aws-sdk-s3 1.162.0 → 1.167.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -634,7 +634,7 @@ module Aws::S3
634
634
  # Contains all the possible checksum or digest values for an object.
635
635
  #
636
636
  # @!attribute [rw] checksum_crc32
637
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
637
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
638
638
  # only be present if it was uploaded with the object. When you use an
639
639
  # API operation on an object that was uploaded using multipart
640
640
  # uploads, this value may not be a direct checksum value of the full
@@ -649,7 +649,7 @@ module Aws::S3
649
649
  # @return [String]
650
650
  #
651
651
  # @!attribute [rw] checksum_crc32c
652
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
652
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
653
653
  # only be present if it was uploaded with the object. When you use an
654
654
  # API operation on an object that was uploaded using multipart
655
655
  # uploads, this value may not be a direct checksum value of the full
@@ -803,7 +803,7 @@ module Aws::S3
803
803
  # @return [String]
804
804
  #
805
805
  # @!attribute [rw] checksum_crc32
806
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
806
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
807
807
  # only be present if it was uploaded with the object. When you use an
808
808
  # API operation on an object that was uploaded using multipart
809
809
  # uploads, this value may not be a direct checksum value of the full
@@ -818,7 +818,7 @@ module Aws::S3
818
818
  # @return [String]
819
819
  #
820
820
  # @!attribute [rw] checksum_crc32c
821
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
821
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
822
822
  # only be present if it was uploaded with the object. When you use an
823
823
  # API operation on an object that was uploaded using multipart
824
824
  # uploads, this value may not be a direct checksum value of the full
@@ -865,11 +865,6 @@ module Aws::S3
865
865
  # @!attribute [rw] server_side_encryption
866
866
  # The server-side encryption algorithm used when storing this object
867
867
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
868
- #
869
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
870
- # managed keys (SSE-S3) (`AES256`) is supported.
871
- #
872
- # </note>
873
868
  # @return [String]
874
869
  #
875
870
  # @!attribute [rw] version_id
@@ -882,23 +877,14 @@ module Aws::S3
882
877
  # @return [String]
883
878
  #
884
879
  # @!attribute [rw] ssekms_key_id
885
- # If present, indicates the ID of the Key Management Service (KMS)
886
- # symmetric encryption customer managed key that was used for the
887
- # object.
888
- #
889
- # <note markdown="1"> This functionality is not supported for directory buckets.
890
- #
891
- # </note>
880
+ # If present, indicates the ID of the KMS key that was used for object
881
+ # encryption.
892
882
  # @return [String]
893
883
  #
894
884
  # @!attribute [rw] bucket_key_enabled
895
885
  # Indicates whether the multipart upload uses an S3 Bucket Key for
896
886
  # server-side encryption with Key Management Service (KMS) keys
897
887
  # (SSE-KMS).
898
- #
899
- # <note markdown="1"> This functionality is not supported for directory buckets.
900
- #
901
- # </note>
902
888
  # @return [Boolean]
903
889
  #
904
890
  # @!attribute [rw] request_charged
@@ -991,7 +977,7 @@ module Aws::S3
991
977
  # @!attribute [rw] checksum_crc32
992
978
  # This header can be used as a data integrity check to verify that the
993
979
  # data received is the same data that was originally sent. This header
994
- # specifies the base64-encoded, 32-bit CRC32 checksum of the object.
980
+ # specifies the base64-encoded, 32-bit CRC-32 checksum of the object.
995
981
  # For more information, see [Checking object integrity][1] in the
996
982
  # *Amazon S3 User Guide*.
997
983
  #
@@ -1003,7 +989,7 @@ module Aws::S3
1003
989
  # @!attribute [rw] checksum_crc32c
1004
990
  # This header can be used as a data integrity check to verify that the
1005
991
  # data received is the same data that was originally sent. This header
1006
- # specifies the base64-encoded, 32-bit CRC32C checksum of the object.
992
+ # specifies the base64-encoded, 32-bit CRC-32C checksum of the object.
1007
993
  # For more information, see [Checking object integrity][1] in the
1008
994
  # *Amazon S3 User Guide*.
1009
995
  #
@@ -1173,7 +1159,7 @@ module Aws::S3
1173
1159
  # @return [String]
1174
1160
  #
1175
1161
  # @!attribute [rw] checksum_crc32
1176
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
1162
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
1177
1163
  # only be present if it was uploaded with the object. When you use an
1178
1164
  # API operation on an object that was uploaded using multipart
1179
1165
  # uploads, this value may not be a direct checksum value of the full
@@ -1188,7 +1174,7 @@ module Aws::S3
1188
1174
  # @return [String]
1189
1175
  #
1190
1176
  # @!attribute [rw] checksum_crc32c
1191
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
1177
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
1192
1178
  # only be present if it was uploaded with the object. When you use an
1193
1179
  # API operation on an object that was uploaded using multipart
1194
1180
  # uploads, this value may not be a direct checksum value of the full
@@ -1348,11 +1334,6 @@ module Aws::S3
1348
1334
  # @!attribute [rw] server_side_encryption
1349
1335
  # The server-side encryption algorithm used when you store this object
1350
1336
  # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
1351
- #
1352
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
1353
- # managed keys (SSE-S3) (`AES256`) is supported.
1354
- #
1355
- # </note>
1356
1337
  # @return [String]
1357
1338
  #
1358
1339
  # @!attribute [rw] sse_customer_algorithm
@@ -1377,13 +1358,8 @@ module Aws::S3
1377
1358
  # @return [String]
1378
1359
  #
1379
1360
  # @!attribute [rw] ssekms_key_id
1380
- # If present, indicates the ID of the Key Management Service (KMS)
1381
- # symmetric encryption customer managed key that was used for the
1382
- # object.
1383
- #
1384
- # <note markdown="1"> This functionality is not supported for directory buckets.
1385
- #
1386
- # </note>
1361
+ # If present, indicates the ID of the KMS key that was used for object
1362
+ # encryption.
1387
1363
  # @return [String]
1388
1364
  #
1389
1365
  # @!attribute [rw] ssekms_encryption_context
@@ -1391,20 +1367,12 @@ module Aws::S3
1391
1367
  # to use for object encryption. The value of this header is a
1392
1368
  # base64-encoded UTF-8 string holding JSON with the encryption context
1393
1369
  # key-value pairs.
1394
- #
1395
- # <note markdown="1"> This functionality is not supported for directory buckets.
1396
- #
1397
- # </note>
1398
1370
  # @return [String]
1399
1371
  #
1400
1372
  # @!attribute [rw] bucket_key_enabled
1401
1373
  # Indicates whether the copied object uses an S3 Bucket Key for
1402
1374
  # server-side encryption with Key Management Service (KMS) keys
1403
1375
  # (SSE-KMS).
1404
- #
1405
- # <note markdown="1"> This functionality is not supported for directory buckets.
1406
- #
1407
- # </note>
1408
1376
  # @return [Boolean]
1409
1377
  #
1410
1378
  # @!attribute [rw] request_charged
@@ -1832,9 +1800,8 @@ module Aws::S3
1832
1800
  #
1833
1801
  # @!attribute [rw] server_side_encryption
1834
1802
  # The server-side encryption algorithm used when storing this object
1835
- # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
1836
- # Unrecognized or unsupported values won’t write a destination object
1837
- # and will receive a `400 Bad Request` response.
1803
+ # in Amazon S3. Unrecognized or unsupported values won’t write a
1804
+ # destination object and will receive a `400 Bad Request` response.
1838
1805
  #
1839
1806
  # Amazon S3 automatically encrypts all new objects that are copied to
1840
1807
  # an S3 bucket. When copying an object, if you don't specify
@@ -1843,21 +1810,8 @@ module Aws::S3
1843
1810
  # of the destination bucket. By default, all buckets have a base level
1844
1811
  # of encryption configuration that uses server-side encryption with
1845
1812
  # Amazon S3 managed keys (SSE-S3). If the destination bucket has a
1846
- # default encryption configuration that uses server-side encryption
1847
- # with Key Management Service (KMS) keys (SSE-KMS), dual-layer
1848
- # server-side encryption with Amazon Web Services KMS keys (DSSE-KMS),
1849
- # or server-side encryption with customer-provided encryption keys
1850
- # (SSE-C), Amazon S3 uses the corresponding KMS key, or a
1851
- # customer-provided key to encrypt the target object copy.
1852
- #
1853
- # When you perform a `CopyObject` operation, if you want to use a
1854
- # different type of encryption setting for the target object, you can
1855
- # specify appropriate encryption-related headers to encrypt the target
1856
- # object with an Amazon S3 managed key, a KMS key, or a
1857
- # customer-provided key. If the encryption setting in your request is
1858
- # different from the default encryption configuration of the
1859
- # destination bucket, the encryption setting in your request takes
1860
- # precedence.
1813
+ # different default encryption configuration, Amazon S3 uses the
1814
+ # corresponding encryption key to encrypt the target object copy.
1861
1815
  #
1862
1816
  # With server-side encryption, Amazon S3 encrypts your data as it
1863
1817
  # writes your data to disks in its data centers and decrypts the data
@@ -1865,14 +1819,63 @@ module Aws::S3
1865
1819
  # encryption, see [Using Server-Side Encryption][1] in the *Amazon S3
1866
1820
  # User Guide*.
1867
1821
  #
1868
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
1869
- # managed keys (SSE-S3) (`AES256`) is supported.
1870
- #
1871
- # </note>
1822
+ # <b>General purpose buckets </b>
1823
+ #
1824
+ # * For general purpose buckets, there are the following supported
1825
+ # options for server-side encryption: server-side encryption with
1826
+ # Key Management Service (KMS) keys (SSE-KMS), dual-layer
1827
+ # server-side encryption with Amazon Web Services KMS keys
1828
+ # (DSSE-KMS), and server-side encryption with customer-provided
1829
+ # encryption keys (SSE-C). Amazon S3 uses the corresponding KMS key,
1830
+ # or a customer-provided key to encrypt the target object copy.
1831
+ #
1832
+ # * When you perform a `CopyObject` operation, if you want to use a
1833
+ # different type of encryption setting for the target object, you
1834
+ # can specify appropriate encryption-related headers to encrypt the
1835
+ # target object with an Amazon S3 managed key, a KMS key, or a
1836
+ # customer-provided key. If the encryption setting in your request
1837
+ # is different from the default encryption configuration of the
1838
+ # destination bucket, the encryption setting in your request takes
1839
+ # precedence.
1840
+ #
1841
+ # <b>Directory buckets </b>
1842
+ #
1843
+ # * For directory buckets, there are only two supported options for
1844
+ # server-side encryption: server-side encryption with Amazon S3
1845
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with
1846
+ # KMS keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's
1847
+ # default encryption uses the desired encryption configuration and
1848
+ # you don't override the bucket default encryption in your
1849
+ # `CreateSession` requests or `PUT` object requests. Then, new
1850
+ # objects are automatically encrypted with the desired encryption
1851
+ # settings. For more information, see [Protecting data with
1852
+ # server-side encryption][2] in the *Amazon S3 User Guide*. For more
1853
+ # information about the encryption overriding behaviors in directory
1854
+ # buckets, see [Specifying server-side encryption with KMS for new
1855
+ # object uploads][3].
