aws-sdk-s3control 1.72.0 → 1.74.0

data/lib/aws-sdk-s3control/types.rb

@@ -43,6 +43,36 @@ module Aws::S3Control
       include Aws::Structure
     end
 
+    # The configuration options of the S3 Access Grants location. It
+    # contains the `S3SubPrefix` field. The grant scope, the data to which
+    # you are granting access, is the result of appending the `Subprefix`
+    # field to the scope of the registered location.
+    #
+    # @!attribute [rw] s3_sub_prefix
+    #   The `S3SubPrefix` is appended to the location scope creating the
+    #   grant scope. Use this field to narrow the scope of the grant to a
+    #   subset of the location scope. This field is required if the location
+    #   scope is the default location `s3://` because you cannot create a
+    #   grant for all of your S3 data in the Region and must narrow the
+    #   scope. For example, if the location scope is the default location
+    #   `s3://`, the `S3SubPrefx` can be a <bucket-name>/*, so the
+    #   full grant scope path would be `s3://<bucket-name>/*`. Or the
+    #   `S3SubPrefx` can be `<bucket-name>/<prefix-name>*`, so the full
+    #   grant scope path would be or `s3://<bucket-name>/<prefix-name>*`.
+    #
+    #   If the `S3SubPrefix` includes a prefix, append the wildcard
+    #   character `*` after the prefix to indicate that you want to include
+    #   all object key names in the bucket that start with that prefix.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/AccessGrantsLocationConfiguration AWS API Documentation
+    #
+    class AccessGrantsLocationConfiguration < Struct.new(
+      :s3_sub_prefix)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # An access point used to access a bucket.
     #
     # @!attribute [rw] name
@@ -236,6 +266,33 @@ module Aws::S3Control
       include Aws::Structure
     end
 
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
+    #
+    # @!attribute [rw] identity_center_arn
+    #   The Amazon Resource Name (ARN) of the Amazon Web Services IAM
+    #   Identity Center instance that you are associating with your S3
+    #   Access Grants instance. An IAM Identity Center instance is your
+    #   corporate identity directory that you added to the IAM Identity
+    #   Center. You can use the [ListInstances][1] API operation to retrieve
+    #   a list of your Identity Center instances and their ARNs.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListInstances.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/AssociateAccessGrantsIdentityCenterRequest AWS API Documentation
+    #
+    class AssociateAccessGrantsIdentityCenterRequest < Struct.new(
+      :account_id,
+      :identity_center_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Error details for the failed asynchronous operation.
     #
     # @!attribute [rw] code
@@ -483,6 +540,317 @@ module Aws::S3Control
       include Aws::Structure
     end
 
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grants_location_id
+    #   The ID of the registered location to which you are granting access.
+    #   S3 Access Grants assigns this ID when you register the location. S3
+    #   Access Grants assigns the ID `default` to the default location
+    #   `s3://` and assigns an auto-generated ID to other locations that you
+    #   register.
+    #
+    #   If you are passing the `default` location, you cannot create an
+    #   access grant for the entire default location. You must also specify
+    #   a bucket or a bucket and prefix in the `Subprefix` field.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grants_location_configuration
+    #   The configuration options of the grant location. The grant location
+    #   is the S3 path to the data to which you are granting access. It
+    #   contains the `S3SubPrefix` field. The grant scope is the result of
+    #   appending the subprefix to the location scope of the registered
+    #   location.
+    #   @return [Types::AccessGrantsLocationConfiguration]
+    #
+    # @!attribute [rw] grantee
+    #   The user, group, or role to which you are granting access. You can
+    #   grant access to an IAM user or role. If you have added your
+    #   corporate directory to Amazon Web Services IAM Identity Center and
+    #   associated your Identity Center instance with your S3 Access Grants
+    #   instance, the grantee can also be a corporate directory user or
+    #   group.
+    #   @return [Types::Grantee]
+    #
+    # @!attribute [rw] permission
+    #   The type of access that you are granting to your S3 data, which can
+    #   be set to one of the following values:
+    #
+    #   * `READ` – Grant read-only access to the S3 data.
+    #
+    #   * `WRITE` – Grant write-only access to the S3 data.
+    #
+    #   * `READWRITE` – Grant both read and write access to the S3 data.
+    #   @return [String]
+    #
+    # @!attribute [rw] application_arn
+    #   The Amazon Resource Name (ARN) of an Amazon Web Services IAM
+    #   Identity Center application associated with your Identity Center
+    #   instance. If an application ARN is included in the request to create
+    #   an access grant, the grantee can only access the S3 data through
+    #   this application.
+    #   @return [String]
+    #
+    # @!attribute [rw] s3_prefix_type
+    #   The type of `S3SubPrefix`. The only possible value is `Object`. Pass
+    #   this value if the access grant scope is an object. Do not pass this
+    #   value if the access grant scope is a bucket or a bucket and a
+    #   prefix.
+    #   @return [String]
+    #
+    # @!attribute [rw] tags
+    #   The Amazon Web Services resource tags that you are adding to the
+    #   access grant. Each tag is a label consisting of a user-defined key
+    #   and value. Tags can help you manage, identify, organize, search for,
+    #   and filter resources.
+    #   @return [Array<Types::Tag>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/CreateAccessGrantRequest AWS API Documentation
+    #
+    class CreateAccessGrantRequest < Struct.new(
+      :account_id,
+      :access_grants_location_id,
+      :access_grants_location_configuration,
+      :grantee,
+      :permission,
+      :application_arn,
+      :s3_prefix_type,
+      :tags)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] created_at
+    #   The date and time when you created the access grant.
+    #   @return [Time]
+    #
+    # @!attribute [rw] access_grant_id
+    #   The ID of the access grant. S3 Access Grants auto-generates this ID
+    #   when you create the access grant.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grant_arn
+    #   The Amazon Resource Name (ARN) of the access grant.
+    #   @return [String]
+    #
+    # @!attribute [rw] grantee
+    #   The user, group, or role to which you are granting access. You can
+    #   grant access to an IAM user or role. If you have added your
+    #   corporate directory to Amazon Web Services IAM Identity Center and
+    #   associated your Identity Center instance with your S3 Access Grants
+    #   instance, the grantee can also be a corporate directory user or
+    #   group.
+    #   @return [Types::Grantee]
+    #
+    # @!attribute [rw] access_grants_location_id
+    #   The ID of the registered location to which you are granting access.
+    #   S3 Access Grants assigns this ID when you register the location. S3
+    #   Access Grants assigns the ID `default` to the default location
+    #   `s3://` and assigns an auto-generated ID to other locations that you
+    #   register.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grants_location_configuration
+    #   The configuration options of the grant location. The grant location
+    #   is the S3 path to the data to which you are granting access.
+    #   @return [Types::AccessGrantsLocationConfiguration]
+    #
+    # @!attribute [rw] permission
+    #   The type of access that you are granting to your S3 data, which can
+    #   be set to one of the following values:
+    #
+    #   * `READ` – Grant read-only access to the S3 data.
+    #
+    #   * `WRITE` – Grant write-only access to the S3 data.
+    #
+    #   * `READWRITE` – Grant both read and write access to the S3 data.
+    #   @return [String]
+    #
+    # @!attribute [rw] application_arn
+    #   The Amazon Resource Name (ARN) of an Amazon Web Services IAM
+    #   Identity Center application associated with your Identity Center
+    #   instance. If the grant includes an application ARN, the grantee can
+    #   only access the S3 data through this application.
+    #   @return [String]
+    #
+    # @!attribute [rw] grant_scope
+    #   The S3 path of the data to which you are granting access. It is the
+    #   result of appending the `Subprefix` to the location scope.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/CreateAccessGrantResult AWS API Documentation
+    #
+    class CreateAccessGrantResult < Struct.new(
+      :created_at,
+      :access_grant_id,
+      :access_grant_arn,
+      :grantee,
+      :access_grants_location_id,
+      :access_grants_location_configuration,
+      :permission,
+      :application_arn,
+      :grant_scope)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
+    #
+    # @!attribute [rw] identity_center_arn
+    #   If you would like to associate your S3 Access Grants instance with
+    #   an Amazon Web Services IAM Identity Center instance, use this field
+    #   to pass the Amazon Resource Name (ARN) of the Amazon Web Services
+    #   IAM Identity Center instance that you are associating with your S3
+    #   Access Grants instance. An IAM Identity Center instance is your
+    #   corporate identity directory that you added to the IAM Identity
+    #   Center. You can use the [ListInstances][1] API operation to retrieve
+    #   a list of your Identity Center instances and their ARNs.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListInstances.html
+    #   @return [String]
+    #
+    # @!attribute [rw] tags
+    #   The Amazon Web Services resource tags that you are adding to the S3
+    #   Access Grants instance. Each tag is a label consisting of a
+    #   user-defined key and value. Tags can help you manage, identify,
+    #   organize, search for, and filter resources.
