aws-sdk-s3 1.205.0 → 1.208.0

data/lib/aws-sdk-s3/encryptionV3/utils.rb

@@ -0,0 +1,321 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+module Aws
+  module S3
+    module EncryptionV3
+      # @api private
+      module Utils
+        class << self
+          ##= ../specification/s3-encryption/client.md#encryption-algorithm
+          ##% The S3EC MUST validate that the configured encryption algorithm is not legacy.
+          def validate_cek(content_encryption_schema)
+            ##= ../specification/s3-encryption/data-format/content-metadata.md#algorithm-suite-and-message-format-version-compatibility
+            ##% Objects encrypted with ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY MUST use the V3 message format version only.
+            return '115' if content_encryption_schema.nil?
+
+            case content_encryption_schema
+            when :alg_aes_256_gcm_hkdf_sha512_commit_key
+              '115'
+            else
+              ##= ../specification/s3-encryption/encryption.md#alg-aes-256-ctr-iv16-tag16-no-kdf
+              ##% Attempts to encrypt using AES-CTR MUST fail.
+              ##= ../specification/s3-encryption/encryption.md#alg-aes-256-ctr-hkdf-sha512-commit-key
+              ##% Attempts to encrypt using key committing AES-CTR MUST fail.
+              ##= ../specification/s3-encryption/client.md#encryption-algorithm
+              ##% If the configured encryption algorithm is legacy, then the S3EC MUST throw an exception.
+              ##= ../specification/s3-encryption/client.md#key-commitment
+              ##% If the configured Encryption Algorithm is incompatible with the key commitment policy, then it MUST throw an exception.
+              raise ArgumentError, "Unsupported content_encryption_schema: #{content_encryption_schema}"
+            end
+          end
+
+          def encrypt_aes_gcm(key, data, auth_data)
+            cipher = aes_encryption_cipher(:GCM, key)
+            cipher.iv = (iv = cipher.random_iv)
+            cipher.auth_data = auth_data
+
+            iv + cipher.update(data) + cipher.final + cipher.auth_tag
+          end
+
+          def encrypt_rsa(key, data, auth_data)
+            # Plaintext must be KeyLengthInBytes (1 Byte) + DataKey + AuthData
+            buf = [data.bytesize] + data.unpack('C*') + auth_data.unpack('C*')
+            key.public_encrypt(buf.pack('C*'), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+          end
+
+          def decrypt_aes_gcm(key, data, auth_data)
+            # data is iv (12B) + key + tag (16B)
+            buf = data.unpack('C*')
+            iv = buf[0, 12].pack('C*') # iv will always be 12 bytes
+            tag = buf[-16, 16].pack('C*') # tag is 16 bytes
+            enc_key = buf[12, buf.size - (12 + 16)].pack('C*')
+            cipher = aes_cipher(:decrypt, :GCM, key, iv)
+            cipher.auth_tag = tag
+            cipher.auth_data = auth_data
+            cipher.update(enc_key) + cipher.final
+          end
+
+          # returns the decrypted data + auth_data
+          def decrypt_rsa(key, enc_data)
+            # Plaintext must be KeyLengthInBytes (1 Byte) + DataKey + AuthData
+            buf = key.private_decrypt(enc_data, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING).unpack('C*')
+            key_length = buf[0]
+            data = buf[1, key_length].pack('C*')
+            auth_data = buf[key_length + 1, buf.length - key_length].pack('C*')
+            [data, auth_data]
+          end
+
+          # @param [String] block_mode "CBC" or "ECB"
+          # @param [OpenSSL::PKey::RSA, String, nil] key
+          # @param [String, nil] iv The initialization vector
+          def aes_encryption_cipher(block_mode, key = nil, iv = nil)
+            aes_cipher(:encrypt, block_mode, key, iv)
+          end
+
+          # @param [String] block_mode "CBC" or "ECB"
+          # @param [OpenSSL::PKey::RSA, String, nil] key
+          # @param [String, nil] iv The initialization vector
+          def aes_decryption_cipher(block_mode, key = nil, iv = nil)
+            aes_cipher(:decrypt, block_mode, key, iv)
+          end
+
+          # @param [String] mode "encrypt" or "decrypt"
+          # @param [String] block_mode "CBC" or "ECB"
+          # @param [OpenSSL::PKey::RSA, String, nil] key