1856
+ #
1857
+ # * To encrypt new object copies to a directory bucket with SSE-KMS,
1858
+ # we recommend you specify SSE-KMS as the directory bucket's
1859
+ # default encryption configuration with a KMS key (specifically, a
1860
+ # [customer managed key][4]). [Amazon Web Services managed key][5]
1861
+ # (`aws/s3`) isn't supported. Your SSE-KMS configuration can only
1862
+ # support 1 [customer managed key][4] per directory bucket for the
1863
+ # lifetime of the bucket. After you specify a customer managed key
1864
+ # for SSE-KMS, you can't override the customer managed key for the
1865
+ # bucket's SSE-KMS configuration. Then, when you perform a
1866
+ # `CopyObject` operation and want to specify server-side encryption
1867
+ # settings for new object copies with SSE-KMS in the
1868
+ # encryption-related request headers, you must ensure the encryption
1869
+ # key is the same customer managed key that you specified for the
1870
+ # directory bucket's default encryption configuration.
1872
1871
  #
1873
1872
  #
1874
1873
  #
1875
1874
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
1875
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
1876
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
1877
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
1878
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1876
1879
  # @return [String]
1877
1880
  #
1878
1881
  # @!attribute [rw] storage_class
@@ -1978,7 +1981,7 @@ module Aws::S3
1978
1981
  # @return [String]
1979
1982
  #
1980
1983
  # @!attribute [rw] ssekms_key_id
1981
- # Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for
1984
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
1982
1985
  # object encryption. All GET and PUT requests for an object protected
1983
1986
  # by KMS will fail if they're not made via SSL or using SigV4. For
1984
1987
  # information about configuring any of the officially supported Amazon
@@ -1986,27 +1989,45 @@ module Aws::S3
1986
1989
  # Signature Version in Request Authentication][1] in the *Amazon S3
1987
1990
  # User Guide*.
1988
1991
  #
1989
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
1990
- # directory bucket.
1991
- #
1992
- # </note>
1992
+ # **Directory buckets** - If you specify
1993
+ # `x-amz-server-side-encryption` with `aws:kms`, you must specify the
1994
+ # ` x-amz-server-side-encryption-aws-kms-key-id` header with the ID
1995
+ # (Key ID or Key ARN) of the KMS symmetric encryption customer managed
1996
+ # key to use. Otherwise, you get an HTTP `400 Bad Request` error. Only
1997
+ # use the key ID or key ARN. The key alias format of the KMS key
1998
+ # isn't supported. Your SSE-KMS configuration can only support 1
1999
+ # [customer managed key][2] per directory bucket for the lifetime of
2000
+ # the bucket. [Amazon Web Services managed key][3] (`aws/s3`) isn't
2001
+ # supported.
1993
2002
  #
1994
2003
  #
1995
2004
  #
1996
2005
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
2006
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
2007
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1997
2008
  # @return [String]
1998
2009
  #
1999
2010
  # @!attribute [rw] ssekms_encryption_context
2000
- # Specifies the Amazon Web Services KMS Encryption Context to use for
2001
- # object encryption. The value of this header is a base64-encoded
2002
- # UTF-8 string holding JSON with the encryption context key-value
2003
- # pairs. This value must be explicitly added to specify encryption
2004
- # context for `CopyObject` requests.
2011
+ # Specifies the Amazon Web Services KMS Encryption Context as an
2012
+ # additional encryption context to use for the destination object
2013
+ # encryption. The value of this header is a base64-encoded UTF-8
2014
+ # string holding JSON with the encryption context key-value pairs.
2005
2015
  #
2006
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
2007
- # directory bucket.
2016
+ # **General purpose buckets** - This value must be explicitly added to
2017
+ # specify encryption context for `CopyObject` requests if you want an
2018
+ # additional encryption context for your destination object. The
2019
+ # additional encryption context of the source object won't be copied
2020
+ # to the destination object. For more information, see [Encryption
2021
+ # context][1] in the *Amazon S3 User Guide*.
2008
2022
  #
2009
- # </note>
2023
+ # **Directory buckets** - You can optionally provide an explicit
2024
+ # encryption context value. The value must match the default
2025
+ # encryption context - the bucket Amazon Resource Name (ARN). An
2026
+ # additional encryption context value is not supported.
2027
+ #
2028
+ #
2029
+ #
2030
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
2010
2031
  # @return [String]
2011
2032
  #
2012
2033
  # @!attribute [rw] bucket_key_enabled
@@ -2023,14 +2044,19 @@ module Aws::S3
2023
2044
  # For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon
2024
2045
  # S3 User Guide*.
2025
2046
  #
2026
- # <note markdown="1"> This functionality is not supported when the destination bucket is a
2027
- # directory bucket.
2047
+ # <note markdown="1"> **Directory buckets** - S3 Bucket Keys aren't supported, when you
2048
+ # copy SSE-KMS encrypted objects from general purpose buckets to
2049
+ # directory buckets, from directory buckets to general purpose
2050
+ # buckets, or between directory buckets, through [CopyObject][2]. In
2051
+ # this case, Amazon S3 makes a call to KMS every time a copy request
2052
+ # is made for a KMS-encrypted object.
2028
2053
  #
2029
2054
  # </note>
2030
2055
  #
2031
2056
  #
2032
2057
  #
2033
2058
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
2059
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
2034
2060
  # @return [Boolean]
2035
2061
  #
2036
2062
  # @!attribute [rw] copy_source_sse_customer_algorithm
@@ -2247,7 +2273,7 @@ module Aws::S3
2247
2273
  # @return [Time]
2248
2274
  #
2249
2275
  # @!attribute [rw] checksum_crc32
2250
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
2276
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
2251
2277
  # only be present if it was uploaded with the object. For more
2252
2278
  # information, see [ Checking object integrity][1] in the *Amazon S3
2253
2279
  # User Guide*.
@@ -2258,7 +2284,7 @@ module Aws::S3
2258
2284
  # @return [String]
2259
2285
  #
2260
2286
  # @!attribute [rw] checksum_crc32c
2261
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
2287
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
2262
2288
  # only be present if it was uploaded with the object. For more
2263
2289
  # information, see [ Checking object integrity][1] in the *Amazon S3
2264
2290
  # User Guide*.
@@ -2314,7 +2340,7 @@ module Aws::S3
2314
2340
  # @return [Time]
2315
2341
  #
2316
2342
  # @!attribute [rw] checksum_crc32
2317
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
2343
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
2318
2344
  # only be present if it was uploaded with the object. When you use an
2319
2345
  # API operation on an object that was uploaded using multipart
2320
2346
  # uploads, this value may not be a direct checksum value of the full
@@ -2329,7 +2355,7 @@ module Aws::S3
2329
2355
  # @return [String]
2330
2356
  #
2331
2357
  # @!attribute [rw] checksum_crc32c
2332
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
2358
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
2333
2359
  # only be present if it was uploaded with the object. When you use an
2334
2360
  # API operation on an object that was uploaded using multipart
2335
2361
  # uploads, this value may not be a direct checksum value of the full
@@ -2642,11 +2668,6 @@ module Aws::S3
2642
2668
  # @!attribute [rw] server_side_encryption
2643
2669
  # The server-side encryption algorithm used when you store this object
2644
2670
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
2645
- #
2646
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
2647
- # managed keys (SSE-S3) (`AES256`) is supported.
2648
- #
2649
- # </note>
2650
2671
  # @return [String]
2651
2672
  #
2652
2673
  # @!attribute [rw] sse_customer_algorithm
@@ -2671,34 +2692,21 @@ module Aws::S3
2671
2692
  # @return [String]
2672
2693
  #
2673
2694
  # @!attribute [rw] ssekms_key_id
2674
- # If present, indicates the ID of the Key Management Service (KMS)
2675
- # symmetric encryption customer managed key that was used for the
2676
- # object.
2677
- #
2678
- # <note markdown="1"> This functionality is not supported for directory buckets.
2679
- #
2680
- # </note>
2695
+ # If present, indicates the ID of the KMS key that was used for object
2696
+ # encryption.
2681
2697
  # @return [String]
2682
2698
  #
2683
2699
  # @!attribute [rw] ssekms_encryption_context
2684
2700
  # If present, indicates the Amazon Web Services KMS Encryption Context
2685
2701
  # to use for object encryption. The value of this header is a
2686
- # base64-encoded UTF-8 string holding JSON with the encryption context
2687
- # key-value pairs.
2688
- #
2689
- # <note markdown="1"> This functionality is not supported for directory buckets.
2690
- #
2691
- # </note>
2702
+ # Base64-encoded string of a UTF-8 encoded JSON, which contains the
2703
+ # encryption context as key-value pairs.
2692
2704
  # @return [String]
2693
2705
  #
2694
2706
  # @!attribute [rw] bucket_key_enabled
2695
2707
  # Indicates whether the multipart upload uses an S3 Bucket Key for
2696
2708
  # server-side encryption with Key Management Service (KMS) keys
2697
2709
  # (SSE-KMS).
2698
- #
2699
- # <note markdown="1"> This functionality is not supported for directory buckets.
2700
- #
2701
- # </note>
2702
2710
  # @return [Boolean]
2703
2711
  #
2704
2712
  # @!attribute [rw] request_charged
@@ -3110,10 +3118,53 @@ module Aws::S3
3110
3118
  # The server-side encryption algorithm used when you store this object
3111
3119
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
3112
3120
  #
3113
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
3114
- # managed keys (SSE-S3) (`AES256`) is supported.
3121
+ # * <b>Directory buckets </b> - For directory buckets, there are only
3122
+ # two supported options for server-side encryption: server-side
3123
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
3124
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
3125
+ # recommend that the bucket's default encryption uses the desired
3126
+ # encryption configuration and you don't override the bucket
3127
+ # default encryption in your `CreateSession` requests or `PUT`
3128
+ # object requests. Then, new objects are automatically encrypted
3129
+ # with the desired encryption settings. For more information, see
3130
+ # [Protecting data with server-side encryption][1] in the *Amazon S3
3131
+ # User Guide*. For more information about the encryption overriding
3132
+ # behaviors in directory buckets, see [Specifying server-side
3133
+ # encryption with KMS for new object uploads][2].
3134
+ #
3135
+ # In the Zonal endpoint API calls (except [CopyObject][3] and
3136
+ # [UploadPartCopy][4]) using the REST API, the encryption request
3137
+ # headers must match the encryption settings that are specified in
3138
+ # the `CreateSession` request. You can't override the values of the
3139
+ # encryption settings (`x-amz-server-side-encryption`,
3140
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
3141
+ # `x-amz-server-side-encryption-context`, and
3142
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
3143
+ # specified in the `CreateSession` request. You don't need to
3144
+ # explicitly specify these encryption settings values in Zonal
3145
+ # endpoint API calls, and Amazon S3 will use the encryption settings
3146
+ # values from the `CreateSession` request to protect new objects in
3147
+ # the directory bucket.
3148
+ #
3149
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
3150
+ # `CreateSession`, the session token refreshes automatically to
3151
+ # avoid service interruptions when a session expires. The CLI or the
3152
+ # Amazon Web Services SDKs use the bucket's default encryption
3153
+ # configuration for the `CreateSession` request. It's not supported
3154
+ # to override the encryption settings values in the `CreateSession`
3155
+ # request. So in the Zonal endpoint API calls (except
3156
+ # [CopyObject][3] and [UploadPartCopy][4]), the encryption request
3157
+ # headers must match the default encryption configuration of the
3158
+ # directory bucket.