+    #   @return [Array<Types::Tag>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/CreateAccessGrantsInstanceRequest AWS API Documentation
+    #
+    class CreateAccessGrantsInstanceRequest < Struct.new(
+      :account_id,
+      :identity_center_arn,
+      :tags)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] created_at
+    #   The date and time when you created the S3 Access Grants instance.
+    #   @return [Time]
+    #
+    # @!attribute [rw] access_grants_instance_id
+    #   The ID of the S3 Access Grants instance. The ID is `default`. You
+    #   can have one S3 Access Grants instance per Region per account.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grants_instance_arn
+    #   The Amazon Resource Name (ARN) of the S3 Access Grants instance.
+    #   @return [String]
+    #
+    # @!attribute [rw] identity_center_arn
+    #   If you associated your S3 Access Grants instance with an Amazon Web
+    #   Services IAM Identity Center instance, this field returns the Amazon
+    #   Resource Name (ARN) of the IAM Identity Center instance application;
+    #   a subresource of the original Identity Center instance passed in the
+    #   request. S3 Access Grants creates this Identity Center application
+    #   for this specific S3 Access Grants instance.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/CreateAccessGrantsInstanceResult AWS API Documentation
+    #
+    class CreateAccessGrantsInstanceResult < Struct.new(
+      :created_at,
+      :access_grants_instance_id,
+      :access_grants_instance_arn,
+      :identity_center_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
+    #
+    # @!attribute [rw] location_scope
+    #   The S3 path to the location that you are registering. The location
+    #   scope can be the default S3 location `s3://`, the S3 path to a
+    #   bucket `s3://<bucket>`, or the S3 path to a bucket and prefix
+    #   `s3://<bucket>/<prefix>`. A prefix in S3 is a string of characters
+    #   at the beginning of an object key name used to organize the objects
+    #   that you store in your S3 buckets. For example, object key names
+    #   that start with the `engineering/` prefix or object key names that
+    #   start with the `marketing/campaigns/` prefix.
+    #   @return [String]
+    #
+    # @!attribute [rw] iam_role_arn
+    #   The Amazon Resource Name (ARN) of the IAM role for the registered
+    #   location. S3 Access Grants assumes this role to manage access to the
+    #   registered location.
+    #   @return [String]
+    #
+    # @!attribute [rw] tags
+    #   The Amazon Web Services resource tags that you are adding to the S3
+    #   Access Grants location. Each tag is a label consisting of a
+    #   user-defined key and value. Tags can help you manage, identify,
+    #   organize, search for, and filter resources.
+    #   @return [Array<Types::Tag>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/CreateAccessGrantsLocationRequest AWS API Documentation
+    #
+    class CreateAccessGrantsLocationRequest < Struct.new(
+      :account_id,
+      :location_scope,
+      :iam_role_arn,
+      :tags)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] created_at
+    #   The date and time when you registered the location.
+    #   @return [Time]
+    #
+    # @!attribute [rw] access_grants_location_id
+    #   The ID of the registered location to which you are granting access.
+    #   S3 Access Grants assigns this ID when you register the location. S3
+    #   Access Grants assigns the ID `default` to the default location
+    #   `s3://` and assigns an auto-generated ID to other locations that you
+    #   register.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grants_location_arn
+    #   The Amazon Resource Name (ARN) of the location you are registering.
+    #   @return [String]
+    #
+    # @!attribute [rw] location_scope
+    #   The S3 URI path to the location that you are registering. The
+    #   location scope can be the default S3 location `s3://`, the S3 path
+    #   to a bucket, or the S3 path to a bucket and prefix. A prefix in S3
+    #   is a string of characters at the beginning of an object key name
+    #   used to organize the objects that you store in your S3 buckets. For
+    #   example, object key names that start with the `engineering/` prefix
+    #   or object key names that start with the `marketing/campaigns/`
+    #   prefix.
+    #   @return [String]
+    #
+    # @!attribute [rw] iam_role_arn
+    #   The Amazon Resource Name (ARN) of the IAM role for the registered
+    #   location. S3 Access Grants assumes this role to manage access to the
+    #   registered location.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/CreateAccessGrantsLocationResult AWS API Documentation
+    #
+    class CreateAccessGrantsLocationResult < Struct.new(
+      :created_at,
+      :access_grants_location_id,
+      :access_grants_location_arn,
+      :location_scope,
+      :iam_role_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] account_id
     #   The Amazon Web Services account ID for owner of the specified Object
     #   Lambda Access Point.
@@ -962,6 +1330,109 @@ module Aws::S3Control
       include Aws::Structure
     end
 
+    # The Amazon Web Services Security Token Service temporary credential
+    # that S3 Access Grants vends to grantees and client applications.
+    #
+    # @!attribute [rw] access_key_id
+    #   The unique access key ID of the Amazon Web Services STS temporary
+    #   credential that S3 Access Grants vends to grantees and client
+    #   applications.
+    #   @return [String]
+    #
+    # @!attribute [rw] secret_access_key
+    #   The secret access key of the Amazon Web Services STS temporary
+    #   credential that S3 Access Grants vends to grantees and client
+    #   applications.
+    #   @return [String]
+    #
+    # @!attribute [rw] session_token
+    #   The Amazon Web Services STS temporary credential that S3 Access
+    #   Grants vends to grantees and client applications.
+    #   @return [String]
+    #
+    # @!attribute [rw] expiration
+    #   The expiration date and time of the temporary credential that S3
+    #   Access Grants vends to grantees and client applications.
+    #   @return [Time]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/Credentials AWS API Documentation
+    #
+    class Credentials < Struct.new(
+      :access_key_id,
+      :secret_access_key,
+      :session_token,
+      :expiration)
+      SENSITIVE = [:access_key_id, :secret_access_key, :session_token]
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grant_id
+    #   The ID of the access grant. S3 Access Grants auto-generates this ID
+    #   when you create the access grant.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/DeleteAccessGrantRequest AWS API Documentation
+    #
+    class DeleteAccessGrantRequest < Struct.new(
+      :account_id,
+      :access_grant_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/DeleteAccessGrantsInstanceRequest AWS API Documentation
+    #
+    class DeleteAccessGrantsInstanceRequest < Struct.new(
+      :account_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/DeleteAccessGrantsInstanceResourcePolicyRequest AWS API Documentation
+    #
+    class DeleteAccessGrantsInstanceResourcePolicyRequest < Struct.new(
+      :account_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grants_location_id
+    #   The ID of the registered location that you are deregistering from
+    #   your S3 Access Grants instance. S3 Access Grants assigned this ID
+    #   when you registered the location. S3 Access Grants assigns the ID
+    #   `default` to the default location `s3://` and assigns an
+    #   auto-generated ID to other locations that you register.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/DeleteAccessGrantsLocationRequest AWS API Documentation
+    #
+    class DeleteAccessGrantsLocationRequest < Struct.new(
+      :account_id,
+      :access_grants_location_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] account_id
     #   The account ID for the account that owns the specified Object Lambda
     #   Access Point.
@@ -1520,7 +1991,7 @@ module Aws::S3Control
     #   S3 on Outposts uses the `OUTPOSTS` storage class to create the
     #   object replicas.
     #
-    #   <note markdown="1"> Values other than `OUTPOSTS` are not supported by Amazon S3 on
+    #   <note markdown="1"> Values other than `OUTPOSTS` aren't supported by Amazon S3 on
     #   Outposts.
     #
     #    </note>
@@ -1568,6 +2039,19 @@ module Aws::S3Control
       include Aws::Structure
     end
 
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/DissociateAccessGrantsIdentityCenterRequest AWS API Documentation
+    #
+    class DissociateAccessGrantsIdentityCenterRequest < Struct.new(
+      :account_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Specifies encryption-related information for an Amazon S3 bucket that
     # is a destination for replicated objects.
     #
@@ -1678,50 +2162,326 @@ module Aws::S3Control
     end
 
     # @!attribute [rw] account_id
-    #   The account ID for the account that owns the specified Object Lambda
-    #   Access Point.
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
     #   @return [String]
     #
-    # @!attribute [rw] name
-    #   The name of the Object Lambda Access Point you want to return the
-    #   configuration for.
+    # @!attribute [rw] access_grant_id
+    #   The ID of the access grant. S3 Access Grants auto-generates this ID
+    #   when you create the access grant.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessPointConfigurationForObjectLambdaRequest AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessGrantRequest AWS API Documentation
     #
-    class GetAccessPointConfigurationForObjectLambdaRequest < Struct.new(
+    class GetAccessGrantRequest < Struct.new(
       :account_id,
-      :name)
+      :access_grant_id)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # @!attribute [rw] configuration
-    #   Object Lambda Access Point configuration document.
-    #   @return [Types::ObjectLambdaConfiguration]
+    # @!attribute [rw] created_at
+    #   The date and time when you created the access grant.
