@aws-sdk/client-s3 3.460.0 → 3.461.0

package/dist-types/commands/CreateMultipartUploadCommand.d.ts

@@ -27,268 +27,190 @@ export interface CreateMultipartUploadCommandOutput extends CreateMultipartUploa
  *          used to associate all of the parts in the specific multipart upload. You specify this
  *          upload ID in each of your subsequent upload part requests (see <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html">UploadPart</a>). You also include this
  *          upload ID in the final request to either complete or abort the multipart upload
- *          request.</p>
- *          <p>For more information about multipart uploads, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html">Multipart Upload Overview</a>.</p>
- *          <p>If you have configured a lifecycle rule to abort incomplete multipart uploads, the
- *          upload must complete within the number of days specified in the bucket lifecycle
- *          configuration. Otherwise, the incomplete multipart upload becomes eligible for an abort
- *          action and Amazon S3 aborts the multipart upload. For more information, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html#mpu-abort-incomplete-mpu-lifecycle-config">Aborting Incomplete Multipart Uploads Using a Bucket Lifecycle
- *          Configuration</a>.</p>
- *          <p>For information about the permissions required to use the multipart upload API, see
- *             <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html">Multipart
- *             Upload and Permissions</a>.</p>
- *          <p>For request signing, multipart upload is just a series of regular requests. You initiate
- *          a multipart upload, send one or more requests to upload parts, and then complete the
- *          multipart upload process. You sign each request individually. There is nothing special
- *          about signing multipart upload requests. For more information about signing, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html">Authenticating Requests (Amazon Web Services Signature Version 4)</a>.</p>
+ *          request. For more information about multipart uploads, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html">Multipart Upload Overview</a> in the <i>Amazon S3 User Guide</i>.</p>
  *          <note>
  *             <p>After you initiate a multipart upload and upload one or more parts, to stop being
  *             charged for storing the uploaded parts, you must either complete or abort the multipart
- *             upload. Amazon S3 frees up the space used to store the parts and stop charging you for
+ *             upload. Amazon S3 frees up the space used to store the parts and stops charging you for
  *             storing them only after you either complete or abort a multipart upload. </p>
  *          </note>
- *          <p>Server-side encryption is for data encryption at rest. Amazon S3 encrypts your data as it
- *          writes it to disks in its data centers and decrypts it when you access it. Amazon S3
- *          automatically encrypts all new objects that are uploaded to an S3 bucket. When doing a
- *          multipart upload, if you don't specify encryption information in your request, the
- *          encryption setting of the uploaded parts is set to the default encryption configuration of
- *          the destination bucket. By default, all buckets have a base level of encryption
- *          configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). If the
- *          destination bucket has a default encryption configuration that uses server-side encryption
- *          with an Key Management Service (KMS) key (SSE-KMS), or a customer-provided encryption key (SSE-C),
- *          Amazon S3 uses the corresponding KMS key, or a customer-provided key to encrypt the uploaded
- *          parts. When you perform a CreateMultipartUpload operation, if you want to use a different
- *          type of encryption setting for the uploaded parts, you can request that Amazon S3 encrypts the
- *          object with a KMS key, an Amazon S3 managed key, or a customer-provided key. If the encryption
- *          setting in your request is different from the default encryption configuration of the
- *          destination bucket, the encryption setting in your request takes precedence. If you choose
- *          to provide your own encryption key, the request headers you provide in <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html">UploadPart</a>
- *          and <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html">UploadPartCopy</a> requests must match the headers you used in the request to
- *          initiate the upload by using <code>CreateMultipartUpload</code>. You can request that Amazon S3
- *          save the uploaded parts encrypted with server-side encryption with an Amazon S3 managed key
- *          (SSE-S3), an Key Management Service (KMS) key (SSE-KMS), or a customer-provided encryption key
- *          (SSE-C). </p>
- *          <p>To perform a multipart upload with encryption by using an Amazon Web Services KMS key, the requester