3115
3159
  #
3116
- # </note>
3160
+ # </note>
3161
+ #
3162
+ #
3163
+ #
3164
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3165
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
3166
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3167
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3117
3168
  # @return [String]
3118
3169
  #
3119
3170
  # @!attribute [rw] storage_class
@@ -3179,37 +3230,75 @@ module Aws::S3
3179
3230
  # @return [String]
3180
3231
  #
3181
3232
  # @!attribute [rw] ssekms_key_id
3182
- # Specifies the ID (Key ID, Key ARN, or Key Alias) of the symmetric
3183
- # encryption customer managed key to use for object encryption.
3233
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
3234
+ # object encryption. If the KMS key doesn't exist in the same account
3235
+ # that's issuing the command, you must use the full Key ARN not the
3236
+ # Key ID.
3237
+ #
3238
+ # **General purpose buckets** - If you specify
3239
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`,
3240
+ # this header specifies the ID (Key ID, Key ARN, or Key Alias) of the
3241
+ # KMS key to use. If you specify
3242
+ # `x-amz-server-side-encryption:aws:kms` or
3243
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
3244
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
3245
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
3184
3246
  #
3185
- # <note markdown="1"> This functionality is not supported for directory buckets.
3247
+ # **Directory buckets** - If you specify
3248
+ # `x-amz-server-side-encryption` with `aws:kms`, you must specify the
3249
+ # ` x-amz-server-side-encryption-aws-kms-key-id` header with the ID
3250
+ # (Key ID or Key ARN) of the KMS symmetric encryption customer managed
3251
+ # key to use. Otherwise, you get an HTTP `400 Bad Request` error. Only
3252
+ # use the key ID or key ARN. The key alias format of the KMS key
3253
+ # isn't supported. Your SSE-KMS configuration can only support 1
3254
+ # [customer managed key][1] per directory bucket for the lifetime of
3255
+ # the bucket. [Amazon Web Services managed key][2] (`aws/s3`) isn't
3256
+ # supported.
3186
3257
  #
3187
- # </note>
3258
+ #
3259
+ #
3260
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3261
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3188
3262
  # @return [String]
3189
3263
  #
3190
3264
  # @!attribute [rw] ssekms_encryption_context
3191
3265
  # Specifies the Amazon Web Services KMS Encryption Context to use for
3192
- # object encryption. The value of this header is a base64-encoded
3193
- # UTF-8 string holding JSON with the encryption context key-value
3194
- # pairs.
3195
- #
3196
- # <note markdown="1"> This functionality is not supported for directory buckets.
3266
+ # object encryption. The value of this header is a Base64-encoded
3267
+ # string of a UTF-8 encoded JSON, which contains the encryption
3268
+ # context as key-value pairs.
3197
3269
  #
3198
- # </note>
3270
+ # **Directory buckets** - You can optionally provide an explicit
3271
+ # encryption context value. The value must match the default
3272
+ # encryption context - the bucket Amazon Resource Name (ARN). An
3273
+ # additional encryption context value is not supported.
3199
3274
  # @return [String]
3200
3275
  #
3201
3276
  # @!attribute [rw] bucket_key_enabled
3202
3277
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
3203
3278
  # encryption with server-side encryption using Key Management Service
3204
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
3205
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
3279
+ # (KMS) keys (SSE-KMS).
3206
3280
  #
3207
- # Specifying this header with an object action doesn’t affect
3208
- # bucket-level settings for S3 Bucket Key.
3281
+ # **General purpose buckets** - Setting this header to `true` causes
3282
+ # Amazon S3 to use an S3 Bucket Key for object encryption with
3283
+ # SSE-KMS. Also, specifying this header with a PUT action doesn't
3284
+ # affect bucket-level settings for S3 Bucket Key.
3209
3285
  #
3210
- # <note markdown="1"> This functionality is not supported for directory buckets.
3286
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
3287
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
3288
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted
3289
+ # objects from general purpose buckets to directory buckets, from
3290
+ # directory buckets to general purpose buckets, or between directory
3291
+ # buckets, through [CopyObject][1], [UploadPartCopy][2], [the Copy
3292
+ # operation in Batch Operations][3], or [the import jobs][4]. In this
3293
+ # case, Amazon S3 makes a call to KMS every time a copy request is
3294
+ # made for a KMS-encrypted object.
3211
3295
  #
3212
- # </note>
3296
+ #
3297
+ #
3298
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3299
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3300
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
3301
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
3213
3302
  # @return [Boolean]
3214
3303
  #
3215
3304
  # @!attribute [rw] request_payer
@@ -3319,6 +3408,31 @@ module Aws::S3
3319
3408
  include Aws::Structure
3320
3409
  end
3321
3410
 
3411
+ # @!attribute [rw] server_side_encryption
3412
+ # The server-side encryption algorithm used when you store objects in
3413
+ # the directory bucket.
3414
+ # @return [String]
3415
+ #
3416
+ # @!attribute [rw] ssekms_key_id
3417
+ # If you specify `x-amz-server-side-encryption` with `aws:kms`, this
3418
+ # header indicates the ID of the KMS symmetric encryption customer
3419
+ # managed key that was used for object encryption.
3420
+ # @return [String]
3421
+ #
3422
+ # @!attribute [rw] ssekms_encryption_context
3423
+ # If present, indicates the Amazon Web Services KMS Encryption Context
3424
+ # to use for object encryption. The value of this header is a
3425
+ # Base64-encoded string of a UTF-8 encoded JSON, which contains the
3426
+ # encryption context as key-value pairs. This value is stored as
3427
+ # object metadata and automatically gets passed on to Amazon Web
3428
+ # Services KMS for future `GetObject` operations on this object.
3429
+ # @return [String]
3430
+ #
3431
+ # @!attribute [rw] bucket_key_enabled
3432
+ # Indicates whether to use an S3 Bucket Key for server-side encryption
3433
+ # with KMS keys (SSE-KMS).
3434
+ # @return [Boolean]
3435
+ #
3322
3436
  # @!attribute [rw] credentials
3323
3437
  # The established temporary security credentials for the created
3324
3438
  # session.
@@ -3327,8 +3441,12 @@ module Aws::S3
3327
3441
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/CreateSessionOutput AWS API Documentation
3328
3442
  #
3329
3443
  class CreateSessionOutput < Struct.new(
3444
+ :server_side_encryption,
3445
+ :ssekms_key_id,
3446
+ :ssekms_encryption_context,
3447
+ :bucket_key_enabled,
3330
3448
  :credentials)
3331
- SENSITIVE = []
3449
+ SENSITIVE = [:ssekms_key_id, :ssekms_encryption_context]
3332
3450
  include Aws::Structure
3333
3451
  end
3334
3452
 
@@ -3336,22 +3454,108 @@ module Aws::S3
3336
3454
  # Specifies the mode of the session that will be created, either
3337
3455
  # `ReadWrite` or `ReadOnly`. By default, a `ReadWrite` session is
3338
3456
  # created. A `ReadWrite` session is capable of executing all the Zonal
3339
- # endpoint APIs on a directory bucket. A `ReadOnly` session is
3340
- # constrained to execute the following Zonal endpoint APIs:
3341
- # `GetObject`, `HeadObject`, `ListObjectsV2`, `GetObjectAttributes`,
3342
- # `ListParts`, and `ListMultipartUploads`.
3457
+ # endpoint API operations on a directory bucket. A `ReadOnly` session
3458
+ # is constrained to execute the following Zonal endpoint API
3459
+ # operations: `GetObject`, `HeadObject`, `ListObjectsV2`,
3460
+ # `GetObjectAttributes`, `ListParts`, and `ListMultipartUploads`.
3343
3461
  # @return [String]
3344
3462
  #
3345
3463
  # @!attribute [rw] bucket
3346
3464
  # The name of the bucket that you create a session for.
3347
3465
  # @return [String]
3348
3466
  #
3467
+ # @!attribute [rw] server_side_encryption
3468
+ # The server-side encryption algorithm to use when you store objects
3469
+ # in the directory bucket.
3470
+ #
3471
+ # For directory buckets, there are only two supported options for
3472
+ # server-side encryption: server-side encryption with Amazon S3
3473
+ # managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
3474
+ # keys (SSE-KMS) (`aws:kms`). By default, Amazon S3 encrypts data with
3475
+ # SSE-S3. For more information, see [Protecting data with server-side
3476
+ # encryption][1] in the *Amazon S3 User Guide*.
3477
+ #
3478
+ #
3479
+ #
3480
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
3481
+ # @return [String]
3482
+ #
3483
+ # @!attribute [rw] ssekms_key_id
3484
+ # If you specify `x-amz-server-side-encryption` with `aws:kms`, you
3485
+ # must specify the ` x-amz-server-side-encryption-aws-kms-key-id`
3486
+ # header with the ID (Key ID or Key ARN) of the KMS symmetric
3487
+ # encryption customer managed key to use. Otherwise, you get an HTTP
3488
+ # `400 Bad Request` error. Only use the key ID or key ARN. The key
3489
+ # alias format of the KMS key isn't supported. Also, if the KMS key
3490
+ # doesn't exist in the same account that't issuing the command, you
3491
+ # must use the full Key ARN not the Key ID.
3492
+ #
3493
+ # Your SSE-KMS configuration can only support 1 [customer managed
3494
+ # key][1] per directory bucket for the lifetime of the bucket. [Amazon
3495
+ # Web Services managed key][2] (`aws/s3`) isn't supported.
3496
+ #
3497
+ #
3498
+ #
3499
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3500
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3501
+ # @return [String]
3502
+ #
3503
+ # @!attribute [rw] ssekms_encryption_context
3504
+ # Specifies the Amazon Web Services KMS Encryption Context as an
3505
+ # additional encryption context to use for object encryption. The
3506
+ # value of this header is a Base64-encoded string of a UTF-8 encoded
3507
+ # JSON, which contains the encryption context as key-value pairs. This
3508
+ # value is stored as object metadata and automatically gets passed on
3509
+ # to Amazon Web Services KMS for future `GetObject` operations on this
3510
+ # object.
3511
+ #
3512
+ # **General purpose buckets** - This value must be explicitly added
3513
+ # during `CopyObject` operations if you want an additional encryption
3514
+ # context for your object. For more information, see [Encryption
3515
+ # context][1] in the *Amazon S3 User Guide*.
3516
+ #
3517
+ # **Directory buckets** - You can optionally provide an explicit
3518
+ # encryption context value. The value must match the default
3519
+ # encryption context - the bucket Amazon Resource Name (ARN). An
3520
+ # additional encryption context value is not supported.
3521
+ #
3522
+ #
3523
+ #
3524
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
3525
+ # @return [String]
3526
+ #
3527
+ # @!attribute [rw] bucket_key_enabled
3528
+ # Specifies whether Amazon S3 should use an S3 Bucket Key for object
3529
+ # encryption with server-side encryption using KMS keys (SSE-KMS).
