aws-sdk-s3control 1.72.0 → 1.73.0

data/lib/aws-sdk-s3control/client.rb

@@ -400,6 +400,363 @@ module Aws::S3Control
 
     # @!group API Operations
 
+    # Associate your S3 Access Grants instance with an Amazon Web Services
+    # IAM Identity Center instance. Use this action if you want to create
+    # access grants for users or groups from your corporate identity
+    # directory. First, you must add your corporate identity directory to
+    # Amazon Web Services IAM Identity Center. Then, you can associate this
+    # IAM Identity Center instance with your S3 Access Grants instance.
+    #
+    # Permissions
+    #
+    # : You must have the `s3:AssociateAccessGrantsIdentityCenter`
+    #   permission to use this operation.
+    #
+    # Additional Permissions
+    #
+    # : You must also have the following permissions:
+    #   `sso:CreateApplication`, `sso:PutApplicationGrant`, and
+    #   `sso:PutApplicationAuthenticationMethod`.
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @option params [required, String] :identity_center_arn
+    #   The Amazon Resource Name (ARN) of the Amazon Web Services IAM Identity
+    #   Center instance that you are associating with your S3 Access Grants
+    #   instance. An IAM Identity Center instance is your corporate identity
+    #   directory that you added to the IAM Identity Center. You can use the
+    #   [ListInstances][1] API operation to retrieve a list of your Identity
+    #   Center instances and their ARNs.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListInstances.html
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.associate_access_grants_identity_center({
+    #     account_id: "AccountId",
+    #     identity_center_arn: "IdentityCenterArn", # required
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/AssociateAccessGrantsIdentityCenter AWS API Documentation
+    #
+    # @overload associate_access_grants_identity_center(params = {})
+    # @param [Hash] params ({})
+    def associate_access_grants_identity_center(params = {}, options = {})
+      req = build_request(:associate_access_grants_identity_center, params)
+      req.send_request(options)
+    end
+
+    # Creates an access grant that gives a grantee access to your S3 data.
+    # The grantee can be an IAM user or role or a directory user, or group.
+    # Before you can create a grant, you must have an S3 Access Grants
+    # instance in the same Region as the S3 data. You can create an S3
+    # Access Grants instance using the [CreateAccessGrantsInstance][1]. You
+    # must also have registered at least one S3 data location in your S3
+    # Access Grants instance using [CreateAccessGrantsLocation][2].
+    #
+    # Permissions
+    #
+    # : You must have the `s3:CreateAccessGrant` permission to use this
+    #   operation.
+    #
+    # Additional Permissions
+    #
+    # : For any directory identity - `sso:DescribeInstance` and
+    #   `sso:DescribeApplication`
+    #
+    #   For directory users - `identitystore:DescribeUser`
+    #
+    #   For directory groups - `identitystore:DescribeGroup`
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_CreateAccessGrantsInstance.html
+    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_CreateAccessGrantsLocation.html
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @option params [required, String] :access_grants_location_id
+    #   The ID of the registered location to which you are granting access. S3
+    #   Access Grants assigns this ID when you register the location. S3
+    #   Access Grants assigns the ID `default` to the default location `s3://`
+    #   and assigns an auto-generated ID to other locations that you register.
+    #
+    #   If you are passing the `default` location, you cannot create an access
+    #   grant for the entire default location. You must also specify a bucket
+    #   or a bucket and prefix in the `Subprefix` field.
+    #
+    # @option params [Types::AccessGrantsLocationConfiguration] :access_grants_location_configuration
+    #   The configuration options of the grant location. The grant location is
+    #   the S3 path to the data to which you are granting access. It contains
+    #   the `S3SubPrefix` field. The grant scope is the result of appending
+    #   the subprefix to the location scope of the registered location.
+    #
+    # @option params [required, Types::Grantee] :grantee
+    #   The user, group, or role to which you are granting access. You can
+    #   grant access to an IAM user or role. If you have added your corporate
+    #   directory to Amazon Web Services IAM Identity Center and associated
+    #   your Identity Center instance with your S3 Access Grants instance, the
+    #   grantee can also be a corporate directory user or group.
+    #
+    # @option params [required, String] :permission
+    #   The type of access that you are granting to your S3 data, which can be
+    #   set to one of the following values:
+    #
+    #   * `READ` – Grant read-only access to the S3 data.
+    #
+    #   * `WRITE` – Grant write-only access to the S3 data.
+    #
+    #   * `READWRITE` – Grant both read and write access to the S3 data.
+    #
+    # @option params [String] :application_arn
+    #   The Amazon Resource Name (ARN) of an Amazon Web Services IAM Identity
+    #   Center application associated with your Identity Center instance. If
+    #   an application ARN is included in the request to create an access
+    #   grant, the grantee can only access the S3 data through this
+    #   application.
+    #
+    # @option params [String] :s3_prefix_type
+    #   The type of `S3SubPrefix`. The only possible value is `Object`. Pass
+    #   this value if the access grant scope is an object. Do not pass this
+    #   value if the access grant scope is a bucket or a bucket and a prefix.
+    #
+    # @option params [Array<Types::Tag>] :tags
+    #   The Amazon Web Services resource tags that you are adding to the
+    #   access grant. Each tag is a label consisting of a user-defined key and
+    #   value. Tags can help you manage, identify, organize, search for, and
+    #   filter resources.
+    #
+    # @return [Types::CreateAccessGrantResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::CreateAccessGrantResult#created_at #created_at} => Time
+    #   * {Types::CreateAccessGrantResult#access_grant_id #access_grant_id} => String
+    #   * {Types::CreateAccessGrantResult#access_grant_arn #access_grant_arn} => String
+    #   * {Types::CreateAccessGrantResult#grantee #grantee} => Types::Grantee
+    #   * {Types::CreateAccessGrantResult#access_grants_location_id #access_grants_location_id} => String
+    #   * {Types::CreateAccessGrantResult#access_grants_location_configuration #access_grants_location_configuration} => Types::AccessGrantsLocationConfiguration
+    #   * {Types::CreateAccessGrantResult#permission #permission} => String
+    #   * {Types::CreateAccessGrantResult#application_arn #application_arn} => String
+    #   * {Types::CreateAccessGrantResult#grant_scope #grant_scope} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.create_access_grant({
+    #     account_id: "AccountId",
+    #     access_grants_location_id: "AccessGrantsLocationId", # required
+    #     access_grants_location_configuration: {
+    #       s3_sub_prefix: "S3Prefix",
+    #     },
+    #     grantee: { # required
+    #       grantee_type: "DIRECTORY_USER", # accepts DIRECTORY_USER, DIRECTORY_GROUP, IAM
+    #       grantee_identifier: "GranteeIdentifier",
+    #     },
+    #     permission: "READ", # required, accepts READ, WRITE, READWRITE
+    #     application_arn: "IdentityCenterApplicationArn",
+    #     s3_prefix_type: "Object", # accepts Object
+    #     tags: [
+    #       {
+    #         key: "TagKeyString", # required
+    #         value: "TagValueString", # required
+    #       },
+    #     ],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.created_at #=> Time
+    #   resp.access_grant_id #=> String
+    #   resp.access_grant_arn #=> String
+    #   resp.grantee.grantee_type #=> String, one of "DIRECTORY_USER", "DIRECTORY_GROUP", "IAM"
+    #   resp.grantee.grantee_identifier #=> String
+    #   resp.access_grants_location_id #=> String
+    #   resp.access_grants_location_configuration.s3_sub_prefix #=> String
+    #   resp.permission #=> String, one of "READ", "WRITE", "READWRITE"
+    #   resp.application_arn #=> String
+    #   resp.grant_scope #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/CreateAccessGrant AWS API Documentation
+    #
+    # @overload create_access_grant(params = {})
+    # @param [Hash] params ({})
+    def create_access_grant(params = {}, options = {})
+      req = build_request(:create_access_grant, params)
+      req.send_request(options)
+    end
+
+    # Creates an S3 Access Grants instance, which serves as a logical
+    # grouping for access grants. You can create one S3 Access Grants
+    # instance per Region per account.