+    #   @return [Time]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessPointConfigurationForObjectLambdaResult AWS API Documentation
+    # @!attribute [rw] access_grant_id
+    #   The ID of the access grant. S3 Access Grants auto-generates this ID
+    #   when you create the access grant.
+    #   @return [String]
     #
-    class GetAccessPointConfigurationForObjectLambdaResult < Struct.new(
-      :configuration)
-      SENSITIVE = []
-      include Aws::Structure
-    end
-
-    # @!attribute [rw] account_id
-    #   The account ID for the account that owns the specified Object Lambda
-    #   Access Point.
+    # @!attribute [rw] access_grant_arn
+    #   The Amazon Resource Name (ARN) of the access grant.
     #   @return [String]
     #
-    # @!attribute [rw] name
-    #   The name of the Object Lambda Access Point.
+    # @!attribute [rw] grantee
+    #   The user, group, or role to which you are granting access. You can
+    #   grant access to an IAM user or role. If you have added a corporate
+    #   directory to Amazon Web Services IAM Identity Center and associated
+    #   this Identity Center instance with the S3 Access Grants instance,
+    #   the grantee can also be a corporate directory user or group.
+    #   @return [Types::Grantee]
+    #
+    # @!attribute [rw] permission
+    #   The type of permission that was granted in the access grant. Can be
+    #   one of the following values:
+    #
+    #   * `READ` – Grant read-only access to the S3 data.
+    #
+    #   * `WRITE` – Grant write-only access to the S3 data.
+    #
+    #   * `READWRITE` – Grant both read and write access to the S3 data.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessPointForObjectLambdaRequest AWS API Documentation
+    # @!attribute [rw] access_grants_location_id
+    #   The ID of the registered location to which you are granting access.
+    #   S3 Access Grants assigns this ID when you register the location. S3
+    #   Access Grants assigns the ID `default` to the default location
+    #   `s3://` and assigns an auto-generated ID to other locations that you
+    #   register.
+    #   @return [String]
     #
-    class GetAccessPointForObjectLambdaRequest < Struct.new(
-      :account_id,
-      :name)
+    # @!attribute [rw] access_grants_location_configuration
+    #   The configuration options of the grant location. The grant location
+    #   is the S3 path to the data to which you are granting access.
+    #   @return [Types::AccessGrantsLocationConfiguration]
+    #
+    # @!attribute [rw] grant_scope
+    #   The S3 path of the data to which you are granting access. It is the
+    #   result of appending the `Subprefix` to the location scope.
+    #   @return [String]
+    #
+    # @!attribute [rw] application_arn
+    #   The Amazon Resource Name (ARN) of an Amazon Web Services IAM
+    #   Identity Center application associated with your Identity Center
+    #   instance. If the grant includes an application ARN, the grantee can
+    #   only access the S3 data through this application.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessGrantResult AWS API Documentation
+    #
+    class GetAccessGrantResult < Struct.new(
+      :created_at,
+      :access_grant_id,
+      :access_grant_arn,
+      :grantee,
+      :permission,
+      :access_grants_location_id,
+      :access_grants_location_configuration,
+      :grant_scope,
+      :application_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
+    #
+    # @!attribute [rw] s3_prefix
+    #   The S3 prefix of the access grants that you would like to retrieve.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessGrantsInstanceForPrefixRequest AWS API Documentation
+    #
+    class GetAccessGrantsInstanceForPrefixRequest < Struct.new(
+      :account_id,
+      :s3_prefix)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] access_grants_instance_arn
+    #   The Amazon Resource Name (ARN) of the S3 Access Grants instance.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grants_instance_id
+    #   The ID of the S3 Access Grants instance. The ID is `default`. You
+    #   can have one S3 Access Grants instance per Region per account.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessGrantsInstanceForPrefixResult AWS API Documentation
+    #
+    class GetAccessGrantsInstanceForPrefixResult < Struct.new(
+      :access_grants_instance_arn,
+      :access_grants_instance_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessGrantsInstanceRequest AWS API Documentation
+    #
+    class GetAccessGrantsInstanceRequest < Struct.new(
+      :account_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessGrantsInstanceResourcePolicyRequest AWS API Documentation
+    #
+    class GetAccessGrantsInstanceResourcePolicyRequest < Struct.new(
+      :account_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] policy
+    #   The resource policy of the S3 Access Grants instance.
+    #   @return [String]
+    #
+    # @!attribute [rw] organization
+    #   The Organization of the resource policy of the S3 Access Grants
+    #   instance.
+    #   @return [String]
+    #
+    # @!attribute [rw] created_at
+    #   The date and time when you created the S3 Access Grants instance
+    #   resource policy.
+    #   @return [Time]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessGrantsInstanceResourcePolicyResult AWS API Documentation
+    #
+    class GetAccessGrantsInstanceResourcePolicyResult < Struct.new(
+      :policy,
+      :organization,
+      :created_at)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] access_grants_instance_arn
+    #   The Amazon Resource Name (ARN) of the S3 Access Grants instance.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grants_instance_id
+    #   The ID of the S3 Access Grants instance. The ID is `default`. You
+    #   can have one S3 Access Grants instance per Region per account.
+    #   @return [String]
+    #
+    # @!attribute [rw] identity_center_arn
+    #   If you associated your S3 Access Grants instance with an Amazon Web
+    #   Services IAM Identity Center instance, this field returns the Amazon
+    #   Resource Name (ARN) of the Amazon Web Services IAM Identity Center
+    #   instance application; a subresource of the original Identity Center
+    #   instance. S3 Access Grants creates this Identity Center application
+    #   for the specific S3 Access Grants instance.
+    #   @return [String]
+    #
+    # @!attribute [rw] created_at
+    #   The date and time when you created the S3 Access Grants instance.
+    #   @return [Time]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessGrantsInstanceResult AWS API Documentation
+    #
+    class GetAccessGrantsInstanceResult < Struct.new(
+      :access_grants_instance_arn,
+      :access_grants_instance_id,
+      :identity_center_arn,
+      :created_at)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grants_location_id
+    #   The ID of the registered location that you are retrieving. S3 Access
+    #   Grants assigns this ID when you register the location. S3 Access
+    #   Grants assigns the ID `default` to the default location `s3://` and
+    #   assigns an auto-generated ID to other locations that you register.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessGrantsLocationRequest AWS API Documentation
+    #
+    class GetAccessGrantsLocationRequest < Struct.new(
+      :account_id,
+      :access_grants_location_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] created_at
+    #   The date and time when you registered the location.
+    #   @return [Time]
+    #
+    # @!attribute [rw] access_grants_location_id
+    #   The ID of the registered location to which you are granting access.
+    #   S3 Access Grants assigns this ID when you register the location. S3
+    #   Access Grants assigns the ID `default` to the default location
+    #   `s3://` and assigns an auto-generated ID to other locations that you
+    #   register.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grants_location_arn
+    #   The Amazon Resource Name (ARN) of the registered location.
+    #   @return [String]
+    #
+    # @!attribute [rw] location_scope
+    #   The S3 URI path to the registered location. The location scope can
+    #   be the default S3 location `s3://`, the S3 path to a bucket, or the
+    #   S3 path to a bucket and prefix. A prefix in S3 is a string of
+    #   characters at the beginning of an object key name used to organize
+    #   the objects that you store in your S3 buckets. For example, object
+    #   key names that start with the `engineering/` prefix or object key
+    #   names that start with the `marketing/campaigns/` prefix.
+    #   @return [String]
+    #
+    # @!attribute [rw] iam_role_arn
+    #   The Amazon Resource Name (ARN) of the IAM role for the registered
+    #   location. S3 Access Grants assumes this role to manage access to the
+    #   registered location.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessGrantsLocationResult AWS API Documentation
+    #
+    class GetAccessGrantsLocationResult < Struct.new(
+      :created_at,
+      :access_grants_location_id,
+      :access_grants_location_arn,
+      :location_scope,
+      :iam_role_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account_id
+    #   The account ID for the account that owns the specified Object Lambda
+    #   Access Point.
+    #   @return [String]
+    #
+    # @!attribute [rw] name
+    #   The name of the Object Lambda Access Point you want to return the
+    #   configuration for.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessPointConfigurationForObjectLambdaRequest AWS API Documentation
+    #
+    class GetAccessPointConfigurationForObjectLambdaRequest < Struct.new(
+      :account_id,
+      :name)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] configuration
+    #   Object Lambda Access Point configuration document.
+    #   @return [Types::ObjectLambdaConfiguration]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessPointConfigurationForObjectLambdaResult AWS API Documentation
+    #
+    class GetAccessPointConfigurationForObjectLambdaResult < Struct.new(
+      :configuration)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account_id
+    #   The account ID for the account that owns the specified Object Lambda
+    #   Access Point.