+          # @param [String, nil] iv The initialization vector
+          def aes_cipher(mode, block_mode, key, iv)
+            cipher =
+              if key
+                OpenSSL::Cipher.new("aes-#{cipher_size(key)}-#{block_mode.downcase}")
+              else
+                OpenSSL::Cipher.new("aes-256-#{block_mode.downcase}")
+              end
+            cipher.send(mode) # encrypt or decrypt
+            cipher.key = key if key
+            cipher.iv = iv if iv
+            cipher
+          end
+
+          # @param [String] key
+          # @return [Integer]
+          # @raise ArgumentError
+          def cipher_size(key)
+            key.bytesize * 8
+          end
+
+          # There is only 1 supported algorithm suite at this time
+          ENCRYPTION_KEY_INFO = ([0x00, 0x73].pack('C*') + 'DERIVEKEY'.encode('UTF-8')).freeze
+          COMMITMENT_KEY_INFO = ([0x00, 0x73].pack('C*') + 'COMMITKEY'.encode('UTF-8')).freeze
+
+          SHA512_DIGEST = OpenSSL::Digest::SHA512.new.freeze
+          V3_IV_BYTES = ("\x01" * 12).freeze
+          ALGO_ID = [0x00, 0x73].pack('C*').freeze
+
+          def generate_alg_aes_256_gcm_hkdf_sha512_commit_key_cipher(data_key)
+            ##= ../specification/s3-encryption/encryption.md#content-encryption
+            ##% The client MUST generate an IV or Message ID using the length of the IV or Message ID defined in the algorithm suite.
+            message_id = Utils.generate_message_id
+            ##= ../specification/s3-encryption/key-derivation.md#hkdf-operation
+            ##% - The salt MUST be the Message ID with the length defined in the algorithm suite.
+            commitment_key = Utils.derive_commitment_key(data_key, message_id)
+            cipher = alg_aes_256_gcm_hkdf_sha512_commit_key_cipher(:encrypt, data_key, message_id)
+
+            [
+              cipher,
+              ##= ../specification/s3-encryption/encryption.md#content-encryption
+              ##% The generated IV or Message ID MUST be set or returned from the encryption process such that it can be included in the content metadata.
+              message_id,
+              ##= ../specification/s3-encryption/encryption.md#alg-aes-256-gcm-hkdf-sha512-commit-key
+              ##% The derived key commitment value MUST be set or returned from the encryption process such that it can be included in the content metadata.
+              commitment_key
+            ]
+          end
+
+          def derive_alg_aes_256_gcm_hkdf_sha512_commit_key_cipher(data_key, message_id, stored_commitment_key)
+            raise Errors::DecryptionError, 'Data key length does not match algorithm suite' unless data_key.length == 32
+
+            raise Errors::DecryptionError, 'Message id length does not match algorithm suite' unless message_id.length == 28
+
+            unless stored_commitment_key.length == 28
+              raise Errors::DecryptionError, 'Commitment key length does not match algorithm suite'
+            end
+
+            ##= ../specification/s3-encryption/decryption.md#decrypting-with-commitment
+            ##= type=implication
+            ##% When using an algorithm suite which supports key commitment,
+            ##% the verification of the derived key commitment value MUST be done in constant time.
+            unless timing_safe_equal?(
+              ##= ../specification/s3-encryption/decryption.md#decrypting-with-commitment
+              ##% When using an algorithm suite which supports key commitment,
+              ##% the client MUST verify that the [derived key commitment](./key-derivation.md#hkdf-operation) contains the same bytes
+              ##% as the stored key commitment retrieved from the stored object's metadata.
+              Utils.derive_commitment_key(data_key, message_id),
+              stored_commitment_key
+            )
+              ##= ../specification/s3-encryption/decryption.md#decrypting-with-commitment
+              ##% When using an algorithm suite which supports key commitment,
+              ##% the client MUST throw an exception when the derived key commitment value and stored key commitment value do not match.
+              raise Errors::DecryptionError, 'Commitment key verification failed'
+            end