+    #
+    # Permissions
+    #
+    # : You must have the `s3:CreateAccessGrantsInstance` permission to use
+    #   this operation.
+    #
+    # Additional Permissions
+    #
+    # : To associate an IAM Identity Center instance with your S3 Access
+    #   Grants instance, you must also have the `sso:DescribeInstance`,
+    #   `sso:CreateApplication`, `sso:PutApplicationGrant`, and
+    #   `sso:PutApplicationAuthenticationMethod` permissions.
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @option params [String] :identity_center_arn
+    #   If you would like to associate your S3 Access Grants instance with an
+    #   Amazon Web Services IAM Identity Center instance, use this field to
+    #   pass the Amazon Resource Name (ARN) of the Amazon Web Services IAM
+    #   Identity Center instance that you are associating with your S3 Access
+    #   Grants instance. An IAM Identity Center instance is your corporate
+    #   identity directory that you added to the IAM Identity Center. You can
+    #   use the [ListInstances][1] API operation to retrieve a list of your
+    #   Identity Center instances and their ARNs.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListInstances.html
+    #
+    # @option params [Array<Types::Tag>] :tags
+    #   The Amazon Web Services resource tags that you are adding to the S3
+    #   Access Grants instance. Each tag is a label consisting of a
+    #   user-defined key and value. Tags can help you manage, identify,
+    #   organize, search for, and filter resources.
+    #
+    # @return [Types::CreateAccessGrantsInstanceResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::CreateAccessGrantsInstanceResult#created_at #created_at} => Time
+    #   * {Types::CreateAccessGrantsInstanceResult#access_grants_instance_id #access_grants_instance_id} => String
+    #   * {Types::CreateAccessGrantsInstanceResult#access_grants_instance_arn #access_grants_instance_arn} => String
+    #   * {Types::CreateAccessGrantsInstanceResult#identity_center_arn #identity_center_arn} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.create_access_grants_instance({
+    #     account_id: "AccountId",
+    #     identity_center_arn: "IdentityCenterArn",
+    #     tags: [
+    #       {
+    #         key: "TagKeyString", # required
+    #         value: "TagValueString", # required
+    #       },
+    #     ],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.created_at #=> Time
+    #   resp.access_grants_instance_id #=> String
+    #   resp.access_grants_instance_arn #=> String
+    #   resp.identity_center_arn #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/CreateAccessGrantsInstance AWS API Documentation
+    #
+    # @overload create_access_grants_instance(params = {})
+    # @param [Hash] params ({})
+    def create_access_grants_instance(params = {}, options = {})
+      req = build_request(:create_access_grants_instance, params)
+      req.send_request(options)
+    end
+
+    # The S3 data location that you would like to register in your S3 Access
+    # Grants instance. Your S3 data must be in the same Region as your S3
+    # Access Grants instance. The location can be one of the following:
+    #
+    # * The default S3 location `s3://`
+    #
+    # * A bucket - `S3://<bucket-name>`
+    #
+    # * A bucket and prefix - `S3://<bucket-name>/<prefix>`
+    #
+    # When you register a location, you must include the IAM role that has
+    # permission to manage the S3 location that you are registering. Give S3
+    # Access Grants permission to assume this role [using a policy][1]. S3
+    # Access Grants assumes this role to manage access to the location and
+    # to vend temporary credentials to grantees or client applications.
+    #
+    # Permissions
+    #
+    # : You must have the `s3:CreateAccessGrantsLocation` permission to use
+    #   this operation.
+    #
+    # Additional Permissions
+    #
+    # : You must also have the following permission for the specified IAM
+    #   role: `iam:PassRole`
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants-location.html
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @option params [required, String] :location_scope
+    #   The S3 path to the location that you are registering. The location
+    #   scope can be the default S3 location `s3://`, the S3 path to a bucket
+    #   `s3://<bucket>`, or the S3 path to a bucket and prefix
+    #   `s3://<bucket>/<prefix>`. A prefix in S3 is a string of characters at
+    #   the beginning of an object key name used to organize the objects that
+    #   you store in your S3 buckets. For example, object key names that start
+    #   with the `engineering/` prefix or object key names that start with the
+    #   `marketing/campaigns/` prefix.
+    #
+    # @option params [required, String] :iam_role_arn
+    #   The Amazon Resource Name (ARN) of the IAM role for the registered
+    #   location. S3 Access Grants assumes this role to manage access to the
+    #   registered location.
+    #
+    # @option params [Array<Types::Tag>] :tags
+    #   The Amazon Web Services resource tags that you are adding to the S3
+    #   Access Grants location. Each tag is a label consisting of a
+    #   user-defined key and value. Tags can help you manage, identify,
+    #   organize, search for, and filter resources.
+    #
+    # @return [Types::CreateAccessGrantsLocationResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::CreateAccessGrantsLocationResult#created_at #created_at} => Time
+    #   * {Types::CreateAccessGrantsLocationResult#access_grants_location_id #access_grants_location_id} => String
+    #   * {Types::CreateAccessGrantsLocationResult#access_grants_location_arn #access_grants_location_arn} => String
+    #   * {Types::CreateAccessGrantsLocationResult#location_scope #location_scope} => String
+    #   * {Types::CreateAccessGrantsLocationResult#iam_role_arn #iam_role_arn} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.create_access_grants_location({
+    #     account_id: "AccountId",
+    #     location_scope: "S3Prefix", # required
+    #     iam_role_arn: "IAMRoleArn", # required
+    #     tags: [
+    #       {
+    #         key: "TagKeyString", # required
+    #         value: "TagValueString", # required
+    #       },
+    #     ],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.created_at #=> Time
+    #   resp.access_grants_location_id #=> String
+    #   resp.access_grants_location_arn #=> String
+    #   resp.location_scope #=> String
+    #   resp.iam_role_arn #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/CreateAccessGrantsLocation AWS API Documentation
+    #
+    # @overload create_access_grants_location(params = {})
+    # @param [Hash] params ({})
+    def create_access_grants_location(params = {}, options = {})
+      req = build_request(:create_access_grants_location, params)
+      req.send_request(options)
+    end
+
     # Creates an access point and associates it with the specified bucket.
     # For more information, see [Managing Data Access with Amazon S3 Access
     # Points][1] in the *Amazon S3 User Guide*.
@@ -1226,6 +1583,156 @@ module Aws::S3Control
       req.send_request(options)
     end
 
+    # Deletes the access grant from the S3 Access Grants instance. You
+    # cannot undo an access grant deletion and the grantee will no longer
+    # have access to the S3 data.
+    #
+    # Permissions
+    #
+    # : You must have the `s3:DeleteAccessGrant` permission to use this
+    #   operation.