3530
+ #
3531
+ # S3 Bucket Keys are always enabled for `GET` and `PUT` operations in
3532
+ # a directory bucket and can’t be disabled. S3 Bucket Keys aren't
3533
+ # supported, when you copy SSE-KMS encrypted objects from general
3534
+ # purpose buckets to directory buckets, from directory buckets to
3535
+ # general purpose buckets, or between directory buckets, through
3536
+ # [CopyObject][1], [UploadPartCopy][2], [the Copy operation in Batch
3537
+ # Operations][3], or [the import jobs][4]. In this case, Amazon S3
3538
+ # makes a call to KMS every time a copy request is made for a
3539
+ # KMS-encrypted object.
3540
+ #
3541
+ #
3542
+ #
3543
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
3544
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
3545
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
3546
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
3547
+ # @return [Boolean]
3548
+ #
3349
3549
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/CreateSessionRequest AWS API Documentation
3350
3550
  #
3351
3551
  class CreateSessionRequest < Struct.new(
3352
3552
  :session_mode,
3353
- :bucket)
3354
- SENSITIVE = []
3553
+ :bucket,
3554
+ :server_side_encryption,
3555
+ :ssekms_key_id,
3556
+ :ssekms_encryption_context,
3557
+ :bucket_key_enabled)
3558
+ SENSITIVE = [:ssekms_key_id, :ssekms_encryption_context]
3355
3559
  include Aws::Structure
3356
3560
  end
3357
3561
 
@@ -3470,6 +3674,20 @@ module Aws::S3
3470
3674
  # @!attribute [rw] bucket
3471
3675
  # The name of the bucket containing the server-side encryption
3472
3676
  # configuration to delete.
3677
+ #
3678
+ # <b>Directory buckets </b> - When you use this operation with a
3679
+ # directory bucket, you must use path-style requests in the format
3680
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
3681
+ # Virtual-hosted-style requests aren't supported. Directory bucket
3682
+ # names must be unique in the chosen Availability Zone. Bucket names
3683
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
3684
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information
3685
+ # about bucket naming restrictions, see [Directory bucket naming
3686
+ # rules][1] in the *Amazon S3 User Guide*
3687
+ #
3688
+ #
3689
+ #
3690
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
3473
3691
  # @return [String]
3474
3692
  #
3475
3693
  # @!attribute [rw] expected_bucket_owner
@@ -3477,6 +3695,12 @@ module Aws::S3
3477
3695
  # you provide does not match the actual owner of the bucket, the
3478
3696
  # request fails with the HTTP status code `403 Forbidden` (access
3479
3697
  # denied).
3698
+ #
3699
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
3700
+ # operation. If you specify this header, the request fails with the
3701
+ # HTTP status code `501 Not Implemented`.
3702
+ #
3703
+ # </note>
3480
3704
  # @return [String]
3481
3705
  #
3482
3706
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/DeleteBucketEncryptionRequest AWS API Documentation
@@ -4190,13 +4414,13 @@ module Aws::S3
4190
4414
  # For the `x-amz-checksum-algorithm ` header, replace ` algorithm `
4191
4415
  # with the supported algorithm from the following list:
4192
4416
  #
4193
- # * CRC32
4417
+ # * `CRC32`
4194
4418
  #
4195
- # * CRC32C
4419
+ # * `CRC32C`
4196
4420
  #
4197
- # * SHA1
4421
+ # * `SHA1`
4198
4422
  #
4199
- # * SHA256
4423
+ # * `SHA256`
4200
4424
  #
4201
4425
  # For more information, see [Checking object integrity][1] in the
4202
4426
  # *Amazon S3 User Guide*.
@@ -5326,12 +5550,16 @@ module Aws::S3
5326
5550
  class EventBridgeConfiguration < Aws::EmptyStructure; end
5327
5551
 
5328
5552
  # Optional configuration to replicate existing source bucket objects.
5329
- # For more information, see [Replicating Existing Objects][1] in the
5553
+ #
5554
+ # <note markdown="1"> This parameter is no longer supported. To replicate existing objects,
5555
+ # see [Replicating existing objects with S3 Batch Replication][1] in the
5330
5556
  # *Amazon S3 User Guide*.
5331
5557
  #
5558
+ # </note>
5332
5559
  #
5333
5560
  #
5334
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-what-is-isnot-replicated.html#existing-object-replication
5561
+ #
5562
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-batch-replication-batch.html
5335
5563
  #
5336
5564
  # @!attribute [rw] status
5337
5565
  # Specifies whether Amazon S3 replicates existing source bucket
@@ -5595,6 +5823,20 @@ module Aws::S3
5595
5823
  # @!attribute [rw] bucket
5596
5824
  # The name of the bucket from which the server-side encryption
5597
5825
  # configuration is retrieved.
5826
+ #
5827
+ # <b>Directory buckets </b> - When you use this operation with a
5828
+ # directory bucket, you must use path-style requests in the format
5829
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
5830
+ # Virtual-hosted-style requests aren't supported. Directory bucket
5831
+ # names must be unique in the chosen Availability Zone. Bucket names
5832
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
5833
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information
5834
+ # about bucket naming restrictions, see [Directory bucket naming
5835
+ # rules][1] in the *Amazon S3 User Guide*
5836
+ #
5837
+ #
5838
+ #
5839
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
5598
5840
  # @return [String]
5599
5841
  #
5600
5842
  # @!attribute [rw] expected_bucket_owner
@@ -5602,6 +5844,12 @@ module Aws::S3
5602
5844
  # you provide does not match the actual owner of the bucket, the
5603
5845
  # request fails with the HTTP status code `403 Forbidden` (access
5604
5846
  # denied).
5847
+ #
5848
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
5849
+ # operation. If you specify this header, the request fails with the
5850
+ # HTTP status code `501 Not Implemented`.
5851
+ #
5852
+ # </note>
5605
5853
  # @return [String]
5606
5854
  #
5607
5855
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/GetBucketEncryptionRequest AWS API Documentation
@@ -5685,10 +5933,29 @@ module Aws::S3
5685
5933
  # Container for a lifecycle rule.
5686
5934
  # @return [Array<Types::LifecycleRule>]
5687
5935
  #
5936
+ # @!attribute [rw] transition_default_minimum_object_size
5937
+ # Indicates which default minimum object size behavior is applied to
5938
+ # the lifecycle configuration.
5939
+ #
5940
+ # * `all_storage_classes_128K` - Objects smaller than 128 KB will not
5941
+ # transition to any storage class by default.
5942
+ #
5943
+ # * `varies_by_storage_class` - Objects smaller than 128 KB will
5944
+ # transition to Glacier Flexible Retrieval or Glacier Deep Archive
5945
+ # storage classes. By default, all other storage classes will
5946
+ # prevent transitions smaller than 128 KB.
5947
+ #
5948
+ # To customize the minimum object size for any transition you can add
5949
+ # a filter that specifies a custom `ObjectSizeGreaterThan` or
5950
+ # `ObjectSizeLessThan` in the body of your transition rule. Custom
5951
+ # filters always take precedence over the default transition behavior.
5952
+ # @return [String]
5953
+ #
5688
5954
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/GetBucketLifecycleConfigurationOutput AWS API Documentation
5689
5955
  #
5690
5956
  class GetBucketLifecycleConfigurationOutput < Struct.new(
5691
- :rules)
5957
+ :rules,
5958
+ :transition_default_minimum_object_size)
5692
5959
  SENSITIVE = []
5693
5960
  include Aws::Structure
5694
5961
  end
@@ -6814,7 +7081,7 @@ module Aws::S3
6814
7081
  # @return [String]
6815
7082
  #
6816
7083
  # @!attribute [rw] checksum_crc32
6817
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
7084
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
6818
7085
  # only be present if it was uploaded with the object. For more
6819
7086
  # information, see [ Checking object integrity][1] in the *Amazon S3
6820
7087
  # User Guide*.
@@ -6825,7 +7092,7 @@ module Aws::S3
6825
7092
  # @return [String]
6826
7093
  #
6827
7094
  # @!attribute [rw] checksum_crc32c
6828
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
7095
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
6829
7096
  # only be present if it was uploaded with the object. For more
6830
7097
  # information, see [ Checking object integrity][1] in the *Amazon S3
6831
7098
  # User Guide*.
@@ -6923,12 +7190,7 @@ module Aws::S3
6923
7190
  #
6924
7191
  # @!attribute [rw] server_side_encryption
6925
7192
  # The server-side encryption algorithm used when you store this object
6926
- # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
6927
- #
6928
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
6929
- # managed keys (SSE-S3) (`AES256`) is supported.
6930
- #
6931
- # </note>
7193
+ # in Amazon S3.
6932
7194
  # @return [String]
6933
7195
  #
6934
7196
  # @!attribute [rw] metadata
@@ -6957,22 +7219,13 @@ module Aws::S3
6957
7219
  # @return [String]
6958
7220
  #
6959
7221
  # @!attribute [rw] ssekms_key_id
6960
- # If present, indicates the ID of the Key Management Service (KMS)
6961
- # symmetric encryption customer managed key that was used for the
6962
- # object.
6963
- #
6964
- # <note markdown="1"> This functionality is not supported for directory buckets.
6965
- #
6966
- # </note>
7222
+ # If present, indicates the ID of the KMS key that was used for object
7223
+ # encryption.
6967
7224
  # @return [String]
6968
7225
  #
6969
7226
  # @!attribute [rw] bucket_key_enabled
6970
7227
  # Indicates whether the object uses an S3 Bucket Key for server-side
6971
7228
  # encryption with Key Management Service (KMS) keys (SSE-KMS).
6972
- #
6973
- # <note markdown="1"> This functionality is not supported for directory buckets.
6974
- #
6975
- # </note>
6976
7229
  # @return [Boolean]
6977
7230
  #
6978
7231
  # @!attribute [rw] storage_class
@@ -7413,10 +7666,10 @@ module Aws::S3
7413
7666
  # @!attribute [rw] checksum_mode
7414
7667
  # To retrieve the checksum, this mode must be enabled.
7415
7668
  #
7416
- # In addition, if you enable checksum mode and the object is uploaded
7417
- # with a [checksum][1] and encrypted with an Key Management Service
7418
- # (KMS) key, you must have permission to use the `kms:Decrypt` action
7419
- # to retrieve the checksum.
7669
+ # **General purpose buckets** - In addition, if you enable checksum
7670
+ # mode and the object is uploaded with a [checksum][1] and encrypted
7671
+ # with an Key Management Service (KMS) key, you must have permission
7672
+ # to use the `kms:Decrypt` action to retrieve the checksum.
7420
7673
  #
7421
7674
  #
7422
7675
  #
@@ -8010,7 +8263,7 @@ module Aws::S3
8010
8263
  # @return [Integer]
8011
8264
  #
8012
8265
  # @!attribute [rw] checksum_crc32
8013
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
8266
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
8014
8267
  # only be present if it was uploaded with the object. When you use an
8015
8268
  # API operation on an object that was uploaded using multipart
8016
8269
  # uploads, this value may not be a direct checksum value of the full
@@ -8025,7 +8278,7 @@ module Aws::S3
8025
8278
  # @return [String]
8026
8279
  #
8027
8280
  # @!attribute [rw] checksum_crc32c
8028
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
8281
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
8029
8282
  # only be present if it was uploaded with the object. When you use an
8030
8283
  # API operation on an object that was uploaded using multipart
8031
8284
  # uploads, this value may not be a direct checksum value of the full
@@ -8137,11 +8390,6 @@ module Aws::S3
8137
8390
  # @!attribute [rw] server_side_encryption
8138
8391
  # The server-side encryption algorithm used when you store this object
8139
8392
  # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
8140
- #
8141
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
8142
- # managed keys (SSE-S3) (`AES256`) is supported.