+
+            ##= ../specification/s3-encryption/decryption.md#decrypting-with-commitment
+            ##% When using an algorithm suite which supports key commitment,
+            ##% the client MUST verify the key commitment values match before deriving the [derived encryption key](./key-derivation.md#hkdf-operation).
+
+            alg_aes_256_gcm_hkdf_sha512_commit_key_cipher(:decrypt, data_key, message_id)
+          end
+
+          def alg_aes_256_gcm_hkdf_sha512_commit_key_cipher(mode, data_key, message_id)
+            ##= ../specification/s3-encryption/key-derivation.md#hkdf-operation
+            ##% The client MUST initialize the cipher, or call an AES-GCM encryption API, with the derived encryption key, an IV containing only bytes with the value 0x01,
+            ##% and the tag length defined in the Algorithm Suite when encrypting or decrypting with ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY.
+            cipher = Utils.aes_cipher(
+              mode,
+              :GCM,
+              ##= ../specification/s3-encryption/encryption.md#alg-aes-256-gcm-hkdf-sha512-commit-key
+              ##% The client MUST use HKDF to derive the key commitment value and the derived encrypting key as described in [Key Derivation](key-derivation.md).
+              Utils.derive_encryption_key(data_key, message_id),
+              ##= ../specification/s3-encryption/key-derivation.md#hkdf-operation
+              ##% When encrypting or decrypting with ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY,
+              ##% the IV used in the AES-GCM content encryption/decryption MUST consist entirely of bytes with the value 0x01.
+              ##= ../specification/s3-encryption/key-derivation.md#hkdf-operation
+              ##% The IV's total length MUST match the IV length defined by the algorithm suite.
+              V3_IV_BYTES
+            ) #OpenSSL::Cipher.new("aes-256-gcm")
+            ##= ../specification/s3-encryption/key-derivation.md#hkdf-operation
+            ##% The client MUST set the AAD to the Algorithm Suite ID represented as bytes.
+            cipher.auth_data = ALGO_ID # auth_data must be set after key and iv
+            cipher
+          end
+
+          def generate_data_key
+            OpenSSL::Random.random_bytes(32)
+          end
+
+          def generate_message_id
+            ##= ../specification/s3-encryption/encryption.md#cipher-initialization
+            ##= type=exception
+            ##= reason=This would be a new runtime error that happens randomly.
+            ##% The client SHOULD validate that the generated IV or Message ID is not zeros.
+
+            ##= ../specification/s3-encryption/encryption.md#content-encryption
+            ##% The client MUST generate an IV or Message ID using the length of the IV or Message ID defined in the algorithm suite.
+            OpenSSL::Random.random_bytes(28)
+          end
+
+          def derive_encryption_key(data_key, message_id)
+            ##= ../specification/s3-encryption/key-derivation.md#hkdf-operation
+            ##% - The DEK input pseudorandom key MUST be the output from the extract step.
+            hkdf(
+              data_key,
+              ##= ../specification/s3-encryption/key-derivation.md#hkdf-operation
+              ##% - The salt MUST be the Message ID with the length defined in the algorithm suite.
+              message_id,
+              ##= ../specification/s3-encryption/key-derivation.md#hkdf-operation
+              ##% - The input info MUST be a concatenation of the algorithm suite ID as bytes followed by the string DERIVEKEY as UTF8 encoded bytes.
+              ENCRYPTION_KEY_INFO,
+              ##= ../specification/s3-encryption/key-derivation.md#hkdf-operation
+              ##% - The length of the output keying material MUST equal the encryption key length specified by the algorithm suite encryption settings.
+              32
+            )
+          end
+
+          def derive_commitment_key(data_key, message_id)
+            ##= ../specification/s3-encryption/key-derivation.md#hkdf-operation
+            ##% - The CK input pseudorandom key MUST be the output from the extract step.
+            hkdf(
+              data_key,
+              message_id,