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @option params [required, String] :access_grant_id
+    #   The ID of the access grant. S3 Access Grants auto-generates this ID
+    #   when you create the access grant.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.delete_access_grant({
+    #     account_id: "AccountId",
+    #     access_grant_id: "AccessGrantId", # required
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/DeleteAccessGrant AWS API Documentation
+    #
+    # @overload delete_access_grant(params = {})
+    # @param [Hash] params ({})
+    def delete_access_grant(params = {}, options = {})
+      req = build_request(:delete_access_grant, params)
+      req.send_request(options)
+    end
+
+    # Deletes your S3 Access Grants instance. You must first delete the
+    # access grants and locations before S3 Access Grants can delete the
+    # instance. See [DeleteAccessGrant][1] and
+    # [DeleteAccessGrantsLocation][2]. If you have associated an IAM
+    # Identity Center instance with your S3 Access Grants instance, you must
+    # first dissassociate the Identity Center instance from the S3 Access
+    # Grants instance before you can delete the S3 Access Grants instance.
+    # See [AssociateAccessGrantsIdentityCenter][3] and
+    # [DissociateAccessGrantsIdentityCenter][4].
+    #
+    # Permissions
+    #
+    # : You must have the `s3:DeleteAccessGrantsInstance` permission to use
+    #   this operation.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DeleteAccessGrant.html
+    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DeleteAccessGrantsLocation.html
+    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_AssociateAccessGrantsIdentityCenter.html
+    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DissociateAccessGrantsIdentityCenter.html
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.delete_access_grants_instance({
+    #     account_id: "AccountId",
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/DeleteAccessGrantsInstance AWS API Documentation
+    #
+    # @overload delete_access_grants_instance(params = {})
+    # @param [Hash] params ({})
+    def delete_access_grants_instance(params = {}, options = {})
+      req = build_request(:delete_access_grants_instance, params)
+      req.send_request(options)
+    end
+
+    # Deletes the resource policy of the S3 Access Grants instance. The
+    # resource policy is used to manage cross-account access to your S3
+    # Access Grants instance. By deleting the resource policy, you delete
+    # any cross-account permissions to your S3 Access Grants instance.
+    #
+    # Permissions
+    #
+    # : You must have the `s3:DeleteAccessGrantsInstanceResourcePolicy`
+    #   permission to use this operation.
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.delete_access_grants_instance_resource_policy({
+    #     account_id: "AccountId",
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/DeleteAccessGrantsInstanceResourcePolicy AWS API Documentation
+    #
+    # @overload delete_access_grants_instance_resource_policy(params = {})
+    # @param [Hash] params ({})
+    def delete_access_grants_instance_resource_policy(params = {}, options = {})
+      req = build_request(:delete_access_grants_instance_resource_policy, params)
+      req.send_request(options)
+    end
+
+    # Deregisters a location from your S3 Access Grants instance. You can
+    # only delete a location registration from an S3 Access Grants instance
+    # if there are no grants associated with this location. See [Delete a
+    # grant][1] for information on how to delete grants. You need to have at
+    # least one registered location in your S3 Access Grants instance in
+    # order to create access grants.
+    #
+    # Permissions
+    #
+    # : You must have the `s3:DeleteAccessGrantsLocation` permission to use
+    #   this operation.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DeleteAccessGrant.html
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @option params [required, String] :access_grants_location_id
+    #   The ID of the registered location that you are deregistering from your
+    #   S3 Access Grants instance. S3 Access Grants assigned this ID when you
+    #   registered the location. S3 Access Grants assigns the ID `default` to
+    #   the default location `s3://` and assigns an auto-generated ID to other
+    #   locations that you register.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.delete_access_grants_location({
+    #     account_id: "AccountId",
+    #     access_grants_location_id: "AccessGrantsLocationId", # required
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/DeleteAccessGrantsLocation AWS API Documentation
+    #
+    # @overload delete_access_grants_location(params = {})
+    # @param [Hash] params ({})
+    def delete_access_grants_location(params = {}, options = {})
+      req = build_request(:delete_access_grants_location, params)
+      req.send_request(options)
+    end
+
     # Deletes the specified access point.
     #
     # All Amazon S3 on Outposts REST API requests for this action require an
@@ -2296,70 +2803,330 @@ module Aws::S3Control
     #
     # * [DeleteMultiRegionAccessPoint][3]
     #
-    # * [GetMultiRegionAccessPoint][4]
+    # * [GetMultiRegionAccessPoint][4]
+    #
+    # * [ListMultiRegionAccessPoints][5]
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ManagingMultiRegionAccessPoints.html
+    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_CreateMultiRegionAccessPoint.html
+    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DeleteMultiRegionAccessPoint.html
+    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetMultiRegionAccessPoint.html
+    # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListMultiRegionAccessPoints.html
+    #
+    # @option params [String] :account_id
+    #   The Amazon Web Services account ID for the owner of the Multi-Region
+    #   Access Point.
+    #
+    # @option params [required, String] :request_token_arn
+    #   The request token associated with the request you want to know about.
+    #   This request token is returned as part of the response when you make
+    #   an asynchronous request. You provide this token to query about the
+    #   status of the asynchronous action.
+    #
+    # @return [Types::DescribeMultiRegionAccessPointOperationResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::DescribeMultiRegionAccessPointOperationResult#async_operation #async_operation} => Types::AsyncOperation
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.describe_multi_region_access_point_operation({
+    #     account_id: "AccountId",
+    #     request_token_arn: "AsyncRequestTokenARN", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.async_operation.creation_time #=> Time
+    #   resp.async_operation.operation #=> String, one of "CreateMultiRegionAccessPoint", "DeleteMultiRegionAccessPoint", "PutMultiRegionAccessPointPolicy"
+    #   resp.async_operation.request_token_arn #=> String
+    #   resp.async_operation.request_parameters.create_multi_region_access_point_request.name #=> String
+    #   resp.async_operation.request_parameters.create_multi_region_access_point_request.public_access_block.block_public_acls #=> Boolean
+    #   resp.async_operation.request_parameters.create_multi_region_access_point_request.public_access_block.ignore_public_acls #=> Boolean
+    #   resp.async_operation.request_parameters.create_multi_region_access_point_request.public_access_block.block_public_policy #=> Boolean
+    #   resp.async_operation.request_parameters.create_multi_region_access_point_request.public_access_block.restrict_public_buckets #=> Boolean
+    #   resp.async_operation.request_parameters.create_multi_region_access_point_request.regions #=> Array
+    #   resp.async_operation.request_parameters.create_multi_region_access_point_request.regions[0].bucket #=> String
+    #   resp.async_operation.request_parameters.create_multi_region_access_point_request.regions[0].bucket_account_id #=> String
+    #   resp.async_operation.request_parameters.delete_multi_region_access_point_request.name #=> String
+    #   resp.async_operation.request_parameters.put_multi_region_access_point_policy_request.name #=> String
+    #   resp.async_operation.request_parameters.put_multi_region_access_point_policy_request.policy #=> String
+    #   resp.async_operation.request_status #=> String
+    #   resp.async_operation.response_details.multi_region_access_point_details.regions #=> Array
+    #   resp.async_operation.response_details.multi_region_access_point_details.regions[0].name #=> String
+    #   resp.async_operation.response_details.multi_region_access_point_details.regions[0].request_status #=> String
+    #   resp.async_operation.response_details.error_details.code #=> String
+    #   resp.async_operation.response_details.error_details.message #=> String
+    #   resp.async_operation.response_details.error_details.resource #=> String
+    #   resp.async_operation.response_details.error_details.request_id #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/DescribeMultiRegionAccessPointOperation AWS API Documentation
+    #
+    # @overload describe_multi_region_access_point_operation(params = {})
+    # @param [Hash] params ({})
+    def describe_multi_region_access_point_operation(params = {}, options = {})
+      req = build_request(:describe_multi_region_access_point_operation, params)
+      req.send_request(options)
+    end
+
+    # Dissociates the Amazon Web Services IAM Identity Center instance from
+    # the S3 Access Grants instance.