+    #   @return [String]
+    #
+    # @!attribute [rw] name
+    #   The name of the Object Lambda Access Point.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetAccessPointForObjectLambdaRequest AWS API Documentation
+    #
+    class GetAccessPointForObjectLambdaRequest < Struct.new(
+      :account_id,
+      :name)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2265,6 +3025,88 @@ module Aws::S3Control
       include Aws::Structure
     end
 
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
+    #
+    # @!attribute [rw] target
+    #   The S3 URI path of the data to which you are requesting temporary
+    #   access credentials. If the requesting account has an access grant
+    #   for this data, S3 Access Grants vends temporary access credentials
+    #   in the response.
+    #   @return [String]
+    #
+    # @!attribute [rw] permission
+    #   The type of permission granted to your S3 data, which can be set to
+    #   one of the following values:
+    #
+    #   * `READ` – Grant read-only access to the S3 data.
+    #
+    #   * `WRITE` – Grant write-only access to the S3 data.
+    #
+    #   * `READWRITE` – Grant both read and write access to the S3 data.
+    #   @return [String]
+    #
+    # @!attribute [rw] duration_seconds
+    #   The session duration, in seconds, of the temporary access credential
+    #   that S3 Access Grants vends to the grantee or client application.
+    #   The default value is 1 hour, but the grantee can specify a range
+    #   from 900 seconds (15 minutes) up to 43200 seconds (12 hours). If the
+    #   grantee requests a value higher than this maximum, the operation
+    #   fails.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] privilege
+    #   The scope of the temporary access credential that S3 Access Grants
+    #   vends to the grantee or client application.
+    #
+    #   * `Default` – The scope of the returned temporary access token is
+    #     the scope of the grant that is closest to the target scope.
+    #
+    #   * `Minimal` – The scope of the returned temporary access token is
+    #     the same as the requested target scope as long as the requested
+    #     scope is the same as or a subset of the grant scope.
+    #   @return [String]
+    #
+    # @!attribute [rw] target_type
+    #   The type of `Target`. The only possible value is `Object`. Pass this
+    #   value if the target data that you would like to access is a path to
+    #   an object. Do not pass this value if the target data is a bucket or
+    #   a bucket and a prefix.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetDataAccessRequest AWS API Documentation
+    #
+    class GetDataAccessRequest < Struct.new(
+      :account_id,
+      :target,
+      :permission,
+      :duration_seconds,
+      :privilege,
+      :target_type)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] credentials
+    #   The temporary credential token that S3 Access Grants vends.
+    #   @return [Types::Credentials]
+    #
+    # @!attribute [rw] matched_grant_target
+    #   The S3 URI path of the data to which you are being granted temporary
+    #   access credentials.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/GetDataAccessResult AWS API Documentation
+    #
+    class GetDataAccessResult < Struct.new(
+      :credentials,
+      :matched_grant_target)
+      SENSITIVE = [:credentials]
+      include Aws::Structure
+    end
+
     # @!attribute [rw] account_id
     #   The Amazon Web Services account ID associated with the S3 Batch
     #   Operations job.
@@ -2572,6 +3414,47 @@ module Aws::S3Control
       include Aws::Structure
     end
 
+    # The user, group, or role to which you are granting access. You can
+    # grant access to an IAM user or role. If you have added your corporate
+    # directory to Amazon Web Services IAM Identity Center and associated
+    # your Identity Center instance with your S3 Access Grants instance, the
+    # grantee can also be a corporate directory user or group.
+    #
+    # @!attribute [rw] grantee_type
+    #   The type of the grantee to which access has been granted. It can be
+    #   one of the following values:
+    #
+    #   * `IAM` - An IAM user or role.
+    #
+    #   * `DIRECTORY_USER` - Your corporate directory user. You can use this
+    #     option if you have added your corporate identity directory to IAM
+    #     Identity Center and associated the IAM Identity Center instance
+    #     with your S3 Access Grants instance.
+    #
+    #   * `DIRECTORY_GROUP` - Your corporate directory group. You can use
+    #     this option if you have added your corporate identity directory to
+    #     IAM Identity Center and associated the IAM Identity Center
+    #     instance with your S3 Access Grants instance.
+    #   @return [String]
+    #
+    # @!attribute [rw] grantee_identifier
+    #   The unique identifier of the `Grantee`. If the grantee type is
+    #   `IAM`, the identifier is the IAM Amazon Resource Name (ARN) of the
+    #   user or role. If the grantee type is a directory user or group, the
+    #   identifier is 128-bit universally unique identifier (UUID) in the
+    #   format `a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`. You can obtain this
+    #   UUID from your Amazon Web Services IAM Identity Center instance.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/Grantee AWS API Documentation
+    #
+    class Grantee < Struct.new(
+      :grantee_type,
+      :grantee_identifier)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] message
     #   @return [String]
     #
@@ -2843,7 +3726,12 @@ module Aws::S3Control
     #
     # @!attribute [rw] location
     #   Contains the information required to locate the specified job's
-    #   manifest.
+    #   manifest. Manifests can't be imported from directory buckets. For
+    #   more information, see [Directory buckets][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-overview.html
     #   @return [Types::JobManifestLocation]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/JobManifest AWS API Documentation
@@ -2939,6 +3827,12 @@ module Aws::S3Control
     end
 
     # Contains the information required to locate a manifest object.
+    # Manifests can't be imported from directory buckets. For more
+    # information, see [Directory buckets][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-overview.html
     #
     # @!attribute [rw] object_arn
     #   The Amazon Resource Name (ARN) for a manifest object.
@@ -3016,21 +3910,37 @@ module Aws::S3Control
     # @!attribute [rw] s3_put_object_acl
     #   Directs the specified job to run a `PutObjectAcl` call on every
     #   object in the manifest.
+    #
+    #   <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #    </note>
     #   @return [Types::S3SetObjectAclOperation]
     #
     # @!attribute [rw] s3_put_object_tagging
     #   Directs the specified job to run a PUT Object tagging call on every
     #   object in the manifest.
+    #
+    #   <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #    </note>
     #   @return [Types::S3SetObjectTaggingOperation]
     #
     # @!attribute [rw] s3_delete_object_tagging
     #   Directs the specified job to execute a DELETE Object tagging call on
     #   every object in the manifest.
+    #
+    #   <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #    </note>
     #   @return [Types::S3DeleteObjectTaggingOperation]
     #
     # @!attribute [rw] s3_initiate_restore_object
     #   Directs the specified job to initiate restore requests for every
     #   archived object in the manifest.
+    #
+    #   <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #    </note>
     #   @return [Types::S3InitiateRestoreObjectOperation]
     #
     # @!attribute [rw] s3_put_object_legal_hold
@@ -3040,6 +3950,10 @@ module Aws::S3Control
     #   information, see [Using S3 Object Lock legal hold with S3 Batch
     #   Operations][1] in the *Amazon S3 User Guide*.
     #
+    #   <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #    </note>
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/batch-ops-legal-hold.html
@@ -3052,6 +3966,10 @@ module Aws::S3Control
     #   more information, see [Using S3 Object Lock retention with S3 Batch
     #   Operations][1] in the *Amazon S3 User Guide*.
     #
+    #   <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #    </note>
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/batch-ops-retention-date.html
@@ -3060,6 +3978,10 @@ module Aws::S3Control
     # @!attribute [rw] s3_replicate_object
     #   Directs the specified job to invoke `ReplicateObject` on every
     #   object in the job's manifest.
+    #
+    #   <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #    </note>
     #   @return [Types::S3ReplicateObjectOperation]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/JobOperation AWS API Documentation
@@ -3111,6 +4033,11 @@ module Aws::S3Control
     # @!attribute [rw] bucket
     #   The Amazon Resource Name (ARN) for the bucket where specified
     #   job-completion report will be stored.
+    #
+    #   <note markdown="1"> **Directory buckets** - Directory buckets aren't supported as a
+    #   location for Batch Operations to store job completion reports.
+    #
+    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] format
@@ -3207,10 +4134,51 @@ module Aws::S3Control
     #   specified job will invoke on every object in the manifest.
     #   @return [String]
     #
+    # @!attribute [rw] invocation_schema_version
+    #   Specifies the schema version for the payload that Batch Operations
+    #   sends when invoking an Lambda function. Version `1.0` is the
+    #   default. Version `2.0` is required when you use Batch Operations to
+    #   invoke Lambda functions that act on directory buckets, or if you
+    #   need to specify `UserArguments`. For more information, see [Using
+    #   Lambda with Amazon S3 Batch Operations and Amazon S3 Express One
+    #   Zone][1] in the *Amazon Web Services Storage Blog*.
+    #
+    #   Ensure that your Lambda function code expects
+    #   `InvocationSchemaVersion` **2.0** and uses bucket name rather than
+    #   bucket ARN. If the `InvocationSchemaVersion` does not match what
+    #   your Lambda function expects, your function might not work as
+    #   expected.