+              ##= ../specification/s3-encryption/key-derivation.md#hkdf-operation
+              ##% - The input info MUST be a concatenation of the algorithm suite ID as bytes followed by the string COMMITKEY as UTF8 encoded bytes.
+              COMMITMENT_KEY_INFO,
+              ##= ../specification/s3-encryption/key-derivation.md#hkdf-operation
+              ##% - The length of the output keying material MUST equal the commit key length specified by the supported algorithm suites.
+              28
+            )
+          end
+
+          ONE_BYTE = [1].pack('C').freeze
+          # assert: the following function is equivalent to `OpenSSL::KDF.hkdf` for all desired_length <= 64
+          # see spec: 'produces identical output to native hkdf for random inputs (property-based test)'
+          def hkdf_fallback(input_key_material, salt, info, desired_length)
+            # Extract from RFC 5869
+            # PRK = HMAC-Hash(salt, IKM)
+            prk = OpenSSL::HMAC.digest(SHA512_DIGEST, salt, input_key_material)
+
+            # Expand from RFC 5869
+            # N = ceil(L/HashLen)
+            # T = T(1) | T(2) | T(3) | ... | T(N)
+            # OKM = first L octets of T
+            #
+            # where:
+            # T(0) = empty string (zero length)
+            # T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
+            # T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
+            # T(3) = HMAC-Hash(PRK, T(2) | info | 0x03)
+            #
+            # L == desired_length
+            # HashLen == 64 (because SHA512_DIGEST is fixed)
+            # N = ceil(desired_length/64)
+            # The only supported suites have desired_length less than 64
+            # This will result in a single iteration of the expand loop.
+            # This check verifies that it is safe to do not do a loop
+            raise Errors::DecryptionError, "Unsupported length: #{desired_length}" if desired_length > 64
+
+            # assert N == 1
+            #
+            # For a single iteration of the loop we then get:
+            # OKM = first L of T(0) | T(1)
+            # ==
+            #   (T(0) + T(1))[0, desired_length]
+            # == {assert T(0) == ''}
+            #   ('' +  HMAC-Hash(PRK, '' + info + 0x01))[0, desired_length]
+            # == HMAC-Hash(PRK, info + 0x01)[0, desired_length]
+            # == {assert ONE_BYTE == 0x01}
+            # HMAC-Hash(PRK, info + ONE_BYTE)[0, desired_length]
+            # ==
+            OpenSSL::HMAC.digest(SHA512_DIGEST, prk, info + ONE_BYTE)[0, desired_length]
+          end
+
+          if defined?(OpenSSL::KDF) && OpenSSL::KDF.respond_to?(:hkdf)
+            def hkdf(input_key_material, salt, info, desired_length)
+              OpenSSL::KDF.hkdf(
+                ##= ../specification/s3-encryption/key-derivation.md#hkdf-operation
+                ##% - The input keying material MUST be the plaintext data key (PDK) generated by the key provider.
+                input_key_material,
+                salt: salt,
+                info: info,
+                ##= ../specification/s3-encryption/key-derivation.md#hkdf-operation
+                ##% - The length of the input keying material MUST equal the key derivation input length specified by the algorithm suite commit key derivation setting.
+                length: desired_length,
+                ##= ../specification/s3-encryption/key-derivation.md#hkdf-operation
+                ##% - The hash function MUST be specified by the algorithm suite commitment settings.
+                hash: SHA512_DIGEST
+              )
+            end
+          else
+            # This is done so that we can test hkdf_fallback when we have `OpenSSL::KDF.hkdf`
+            alias hkdf hkdf_fallback
+          end
+
+          if defined?(OpenSSL) && OpenSSL.respond_to?(:secure_compare)
+            def timing_safe_equal?(a, b)
+              OpenSSL.secure_compare(a, b)
+            end
+          else
+            def timing_safe_equal?(a, b)
+              return false unless a.bytesize == b.bytesize
+
+              l = a.unpack('C*')
+              r = 0
+              b.each_byte { |byte| r |= byte ^ l.shift }
+              r.zero?
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryption_v2.rb