+    #
+    # Permissions
+    #
+    # : You must have the `s3:DissociateAccessGrantsIdentityCenter`
+    #   permission to use this operation.
+    #
+    # Additional Permissions
+    #
+    # : You must have the `sso:DeleteApplication` permission to use this
+    #   operation.
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.dissociate_access_grants_identity_center({
+    #     account_id: "AccountId",
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/DissociateAccessGrantsIdentityCenter AWS API Documentation
+    #
+    # @overload dissociate_access_grants_identity_center(params = {})
+    # @param [Hash] params ({})
+    def dissociate_access_grants_identity_center(params = {}, options = {})
+      req = build_request(:dissociate_access_grants_identity_center, params)
+      req.send_request(options)
+    end
+
+    # Get the details of an access grant from your S3 Access Grants
+    # instance.
+    #
+    # Permissions
+    #
+    # : You must have the `s3:GetAccessGrant` permission to use this
+    #   operation.
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @option params [required, String] :access_grant_id
+    #   The ID of the access grant. S3 Access Grants auto-generates this ID
+    #   when you create the access grant.
+    #
+    # @return [Types::GetAccessGrantResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetAccessGrantResult#created_at #created_at} => Time
+    #   * {Types::GetAccessGrantResult#access_grant_id #access_grant_id} => String
+    #   * {Types::GetAccessGrantResult#access_grant_arn #access_grant_arn} => String
+    #   * {Types::GetAccessGrantResult#grantee #grantee} => Types::Grantee
+    #   * {Types::GetAccessGrantResult#permission #permission} => String
+    #   * {Types::GetAccessGrantResult#access_grants_location_id #access_grants_location_id} => String
+    #   * {Types::GetAccessGrantResult#access_grants_location_configuration #access_grants_location_configuration} => Types::AccessGrantsLocationConfiguration
+    #   * {Types::GetAccessGrantResult#grant_scope #grant_scope} => String
+    #   * {Types::GetAccessGrantResult#application_arn #application_arn} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_access_grant({
+    #     account_id: "AccountId",
+    #     access_grant_id: "AccessGrantId", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.created_at #=> Time
+    #   resp.access_grant_id #=> String
+    #   resp.access_grant_arn #=> String
+    #   resp.grantee.grantee_type #=> String, one of "DIRECTORY_USER", "DIRECTORY_GROUP", "IAM"
+    #   resp.grantee.grantee_identifier #=> String
+    #   resp.permission #=> String, one of "READ", "WRITE", "READWRITE"
+    #   resp.access_grants_location_id #=> String
+    #   resp.access_grants_location_configuration.s3_sub_prefix #=> String
+    #   resp.grant_scope #=> String
+    #   resp.application_arn #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessGrant AWS API Documentation
+    #
+    # @overload get_access_grant(params = {})
+    # @param [Hash] params ({})
+    def get_access_grant(params = {}, options = {})
+      req = build_request(:get_access_grant, params)
+      req.send_request(options)
+    end
+
+    # Retrieves the S3 Access Grants instance for a Region in your account.
+    #
+    # Permissions
+    #
+    # : You must have the `s3:GetAccessGrantsInstance` permission to use
+    #   this operation.
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @return [Types::GetAccessGrantsInstanceResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetAccessGrantsInstanceResult#access_grants_instance_arn #access_grants_instance_arn} => String
+    #   * {Types::GetAccessGrantsInstanceResult#access_grants_instance_id #access_grants_instance_id} => String
+    #   * {Types::GetAccessGrantsInstanceResult#identity_center_arn #identity_center_arn} => String
+    #   * {Types::GetAccessGrantsInstanceResult#created_at #created_at} => Time
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_access_grants_instance({
+    #     account_id: "AccountId",
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.access_grants_instance_arn #=> String
+    #   resp.access_grants_instance_id #=> String
+    #   resp.identity_center_arn #=> String
+    #   resp.created_at #=> Time
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessGrantsInstance AWS API Documentation
+    #
+    # @overload get_access_grants_instance(params = {})
+    # @param [Hash] params ({})
+    def get_access_grants_instance(params = {}, options = {})
+      req = build_request(:get_access_grants_instance, params)
+      req.send_request(options)
+    end
+
+    # Retrieve the S3 Access Grants instance that contains a particular
+    # prefix.
+    #
+    # Permissions
+    #
+    # : You must have the `s3:GetAccessGrantsInstanceForPrefix` permission
+    #   for the caller account to use this operation.
+    #
+    # Additional Permissions
+    #
+    # : The prefix owner account must grant you the following permissions to
+    #   their S3 Access Grants instance:
+    #   `s3:GetAccessGrantsInstanceForPrefix`.
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @option params [required, String] :s3_prefix
+    #   The S3 prefix of the access grants that you would like to retrieve.
+    #
+    # @return [Types::GetAccessGrantsInstanceForPrefixResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetAccessGrantsInstanceForPrefixResult#access_grants_instance_arn #access_grants_instance_arn} => String
+    #   * {Types::GetAccessGrantsInstanceForPrefixResult#access_grants_instance_id #access_grants_instance_id} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_access_grants_instance_for_prefix({
+    #     account_id: "AccountId",
+    #     s3_prefix: "S3Prefix", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.access_grants_instance_arn #=> String
+    #   resp.access_grants_instance_id #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessGrantsInstanceForPrefix AWS API Documentation
+    #
+    # @overload get_access_grants_instance_for_prefix(params = {})
+    # @param [Hash] params ({})
+    def get_access_grants_instance_for_prefix(params = {}, options = {})
+      req = build_request(:get_access_grants_instance_for_prefix, params)
+      req.send_request(options)
+    end
+
+    # Returns the resource policy of the S3 Access Grants instance.
+    #
+    # Permissions
+    #
+    # : You must have the `s3:GetAccessGrantsInstanceResourcePolicy`
+    #   permission to use this operation.
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @return [Types::GetAccessGrantsInstanceResourcePolicyResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetAccessGrantsInstanceResourcePolicyResult#policy #policy} => String
+    #   * {Types::GetAccessGrantsInstanceResourcePolicyResult#organization #organization} => String
+    #   * {Types::GetAccessGrantsInstanceResourcePolicyResult#created_at #created_at} => Time
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_access_grants_instance_resource_policy({
+    #     account_id: "AccountId",
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.policy #=> String
+    #   resp.organization #=> String
+    #   resp.created_at #=> Time
     #
-    # * [ListMultiRegionAccessPoints][5]
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessGrantsInstanceResourcePolicy AWS API Documentation
     #
+    # @overload get_access_grants_instance_resource_policy(params = {})
+    # @param [Hash] params ({})
+    def get_access_grants_instance_resource_policy(params = {}, options = {})
+      req = build_request(:get_access_grants_instance_resource_policy, params)
+      req.send_request(options)
+    end
+
+    # Retrieves the details of a particular location registered in your S3
+    # Access Grants instance.
     #
+    # Permissions
     #
-    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ManagingMultiRegionAccessPoints.html
-    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_CreateMultiRegionAccessPoint.html
-    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DeleteMultiRegionAccessPoint.html
-    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetMultiRegionAccessPoint.html
-    # [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListMultiRegionAccessPoints.html
+    # : You must have the `s3:GetAccessGrantsLocation` permission to use
+    #   this operation.