+    #
+    #   <note markdown="1"> **Directory buckets** - To initiate Amazon Web Services Lambda
+    #   function to perform custom actions on objects in directory buckets,
+    #   you must specify `2.0`.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://aws.amazon.com/blogs/storage/using-lambda-with-s3-batch-operations-and-s3-express-one-zone/
+    #   @return [String]
+    #
+    # @!attribute [rw] user_arguments
+    #   Key-value pairs that are passed in the payload that Batch Operations
+    #   sends when invoking an Lambda function. You must specify
+    #   `InvocationSchemaVersion` **2.0** for `LambdaInvoke` operations that
+    #   include `UserArguments`. For more information, see [Using Lambda
+    #   with Amazon S3 Batch Operations and Amazon S3 Express One Zone][1]
+    #   in the *Amazon Web Services Storage Blog*.
+    #
+    #
+    #
+    #   [1]: https://aws.amazon.com/blogs/storage/using-lambda-with-s3-batch-operations-and-s3-express-one-zone/
+    #   @return [Hash<String,String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/LambdaInvokeOperation AWS API Documentation
     #
     class LambdaInvokeOperation < Struct.new(
-      :function_arn)
+      :function_arn,
+      :invocation_schema_version,
+      :user_arguments)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3274,133 +4242,499 @@ module Aws::S3Control
     #   The container for the filter of lifecycle rule.
     #   @return [Types::LifecycleRuleFilter]
     #
-    # @!attribute [rw] status
-    #   If 'Enabled', the rule is currently being applied. If
-    #   'Disabled', the rule is not currently being applied.
+    # @!attribute [rw] status
+    #   If 'Enabled', the rule is currently being applied. If
+    #   'Disabled', the rule is not currently being applied.
+    #   @return [String]
+    #
+    # @!attribute [rw] transitions
+    #   Specifies when an Amazon S3 object transitions to a specified
+    #   storage class.
+    #
+    #   <note markdown="1"> This is not supported by Amazon S3 on Outposts buckets.
+    #
+    #    </note>
+    #   @return [Array<Types::Transition>]
+    #
+    # @!attribute [rw] noncurrent_version_transitions
+    #   Specifies the transition rule for the lifecycle rule that describes
+    #   when noncurrent objects transition to a specific storage class. If
+    #   your bucket is versioning-enabled (or versioning is suspended), you
+    #   can set this action to request that Amazon S3 transition noncurrent
+    #   object versions to a specific storage class at a set period in the
+    #   object's lifetime.
+    #
+    #   <note markdown="1"> This is not supported by Amazon S3 on Outposts buckets.
+    #
+    #    </note>
+    #   @return [Array<Types::NoncurrentVersionTransition>]
+    #
+    # @!attribute [rw] noncurrent_version_expiration
+    #   The noncurrent version expiration of the lifecycle rule.
+    #   @return [Types::NoncurrentVersionExpiration]
+    #
+    # @!attribute [rw] abort_incomplete_multipart_upload
+    #   Specifies the days since the initiation of an incomplete multipart
+    #   upload that Amazon S3 waits before permanently removing all parts of
+    #   the upload. For more information, see [ Aborting Incomplete
+    #   Multipart Uploads Using a Bucket Lifecycle Configuration][1] in the
+    #   *Amazon S3 User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html#mpu-abort-incomplete-mpu-lifecycle-config
+    #   @return [Types::AbortIncompleteMultipartUpload]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/LifecycleRule AWS API Documentation
+    #
+    class LifecycleRule < Struct.new(
+      :expiration,
+      :id,
+      :filter,
+      :status,
+      :transitions,
+      :noncurrent_version_transitions,
+      :noncurrent_version_expiration,
+      :abort_incomplete_multipart_upload)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The container for the Outposts bucket lifecycle rule and operator.
+    #
+    # @!attribute [rw] prefix
+    #   Prefix identifying one or more objects to which the rule applies.
+    #   @return [String]
+    #
+    # @!attribute [rw] tags
+    #   All of these tags must exist in the object's tag set in order for
+    #   the rule to apply.
+    #   @return [Array<Types::S3Tag>]
+    #
+    # @!attribute [rw] object_size_greater_than
+    #   Minimum object size to which the rule applies.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] object_size_less_than
+    #   Maximum object size to which the rule applies.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/LifecycleRuleAndOperator AWS API Documentation
+    #
+    class LifecycleRuleAndOperator < Struct.new(
+      :prefix,
+      :tags,
+      :object_size_greater_than,
+      :object_size_less_than)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The container for the filter of the lifecycle rule.
+    #
+    # @!attribute [rw] prefix
+    #   Prefix identifying one or more objects to which the rule applies.
+    #
+    #   When you're using XML requests, you must replace special characters
+    #   (such as carriage returns) in object keys with their equivalent XML
+    #   entity codes. For more information, see [ XML-related object key
+    #   constraints][1] in the *Amazon S3 User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints
+    #   @return [String]
+    #
+    # @!attribute [rw] tag
+    #   A container for a key-value name pair.
+    #   @return [Types::S3Tag]
+    #
+    # @!attribute [rw] and
+    #   The container for the `AND` condition for the lifecycle rule.
+    #   @return [Types::LifecycleRuleAndOperator]
+    #
+    # @!attribute [rw] object_size_greater_than
+    #   Minimum object size to which the rule applies.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] object_size_less_than
+    #   Maximum object size to which the rule applies.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/LifecycleRuleFilter AWS API Documentation
+    #
+    class LifecycleRuleFilter < Struct.new(
+      :prefix,
+      :tag,
+      :and,
+      :object_size_greater_than,
+      :object_size_less_than)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Information about the access grant.
+    #
+    # @!attribute [rw] created_at
+    #   The date and time when you created the S3 Access Grants instance.
+    #   @return [Time]
+    #
+    # @!attribute [rw] access_grant_id
+    #   The ID of the access grant. S3 Access Grants auto-generates this ID
+    #   when you create the access grant.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grant_arn
+    #   The Amazon Resource Name (ARN) of the access grant.
+    #   @return [String]
+    #
+    # @!attribute [rw] grantee
+    #   The user, group, or role to which you are granting access. You can
+    #   grant access to an IAM user or role. If you have added your
+    #   corporate directory to Amazon Web Services IAM Identity Center and
+    #   associated your Identity Center instance with your S3 Access Grants
+    #   instance, the grantee can also be a corporate directory user or
+    #   group.
+    #   @return [Types::Grantee]
+    #
+    # @!attribute [rw] permission
+    #   The type of access granted to your S3 data, which can be set to one
+    #   of the following values:
+    #
+    #   * `READ` – Grant read-only access to the S3 data.
+    #
+    #   * `WRITE` – Grant write-only access to the S3 data.
+    #
+    #   * `READWRITE` – Grant both read and write access to the S3 data.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grants_location_id
+    #   The ID of the registered location to which you are granting access.
+    #   S3 Access Grants assigns this ID when you register the location. S3
+    #   Access Grants assigns the ID `default` to the default location
+    #   `s3://` and assigns an auto-generated ID to other locations that you
+    #   register.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grants_location_configuration
+    #   The configuration options of the grant location. The grant location
+    #   is the S3 path to the data to which you are granting access.
+    #   @return [Types::AccessGrantsLocationConfiguration]
+    #
+    # @!attribute [rw] grant_scope
+    #   The S3 path of the data to which you are granting access. It is the
+    #   result of appending the `Subprefix` to the location scope.
+    #   @return [String]
+    #
+    # @!attribute [rw] application_arn
+    #   The Amazon Resource Name (ARN) of an Amazon Web Services IAM
+    #   Identity Center application associated with your Identity Center
+    #   instance. If the grant includes an application ARN, the grantee can
+    #   only access the S3 data through this application.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/ListAccessGrantEntry AWS API Documentation
+    #
+    class ListAccessGrantEntry < Struct.new(
+      :created_at,
+      :access_grant_id,
+      :access_grant_arn,
+      :grantee,
+      :permission,
+      :access_grants_location_id,
+      :access_grants_location_configuration,
+      :grant_scope,
+      :application_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Information about the S3 Access Grants instance.
+    #
+    # @!attribute [rw] access_grants_instance_id
+    #   The ID of the S3 Access Grants instance. The ID is `default`. You
+    #   can have one S3 Access Grants instance per Region per account.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grants_instance_arn
+    #   The Amazon Resource Name (ARN) of the S3 Access Grants instance.
+    #   @return [String]
+    #
+    # @!attribute [rw] created_at
+    #   The date and time when you created the S3 Access Grants instance.
+    #   @return [Time]
+    #
+    # @!attribute [rw] identity_center_arn
+    #   If you associated your S3 Access Grants instance with an Amazon Web
+    #   Services IAM Identity Center instance, this field returns the Amazon
+    #   Resource Name (ARN) of the IAM Identity Center instance application;
+    #   a subresource of the original Identity Center instance. S3 Access
+    #   Grants creates this Identity Center application for the specific S3
+    #   Access Grants instance.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/ListAccessGrantsInstanceEntry AWS API Documentation
+    #
+    class ListAccessGrantsInstanceEntry < Struct.new(
+      :access_grants_instance_id,
+      :access_grants_instance_arn,
+      :created_at,
+      :identity_center_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
+    #
+    # @!attribute [rw] next_token
+    #   A pagination token to request the next page of results. Pass this
+    #   value into a subsequent `List Access Grants Instances` request in
+    #   order to retrieve the next page of results.