@@ -1,4 +1,5 @@
 require 'aws-sdk-s3/encryptionV2/client'
+require 'aws-sdk-s3/encryptionV2/decryption'
 require 'aws-sdk-s3/encryptionV2/decrypt_handler'
 require 'aws-sdk-s3/encryptionV2/default_cipher_provider'
 require 'aws-sdk-s3/encryptionV2/encrypt_handler'

data/lib/aws-sdk-s3/encryption_v3.rb

@@ -0,0 +1,24 @@
+require 'aws-sdk-s3/encryptionV3/client'
+require 'aws-sdk-s3/encryptionV3/decryption'
+require 'aws-sdk-s3/encryptionV3/decrypt_handler'
+require 'aws-sdk-s3/encryptionV3/default_cipher_provider'
+require 'aws-sdk-s3/encryptionV3/encrypt_handler'
+require 'aws-sdk-s3/encryptionV3/errors'
+require 'aws-sdk-s3/encryptionV3/io_encrypter'
+require 'aws-sdk-s3/encryptionV3/io_decrypter'
+require 'aws-sdk-s3/encryptionV3/io_auth_decrypter'
+require 'aws-sdk-s3/encryptionV3/key_provider'
+require 'aws-sdk-s3/encryptionV3/kms_cipher_provider'
+require 'aws-sdk-s3/encryptionV3/materials'
+require 'aws-sdk-s3/encryptionV3/utils'
+require 'aws-sdk-s3/encryptionV3/default_key_provider'
+
+module Aws
+  module S3
+    module EncryptionV3
+      AES_GCM_TAG_LEN_BYTES = 16
+      EC_USER_AGENT = 'S3CryptoV3'
+    end
+  end
+end
+

data/lib/aws-sdk-s3/object.rb

@@ -765,7 +765,7 @@ module Aws::S3
     #     metadata_directive: "COPY", # accepts COPY, REPLACE
     #     tagging_directive: "COPY", # accepts COPY, REPLACE
     #     server_side_encryption: "AES256", # accepts AES256, aws:fsx, aws:kms, aws:kms:dsse
-    #     storage_class: "STANDARD", # accepts STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE, FSX_OPENZFS
+    #     storage_class: "STANDARD", # accepts STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE, FSX_OPENZFS, FSX_ONTAP
     #     website_redirect_location: "WebsiteRedirectLocation",
     #     sse_customer_algorithm: "SSECustomerAlgorithm",
     #     sse_customer_key: "SSECustomerKey",
@@ -1889,7 +1889,7 @@ module Aws::S3
     #       "MetadataKey" => "MetadataValue",
     #     },
     #     server_side_encryption: "AES256", # accepts AES256, aws:fsx, aws:kms, aws:kms:dsse
-    #     storage_class: "STANDARD", # accepts STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE, FSX_OPENZFS
+    #     storage_class: "STANDARD", # accepts STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE, FSX_OPENZFS, FSX_ONTAP
     #     website_redirect_location: "WebsiteRedirectLocation",
     #     sse_customer_algorithm: "SSECustomerAlgorithm",
     #     sse_customer_key: "SSECustomerKey",
@@ -2490,7 +2490,7 @@ module Aws::S3
     #       "MetadataKey" => "MetadataValue",
     #     },
     #     server_side_encryption: "AES256", # accepts AES256, aws:fsx, aws:kms, aws:kms:dsse
-    #     storage_class: "STANDARD", # accepts STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE, FSX_OPENZFS
+    #     storage_class: "STANDARD", # accepts STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE, FSX_OPENZFS, FSX_ONTAP
     #     website_redirect_location: "WebsiteRedirectLocation",
     #     sse_customer_algorithm: "SSECustomerAlgorithm",
     #     sse_customer_key: "SSECustomerKey",
@@ -3165,7 +3165,7 @@ module Aws::S3
     #               value: "MetadataValue",
     #             },
     #           ],
-    #           storage_class: "STANDARD", # accepts STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE, FSX_OPENZFS
+    #           storage_class: "STANDARD", # accepts STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE, FSX_OPENZFS, FSX_ONTAP
     #         },
     #       },
     #     },