     #
     # @option params [String] :account_id
-    #   The Amazon Web Services account ID for the owner of the Multi-Region
-    #   Access Point.
+    #   The ID of the Amazon Web Services account that is making this request.
     #
-    # @option params [required, String] :request_token_arn
-    #   The request token associated with the request you want to know about.
-    #   This request token is returned as part of the response when you make
-    #   an asynchronous request. You provide this token to query about the
-    #   status of the asynchronous action.
+    # @option params [required, String] :access_grants_location_id
+    #   The ID of the registered location that you are retrieving. S3 Access
+    #   Grants assigns this ID when you register the location. S3 Access
+    #   Grants assigns the ID `default` to the default location `s3://` and
+    #   assigns an auto-generated ID to other locations that you register.
     #
-    # @return [Types::DescribeMultiRegionAccessPointOperationResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    # @return [Types::GetAccessGrantsLocationResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
-    #   * {Types::DescribeMultiRegionAccessPointOperationResult#async_operation #async_operation} => Types::AsyncOperation
+    #   * {Types::GetAccessGrantsLocationResult#created_at #created_at} => Time
+    #   * {Types::GetAccessGrantsLocationResult#access_grants_location_id #access_grants_location_id} => String
+    #   * {Types::GetAccessGrantsLocationResult#access_grants_location_arn #access_grants_location_arn} => String
+    #   * {Types::GetAccessGrantsLocationResult#location_scope #location_scope} => String
+    #   * {Types::GetAccessGrantsLocationResult#iam_role_arn #iam_role_arn} => String
     #
     # @example Request syntax with placeholder values
     #
-    #   resp = client.describe_multi_region_access_point_operation({
+    #   resp = client.get_access_grants_location({
     #     account_id: "AccountId",
-    #     request_token_arn: "AsyncRequestTokenARN", # required
+    #     access_grants_location_id: "AccessGrantsLocationId", # required
     #   })
     #
     # @example Response structure
     #
-    #   resp.async_operation.creation_time #=> Time
-    #   resp.async_operation.operation #=> String, one of "CreateMultiRegionAccessPoint", "DeleteMultiRegionAccessPoint", "PutMultiRegionAccessPointPolicy"
-    #   resp.async_operation.request_token_arn #=> String
-    #   resp.async_operation.request_parameters.create_multi_region_access_point_request.name #=> String
-    #   resp.async_operation.request_parameters.create_multi_region_access_point_request.public_access_block.block_public_acls #=> Boolean
-    #   resp.async_operation.request_parameters.create_multi_region_access_point_request.public_access_block.ignore_public_acls #=> Boolean
-    #   resp.async_operation.request_parameters.create_multi_region_access_point_request.public_access_block.block_public_policy #=> Boolean
-    #   resp.async_operation.request_parameters.create_multi_region_access_point_request.public_access_block.restrict_public_buckets #=> Boolean
-    #   resp.async_operation.request_parameters.create_multi_region_access_point_request.regions #=> Array
-    #   resp.async_operation.request_parameters.create_multi_region_access_point_request.regions[0].bucket #=> String
-    #   resp.async_operation.request_parameters.create_multi_region_access_point_request.regions[0].bucket_account_id #=> String
-    #   resp.async_operation.request_parameters.delete_multi_region_access_point_request.name #=> String
-    #   resp.async_operation.request_parameters.put_multi_region_access_point_policy_request.name #=> String
-    #   resp.async_operation.request_parameters.put_multi_region_access_point_policy_request.policy #=> String
-    #   resp.async_operation.request_status #=> String
-    #   resp.async_operation.response_details.multi_region_access_point_details.regions #=> Array
-    #   resp.async_operation.response_details.multi_region_access_point_details.regions[0].name #=> String
-    #   resp.async_operation.response_details.multi_region_access_point_details.regions[0].request_status #=> String
-    #   resp.async_operation.response_details.error_details.code #=> String
-    #   resp.async_operation.response_details.error_details.message #=> String
-    #   resp.async_operation.response_details.error_details.resource #=> String
-    #   resp.async_operation.response_details.error_details.request_id #=> String
+    #   resp.created_at #=> Time
+    #   resp.access_grants_location_id #=> String
+    #   resp.access_grants_location_arn #=> String
+    #   resp.location_scope #=> String
+    #   resp.iam_role_arn #=> String
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/DescribeMultiRegionAccessPointOperation AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessGrantsLocation AWS API Documentation
     #
-    # @overload describe_multi_region_access_point_operation(params = {})
+    # @overload get_access_grants_location(params = {})
     # @param [Hash] params ({})
-    def describe_multi_region_access_point_operation(params = {}, options = {})
-      req = build_request(:describe_multi_region_access_point_operation, params)
+    def get_access_grants_location(params = {}, options = {})
+      req = build_request(:get_access_grants_location, params)
       req.send_request(options)
     end
 
@@ -3346,6 +4113,102 @@ module Aws::S3Control
       req.send_request(options)
     end
 
+    # Returns a temporary access credential from S3 Access Grants to the
+    # grantee or client application. The [temporary credential][1] is an
+    # Amazon Web Services STS token that grants them access to the S3 data.
+    #
+    # Permissions
+    #
+    # : You must have the `s3:GetDataAccess` permission to use this
+    #   operation.
+    #
+    # Additional Permissions
+    #
+    # : The IAM role that S3 Access Grants assumes must have the following
+    #   permissions specified in the trust policy when registering the
+    #   location: `sts:AssumeRole`, for directory users or groups
+    #   `sts:SetContext`, and for IAM users or roles `sts:SourceIdentity`.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/STS/latest/APIReference/API_Credentials.html
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @option params [required, String] :target
+    #   The S3 URI path of the data to which you are requesting temporary
+    #   access credentials. If the requesting account has an access grant for
+    #   this data, S3 Access Grants vends temporary access credentials in the
+    #   response.
+    #
+    # @option params [required, String] :permission
+    #   The type of permission granted to your S3 data, which can be set to
+    #   one of the following values:
+    #
+    #   * `READ` – Grant read-only access to the S3 data.
+    #
+    #   * `WRITE` – Grant write-only access to the S3 data.
+    #
+    #   * `READWRITE` – Grant both read and write access to the S3 data.
+    #
+    # @option params [Integer] :duration_seconds
+    #   The session duration, in seconds, of the temporary access credential
+    #   that S3 Access Grants vends to the grantee or client application. The
+    #   default value is 1 hour, but the grantee can specify a range from 900
+    #   seconds (15 minutes) up to 43200 seconds (12 hours). If the grantee
+    #   requests a value higher than this maximum, the operation fails.
+    #
+    # @option params [String] :privilege
+    #   The scope of the temporary access credential that S3 Access Grants
+    #   vends to the grantee or client application.
+    #
+    #   * `Default` – The scope of the returned temporary access token is the
+    #     scope of the grant that is closest to the target scope.
+    #
+    #   * `Minimal` – The scope of the returned temporary access token is the
+    #     same as the requested target scope as long as the requested scope is
+    #     the same as or a subset of the grant scope.
+    #
+    # @option params [String] :target_type
+    #   The type of `Target`. The only possible value is `Object`. Pass this
+    #   value if the target data that you would like to access is a path to an
+    #   object. Do not pass this value if the target data is a bucket or a
+    #   bucket and a prefix.