8143
- #
8144
- # </note>
8145
8393
  # @return [String]
8146
8394
  #
8147
8395
  # @!attribute [rw] metadata
@@ -8170,22 +8418,13 @@ module Aws::S3
8170
8418
  # @return [String]
8171
8419
  #
8172
8420
  # @!attribute [rw] ssekms_key_id
8173
- # If present, indicates the ID of the Key Management Service (KMS)
8174
- # symmetric encryption customer managed key that was used for the
8175
- # object.
8176
- #
8177
- # <note markdown="1"> This functionality is not supported for directory buckets.
8178
- #
8179
- # </note>
8421
+ # If present, indicates the ID of the KMS key that was used for object
8422
+ # encryption.
8180
8423
  # @return [String]
8181
8424
  #
8182
8425
  # @!attribute [rw] bucket_key_enabled
8183
8426
  # Indicates whether the object uses an S3 Bucket Key for server-side
8184
8427
  # encryption with Key Management Service (KMS) keys (SSE-KMS).
8185
- #
8186
- # <note markdown="1"> This functionality is not supported for directory buckets.
8187
- #
8188
- # </note>
8189
8428
  # @return [Boolean]
8190
8429
  #
8191
8430
  # @!attribute [rw] storage_class
@@ -8587,10 +8826,16 @@ module Aws::S3
8587
8826
  # @!attribute [rw] checksum_mode
8588
8827
  # To retrieve the checksum, this parameter must be enabled.
8589
8828
  #
8590
- # In addition, if you enable checksum mode and the object is uploaded
8591
- # with a [checksum][1] and encrypted with an Key Management Service
8592
- # (KMS) key, you must have permission to use the `kms:Decrypt` action
8593
- # to retrieve the checksum.
8829
+ # **General purpose buckets** - If you enable checksum mode and the
8830
+ # object is uploaded with a [checksum][1] and encrypted with an Key
8831
+ # Management Service (KMS) key, you must have permission to use the
8832
+ # `kms:Decrypt` action to retrieve the checksum.
8833
+ #
8834
+ # **Directory buckets** - If you enable `ChecksumMode` and the object
8835
+ # is encrypted with Amazon Web Services Key Management Service (Amazon
8836
+ # Web Services KMS), you must also have the `kms:GenerateDataKey` and
8837
+ # `kms:Decrypt` permissions in IAM identity-based policies and KMS key
8838
+ # policies for the KMS key to retrieve the checksum of the object.
8594
8839
  #
8595
8840
  #
8596
8841
  #
@@ -11736,7 +11981,7 @@ module Aws::S3
11736
11981
  # @!attribute [rw] checksum_crc32
11737
11982
  # This header can be used as a data integrity check to verify that the
11738
11983
  # data received is the same data that was originally sent. This header
11739
- # specifies the base64-encoded, 32-bit CRC32 checksum of the object.
11984
+ # specifies the base64-encoded, 32-bit CRC-32 checksum of the object.
11740
11985
  # For more information, see [Checking object integrity][1] in the
11741
11986
  # *Amazon S3 User Guide*.
11742
11987
  #
@@ -11746,7 +11991,7 @@ module Aws::S3
11746
11991
  # @return [String]
11747
11992
  #
11748
11993
  # @!attribute [rw] checksum_crc32c
11749
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
11994
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
11750
11995
  # only be present if it was uploaded with the object. When you use an
11751
11996
  # API operation on an object that was uploaded using multipart
11752
11997
  # uploads, this value may not be a direct checksum value of the full
@@ -12036,7 +12281,7 @@ module Aws::S3
12036
12281
  # @!attribute [rw] checksum_crc32
12037
12282
  # This header can be used as a data integrity check to verify that the
12038
12283
  # data received is the same data that was originally sent. This header
12039
- # specifies the base64-encoded, 32-bit CRC32 checksum of the object.
12284
+ # specifies the base64-encoded, 32-bit CRC-32 checksum of the object.
12040
12285
  # For more information, see [Checking object integrity][1] in the
12041
12286
  # *Amazon S3 User Guide*.
12042
12287
  #
@@ -12046,7 +12291,7 @@ module Aws::S3
12046
12291
  # @return [String]
12047
12292
  #
12048
12293
  # @!attribute [rw] checksum_crc32c
12049
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
12294
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
12050
12295
  # only be present if it was uploaded with the object. When you use an
12051
12296
  # API operation on an object that was uploaded using multipart
12052
12297
  # uploads, this value may not be a direct checksum value of the full
@@ -12490,18 +12735,21 @@ module Aws::S3
12490
12735
 
12491
12736
  # @!attribute [rw] bucket
12492
12737
  # Specifies default encryption for a bucket using server-side
12493
- # encryption with different key options. By default, all buckets have
12494
- # a default encryption configuration that uses server-side encryption
12495
- # with Amazon S3 managed keys (SSE-S3). You can optionally configure
12496
- # default encryption for a bucket by using server-side encryption with
12497
- # an Amazon Web Services KMS key (SSE-KMS) or a customer-provided key
12498
- # (SSE-C). For information about the bucket default encryption
12499
- # feature, see [Amazon S3 Bucket Default Encryption][1] in the *Amazon
12500
- # S3 User Guide*.
12738
+ # encryption with different key options.
12739
+ #
12740
+ # <b>Directory buckets </b> - When you use this operation with a
12741
+ # directory bucket, you must use path-style requests in the format
12742
+ # `https://s3express-control.region_code.amazonaws.com/bucket-name `.
12743
+ # Virtual-hosted-style requests aren't supported. Directory bucket
12744
+ # names must be unique in the chosen Availability Zone. Bucket names
12745
+ # must also follow the format ` bucket_base_name--az_id--x-s3` (for
12746
+ # example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information
12747
+ # about bucket naming restrictions, see [Directory bucket naming
12748
+ # rules][1] in the *Amazon S3 User Guide*
12501
12749
  #
12502
12750
  #
12503
12751
  #
12504
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
12752
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
12505
12753
  # @return [String]
12506
12754
  #
12507
12755
  # @!attribute [rw] content_md5
@@ -12511,6 +12759,10 @@ module Aws::S3
12511
12759
  # For requests made using the Amazon Web Services Command Line
12512
12760
  # Interface (CLI) or Amazon Web Services SDKs, this field is
12513
12761
  # calculated automatically.
12762
+ #
12763
+ # <note markdown="1"> This functionality is not supported for directory buckets.
12764
+ #
12765
+ # </note>
12514
12766
  # @return [String]
12515
12767
  #
12516
12768
  # @!attribute [rw] checksum_algorithm
@@ -12525,6 +12777,12 @@ module Aws::S3
12525
12777
  # If you provide an individual checksum, Amazon S3 ignores any
12526
12778
  # provided `ChecksumAlgorithm` parameter.
12527
12779
  #
12780
+ # <note markdown="1"> For directory buckets, when you use Amazon Web Services SDKs,
12781
+ # `CRC32` is the default checksum algorithm that's used for
12782
+ # performance.
12783
+ #
12784
+ # </note>
12785
+ #
12528
12786
  #
12529
12787
  #
12530
12788
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
@@ -12539,6 +12797,12 @@ module Aws::S3
12539
12797
  # you provide does not match the actual owner of the bucket, the
12540
12798
  # request fails with the HTTP status code `403 Forbidden` (access
12541
12799
  # denied).
12800
+ #
12801
+ # <note markdown="1"> For directory buckets, this header is not supported in this API
12802
+ # operation. If you specify this header, the request fails with the
12803
+ # HTTP status code `501 Not Implemented`.
12804
+ #
12805
+ # </note>
12542
12806
  # @return [String]
12543
12807
  #
12544
12808
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/PutBucketEncryptionRequest AWS API Documentation
@@ -12607,6 +12871,32 @@ module Aws::S3
12607
12871
  include Aws::Structure
12608
12872
  end
12609
12873
 
12874
+ # @!attribute [rw] transition_default_minimum_object_size
12875
+ # Indicates which default minimum object size behavior is applied to
12876
+ # the lifecycle configuration.
12877
+ #
12878
+ # * `all_storage_classes_128K` - Objects smaller than 128 KB will not
12879
+ # transition to any storage class by default.
12880
+ #
12881
+ # * `varies_by_storage_class` - Objects smaller than 128 KB will
12882
+ # transition to Glacier Flexible Retrieval or Glacier Deep Archive
12883
+ # storage classes. By default, all other storage classes will
12884
+ # prevent transitions smaller than 128 KB.
12885
+ #
12886
+ # To customize the minimum object size for any transition you can add
12887
+ # a filter that specifies a custom `ObjectSizeGreaterThan` or
12888
+ # `ObjectSizeLessThan` in the body of your transition rule. Custom
12889
+ # filters always take precedence over the default transition behavior.
12890
+ # @return [String]
12891
+ #
12892
+ # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/PutBucketLifecycleConfigurationOutput AWS API Documentation
12893
+ #
12894
+ class PutBucketLifecycleConfigurationOutput < Struct.new(
12895
+ :transition_default_minimum_object_size)
12896
+ SENSITIVE = []
12897
+ include Aws::Structure
12898
+ end
12899
+
12610
12900
  # @!attribute [rw] bucket
12611
12901
  # The name of the bucket for which to set the configuration.
12612
12902
  # @return [String]
@@ -12639,13 +12929,32 @@ module Aws::S3
12639
12929
  # denied).
12640
12930
  # @return [String]
12641
12931
  #
12932
+ # @!attribute [rw] transition_default_minimum_object_size
12933
+ # Indicates which default minimum object size behavior is applied to
12934
+ # the lifecycle configuration.
12935
+ #
12936
+ # * `all_storage_classes_128K` - Objects smaller than 128 KB will not
12937
+ # transition to any storage class by default.
12938
+ #
12939
+ # * `varies_by_storage_class` - Objects smaller than 128 KB will
12940
+ # transition to Glacier Flexible Retrieval or Glacier Deep Archive
12941
+ # storage classes. By default, all other storage classes will
12942
+ # prevent transitions smaller than 128 KB.
12943
+ #
12944
+ # To customize the minimum object size for any transition you can add
12945
+ # a filter that specifies a custom `ObjectSizeGreaterThan` or
12946
+ # `ObjectSizeLessThan` in the body of your transition rule. Custom
12947
+ # filters always take precedence over the default transition behavior.