data/lib/aws-sdk-s3/object_acl.rb

@@ -42,7 +42,7 @@ module Aws::S3
       @object_key
     end
 
-    # Container for the bucket owner's display name and ID.
+    # Container for the bucket owner's ID.
     # @return [Types::Owner]
     def owner
       data[:owner]

data/lib/aws-sdk-s3/object_summary.rb

@@ -362,7 +362,7 @@ module Aws::S3
     #     metadata_directive: "COPY", # accepts COPY, REPLACE
     #     tagging_directive: "COPY", # accepts COPY, REPLACE
     #     server_side_encryption: "AES256", # accepts AES256, aws:fsx, aws:kms, aws:kms:dsse
-    #     storage_class: "STANDARD", # accepts STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE, FSX_OPENZFS
+    #     storage_class: "STANDARD", # accepts STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE, FSX_OPENZFS, FSX_ONTAP
     #     website_redirect_location: "WebsiteRedirectLocation",
     #     sse_customer_algorithm: "SSECustomerAlgorithm",
     #     sse_customer_key: "SSECustomerKey",
@@ -1486,7 +1486,7 @@ module Aws::S3
     #       "MetadataKey" => "MetadataValue",
     #     },
     #     server_side_encryption: "AES256", # accepts AES256, aws:fsx, aws:kms, aws:kms:dsse
-    #     storage_class: "STANDARD", # accepts STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE, FSX_OPENZFS
+    #     storage_class: "STANDARD", # accepts STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE, FSX_OPENZFS, FSX_ONTAP
     #     website_redirect_location: "WebsiteRedirectLocation",
     #     sse_customer_algorithm: "SSECustomerAlgorithm",
     #     sse_customer_key: "SSECustomerKey",
@@ -2087,7 +2087,7 @@ module Aws::S3
     #       "MetadataKey" => "MetadataValue",
     #     },
     #     server_side_encryption: "AES256", # accepts AES256, aws:fsx, aws:kms, aws:kms:dsse
-    #     storage_class: "STANDARD", # accepts STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE, FSX_OPENZFS
+    #     storage_class: "STANDARD", # accepts STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE, FSX_OPENZFS, FSX_ONTAP
     #     website_redirect_location: "WebsiteRedirectLocation",
     #     sse_customer_algorithm: "SSECustomerAlgorithm",
     #     sse_customer_key: "SSECustomerKey",
@@ -2762,7 +2762,7 @@ module Aws::S3
     #               value: "MetadataValue",
     #             },
     #           ],
-    #           storage_class: "STANDARD", # accepts STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE, FSX_OPENZFS
+    #           storage_class: "STANDARD", # accepts STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE, FSX_OPENZFS, FSX_ONTAP
     #         },
     #       },
     #     },