+    #
+    # @return [Types::GetDataAccessResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetDataAccessResult#credentials #credentials} => Types::Credentials
+    #   * {Types::GetDataAccessResult#matched_grant_target #matched_grant_target} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_data_access({
+    #     account_id: "AccountId",
+    #     target: "S3Prefix", # required
+    #     permission: "READ", # required, accepts READ, WRITE, READWRITE
+    #     duration_seconds: 1,
+    #     privilege: "Minimal", # accepts Minimal, Default
+    #     target_type: "Object", # accepts Object
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.credentials.access_key_id #=> String
+    #   resp.credentials.secret_access_key #=> String
+    #   resp.credentials.session_token #=> String
+    #   resp.credentials.expiration #=> Time
+    #   resp.matched_grant_target #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetDataAccess AWS API Documentation
+    #
+    # @overload get_data_access(params = {})
+    # @param [Hash] params ({})
+    def get_data_access(params = {}, options = {})
+      req = build_request(:get_data_access, params)
+      req.send_request(options)
+    end
+
     # Returns the tags on an S3 Batch Operations job. To use the
     # `GetJobTagging` operation, you must have permission to perform the
     # `s3:GetJobTagging` action. For more information, see [Controlling
@@ -3916,6 +4779,239 @@ module Aws::S3Control
       req.send_request(options)
     end
 
+    # Returns the list of access grants in your S3 Access Grants instance.
+    #
+    # Permissions
+    #
+    # : You must have the `s3:ListAccessGrants` permission to use this
+    #   operation.
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @option params [String] :next_token
+    #   A pagination token to request the next page of results. Pass this
+    #   value into a subsequent `List Access Grants` request in order to
+    #   retrieve the next page of results.
+    #
+    # @option params [Integer] :max_results
+    #   The maximum number of access grants that you would like returned in
+    #   the `List Access Grants` response. If the results include the
+    #   pagination token `NextToken`, make another call using the `NextToken`
+    #   to determine if there are more results.
+    #
+    # @option params [String] :grantee_type
+    #   The type of the grantee to which access has been granted. It can be
+    #   one of the following values:
+    #
+    #   * `IAM` - An IAM user or role.
+    #
+    #   * `DIRECTORY_USER` - Your corporate directory user. You can use this
+    #     option if you have added your corporate identity directory to IAM
+    #     Identity Center and associated the IAM Identity Center instance with
+    #     your S3 Access Grants instance.
+    #
+    #   * `DIRECTORY_GROUP` - Your corporate directory group. You can use this
+    #     option if you have added your corporate identity directory to IAM
+    #     Identity Center and associated the IAM Identity Center instance with
+    #     your S3 Access Grants instance.
+    #
+    # @option params [String] :grantee_identifier
+    #   The unique identifer of the `Grantee`. If the grantee type is `IAM`,
+    #   the identifier is the IAM Amazon Resource Name (ARN) of the user or
+    #   role. If the grantee type is a directory user or group, the identifier
+    #   is 128-bit universally unique identifier (UUID) in the format
+    #   `a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`. You can obtain this UUID from
+    #   your Amazon Web Services IAM Identity Center instance.
+    #
+    # @option params [String] :permission
+    #   The type of permission granted to your S3 data, which can be set to
+    #   one of the following values:
+    #
+    #   * `READ` – Grant read-only access to the S3 data.
+    #
+    #   * `WRITE` – Grant write-only access to the S3 data.
+    #
+    #   * `READWRITE` – Grant both read and write access to the S3 data.
+    #
+    # @option params [String] :grant_scope
+    #   The S3 path of the data to which you are granting access. It is the
+    #   result of appending the `Subprefix` to the location scope.
+    #
+    # @option params [String] :application_arn
+    #   The Amazon Resource Name (ARN) of an Amazon Web Services IAM Identity
+    #   Center application associated with your Identity Center instance. If
+    #   the grant includes an application ARN, the grantee can only access the
+    #   S3 data through this application.
+    #
+    # @return [Types::ListAccessGrantsResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ListAccessGrantsResult#next_token #next_token} => String
+    #   * {Types::ListAccessGrantsResult#access_grants_list #access_grants_list} => Array&lt;Types::ListAccessGrantEntry&gt;
+    #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.list_access_grants({
+    #     account_id: "AccountId",
+    #     next_token: "ContinuationToken",
+    #     max_results: 1,
+    #     grantee_type: "DIRECTORY_USER", # accepts DIRECTORY_USER, DIRECTORY_GROUP, IAM
+    #     grantee_identifier: "GranteeIdentifier",
+    #     permission: "READ", # accepts READ, WRITE, READWRITE
+    #     grant_scope: "S3Prefix",
+    #     application_arn: "IdentityCenterApplicationArn",
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.next_token #=> String
+    #   resp.access_grants_list #=> Array
+    #   resp.access_grants_list[0].created_at #=> Time
+    #   resp.access_grants_list[0].access_grant_id #=> String
+    #   resp.access_grants_list[0].access_grant_arn #=> String
+    #   resp.access_grants_list[0].grantee.grantee_type #=> String, one of "DIRECTORY_USER", "DIRECTORY_GROUP", "IAM"
+    #   resp.access_grants_list[0].grantee.grantee_identifier #=> String
+    #   resp.access_grants_list[0].permission #=> String, one of "READ", "WRITE", "READWRITE"
+    #   resp.access_grants_list[0].access_grants_location_id #=> String
+    #   resp.access_grants_list[0].access_grants_location_configuration.s3_sub_prefix #=> String
+    #   resp.access_grants_list[0].grant_scope #=> String
+    #   resp.access_grants_list[0].application_arn #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/ListAccessGrants AWS API Documentation
+    #
+    # @overload list_access_grants(params = {})
+    # @param [Hash] params ({})
+    def list_access_grants(params = {}, options = {})
+      req = build_request(:list_access_grants, params)
+      req.send_request(options)
+    end
+
+    # Returns a list of S3 Access Grants instances. An S3 Access Grants
+    # instance serves as a logical grouping for your individual access
+    # grants. You can only have one S3 Access Grants instance per Region per
+    # account.
+    #
+    # Permissions
+    #
+    # : You must have the `s3:ListAccessGrantsInstances` permission to use
+    #   this operation.
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @option params [String] :next_token
+    #   A pagination token to request the next page of results. Pass this
+    #   value into a subsequent `List Access Grants Instances` request in
+    #   order to retrieve the next page of results.
+    #
+    # @option params [Integer] :max_results
+    #   The maximum number of access grants that you would like returned in
+    #   the `List Access Grants` response. If the results include the
+    #   pagination token `NextToken`, make another call using the `NextToken`
+    #   to determine if there are more results.
+    #
+    # @return [Types::ListAccessGrantsInstancesResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ListAccessGrantsInstancesResult#next_token #next_token} => String
+    #   * {Types::ListAccessGrantsInstancesResult#access_grants_instances_list #access_grants_instances_list} => Array&lt;Types::ListAccessGrantsInstanceEntry&gt;
+    #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.list_access_grants_instances({
+    #     account_id: "AccountId",
+    #     next_token: "ContinuationToken",
+    #     max_results: 1,
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.next_token #=> String
+    #   resp.access_grants_instances_list #=> Array
+    #   resp.access_grants_instances_list[0].access_grants_instance_id #=> String
+    #   resp.access_grants_instances_list[0].access_grants_instance_arn #=> String
+    #   resp.access_grants_instances_list[0].created_at #=> Time
+    #   resp.access_grants_instances_list[0].identity_center_arn #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/ListAccessGrantsInstances AWS API Documentation
+    #
+    # @overload list_access_grants_instances(params = {})
+    # @param [Hash] params ({})
+    def list_access_grants_instances(params = {}, options = {})
+      req = build_request(:list_access_grants_instances, params)
+      req.send_request(options)
+    end
+
+    # Returns a list of the locations registered in your S3 Access Grants
+    # instance.