- *          must have permission to the <code>kms:Decrypt</code> and <code>kms:GenerateDataKey*</code>
- *          actions on the key. These permissions are required because Amazon S3 must decrypt and read data
- *          from the encrypted file parts before it completes the multipart upload. For more
- *          information, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html#mpuAndPermissions">Multipart upload API
- *             and permissions</a> and <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html">Protecting data using
- *             server-side encryption with Amazon Web Services KMS</a> in the
- *             <i>Amazon S3 User Guide</i>.</p>
- *          <p>If your Identity and Access Management (IAM) user or role is in the same Amazon Web Services account as the KMS key,
- *          then you must have these permissions on the key policy. If your IAM user or role belongs
- *          to a different account than the key, then you must have the permissions on both the key
- *          policy and your IAM user or role.</p>
- *          <p> For more information, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html">Protecting Data Using Server-Side
- *             Encryption</a>.</p>
+ *          <p>If you have configured a lifecycle rule to abort incomplete multipart uploads, the created multipart
+ *          upload must be completed within the number of days specified in the bucket lifecycle
+ *          configuration. Otherwise, the incomplete multipart upload becomes eligible for an abort
+ *          action and Amazon S3 aborts the multipart upload. For more information, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html#mpu-abort-incomplete-mpu-lifecycle-config">Aborting Incomplete Multipart Uploads Using a Bucket Lifecycle
+ *             Configuration</a>.</p>
+ *          <note>
+ *             <ul>
+ *                <li>
+ *                   <p>
+ *                      <b>Directory buckets </b> - S3 Lifecycle is not supported by directory buckets.</p>
+ *                </li>
+ *                <li>
+ *                   <p>
+ *                      <b>Directory buckets </b> - For directory buckets, you must make requests for this API operation to the Zonal endpoint. These endpoints support virtual-hosted-style requests in the format <code>https://<i>bucket_name</i>.s3express-<i>az_id</i>.<i>region</i>.amazonaws.com/<i>key-name</i>
+ *                      </code>. Path-style requests are not supported. For more information, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html">Regional and Zonal endpoints</a> in the
+ *     <i>Amazon S3 User Guide</i>.</p>
+ *                </li>
+ *             </ul>
+ *          </note>
  *          <dl>
- *             <dt>Access Permissions</dt>
+ *             <dt>Request signing</dt>
  *             <dd>
- *                <p>When copying an object, you can optionally specify the accounts or groups that
- *                   should be granted specific permissions on the new object. There are two ways to
- *                   grant the permissions using the request headers:</p>
- *                <ul>
- *                   <li>
- *                      <p>Specify a canned ACL with the <code>x-amz-acl</code> request header. For
- *                         more information, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#CannedACL">Canned
- *                         ACL</a>.</p>
- *                   </li>
- *                   <li>
- *                      <p>Specify access permissions explicitly with the
- *                            <code>x-amz-grant-read</code>, <code>x-amz-grant-read-acp</code>,
- *                            <code>x-amz-grant-write-acp</code>, and
- *                            <code>x-amz-grant-full-control</code> headers. These parameters map to
- *                         the set of permissions that Amazon S3 supports in an ACL. For more information,
- *                         see <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html">Access Control List (ACL) Overview</a>.</p>
- *                   </li>
- *                </ul>
- *                <p>You can use either a canned ACL or specify access permissions explicitly. You
- *                   cannot do both.</p>
+ *                <p>For request signing, multipart upload is just a series of regular requests. You initiate
+ *                a multipart upload, send one or more requests to upload parts, and then complete the
+ *                multipart upload process. You sign each request individually. There is nothing special
+ *                about signing multipart upload requests. For more information about signing, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html">Authenticating Requests (Amazon Web Services Signature Version 4)</a> in the <i>Amazon S3 User Guide</i>.</p>
  *             </dd>
- *             <dt>Server-Side- Encryption-Specific Request Headers</dt>
+ *             <dt>Permissions</dt>
  *             <dd>
- *                <p>Amazon S3 encrypts data by using server-side encryption with an Amazon S3 managed key