data/lib/aws-sdk-s3/types.rb

@@ -385,7 +385,7 @@ module Aws::S3
     # and replication requests to the bucket for objects with the specified
     # encryption type. However, you can continue to read and list any
     # pre-existing objects already encrypted with the specified encryption
-    # type. For more information, see [Blocking an encryption type for a
+    # type. For more information, see [Blocking or unblocking SSE-C for a
     # general purpose bucket][1].
     #
     # This data type is used with the following actions:
@@ -406,7 +406,7 @@ module Aws::S3
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/AmazonS3/userguide/block-encryption-type.html
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/blocking-unblocking-s3-c-encryption-gpb.html
     # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
     # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
     # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
@@ -2820,17 +2820,18 @@ module Aws::S3
     #   creating. Tags are key-value pairs of metadata used to categorize
     #   and organize your buckets, track costs, and control access.
     #
-    #   <note markdown="1"> This parameter is only supported for S3 directory buckets. For more
-    #   information, see [Using tags with directory buckets][1].
-    #
-    #    You must have the `s3express:TagResource` permission to create a
-    #   directory bucket with tags.
+    #   You must have the `s3:TagResource` permission to create a general
+    #   purpose bucket with tags or the `s3express:TagResource` permission
+    #   to create a directory bucket with tags.
     #
-    #    </note>
+    #   When creating buckets with tags, note that tag-based conditions
+    #   using `aws:ResourceTag` and `s3:BucketTag` condition keys are
+    #   applicable only after ABAC is enabled on the bucket. To learn more,
+    #   see [Enabling ABAC in general purpose buckets][1].
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-tagging.html
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/buckets-tagging-enable-abac.html
     #   @return [Array<Types::Tag>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/CreateBucketConfiguration AWS API Documentation
@@ -6544,7 +6545,7 @@ module Aws::S3
     end
 
     # @!attribute [rw] owner
-    #   Container for the bucket owner's display name and ID.
+    #   Container for the bucket owner's ID.
     #   @return [Types::Owner]
     #
     # @!attribute [rw] grants
@@ -7519,7 +7520,7 @@ module Aws::S3
     end
 
     # @!attribute [rw] owner
-    #   Container for the bucket owner's display name and ID.
+    #   Container for the bucket owner's ID.
     #   @return [Types::Owner]
     #
     # @!attribute [rw] grants
@@ -9115,56 +9116,12 @@ module Aws::S3
       include Aws::Structure
     end
 
-    # End of support notice: Beginning November 21, 2025, Amazon S3 will
-    # stop returning `DisplayName`. Update your applications to use
-    # canonical IDs (unique identifier for Amazon Web Services accounts),
-    # Amazon Web Services account ID (12 digit identifier) or IAM ARNs (full
-    # resource naming) as a direct replacement of `DisplayName`.
-    #
-    #  This change affects the following Amazon Web Services Regions: US
-    # East
-    # (N. Virginia) Region, US West (N. California) Region, US West (Oregon)
-    # Region, Asia Pacific (Singapore) Region, Asia Pacific (Sydney) Region,
-    # Asia Pacific (Tokyo) Region, Europe (Ireland) Region, and South
-    # America (São Paulo) Region.
-    #
     # Container for the person being granted permissions.
     #
     # @!attribute [rw] display_name
-    #   Screen name of the grantee.
     #   @return [String]
     #
     # @!attribute [rw] email_address
-    #   Email address of the grantee.
-    #
-    #   <note markdown="1"> Using email addresses to specify a grantee is only supported in the
-    #   following Amazon Web Services Regions:
-    #
-    #    * US East (N. Virginia)
-    #
-    #   * US West (N. California)
-    #
-    #   * US West (Oregon)
-    #
-    #   * Asia Pacific (Singapore)
-    #
-    #   * Asia Pacific (Sydney)
-    #
-    #   * Asia Pacific (Tokyo)
-    #
-    #   * Europe (Ireland)
-    #
-    #   * South America (São Paulo)
-    #
-    #    For a list of all the Amazon S3 supported Regions and endpoints, see
-    #   [Regions and Endpoints][1] in the Amazon Web Services General
-    #   Reference.
-    #
-    #    </note>
-    #
-    #
-    #
-    #   [1]: https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -10137,8 +10094,6 @@ module Aws::S3
     #   @return [String]
     #
     # @!attribute [rw] display_name
-    #   Name of the Principal.
-    #
     #   <note markdown="1"> This functionality is not supported for directory buckets.
     #
     #    </note>
@@ -12660,14 +12615,13 @@ module Aws::S3
     #   Container element that identifies who initiated the multipart
     #   upload. If the initiator is an Amazon Web Services account, this
     #   element provides the same information as the `Owner` element. If the
-    #   initiator is an IAM User, this element provides the user ARN and
-    #   display name.
+    #   initiator is an IAM User, this element provides the user ARN.
     #   @return [Types::Initiator]
     #
     # @!attribute [rw] owner
     #   Container element that identifies the object owner, after the object
     #   is created. If multipart upload is initiated by an IAM user, this
-    #   element provides the parent account ID and display name.
+    #   element provides the parent account ID.
     #
     #   <note markdown="1"> **Directory buckets** - The bucket owner is returned as the object
     #   owner for all the parts.
@@ -13983,44 +13937,9 @@ module Aws::S3
       include Aws::Structure
     end
 