+    #   @return [String]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of access grants that you would like returned in
+    #   the `List Access Grants` response. If the results include the
+    #   pagination token `NextToken`, make another call using the
+    #   `NextToken` to determine if there are more results.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/ListAccessGrantsInstancesRequest AWS API Documentation
+    #
+    class ListAccessGrantsInstancesRequest < Struct.new(
+      :account_id,
+      :next_token,
+      :max_results)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] next_token
+    #   A pagination token to request the next page of results. Pass this
+    #   value into a subsequent `List Access Grants Instances` request in
+    #   order to retrieve the next page of results.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grants_instances_list
+    #   A container for a list of S3 Access Grants instances.
+    #   @return [Array<Types::ListAccessGrantsInstanceEntry>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/ListAccessGrantsInstancesResult AWS API Documentation
+    #
+    class ListAccessGrantsInstancesResult < Struct.new(
+      :next_token,
+      :access_grants_instances_list)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # A container for information about the registered location.
+    #
+    # @!attribute [rw] created_at
+    #   The date and time when you registered the location.
+    #   @return [Time]
+    #
+    # @!attribute [rw] access_grants_location_id
+    #   The ID of the registered location to which you are granting access.
+    #   S3 Access Grants assigns this ID when you register the location. S3
+    #   Access Grants assigns the ID `default` to the default location
+    #   `s3://` and assigns an auto-generated ID to other locations that you
+    #   register.
     #   @return [String]
     #
-    # @!attribute [rw] transitions
-    #   Specifies when an Amazon S3 object transitions to a specified
-    #   storage class.
+    # @!attribute [rw] access_grants_location_arn
+    #   The Amazon Resource Name (ARN) of the registered location.
+    #   @return [String]
     #
-    #   <note markdown="1"> This is not supported by Amazon S3 on Outposts buckets.
+    # @!attribute [rw] location_scope
+    #   The S3 path to the location that you are registering. The location
+    #   scope can be the default S3 location `s3://`, the S3 path to a
+    #   bucket `s3://<bucket>`, or the S3 path to a bucket and prefix
+    #   `s3://<bucket>/<prefix>`. A prefix in S3 is a string of characters
+    #   at the beginning of an object key name used to organize the objects
+    #   that you store in your S3 buckets. For example, object key names
+    #   that start with the `engineering/` prefix or object key names that
+    #   start with the `marketing/campaigns/` prefix.
+    #   @return [String]
     #
-    #    </note>
-    #   @return [Array<Types::Transition>]
+    # @!attribute [rw] iam_role_arn
+    #   The Amazon Resource Name (ARN) of the IAM role for the registered
+    #   location. S3 Access Grants assumes this role to manage access to the
+    #   registered location.
+    #   @return [String]
     #
-    # @!attribute [rw] noncurrent_version_transitions
-    #   Specifies the transition rule for the lifecycle rule that describes
-    #   when noncurrent objects transition to a specific storage class. If
-    #   your bucket is versioning-enabled (or versioning is suspended), you
-    #   can set this action to request that Amazon S3 transition noncurrent
-    #   object versions to a specific storage class at a set period in the
-    #   object's lifetime.
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/ListAccessGrantsLocationsEntry AWS API Documentation
     #
-    #   <note markdown="1"> This is not supported by Amazon S3 on Outposts buckets.
+    class ListAccessGrantsLocationsEntry < Struct.new(
+      :created_at,
+      :access_grants_location_id,
+      :access_grants_location_arn,
+      :location_scope,
+      :iam_role_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
     #
-    #    </note>
-    #   @return [Array<Types::NoncurrentVersionTransition>]
+    # @!attribute [rw] next_token
+    #   A pagination token to request the next page of results. Pass this
+    #   value into a subsequent `List Access Grants Locations` request in
+    #   order to retrieve the next page of results.
+    #   @return [String]
     #
-    # @!attribute [rw] noncurrent_version_expiration
-    #   The noncurrent version expiration of the lifecycle rule.
-    #   @return [Types::NoncurrentVersionExpiration]
+    # @!attribute [rw] max_results
+    #   The maximum number of access grants that you would like returned in
+    #   the `List Access Grants` response. If the results include the
+    #   pagination token `NextToken`, make another call using the
+    #   `NextToken` to determine if there are more results.
+    #   @return [Integer]
     #
-    # @!attribute [rw] abort_incomplete_multipart_upload
-    #   Specifies the days since the initiation of an incomplete multipart
-    #   upload that Amazon S3 waits before permanently removing all parts of
-    #   the upload. For more information, see [ Aborting Incomplete
-    #   Multipart Uploads Using a Bucket Lifecycle Configuration][1] in the
-    #   *Amazon S3 User Guide*.
+    # @!attribute [rw] location_scope
+    #   The S3 path to the location that you are registering. The location
+    #   scope can be the default S3 location `s3://`, the S3 path to a
+    #   bucket `s3://<bucket>`, or the S3 path to a bucket and prefix
+    #   `s3://<bucket>/<prefix>`. A prefix in S3 is a string of characters
+    #   at the beginning of an object key name used to organize the objects
+    #   that you store in your S3 buckets. For example, object key names
+    #   that start with the `engineering/` prefix or object key names that
+    #   start with the `marketing/campaigns/` prefix.
+    #   @return [String]
     #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/ListAccessGrantsLocationsRequest AWS API Documentation
     #
+    class ListAccessGrantsLocationsRequest < Struct.new(
+      :account_id,
+      :next_token,
+      :max_results,
+      :location_scope)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] next_token
+    #   A pagination token to request the next page of results. Pass this
+    #   value into a subsequent `List Access Grants Locations` request in
+    #   order to retrieve the next page of results.
+    #   @return [String]
     #
-    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html#mpu-abort-incomplete-mpu-lifecycle-config
-    #   @return [Types::AbortIncompleteMultipartUpload]
+    # @!attribute [rw] access_grants_locations_list
+    #   A container for a list of registered locations in an S3 Access
+    #   Grants instance.
+    #   @return [Array<Types::ListAccessGrantsLocationsEntry>]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/LifecycleRule AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/ListAccessGrantsLocationsResult AWS API Documentation
     #
-    class LifecycleRule < Struct.new(
-      :expiration,
-      :id,
-      :filter,
-      :status,
-      :transitions,
-      :noncurrent_version_transitions,
-      :noncurrent_version_expiration,
-      :abort_incomplete_multipart_upload)
+    class ListAccessGrantsLocationsResult < Struct.new(
+      :next_token,
+      :access_grants_locations_list)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # The container for the Outposts bucket lifecycle rule and operator.
-    #
-    # @!attribute [rw] prefix
-    #   Prefix identifying one or more objects to which the rule applies.
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
     #   @return [String]
     #
-    # @!attribute [rw] tags
-    #   All of these tags must exist in the object's tag set in order for
-    #   the rule to apply.
-    #   @return [Array<Types::S3Tag>]
+    # @!attribute [rw] next_token
+    #   A pagination token to request the next page of results. Pass this
+    #   value into a subsequent `List Access Grants` request in order to
+    #   retrieve the next page of results.
+    #   @return [String]
     #
-    # @!attribute [rw] object_size_greater_than
-    #   Minimum object size to which the rule applies.
+    # @!attribute [rw] max_results
+    #   The maximum number of access grants that you would like returned in
+    #   the `List Access Grants` response. If the results include the
+    #   pagination token `NextToken`, make another call using the
+    #   `NextToken` to determine if there are more results.
     #   @return [Integer]
     #
-    # @!attribute [rw] object_size_less_than
-    #   Maximum object size to which the rule applies.
-    #   @return [Integer]
+    # @!attribute [rw] grantee_type
+    #   The type of the grantee to which access has been granted. It can be
+    #   one of the following values:
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/LifecycleRuleAndOperator AWS API Documentation
+    #   * `IAM` - An IAM user or role.
     #
-    class LifecycleRuleAndOperator < Struct.new(
-      :prefix,
-      :tags,
-      :object_size_greater_than,
-      :object_size_less_than)
-      SENSITIVE = []
-      include Aws::Structure
-    end
-
-    # The container for the filter of the lifecycle rule.
+    #   * `DIRECTORY_USER` - Your corporate directory user. You can use this
+    #     option if you have added your corporate identity directory to IAM
+    #     Identity Center and associated the IAM Identity Center instance
+    #     with your S3 Access Grants instance.
     #
-    # @!attribute [rw] prefix
-    #   Prefix identifying one or more objects to which the rule applies.
+    #   * `DIRECTORY_GROUP` - Your corporate directory group. You can use
+    #     this option if you have added your corporate identity directory to
+    #     IAM Identity Center and associated the IAM Identity Center
+    #     instance with your S3 Access Grants instance.