+    #
+    # Permissions
+    #
+    # : You must have the `s3:ListAccessGrantsLocations` permission to use
+    #   this operation.
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @option params [String] :next_token
+    #   A pagination token to request the next page of results. Pass this
+    #   value into a subsequent `List Access Grants Locations` request in
+    #   order to retrieve the next page of results.
+    #
+    # @option params [Integer] :max_results
+    #   The maximum number of access grants that you would like returned in
+    #   the `List Access Grants` response. If the results include the
+    #   pagination token `NextToken`, make another call using the `NextToken`
+    #   to determine if there are more results.
+    #
+    # @option params [String] :location_scope
+    #   The S3 path to the location that you are registering. The location
+    #   scope can be the default S3 location `s3://`, the S3 path to a bucket
+    #   `s3://<bucket>`, or the S3 path to a bucket and prefix
+    #   `s3://<bucket>/<prefix>`. A prefix in S3 is a string of characters at
+    #   the beginning of an object key name used to organize the objects that
+    #   you store in your S3 buckets. For example, object key names that start
+    #   with the `engineering/` prefix or object key names that start with the
+    #   `marketing/campaigns/` prefix.
+    #
+    # @return [Types::ListAccessGrantsLocationsResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ListAccessGrantsLocationsResult#next_token #next_token} => String
+    #   * {Types::ListAccessGrantsLocationsResult#access_grants_locations_list #access_grants_locations_list} => Array&lt;Types::ListAccessGrantsLocationsEntry&gt;
+    #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.list_access_grants_locations({
+    #     account_id: "AccountId",
+    #     next_token: "ContinuationToken",
+    #     max_results: 1,
+    #     location_scope: "S3Prefix",
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.next_token #=> String
+    #   resp.access_grants_locations_list #=> Array
+    #   resp.access_grants_locations_list[0].created_at #=> Time
+    #   resp.access_grants_locations_list[0].access_grants_location_id #=> String
+    #   resp.access_grants_locations_list[0].access_grants_location_arn #=> String
+    #   resp.access_grants_locations_list[0].location_scope #=> String
+    #   resp.access_grants_locations_list[0].iam_role_arn #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/ListAccessGrantsLocations AWS API Documentation
+    #
+    # @overload list_access_grants_locations(params = {})
+    # @param [Hash] params ({})
+    def list_access_grants_locations(params = {}, options = {})
+      req = build_request(:list_access_grants_locations, params)
+      req.send_request(options)
+    end
+
     # Returns a list of the access points that are owned by the current
     # account that's associated with the specified bucket. You can retrieve
     # up to 1000 access points per call. If the specified bucket has more
@@ -4425,32 +5521,43 @@ module Aws::S3Control
     end
 
     # This operation allows you to list all the Amazon Web Services resource
-    # tags for the specified resource.
+    # tags for a specified resource. Each tag is a label consisting of a
+    # user-defined key and value. Tags can help you manage, identify,
+    # organize, search for, and filter resources.
     #
-    # To use this operation, you must have the permission to perform the
-    # `s3:ListTagsForResource` action. For more information about the
-    # required Storage Lens Groups permissions, see [Setting account
-    # permissions to use S3 Storage Lens groups][1].
+    # Permissions
     #
-    # For information about S3 Tagging errors, see [List of Amazon S3
-    # Tagging error codes][2].
+    # : You must have the `s3:ListTagsForResource` permission to use this
+    #   operation.
     #
-    # <note markdown="1"> This operation is only supported for [S3 Storage Lens groups][3].
+    # <note markdown="1"> This operation is only supported for [S3 Storage Lens groups][1] and
+    # for [S3 Access Grants][2]. The tagged resource can be an S3 Storage
+    # Lens group or S3 Access Grants instance, registered location, or
+    # grant.
     #
     #  </note>
     #
+    # For more information about the required Storage Lens Groups
+    # permissions, see [Setting account permissions to use S3 Storage Lens
+    # groups][3].
     #
+    # For information about S3 Tagging errors, see [List of Amazon S3
+    # Tagging error codes][4].
     #
-    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_iam_permissions.html#storage_lens_groups_permissions
-    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html#S3TaggingErrorCodeList
-    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-lens-groups.html
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-lens-groups.html
+    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants-tagging.html
+    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_iam_permissions.html#storage_lens_groups_permissions
+    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html#S3TaggingErrorCodeList
     #
     # @option params [String] :account_id
     #   The Amazon Web Services account ID of the resource owner.
     #
     # @option params [required, String] :resource_arn
     #   The Amazon Resource Name (ARN) of the S3 resource that you want to
-    #   list the tags for.
+    #   list the tags for. The tagged resource can be an S3 Storage Lens group
+    #   or S3 Access Grants instance, registered location, or grant.
     #
     # @return [Types::ListTagsForResourceResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -4478,6 +5585,53 @@ module Aws::S3Control
       req.send_request(options)
     end
 
+    # Updates the resource policy of the S3 Access Grants instance.
+    #
+    # Permissions
+    #
+    # : You must have the `s3:PutAccessGrantsInstanceResourcePolicy`
+    #   permission to use this operation.
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @option params [required, String] :policy
+    #   The resource policy of the S3 Access Grants instance that you are
+    #   updating.
+    #
+    # @option params [String] :organization
+    #   The Organization of the resource policy of the S3 Access Grants
+    #   instance.
+    #
+    # @return [Types::PutAccessGrantsInstanceResourcePolicyResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::PutAccessGrantsInstanceResourcePolicyResult#policy #policy} => String
+    #   * {Types::PutAccessGrantsInstanceResourcePolicyResult#organization #organization} => String
+    #   * {Types::PutAccessGrantsInstanceResourcePolicyResult#created_at #created_at} => Time
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.put_access_grants_instance_resource_policy({
+    #     account_id: "AccountId",
+    #     policy: "PolicyDocument", # required
+    #     organization: "Organization",
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.policy #=> String
+    #   resp.organization #=> String
+    #   resp.created_at #=> Time
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/PutAccessGrantsInstanceResourcePolicy AWS API Documentation
+    #
+    # @overload put_access_grants_instance_resource_policy(params = {})
+    # @param [Hash] params ({})
+    def put_access_grants_instance_resource_policy(params = {}, options = {})
+      req = build_request(:put_access_grants_instance_resource_policy, params)
+      req.send_request(options)
+    end
+
     # Replaces configuration for an Object Lambda Access Point.
     #
     # The following actions are related to
@@ -5798,34 +6952,44 @@ module Aws::S3Control
     end
 
     # Creates a new Amazon Web Services resource tag or updates an existing
-    # resource tag. You can add up to 50 Amazon Web Services resource tags
-    # for each S3 resource.
+    # resource tag. Each tag is a label consisting of a user-defined key and
+    # value. Tags can help you manage, identify, organize, search for, and
+    # filter resources. You can add up to 50 Amazon Web Services resource
+    # tags for each S3 resource.