12948
+ # @return [String]
12949
+ #
12642
12950
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/PutBucketLifecycleConfigurationRequest AWS API Documentation
12643
12951
  #
12644
12952
  class PutBucketLifecycleConfigurationRequest < Struct.new(
12645
12953
  :bucket,
12646
12954
  :checksum_algorithm,
12647
12955
  :lifecycle_configuration,
12648
- :expected_bucket_owner)
12956
+ :expected_bucket_owner,
12957
+ :transition_default_minimum_object_size)
12649
12958
  SENSITIVE = []
12650
12959
  include Aws::Structure
12651
12960
  end
@@ -12944,13 +13253,13 @@ module Aws::S3
12944
13253
  # For the `x-amz-checksum-algorithm ` header, replace ` algorithm `
12945
13254
  # with the supported algorithm from the following list:
12946
13255
  #
12947
- # * CRC32
13256
+ # * `CRC32`
12948
13257
  #
12949
- # * CRC32C
13258
+ # * `CRC32C`
12950
13259
  #
12951
- # * SHA1
13260
+ # * `SHA1`
12952
13261
  #
12953
- # * SHA256
13262
+ # * `SHA256`
12954
13263
  #
12955
13264
  # For more information, see [Checking object integrity][1] in the
12956
13265
  # *Amazon S3 User Guide*.
@@ -13746,7 +14055,7 @@ module Aws::S3
13746
14055
  # @return [String]
13747
14056
  #
13748
14057
  # @!attribute [rw] checksum_crc32
13749
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
14058
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
13750
14059
  # only be present if it was uploaded with the object. When you use an
13751
14060
  # API operation on an object that was uploaded using multipart
13752
14061
  # uploads, this value may not be a direct checksum value of the full
@@ -13761,7 +14070,7 @@ module Aws::S3
13761
14070
  # @return [String]
13762
14071
  #
13763
14072
  # @!attribute [rw] checksum_crc32c
13764
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
14073
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
13765
14074
  # only be present if it was uploaded with the object. When you use an
13766
14075
  # API operation on an object that was uploaded using multipart
13767
14076
  # uploads, this value may not be a direct checksum value of the full
@@ -13807,12 +14116,7 @@ module Aws::S3
13807
14116
  #
13808
14117
  # @!attribute [rw] server_side_encryption
13809
14118
  # The server-side encryption algorithm used when you store this object
13810
- # in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`).
13811
- #
13812
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
13813
- # managed keys (SSE-S3) (`AES256`) is supported.
13814
- #
13815
- # </note>
14119
+ # in Amazon S3.
13816
14120
  # @return [String]
13817
14121
  #
13818
14122
  # @!attribute [rw] version_id
@@ -13860,37 +14164,23 @@ module Aws::S3
13860
14164
  # @return [String]
13861
14165
  #
13862
14166
  # @!attribute [rw] ssekms_key_id
13863
- # If `x-amz-server-side-encryption` has a valid value of `aws:kms` or
13864
- # `aws:kms:dsse`, this header indicates the ID of the Key Management
13865
- # Service (KMS) symmetric encryption customer managed key that was
13866
- # used for the object.
13867
- #
13868
- # <note markdown="1"> This functionality is not supported for directory buckets.
13869
- #
13870
- # </note>
14167
+ # If present, indicates the ID of the KMS key that was used for object
14168
+ # encryption.
13871
14169
  # @return [String]
13872
14170
  #
13873
14171
  # @!attribute [rw] ssekms_encryption_context
13874
14172
  # If present, indicates the Amazon Web Services KMS Encryption Context
13875
14173
  # to use for object encryption. The value of this header is a
13876
- # base64-encoded UTF-8 string holding JSON with the encryption context
13877
- # key-value pairs. This value is stored as object metadata and
13878
- # automatically gets passed on to Amazon Web Services KMS for future
13879
- # `GetObject` or `CopyObject` operations on this object.
13880
- #
13881
- # <note markdown="1"> This functionality is not supported for directory buckets.
13882
- #
13883
- # </note>
14174
+ # Base64-encoded string of a UTF-8 encoded JSON, which contains the
14175
+ # encryption context as key-value pairs. This value is stored as
14176
+ # object metadata and automatically gets passed on to Amazon Web
14177
+ # Services KMS for future `GetObject` operations on this object.
13884
14178
  # @return [String]
13885
14179
  #
13886
14180
  # @!attribute [rw] bucket_key_enabled
13887
14181
  # Indicates whether the uploaded object uses an S3 Bucket Key for
13888
14182
  # server-side encryption with Key Management Service (KMS) keys
13889
14183
  # (SSE-KMS).
13890
- #
13891
- # <note markdown="1"> This functionality is not supported for directory buckets.
13892
- #
13893
- # </note>
13894
14184
  # @return [Boolean]
13895
14185
  #
13896
14186
  # @!attribute [rw] request_charged
@@ -14105,13 +14395,13 @@ module Aws::S3
14105
14395
  # For the `x-amz-checksum-algorithm ` header, replace ` algorithm `
14106
14396
  # with the supported algorithm from the following list:
14107
14397
  #
14108
- # * CRC32
14398
+ # * `CRC32`
14109
14399
  #
14110
- # * CRC32C
14400
+ # * `CRC32C`
14111
14401
  #
14112
- # * SHA1
14402
+ # * `SHA1`
14113
14403
  #
14114
- # * SHA256
14404
+ # * `SHA256`
14115
14405
  #
14116
14406
  # For more information, see [Checking object integrity][1] in the
14117
14407
  # *Amazon S3 User Guide*.
@@ -14137,7 +14427,7 @@ module Aws::S3
14137
14427
  # @!attribute [rw] checksum_crc32
14138
14428
  # This header can be used as a data integrity check to verify that the
14139
14429
  # data received is the same data that was originally sent. This header
14140
- # specifies the base64-encoded, 32-bit CRC32 checksum of the object.
14430
+ # specifies the base64-encoded, 32-bit CRC-32 checksum of the object.
14141
14431
  # For more information, see [Checking object integrity][1] in the
14142
14432
  # *Amazon S3 User Guide*.
14143
14433
  #
@@ -14149,7 +14439,7 @@ module Aws::S3
14149
14439
  # @!attribute [rw] checksum_crc32c
14150
14440
  # This header can be used as a data integrity check to verify that the
14151
14441
  # data received is the same data that was originally sent. This header
14152
- # specifies the base64-encoded, 32-bit CRC32C checksum of the object.
14442
+ # specifies the base64-encoded, 32-bit CRC-32C checksum of the object.
14153
14443
  # For more information, see [Checking object integrity][1] in the
14154
14444
  # *Amazon S3 User Guide*.
14155
14445
  #
@@ -14266,25 +14556,66 @@ module Aws::S3
14266
14556
  # this object in Amazon S3 (for example, `AES256`, `aws:kms`,
14267
14557
  # `aws:kms:dsse`).
14268
14558
  #
14269
- # <b>General purpose buckets </b> - You have four mutually exclusive
14270
- # options to protect data using server-side encryption in Amazon S3,
14271
- # depending on how you choose to manage the encryption keys.
14272
- # Specifically, the encryption key options are Amazon S3 managed keys
14273
- # (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
14274
- # customer-provided keys (SSE-C). Amazon S3 encrypts data with
14275
- # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
14276
- # default. You can optionally tell Amazon S3 to encrypt data at rest
14277
- # by using server-side encryption with other key options. For more
14278
- # information, see [Using Server-Side Encryption][1] in the *Amazon S3
14279
- # User Guide*.
14559
+ # * <b>General purpose buckets </b> - You have four mutually exclusive
14560
+ # options to protect data using server-side encryption in Amazon S3,
14561
+ # depending on how you choose to manage the encryption keys.
14562
+ # Specifically, the encryption key options are Amazon S3 managed
14563
+ # keys (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS),
14564
+ # and customer-provided keys (SSE-C). Amazon S3 encrypts data with
14565
+ # server-side encryption by using Amazon S3 managed keys (SSE-S3) by
14566
+ # default. You can optionally tell Amazon S3 to encrypt data at rest
14567
+ # by using server-side encryption with other key options. For more
14568
+ # information, see [Using Server-Side Encryption][1] in the *Amazon
14569
+ # S3 User Guide*.
14570
+ #
14571
+ # * <b>Directory buckets </b> - For directory buckets, there are only
14572
+ # two supported options for server-side encryption: server-side
14573
+ # encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
14574
+ # server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
14575
+ # recommend that the bucket's default encryption uses the desired
14576
+ # encryption configuration and you don't override the bucket
14577
+ # default encryption in your `CreateSession` requests or `PUT`
14578
+ # object requests. Then, new objects are automatically encrypted
14579
+ # with the desired encryption settings. For more information, see
14580
+ # [Protecting data with server-side encryption][2] in the *Amazon S3
14581
+ # User Guide*. For more information about the encryption overriding
14582
+ # behaviors in directory buckets, see [Specifying server-side
14583
+ # encryption with KMS for new object uploads][3].
14584
+ #
14585
+ # In the Zonal endpoint API calls (except [CopyObject][4] and
14586
+ # [UploadPartCopy][5]) using the REST API, the encryption request
14587
+ # headers must match the encryption settings that are specified in
14588
+ # the `CreateSession` request. You can't override the values of the
14589
+ # encryption settings (`x-amz-server-side-encryption`,
14590
+ # `x-amz-server-side-encryption-aws-kms-key-id`,
14591
+ # `x-amz-server-side-encryption-context`, and
14592
+ # `x-amz-server-side-encryption-bucket-key-enabled`) that are
14593
+ # specified in the `CreateSession` request. You don't need to
14594
+ # explicitly specify these encryption settings values in Zonal
14595
+ # endpoint API calls, and Amazon S3 will use the encryption settings
14596
+ # values from the `CreateSession` request to protect new objects in
14597
+ # the directory bucket.
14598
+ #
14599
+ # <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
14600
+ # `CreateSession`, the session token refreshes automatically to
14601
+ # avoid service interruptions when a session expires. The CLI or the
14602
+ # Amazon Web Services SDKs use the bucket's default encryption
14603
+ # configuration for the `CreateSession` request. It's not supported
14604
+ # to override the encryption settings values in the `CreateSession`
14605
+ # request. So in the Zonal endpoint API calls (except
14606
+ # [CopyObject][4] and [UploadPartCopy][5]), the encryption request
14607
+ # headers must match the default encryption configuration of the
14608
+ # directory bucket.
14280
14609
  #
14281
- # <b>Directory buckets </b> - For directory buckets, only the
14282
- # server-side encryption with Amazon S3 managed keys (SSE-S3)
14283
- # (`AES256`) value is supported.
14610
+ # </note>
14284
14611
  #
14285
14612
  #
14286
14613
  #
14287
14614
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
14615
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
14616
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
14617
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
14618
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
14288
14619
  # @return [String]
14289
14620
  #
14290
14621
  # @!attribute [rw] storage_class
@@ -14370,48 +14701,87 @@ module Aws::S3
14370
14701
  # @return [String]
14371
14702
  #
14372
14703
  # @!attribute [rw] ssekms_key_id
14373
- # If `x-amz-server-side-encryption` has a valid value of `aws:kms` or
14374
- # `aws:kms:dsse`, this header specifies the ID (Key ID, Key ARN, or
14375
- # Key Alias) of the Key Management Service (KMS) symmetric encryption
14376
- # customer managed key that was used for the object. If you specify
14704
+ # Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
14705
+ # object encryption. If the KMS key doesn't exist in the same account
14706
+ # that's issuing the command, you must use the full Key ARN not the
14707
+ # Key ID.