+    #   @return [String]
     #
-    #   When you're using XML requests, you must replace special characters
-    #   (such as carriage returns) in object keys with their equivalent XML
-    #   entity codes. For more information, see [ XML-related object key
-    #   constraints][1] in the *Amazon S3 User Guide*.
+    # @!attribute [rw] grantee_identifier
+    #   The unique identifer of the `Grantee`. If the grantee type is `IAM`,
+    #   the identifier is the IAM Amazon Resource Name (ARN) of the user or
+    #   role. If the grantee type is a directory user or group, the
+    #   identifier is 128-bit universally unique identifier (UUID) in the
+    #   format `a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`. You can obtain this
+    #   UUID from your Amazon Web Services IAM Identity Center instance.
+    #   @return [String]
+    #
+    # @!attribute [rw] permission
+    #   The type of permission granted to your S3 data, which can be set to
+    #   one of the following values:
     #
+    #   * `READ` – Grant read-only access to the S3 data.
     #
+    #   * `WRITE` – Grant write-only access to the S3 data.
     #
-    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints
+    #   * `READWRITE` – Grant both read and write access to the S3 data.
     #   @return [String]
     #
-    # @!attribute [rw] tag
-    #   A container for a key-value name pair.
-    #   @return [Types::S3Tag]
+    # @!attribute [rw] grant_scope
+    #   The S3 path of the data to which you are granting access. It is the
+    #   result of appending the `Subprefix` to the location scope.
+    #   @return [String]
     #
-    # @!attribute [rw] and
-    #   The container for the `AND` condition for the lifecycle rule.
-    #   @return [Types::LifecycleRuleAndOperator]
+    # @!attribute [rw] application_arn
+    #   The Amazon Resource Name (ARN) of an Amazon Web Services IAM
+    #   Identity Center application associated with your Identity Center
+    #   instance. If the grant includes an application ARN, the grantee can
+    #   only access the S3 data through this application.
+    #   @return [String]
     #
-    # @!attribute [rw] object_size_greater_than
-    #   Minimum object size to which the rule applies.
-    #   @return [Integer]
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/ListAccessGrantsRequest AWS API Documentation
     #
-    # @!attribute [rw] object_size_less_than
-    #   Maximum object size to which the rule applies.
-    #   @return [Integer]
+    class ListAccessGrantsRequest < Struct.new(
+      :account_id,
+      :next_token,
+      :max_results,
+      :grantee_type,
+      :grantee_identifier,
+      :permission,
+      :grant_scope,
+      :application_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] next_token
+    #   A pagination token to request the next page of results. Pass this
+    #   value into a subsequent `List Access Grants` request in order to
+    #   retrieve the next page of results.
+    #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/LifecycleRuleFilter AWS API Documentation
+    # @!attribute [rw] access_grants_list
+    #   A container for a list of grants in an S3 Access Grants instance.
+    #   @return [Array<Types::ListAccessGrantEntry>]
     #
-    class LifecycleRuleFilter < Struct.new(
-      :prefix,
-      :tag,
-      :and,
-      :object_size_greater_than,
-      :object_size_less_than)
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/ListAccessGrantsResult AWS API Documentation
+    #
+    class ListAccessGrantsResult < Struct.new(
+      :next_token,
+      :access_grants_list)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3817,7 +5151,8 @@ module Aws::S3Control
     #
     # @!attribute [rw] resource_arn
     #   The Amazon Resource Name (ARN) of the S3 resource that you want to
-    #   list the tags for.
+    #   list the tags for. The tagged resource can be an S3 Storage Lens
+    #   group or S3 Access Grants instance, registered location, or grant.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/ListTagsForResourceRequest AWS API Documentation
@@ -4465,6 +5800,55 @@ module Aws::S3Control
       include Aws::Structure
     end
 
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
+    #
+    # @!attribute [rw] policy
+    #   The resource policy of the S3 Access Grants instance that you are
+    #   updating.
+    #   @return [String]
+    #
+    # @!attribute [rw] organization
+    #   The Organization of the resource policy of the S3 Access Grants
+    #   instance.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/PutAccessGrantsInstanceResourcePolicyRequest AWS API Documentation
+    #
+    class PutAccessGrantsInstanceResourcePolicyRequest < Struct.new(
+      :account_id,
+      :policy,
+      :organization)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] policy
+    #   The updated resource policy of the S3 Access Grants instance.
+    #   @return [String]
+    #
+    # @!attribute [rw] organization
+    #   The Organization of the resource policy of the S3 Access Grants
+    #   instance.
+    #   @return [String]
+    #
+    # @!attribute [rw] created_at
+    #   The date and time when you created the S3 Access Grants instance
+    #   resource policy.
+    #   @return [Time]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/PutAccessGrantsInstanceResourcePolicyResult AWS API Documentation
+    #
+    class PutAccessGrantsInstanceResourcePolicyResult < Struct.new(
+      :policy,
+      :organization,
+      :created_at)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] account_id
     #   The account ID for the account that owns the specified Object Lambda
     #   Access Point.
@@ -5358,15 +6742,29 @@ module Aws::S3Control
     #
     # @!attribute [rw] target_resource
     #   Specifies the destination bucket Amazon Resource Name (ARN) for the
-    #   batch copy operation. For example, to copy objects to a bucket named
-    #   `destinationBucket`, set the `TargetResource` property to
-    #   `arn:aws:s3:::destinationBucket`.
+    #   batch copy operation.
+    #
+    #   * **General purpose buckets** - For example, to copy objects to a
+    #     general purpose bucket named `destinationBucket`, set the
+    #     `TargetResource` property to `arn:aws:s3:::destinationBucket`.
+    #
+    #   * **Directory buckets** - For example, to copy objects to a
+    #     directory bucket named `destinationBucket` in the Availability
+    #     Zone; identified by the AZ ID `usw2-az2`, set the `TargetResource`
+    #     property to
+    #     `arn:aws:s3express:region:account_id:/bucket/destination_bucket_base_name--usw2-az2--x-s3`.
     #   @return [String]
     #
     # @!attribute [rw] canned_access_control_list
+    #   <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] access_control_grants
+    #   <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #    </note>
     #   @return [Array<Types::S3Grant>]
     #
     # @!attribute [rw] metadata_directive
@@ -5383,24 +6781,53 @@ module Aws::S3Control
     #   @return [Types::S3ObjectMetadata]
     #
     # @!attribute [rw] new_object_tagging
+    #   Specifies a list of tags to add to the destination objects after
+    #   they are copied. If `NewObjectTagging` is not specified, the tags of
+    #   the source objects are copied to destination objects by default.
+    #
+    #   <note markdown="1"> **Directory buckets** - Tags aren't supported by directory buckets.
+    #   If your source objects have tags and your destination bucket is a
+    #   directory bucket, specify an empty tag set in the `NewObjectTagging`
+    #   field to prevent copying the source object tags to the directory
+    #   bucket.
+    #
+    #    </note>
     #   @return [Array<Types::S3Tag>]
     #
     # @!attribute [rw] redirect_location
-    #   Specifies an optional metadata property for website redirects,
+    #   If the destination bucket is configured as a website, specifies an
+    #   optional metadata property for website redirects,
     #   `x-amz-website-redirect-location`. Allows webpage redirects if the
-    #   object is accessed through a website endpoint.
+    #   object copy is accessed through a website endpoint.
+    #
+    #   <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] requester_pays
+    #   <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #    </note>
     #   @return [Boolean]
     #
     # @!attribute [rw] storage_class
+    #   Specify the storage class for the destination objects in a `Copy`
+    #   operation.
+    #
+    #   <note markdown="1"> <b>Directory buckets </b> - This functionality is not supported by
+    #   directory buckets.
+    #
+    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] un_modified_since_constraint
     #   @return [Time]
     #
     # @!attribute [rw] sse_aws_kms_key_id
+    #   <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] target_key_prefix
@@ -5413,16 +6840,28 @@ module Aws::S3Control
     # @!attribute [rw] object_lock_legal_hold_status
     #   The legal hold status to be applied to all objects in the Batch
     #   Operations job.
+    #
+    #   <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] object_lock_mode
     #   The retention mode to be applied to all objects in the Batch
     #   Operations job.
+    #
+    #   <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] object_lock_retain_until_date
     #   The date when the applied object retention configuration expires on
     #   all objects in the Batch Operations job.
+    #
+    #   <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #    </note>
     #   @return [Time]
     #
     # @!attribute [rw] bucket_key_enabled
@@ -5433,6 +6872,10 @@ module Aws::S3Control
     #
     #   Specifying this header with an *object* action doesn’t affect
     #   *bucket-level* settings for S3 Bucket Key.
+    #
+    #   <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #    </note>
     #   @return [Boolean]
     #
     # @!attribute [rw] checksum_algorithm
@@ -5490,6 +6933,12 @@ module Aws::S3Control
     #
     # @!attribute [rw] location
     #   Contains the information required to locate a manifest object.
+    #   Manifests can't be imported from directory buckets. For more
+    #   information, see [Directory buckets][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-overview.html
     #   @return [Types::JobManifestLocation]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/S3GeneratedManifestDescriptor AWS API Documentation
@@ -5590,16 +7039,28 @@ module Aws::S3Control
     #
     # @!attribute [rw] source_bucket
     #   The source bucket used by the ManifestGenerator.
+    #
+    #   <note markdown="1"> **Directory buckets** - Directory buckets aren't supported as the
+    #   source buckets used by `S3JobManifestGenerator` to generate the job
+    #   manifest.