-    # End of support notice: Beginning November 21, 2025, Amazon S3 will
-    # stop returning `DisplayName`. Update your applications to use
-    # canonical IDs (unique identifier for Amazon Web Services accounts),
-    # Amazon Web Services account ID (12 digit identifier) or IAM ARNs (full
-    # resource naming) as a direct replacement of `DisplayName`.
-    #
-    #  This change affects the following Amazon Web Services Regions: US
-    # East
-    # (N. Virginia) Region, US West (N. California) Region, US West (Oregon)
-    # Region, Asia Pacific (Singapore) Region, Asia Pacific (Sydney) Region,
-    # Asia Pacific (Tokyo) Region, Europe (Ireland) Region, and South
-    # America (São Paulo) Region.
-    #
     # Container for the owner's display name and ID.
     #
     # @!attribute [rw] display_name
-    #   Container for the display name of the owner. This value is only
-    #   supported in the following Amazon Web Services Regions:
-    #
-    #   * US East (N. Virginia)
-    #
-    #   * US West (N. California)
-    #
-    #   * US West (Oregon)
-    #
-    #   * Asia Pacific (Singapore)
-    #
-    #   * Asia Pacific (Sydney)
-    #
-    #   * Asia Pacific (Tokyo)
-    #
-    #   * Europe (Ireland)
-    #
-    #   * South America (São Paulo)
-    #
-    #   <note markdown="1"> This functionality is not supported for directory buckets.
-    #
-    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -14283,9 +14202,11 @@ module Aws::S3
 
     # The PublicAccessBlock configuration that you want to apply to this
     # Amazon S3 bucket. You can enable the configuration options in any
-    # combination. For more information about when Amazon S3 considers a
-    # bucket or object public, see [The Meaning of "Public"][1] in the
-    # *Amazon S3 User Guide*.
+    # combination. Bucket-level settings work alongside account-level
+    # settings (which may inherit from organization-level policies). For
+    # more information about when Amazon S3 considers a bucket or object
+    # public, see [The Meaning of "Public"][1] in the *Amazon S3 User
+    # Guide*.
     #
     #
     #
@@ -18915,11 +18836,11 @@ module Aws::S3
     #   upload, and replication requests to the bucket for objects with the
     #   specified encryption type. However, you can continue to read and
     #   list any pre-existing objects already encrypted with the specified
-    #   encryption type. For more information, see [Blocking an encryption
-    #   type for a general purpose bucket][1].
+    #   encryption type. For more information, see [Blocking or unblocking
+    #   SSE-C for a general purpose bucket][1].
     #
     #   <note markdown="1"> Currently, this parameter only supports blocking or unblocking
-    #   Server Side Encryption with Customer Provided Keys (SSE-C). For more
+    #   server-side encryption with customer-provided keys (SSE-C). For more
     #   information about SSE-C, see [Using server-side encryption with
     #   customer-provided keys (SSE-C)][2].
     #
@@ -18927,7 +18848,7 @@ module Aws::S3
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/AmazonS3/userguide/block-encryption-type.html
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/blocking-unblocking-s3-c-encryption-gpb.html
     #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
     #   @return [Types::BlockedEncryptionTypes]
     #