14708
+ #
14709
+ # **General purpose buckets** - If you specify
14710
+ # `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`,
14711
+ # this header specifies the ID (Key ID, Key ARN, or Key Alias) of the
14712
+ # KMS key to use. If you specify
14377
14713
  # `x-amz-server-side-encryption:aws:kms` or
14378
- # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide`
14379
- # x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
14380
- # Amazon Web Services managed key (`aws/s3`) to protect the data. If
14381
- # the KMS key does not exist in the same account that's issuing the
14382
- # command, you must use the full ARN and not just the ID.
14714
+ # `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
14715
+ # `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
14716
+ # Amazon Web Services managed key (`aws/s3`) to protect the data.
14383
14717
  #
14384
- # <note markdown="1"> This functionality is not supported for directory buckets.
14718
+ # **Directory buckets** - If you specify
14719
+ # `x-amz-server-side-encryption` with `aws:kms`, you must specify the
14720
+ # ` x-amz-server-side-encryption-aws-kms-key-id` header with the ID
14721
+ # (Key ID or Key ARN) of the KMS symmetric encryption customer managed
14722
+ # key to use. Otherwise, you get an HTTP `400 Bad Request` error. Only
14723
+ # use the key ID or key ARN. The key alias format of the KMS key
14724
+ # isn't supported. Your SSE-KMS configuration can only support 1
14725
+ # [customer managed key][1] per directory bucket for the lifetime of
14726
+ # the bucket. [Amazon Web Services managed key][2] (`aws/s3`) isn't
14727
+ # supported.
14385
14728
  #
14386
- # </note>
14729
+ #
14730
+ #
14731
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
14732
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
14387
14733
  # @return [String]
14388
14734
  #
14389
14735
  # @!attribute [rw] ssekms_encryption_context
14390
- # Specifies the Amazon Web Services KMS Encryption Context to use for
14391
- # object encryption. The value of this header is a base64-encoded
14392
- # UTF-8 string holding JSON with the encryption context key-value
14393
- # pairs. This value is stored as object metadata and automatically
14394
- # gets passed on to Amazon Web Services KMS for future `GetObject` or
14395
- # `CopyObject` operations on this object. This value must be
14396
- # explicitly added during `CopyObject` operations.
14736
+ # Specifies the Amazon Web Services KMS Encryption Context as an
14737
+ # additional encryption context to use for object encryption. The
14738
+ # value of this header is a Base64-encoded string of a UTF-8 encoded
14739
+ # JSON, which contains the encryption context as key-value pairs. This
14740
+ # value is stored as object metadata and automatically gets passed on
14741
+ # to Amazon Web Services KMS for future `GetObject` operations on this
14742
+ # object.
14397
14743
  #
14398
- # <note markdown="1"> This functionality is not supported for directory buckets.
14744
+ # **General purpose buckets** - This value must be explicitly added
14745
+ # during `CopyObject` operations if you want an additional encryption
14746
+ # context for your object. For more information, see [Encryption
14747
+ # context][1] in the *Amazon S3 User Guide*.
14399
14748
  #
14400
- # </note>
14749
+ # **Directory buckets** - You can optionally provide an explicit
14750
+ # encryption context value. The value must match the default
14751
+ # encryption context - the bucket Amazon Resource Name (ARN). An
14752
+ # additional encryption context value is not supported.
14753
+ #
14754
+ #
14755
+ #
14756
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
14401
14757
  # @return [String]
14402
14758
  #
14403
14759
  # @!attribute [rw] bucket_key_enabled
14404
14760
  # Specifies whether Amazon S3 should use an S3 Bucket Key for object
14405
14761
  # encryption with server-side encryption using Key Management Service
14406
- # (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3
14407
- # to use an S3 Bucket Key for object encryption with SSE-KMS.
14762
+ # (KMS) keys (SSE-KMS).
14408
14763
  #
14409
- # Specifying this header with a PUT action doesn’t affect bucket-level
14410
- # settings for S3 Bucket Key.
14764
+ # **General purpose buckets** - Setting this header to `true` causes
14765
+ # Amazon S3 to use an S3 Bucket Key for object encryption with
14766
+ # SSE-KMS. Also, specifying this header with a PUT action doesn't
14767
+ # affect bucket-level settings for S3 Bucket Key.
14411
14768
  #
14412
- # <note markdown="1"> This functionality is not supported for directory buckets.
14769
+ # **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
14770
+ # and `PUT` operations in a directory bucket and can’t be disabled. S3
14771
+ # Bucket Keys aren't supported, when you copy SSE-KMS encrypted
14772
+ # objects from general purpose buckets to directory buckets, from
14773
+ # directory buckets to general purpose buckets, or between directory
14774
+ # buckets, through [CopyObject][1], [UploadPartCopy][2], [the Copy
14775
+ # operation in Batch Operations][3], or [the import jobs][4]. In this
14776
+ # case, Amazon S3 makes a call to KMS every time a copy request is
14777
+ # made for a KMS-encrypted object.
14413
14778
  #
14414
- # </note>
14779
+ #
14780
+ #
14781
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
14782
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
14783
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
14784
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
14415
14785
  # @return [Boolean]
14416
14786
  #
14417
14787
  # @!attribute [rw] request_payer
@@ -15125,12 +15495,16 @@ module Aws::S3
15125
15495
  #
15126
15496
  # @!attribute [rw] existing_object_replication
15127
15497
  # Optional configuration to replicate existing source bucket objects.
15128
- # For more information, see [Replicating Existing Objects][1] in the
15129
- # *Amazon S3 User Guide*.
15498
+ #
15499
+ # <note markdown="1"> This parameter is no longer supported. To replicate existing
15500
+ # objects, see [Replicating existing objects with S3 Batch
15501
+ # Replication][1] in the *Amazon S3 User Guide*.
15502
+ #
15503
+ # </note>
15130
15504
  #
15131
15505
  #
15132
15506
  #
15133
- # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-what-is-isnot-replicated.html#existing-object-replication
15507
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-batch-replication-batch.html
15134
15508
  # @return [Types::ExistingObjectReplication]
15135
15509
  #
15136
15510
  # @!attribute [rw] destination
@@ -16002,35 +16376,51 @@ module Aws::S3
16002
16376
 
16003
16377
  # Describes the default server-side encryption to apply to new objects
16004
16378
  # in the bucket. If a PUT Object request doesn't specify any
16005
- # server-side encryption, this default encryption will be applied. If
16006
- # you don't specify a customer managed key at configuration, Amazon S3
16007
- # automatically creates an Amazon Web Services KMS key in your Amazon
16008
- # Web Services account the first time that you add an object encrypted
16009
- # with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for
16010
- # SSE-KMS. For more information, see [PUT Bucket encryption][1] in the
16011
- # *Amazon S3 API Reference*.
16379
+ # server-side encryption, this default encryption will be applied. For
16380
+ # more information, see [PutBucketEncryption][1].
16012
16381
  #
16013
- # <note markdown="1"> If you're specifying a customer managed KMS key, we recommend using a
16014
- # fully qualified KMS key ARN. If you use a KMS key alias instead, then
16015
- # KMS resolves the key within the requester’s account. This behavior can
16016
- # result in data that's encrypted with a KMS key that belongs to the
16017
- # requester, and not the bucket owner.
16382
+ # <note markdown="1"> * **General purpose buckets** - If you don't specify a customer
16383
+ # managed key at configuration, Amazon S3 automatically creates an
16384
+ # Amazon Web Services KMS key (`aws/s3`) in your Amazon Web Services
16385
+ # account the first time that you add an object encrypted with SSE-KMS
16386
+ # to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS.
16387
+ #
16388
+ # * **Directory buckets** - Your SSE-KMS configuration can only support
16389
+ # 1 [customer managed key][2] per directory bucket for the lifetime of
16390
+ # the bucket. [Amazon Web Services managed key][3] (`aws/s3`) isn't
16391
+ # supported.
16392
+ #
16393
+ # * **Directory buckets** - For directory buckets, there are only two
16394
+ # supported options for server-side encryption: SSE-S3 and SSE-KMS.
16018
16395
  #
16019
16396
  # </note>
16020
16397
  #
16021
16398
  #
16022
16399
  #
16023
16400
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html
16401
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
16402
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
16024
16403
  #
16025
16404
  # @!attribute [rw] sse_algorithm
16026
16405
  # Server-side encryption algorithm to use for the default encryption.
16406
+ #
16407
+ # <note markdown="1"> For directory buckets, there are only two supported values for
16408
+ # server-side encryption: `AES256` and `aws:kms`.
16409
+ #
16410
+ # </note>
16027
16411
  # @return [String]
16028
16412
  #
16029
16413
  # @!attribute [rw] kms_master_key_id
16030
- # Amazon Web Services Key Management Service (KMS) customer Amazon Web
16031
- # Services KMS key ID to use for the default encryption. This
16032
- # parameter is allowed if and only if `SSEAlgorithm` is set to
16033
- # `aws:kms` or `aws:kms:dsse`.
16414
+ # Amazon Web Services Key Management Service (KMS) customer managed
16415
+ # key ID to use for the default encryption.
16416
+ #
16417
+ # <note markdown="1"> * **General purpose buckets** - This parameter is allowed if and
16418
+ # only if `SSEAlgorithm` is set to `aws:kms` or `aws:kms:dsse`.
16419
+ #
16420
+ # * **Directory buckets** - This parameter is allowed if and only if
16421
+ # `SSEAlgorithm` is set to `aws:kms`.
16422
+ #
16423
+ # </note>
16034
16424
  #
16035
16425
  # You can specify the key ID, key alias, or the Amazon Resource Name
16036
16426
  # (ARN) of the KMS key.
@@ -16042,22 +16432,36 @@ module Aws::S3
16042
16432
  #
16043
16433
  # * Key Alias: `alias/alias-name`
16044
16434
  #
16045
- # If you use a key ID, you can run into a LogDestination undeliverable
16046
- # error when creating a VPC flow log.
16047
- #
16048
16435
  # If you are using encryption with cross-account or Amazon Web
16049
- # Services service operations you must use a fully qualified KMS key
16436
+ # Services service operations, you must use a fully qualified KMS key
16050
16437
  # ARN. For more information, see [Using encryption for cross-account
16051
16438
  # operations][1].
16052
16439
  #
16440
+ # <note markdown="1"> * **General purpose buckets** - If you're specifying a customer
16441
+ # managed KMS key, we recommend using a fully qualified KMS key ARN.
16442
+ # If you use a KMS key alias instead, then KMS resolves the key
16443
+ # within the requester’s account. This behavior can result in data
16444
+ # that's encrypted with a KMS key that belongs to the requester,
16445
+ # and not the bucket owner. Also, if you use a key ID, you can run
16446
+ # into a LogDestination undeliverable error when creating a VPC flow
16447
+ # log.
16448
+ #
16449
+ # * **Directory buckets** - When you specify an [KMS customer managed
16450
+ # key][2] for encryption in your directory bucket, only use the key
16451
+ # ID or key ARN. The key alias format of the KMS key isn't
16452
+ # supported.
