
19349
  # })
18645
19350
  #
18646
19351
  # resp.to_h outputs the following:
18647
19352
  # {
18648
19353
  # copy_part_result: {
18649
- # etag: "\"65d16d19e65a7508a51f043180edcc36\"",
18650
- # last_modified: Time.parse("2016-12-29T21:44:28.000Z"),
19354
+ # etag: "\"b0c6f0e7e054ab8fa2536a2677f8734d\"",
19355
+ # last_modified: Time.parse("2016-12-29T21:24:43.000Z"),
18651
19356
  # },
18652
19357
  # }
18653
19358
  #
@@ -19109,7 +19814,7 @@ module Aws::S3
19109
19814
  tracer: tracer
19110
19815
  )
19111
19816
  context[:gem_name] = 'aws-sdk-s3'
19112
- context[:gem_version] = '1.160.0'
19817
+ context[:gem_version] = '1.164.0'
19113
19818
  Seahorse::Client::Request.new(handlers, context)
19114
19819
  end
19115
19820