     #
-    # To use this operation, you must have the permission to perform the
-    # `s3:TagResource` action. For more information about the required
-    # Storage Lens Groups permissions, see [Setting account permissions to
-    # use S3 Storage Lens groups][1].
+    # <note markdown="1"> This operation is only supported for [S3 Storage Lens groups][1] and
+    # for [S3 Access Grants][2]. The tagged resource can be an S3 Storage
+    # Lens group or S3 Access Grants instance, registered location, or
+    # grant.
     #
-    # For information about S3 Tagging errors, see [List of Amazon S3
-    # Tagging error codes][2].
+    #  </note>
     #
-    # <note markdown="1"> This operation is only supported for [S3 Storage Lens groups][3].
+    # Permissions
     #
-    #  </note>
+    # : You must have the `s3:TagResource` permission to use this operation.
     #
+    # For more information about the required Storage Lens Groups
+    # permissions, see [Setting account permissions to use S3 Storage Lens
+    # groups][3].
     #
+    # For information about S3 Tagging errors, see [List of Amazon S3
+    # Tagging error codes][4].
     #
-    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_iam_permissions.html#storage_lens_groups_permissions
-    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html#S3TaggingErrorCodeList
-    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-lens-groups.html
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-lens-groups.html
+    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants-tagging.html
+    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_iam_permissions.html#storage_lens_groups_permissions
+    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html#S3TaggingErrorCodeList
     #
     # @option params [String] :account_id
     #   The Amazon Web Services account ID that created the S3 resource that
-    #   you're trying to add tags to.
+    #   you're trying to add tags to or the requester's account ID.
     #
     # @option params [required, String] :resource_arn
     #   The Amazon Resource Name (ARN) of the S3 resource that you're trying
-    #   to add tags to.
+    #   to add tags to. The tagged resource can be an S3 Storage Lens group or
+    #   S3 Access Grants instance, registered location, or grant.
     #
     # @option params [required, Array<Types::Tag>] :tags
     #   The Amazon Web Services resource tags that you want to add to the
@@ -5856,36 +7020,47 @@ module Aws::S3Control
     end
 
     # This operation removes the specified Amazon Web Services resource tags
-    # from an S3 resource.
+    # from an S3 resource. Each tag is a label consisting of a user-defined
+    # key and value. Tags can help you manage, identify, organize, search
+    # for, and filter resources.
     #
-    # To use this operation, you must have the permission to perform the
-    # `s3:UntagResource` action. For more information about the required
-    # Storage Lens Groups permissions, see [Setting account permissions to
-    # use S3 Storage Lens groups][1].
+    # <note markdown="1"> This operation is only supported for [S3 Storage Lens groups][1] and
+    # for [S3 Access Grants][2]. The tagged resource can be an S3 Storage
+    # Lens group or S3 Access Grants instance, registered location, or
+    # grant.
     #
-    # For information about S3 Tagging errors, see [List of Amazon S3
-    # Tagging error codes][2].
+    #  </note>
     #
-    # <note markdown="1"> This operation is only supported for [S3 Storage Lens groups][3].
+    # Permissions
     #
-    #  </note>
+    # : You must have the `s3:UntagResource` permission to use this
+    #   operation.
     #
+    # For more information about the required Storage Lens Groups
+    # permissions, see [Setting account permissions to use S3 Storage Lens
+    # groups][3].
     #
+    # For information about S3 Tagging errors, see [List of Amazon S3
+    # Tagging error codes][4].
     #
-    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_iam_permissions.html#storage_lens_groups_permissions
-    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html#S3TaggingErrorCodeList
-    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-lens-groups.html
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-lens-groups.html
+    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants-tagging.html
+    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_iam_permissions.html#storage_lens_groups_permissions
+    # [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html#S3TaggingErrorCodeList
     #
     # @option params [String] :account_id
     #   The Amazon Web Services account ID that owns the resource that you're
     #   trying to remove the tags from.
     #
     # @option params [required, String] :resource_arn
-    #   The Amazon Resource Name (ARN) of the S3 resource that you want to
-    #   remove the resource tags from.
+    #   The Amazon Resource Name (ARN) of the S3 resource that you're trying
+    #   to remove the tags from.
     #
     # @option params [required, Array<String>] :tag_keys
-    #   The tag key pair of the S3 resource tag that you're trying to remove.
+    #   The array of tag key-value pairs that you're trying to remove from of
+    #   the S3 resource.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -5906,6 +7081,74 @@ module Aws::S3Control
       req.send_request(options)
     end
 
+    # Updates the IAM role of a registered location in your S3 Access Grants
+    # instance.
+    #
+    # Permissions
+    #
+    # : You must have the `s3:UpdateAccessGrantsLocation` permission to use
+    #   this operation.
+    #
+    # Additional Permissions
+    #
+    # : You must also have the following permission: `iam:PassRole`
+    #
+    # @option params [String] :account_id
+    #   The ID of the Amazon Web Services account that is making this request.
+    #
+    # @option params [required, String] :access_grants_location_id
+    #   The ID of the registered location that you are updating. S3 Access
+    #   Grants assigns this ID when you register the location. S3 Access
+    #   Grants assigns the ID `default` to the default location `s3://` and
+    #   assigns an auto-generated ID to other locations that you register.
+    #
+    #   The ID of the registered location to which you are granting access. S3
+    #   Access Grants assigned this ID when you registered the location. S3
+    #   Access Grants assigns the ID `default` to the default location `s3://`
+    #   and assigns an auto-generated ID to other locations that you register.
+    #
+    #   If you are passing the `default` location, you cannot create an access
+    #   grant for the entire default location. You must also specify a bucket
+    #   or a bucket and prefix in the `Subprefix` field.
+    #
+    # @option params [required, String] :iam_role_arn
+    #   The Amazon Resource Name (ARN) of the IAM role for the registered
+    #   location. S3 Access Grants assumes this role to manage access to the
+    #   registered location.
+    #
+    # @return [Types::UpdateAccessGrantsLocationResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::UpdateAccessGrantsLocationResult#created_at #created_at} => Time
+    #   * {Types::UpdateAccessGrantsLocationResult#access_grants_location_id #access_grants_location_id} => String
+    #   * {Types::UpdateAccessGrantsLocationResult#access_grants_location_arn #access_grants_location_arn} => String
+    #   * {Types::UpdateAccessGrantsLocationResult#location_scope #location_scope} => String
+    #   * {Types::UpdateAccessGrantsLocationResult#iam_role_arn #iam_role_arn} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.update_access_grants_location({
+    #     account_id: "AccountId",
+    #     access_grants_location_id: "AccessGrantsLocationId", # required
+    #     iam_role_arn: "IAMRoleArn", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.created_at #=> Time
+    #   resp.access_grants_location_id #=> String
+    #   resp.access_grants_location_arn #=> String
+    #   resp.location_scope #=> String
+    #   resp.iam_role_arn #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/UpdateAccessGrantsLocation AWS API Documentation
+    #
+    # @overload update_access_grants_location(params = {})
+    # @param [Hash] params ({})
+    def update_access_grants_location(params = {}, options = {})
+      req = build_request(:update_access_grants_location, params)
+      req.send_request(options)
+    end
+
     # Updates an existing S3 Batch Operations job's priority. For more
     # information, see [S3 Batch Operations][1] in the *Amazon S3 User
     # Guide*.
@@ -6149,7 +7392,7 @@ module Aws::S3Control
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-s3control'
-      context[:gem_version] = '1.72.0'
+      context[:gem_version] = '1.73.0'
       Seahorse::Client::Request.new(handlers, context)
     end