16453
+ #
16454
+ # </note>
16455
+ #
16053
16456
  # Amazon S3 only supports symmetric encryption KMS keys. For more
16054
- # information, see [Asymmetric keys in Amazon Web Services KMS][2] in
16457
+ # information, see [Asymmetric keys in Amazon Web Services KMS][3] in
16055
16458
  # the *Amazon Web Services Key Management Service Developer Guide*.
16056
16459
  #
16057
16460
  #
16058
16461
  #
16059
16462
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy
16060
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
16463
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
16464
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
16061
16465
  # @return [String]
16062
16466
  #
16063
16467
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/ServerSideEncryptionByDefault AWS API Documentation
@@ -16086,14 +16490,23 @@ module Aws::S3
16086
16490
 
16087
16491
  # Specifies the default server-side encryption configuration.
16088
16492
  #
16089
- # <note markdown="1"> If you're specifying a customer managed KMS key, we recommend using a
16090
- # fully qualified KMS key ARN. If you use a KMS key alias instead, then
16091
- # KMS resolves the key within the requester’s account. This behavior can
16092
- # result in data that's encrypted with a KMS key that belongs to the
16093
- # requester, and not the bucket owner.
16493
+ # <note markdown="1"> * **General purpose buckets** - If you're specifying a customer
16494
+ # managed KMS key, we recommend using a fully qualified KMS key ARN.
16495
+ # If you use a KMS key alias instead, then KMS resolves the key within
16496
+ # the requester’s account. This behavior can result in data that's
16497
+ # encrypted with a KMS key that belongs to the requester, and not the
16498
+ # bucket owner.
16499
+ #
16500
+ # * **Directory buckets** - When you specify an [KMS customer managed
16501
+ # key][1] for encryption in your directory bucket, only use the key ID
16502
+ # or key ARN. The key alias format of the KMS key isn't supported.
16094
16503
  #
16095
16504
  # </note>
16096
16505
  #
16506
+ #
16507
+ #
16508
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
16509
+ #
16097
16510
  # @!attribute [rw] apply_server_side_encryption_by_default
16098
16511
  # Specifies the default server-side encryption to apply to new objects
16099
16512
  # in the bucket. If a PUT Object request doesn't specify any
@@ -16105,14 +16518,31 @@ module Aws::S3
16105
16518
  # server-side encryption using KMS (SSE-KMS) for new objects in the
16106
16519
  # bucket. Existing objects are not affected. Setting the
16107
16520
  # `BucketKeyEnabled` element to `true` causes Amazon S3 to use an S3
16108
- # Bucket Key. By default, S3 Bucket Key is not enabled.
16521
+ # Bucket Key.
16109
16522
  #
16110
- # For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon
16111
- # S3 User Guide*.
16523
+ # <note markdown="1"> * **General purpose buckets** - By default, S3 Bucket Key is not
16524
+ # enabled. For more information, see [Amazon S3 Bucket Keys][1] in
16525
+ # the *Amazon S3 User Guide*.
16526
+ #
16527
+ # * **Directory buckets** - S3 Bucket Keys are always enabled for
16528
+ # `GET` and `PUT` operations in a directory bucket and can’t be
16529
+ # disabled. S3 Bucket Keys aren't supported, when you copy SSE-KMS
16530
+ # encrypted objects from general purpose buckets to directory
16531
+ # buckets, from directory buckets to general purpose buckets, or
16532
+ # between directory buckets, through [CopyObject][2],
16533
+ # [UploadPartCopy][3], [the Copy operation in Batch Operations][4],
16534
+ # or [the import jobs][5]. In this case, Amazon S3 makes a call to
16535
+ # KMS every time a copy request is made for a KMS-encrypted object.
16536
+ #
16537
+ # </note>
16112
16538
  #
16113
16539
  #
16114
16540
  #
16115
16541
  # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
16542
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
16543
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
16544
+ # [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
16545
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
16116
16546
  # @return [Boolean]
16117
16547
  #
16118
16548
  # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/ServerSideEncryptionRule AWS API Documentation
@@ -16127,8 +16557,8 @@ module Aws::S3
16127
16557
  # The established temporary security credentials of the session.
16128
16558
  #
16129
16559
  # <note markdown="1"> **Directory buckets** - These session credentials are only supported
16130
- # for the authentication and authorization of Zonal endpoint APIs on
16131
- # directory buckets.
16560
+ # for the authentication and authorization of Zonal endpoint API
16561
+ # operations on directory buckets.
16132
16562
  #
16133
16563
  # </note>
16134
16564
  #
@@ -16562,11 +16992,6 @@ module Aws::S3
16562
16992
  # @!attribute [rw] server_side_encryption
16563
16993
  # The server-side encryption algorithm used when you store this object
16564
16994
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
16565
- #
16566
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
16567
- # managed keys (SSE-S3) (`AES256`) is supported.
16568
- #
16569
- # </note>
16570
16995
  # @return [String]
16571
16996
  #
16572
16997
  # @!attribute [rw] sse_customer_algorithm
@@ -16591,23 +17016,14 @@ module Aws::S3
16591
17016
  # @return [String]
16592
17017
  #
16593
17018
  # @!attribute [rw] ssekms_key_id
16594
- # If present, indicates the ID of the Key Management Service (KMS)
16595
- # symmetric encryption customer managed key that was used for the
16596
- # object.
16597
- #
16598
- # <note markdown="1"> This functionality is not supported for directory buckets.
16599
- #
16600
- # </note>
17019
+ # If present, indicates the ID of the KMS key that was used for object
17020
+ # encryption.
16601
17021
  # @return [String]
16602
17022
  #
16603
17023
  # @!attribute [rw] bucket_key_enabled
16604
17024
  # Indicates whether the multipart upload uses an S3 Bucket Key for
16605
17025
  # server-side encryption with Key Management Service (KMS) keys
16606
17026
  # (SSE-KMS).
16607
- #
16608
- # <note markdown="1"> This functionality is not supported for directory buckets.
16609
- #
16610
- # </note>
16611
17027
  # @return [Boolean]
16612
17028
  #
16613
17029
  # @!attribute [rw] request_charged
@@ -16958,11 +17374,6 @@ module Aws::S3
16958
17374
  # @!attribute [rw] server_side_encryption
16959
17375
  # The server-side encryption algorithm used when you store this object
16960
17376
  # in Amazon S3 (for example, `AES256`, `aws:kms`).
16961
- #
16962
- # <note markdown="1"> For directory buckets, only server-side encryption with Amazon S3
16963
- # managed keys (SSE-S3) (`AES256`) is supported.
16964
- #
16965
- # </note>
16966
17377
  # @return [String]
16967
17378
  #
16968
17379
  # @!attribute [rw] etag
@@ -16970,7 +17381,7 @@ module Aws::S3
16970
17381
  # @return [String]
16971
17382
  #
16972
17383
  # @!attribute [rw] checksum_crc32
16973
- # The base64-encoded, 32-bit CRC32 checksum of the object. This will
17384
+ # The base64-encoded, 32-bit CRC-32 checksum of the object. This will
16974
17385
  # only be present if it was uploaded with the object. When you use an
16975
17386
  # API operation on an object that was uploaded using multipart
16976
17387
  # uploads, this value may not be a direct checksum value of the full
@@ -16985,7 +17396,7 @@ module Aws::S3
16985
17396
  # @return [String]
16986
17397
  #
16987
17398
  # @!attribute [rw] checksum_crc32c
16988
- # The base64-encoded, 32-bit CRC32C checksum of the object. This will
17399
+ # The base64-encoded, 32-bit CRC-32C checksum of the object. This will
16989
17400
  # only be present if it was uploaded with the object. When you use an
16990
17401
  # API operation on an object that was uploaded using multipart
16991
17402
  # uploads, this value may not be a direct checksum value of the full
@@ -17051,23 +17462,14 @@ module Aws::S3
17051
17462
  # @return [String]
17052
17463
  #
17053
17464
  # @!attribute [rw] ssekms_key_id
17054
- # If present, indicates the ID of the Key Management Service (KMS)
17055
- # symmetric encryption customer managed key that was used for the
17056
- # object.
17057
- #
17058
- # <note markdown="1"> This functionality is not supported for directory buckets.
17059
- #
17060
- # </note>
17465
+ # If present, indicates the ID of the KMS key that was used for object
17466
+ # encryption.
17061
17467
  # @return [String]
17062
17468
  #
17063
17469
  # @!attribute [rw] bucket_key_enabled
17064
17470
  # Indicates whether the multipart upload uses an S3 Bucket Key for
17065
17471
  # server-side encryption with Key Management Service (KMS) keys
17066
17472
  # (SSE-KMS).
17067
- #
17068
- # <note markdown="1"> This functionality is not supported for directory buckets.
17069
- #
17070
- # </note>
17071
17473
  # @return [Boolean]
17072
17474
  #
17073
17475
  # @!attribute [rw] request_charged
@@ -17184,7 +17586,7 @@ module Aws::S3
17184
17586
  # @!attribute [rw] checksum_crc32
17185
17587
  # This header can be used as a data integrity check to verify that the
17186
17588
  # data received is the same data that was originally sent. This header
17187
- # specifies the base64-encoded, 32-bit CRC32 checksum of the object.
17589
+ # specifies the base64-encoded, 32-bit CRC-32 checksum of the object.
17188
17590
  # For more information, see [Checking object integrity][1] in the
17189
17591
  # *Amazon S3 User Guide*.
17190
17592
  #
@@ -17196,7 +17598,7 @@ module Aws::S3
17196
17598
  # @!attribute [rw] checksum_crc32c
17197
17599
  # This header can be used as a data integrity check to verify that the
17198
17600
  # data received is the same data that was originally sent. This header
17199
- # specifies the base64-encoded, 32-bit CRC32C checksum of the object.
17601
+ # specifies the base64-encoded, 32-bit CRC-32C checksum of the object.
17200
17602
  # For more information, see [Checking object integrity][1] in the
17201
17603
  # *Amazon S3 User Guide*.
17202
17604
  #
@@ -17486,7 +17888,7 @@ module Aws::S3
17486
17888
  # @!attribute [rw] checksum_crc32
17487
17889
  # This header can be used as a data integrity check to verify that the
17488
17890
  # data received is the same data that was originally sent. This
17489
- # specifies the base64-encoded, 32-bit CRC32 checksum of the object
17891
+ # specifies the base64-encoded, 32-bit CRC-32 checksum of the object
17490
17892
  # returned by the Object Lambda function. This may not match the
17491
17893
  # checksum for the object stored in Amazon S3. Amazon S3 will perform
17492
17894
  # validation of the checksum values only when the original `GetObject`
@@ -17507,7 +17909,7 @@ module Aws::S3
17507
17909
  # @!attribute [rw] checksum_crc32c
17508
17910
  # This header can be used as a data integrity check to verify that the
17509
17911
  # data received is the same data that was originally sent. This
17510
- # specifies the base64-encoded, 32-bit CRC32C checksum of the object
17912
+ # specifies the base64-encoded, 32-bit CRC-32C checksum of the object
17511
17913
  # returned by the Object Lambda function. This may not match the
17512
17914
  # checksum for the object stored in Amazon S3. Amazon S3 will perform
17513
17915
  # validation of the checksum values only when the original `GetObject`
@@ -17770,3 +18172,6 @@ module Aws::S3
17770
18172
 
17771
18173
  end
17772
18174
  end
18175
+
18176
+ require "aws-sdk-s3/customizations/types/list_object_versions_output"
18177
+ require "aws-sdk-s3/customizations/types/permanent_redirect"