+    #
+    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] manifest_output_location
     #   Specifies the location the generated manifest will be written to.
+    #   Manifests can't be written to directory buckets. For more
+    #   information, see [Directory buckets][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-overview.html
     #   @return [Types::S3ManifestOutputLocation]
     #
     # @!attribute [rw] filter
-    #   Specifies rules the S3JobManifestGenerator should use to use to
-    #   decide whether an object in the source bucket should or should not
-    #   be included in the generated job manifest.
+    #   Specifies rules the S3JobManifestGenerator should use to decide
+    #   whether an object in the source bucket should or should not be
+    #   included in the generated job manifest.
     #   @return [Types::JobManifestGeneratorFilter]
     #
     # @!attribute [rw] enable_manifest_output
@@ -5628,6 +7089,11 @@ module Aws::S3Control
     #
     # @!attribute [rw] bucket
     #   The bucket ARN the generated manifest should be written to.
+    #
+    #   <note markdown="1"> **Directory buckets** - Directory buckets aren't supported as the
+    #   buckets to store the generated manifest.
+    #
+    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] manifest_prefix
@@ -5688,9 +7154,11 @@ module Aws::S3Control
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] content_length
+    #   *This member has been deprecated.*
     #   @return [Integer]
     #
     # @!attribute [rw] content_md5
+    #   *This member has been deprecated.*
     #   @return [String]
     #
     # @!attribute [rw] content_type
@@ -5700,9 +7168,14 @@ module Aws::S3Control
     #   @return [Time]
     #
     # @!attribute [rw] requester_charged
+    #   *This member has been deprecated.*
     #   @return [Boolean]
     #
     # @!attribute [rw] sse_algorithm
+    #   <note markdown="1"> For directory buckets, only the server-side encryption with Amazon
+    #   S3 managed keys (SSE-S3) (`AES256`) is supported.
+    #
+    #    </note>
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/S3ObjectMetadata AWS API Documentation
@@ -5803,6 +7276,10 @@ module Aws::S3Control
     # see [Using S3 Object Lock legal hold with S3 Batch Operations][1] in
     # the *Amazon S3 User Guide*.
     #
+    # <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #  </note>
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/batch-ops-legal-hold.html
@@ -5826,6 +7303,10 @@ module Aws::S3Control
     # information, see [Using S3 Object Lock retention with S3 Batch
     # Operations][1] in the *Amazon S3 User Guide*.
     #
+    # <note markdown="1"> This functionality is not supported by directory buckets.
+    #
+    #  </note>
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/batch-ops-retention-date.html
@@ -6414,23 +7895,29 @@ module Aws::S3Control
     # resource. You can add tags to new objects when you upload them, or you
     # can add object tags to existing objects.
     #
-    # <note markdown="1"> This data type is only supported for [S3 Storage Lens groups][1].
+    # <note markdown="1"> This operation is only supported for [S3 Storage Lens groups][1] and
+    # for [S3 Access Grants][2]. The tagged resource can be an S3 Storage
+    # Lens group or S3 Access Grants instance, registered location, or
+    # grant.
     #
     #  </note>
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-lens-groups.html
+    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants-tagging.html
     #
     # @!attribute [rw] key
-    #   The tag key for your Amazon Web Services resource. A tag key can be
-    #   up to 128 Unicode characters in length and is case-sensitive. System
-    #   created tags that begin with `aws:` aren’t supported.
+    #   The key of the key-value pair of a tag added to your Amazon Web
+    #   Services resource. A tag key can be up to 128 Unicode characters in
+    #   length and is case-sensitive. System created tags that begin with
+    #   `aws:` aren’t supported.
     #   @return [String]
     #
     # @!attribute [rw] value
-    #   The tag value for your Amazon Web Services resource. A tag value can
-    #   be up to 256 Unicode characters in length and is case-sensitive.
+    #   The value of the key-value pair of a tag added to your Amazon Web
+    #   Services resource. A tag value can be up to 256 Unicode characters
+    #   in length and is case-sensitive.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/Tag AWS API Documentation
@@ -6444,12 +7931,13 @@ module Aws::S3Control
 
     # @!attribute [rw] account_id
     #   The Amazon Web Services account ID that created the S3 resource that
-    #   you're trying to add tags to.
+    #   you're trying to add tags to or the requester's account ID.
     #   @return [String]
     #
     # @!attribute [rw] resource_arn
     #   The Amazon Resource Name (ARN) of the S3 resource that you're
-    #   trying to add tags to.
+    #   trying to add tags to. The tagged resource can be an S3 Storage Lens
+    #   group or S3 Access Grants instance, registered location, or grant.
     #   @return [String]
     #
     # @!attribute [rw] tags
@@ -6549,13 +8037,13 @@ module Aws::S3Control
     #   @return [String]
     #
     # @!attribute [rw] resource_arn
-    #   The Amazon Resource Name (ARN) of the S3 resource that you want to
-    #   remove the resource tags from.
+    #   The Amazon Resource Name (ARN) of the S3 resource that you're
+    #   trying to remove the tags from.
     #   @return [String]
     #
     # @!attribute [rw] tag_keys
-    #   The tag key pair of the S3 resource tag that you're trying to
-    #   remove.
+    #   The array of tag key-value pairs that you're trying to remove from
+    #   of the S3 resource.
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/UntagResourceRequest AWS API Documentation
@@ -6572,6 +8060,87 @@ module Aws::S3Control
     #
     class UntagResourceResult < Aws::EmptyStructure; end
 
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that is making this
+    #   request.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grants_location_id
+    #   The ID of the registered location that you are updating. S3 Access
+    #   Grants assigns this ID when you register the location. S3 Access
+    #   Grants assigns the ID `default` to the default location `s3://` and
+    #   assigns an auto-generated ID to other locations that you register.
+    #
+    #   The ID of the registered location to which you are granting access.
+    #   S3 Access Grants assigned this ID when you registered the location.
+    #   S3 Access Grants assigns the ID `default` to the default location
+    #   `s3://` and assigns an auto-generated ID to other locations that you
+    #   register.
+    #
+    #   If you are passing the `default` location, you cannot create an
+    #   access grant for the entire default location. You must also specify
+    #   a bucket or a bucket and prefix in the `Subprefix` field.
+    #   @return [String]
+    #
+    # @!attribute [rw] iam_role_arn
+    #   The Amazon Resource Name (ARN) of the IAM role for the registered
+    #   location. S3 Access Grants assumes this role to manage access to the
+    #   registered location.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/UpdateAccessGrantsLocationRequest AWS API Documentation
+    #
+    class UpdateAccessGrantsLocationRequest < Struct.new(
+      :account_id,
+      :access_grants_location_id,
+      :iam_role_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] created_at
+    #   The date and time when you registered the location.
+    #   @return [Time]
+    #
+    # @!attribute [rw] access_grants_location_id
+    #   The ID of the registered location to which you are granting access.
+    #   S3 Access Grants assigned this ID when you registered the location.
+    #   S3 Access Grants assigns the ID `default` to the default location
+    #   `s3://` and assigns an auto-generated ID to other locations that you
+    #   register.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_grants_location_arn
+    #   The Amazon Resource Name (ARN) of the registered location that you
+    #   are updating.
+    #   @return [String]
+    #
+    # @!attribute [rw] location_scope
+    #   The S3 URI path of the location that you are updating. You cannot
+    #   update the scope of the registered location. The location scope can
+    #   be the default S3 location `s3://`, the S3 path to a bucket
+    #   `s3://<bucket>`, or the S3 path to a bucket and prefix
+    #   `s3://<bucket>/<prefix>`.
+    #   @return [String]
+    #
+    # @!attribute [rw] iam_role_arn
+    #   The Amazon Resource Name (ARN) of the IAM role of the registered
+    #   location. S3 Access Grants assumes this role to manage access to the
+    #   registered location.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/s3control-2018-08-20/UpdateAccessGrantsLocationResult AWS API Documentation
+    #
+    class UpdateAccessGrantsLocationResult < Struct.new(
+      :created_at,
+      :access_grants_location_id,
+      :access_grants_location_arn,
+      :location_scope,
+      :iam_role_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] account_id
     #   The Amazon Web Services account ID associated with the S3 Batch
     #   Operations job.