- *                   (SSE-S3) by default. Server-side encryption is for data encryption at rest. Amazon S3
- *                   encrypts your data as it writes it to disks in its data centers and decrypts it
- *                   when you access it. You can request that Amazon S3 encrypts data at rest by using
- *                   server-side encryption with other key options. The option you use depends on
- *                   whether you want to use KMS keys (SSE-KMS) or provide your own encryption keys
- *                   (SSE-C).</p>
  *                <ul>
  *                   <li>
- *                      <p>Use KMS keys (SSE-KMS) that include the Amazon Web Services managed key
- *                            (<code>aws/s3</code>) and KMS customer managed keys stored in Key Management Service (KMS) –
- *                         If you want Amazon Web Services to manage the keys used to encrypt data, specify the
- *                         following headers in the request.</p>
- *                      <ul>
- *                         <li>
- *                            <p>
- *                               <code>x-amz-server-side-encryption</code>
- *                            </p>
- *                         </li>
- *                         <li>
- *                            <p>
- *                               <code>x-amz-server-side-encryption-aws-kms-key-id</code>
- *                            </p>
- *                         </li>
- *                         <li>
- *                            <p>
- *                               <code>x-amz-server-side-encryption-context</code>
- *                            </p>
- *                         </li>
- *                      </ul>
- *                      <note>
- *                         <p>If you specify <code>x-amz-server-side-encryption:aws:kms</code>, but
- *                            don't provide <code>x-amz-server-side-encryption-aws-kms-key-id</code>,
- *                            Amazon S3 uses the Amazon Web Services managed key (<code>aws/s3</code> key) in KMS to
- *                            protect the data.</p>
- *                      </note>
- *                      <important>
- *                         <p>All <code>GET</code> and <code>PUT</code> requests for an object
- *                            protected by KMS fail if you don't make them by using Secure Sockets
- *                            Layer (SSL), Transport Layer Security (TLS), or Signature Version
- *                            4.</p>
- *                      </important>
- *                      <p>For more information about server-side encryption with KMS keys
- *                         (SSE-KMS), see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html">Protecting Data
- *                            Using Server-Side Encryption with KMS keys</a>.</p>
+ *                      <p>
+ *                         <b>General purpose bucket permissions</b> - For information about the permissions required to use the multipart upload API, see
+ *                         <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html">Multipart
+ *                            upload and permissions</a> in the <i>Amazon S3 User Guide</i>. </p>
+ *                      <p>To perform a multipart upload with encryption by using an Amazon Web Services KMS key, the requester
+ *                         must have permission to the <code>kms:Decrypt</code> and <code>kms:GenerateDataKey*</code>
+ *                         actions on the key. These permissions are required because Amazon S3 must decrypt and read data
+ *                         from the encrypted file parts before it completes the multipart upload. For more
+ *                         information, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html#mpuAndPermissions">Multipart upload API
+ *                            and permissions</a> and <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html">Protecting data using
+ *                               server-side encryption with Amazon Web Services KMS</a> in the
+ *                         <i>Amazon S3 User Guide</i>.</p>
  *                   </li>
  *                   <li>
- *                      <p>Use customer-provided encryption keys (SSE-C) – If you want to manage
- *                         your own encryption keys, provide all the following headers in the
- *                         request.</p>
- *                      <ul>
- *                         <li>
- *                            <p>
- *                               <code>x-amz-server-side-encryption-customer-algorithm</code>
- *                            </p>
- *                         </li>
- *                         <li>
- *                            <p>
- *                               <code>x-amz-server-side-encryption-customer-key</code>
- *                            </p>
- *                         </li>
- *                         <li>
- *                            <p>
- *                               <code>x-amz-server-side-encryption-customer-key-MD5</code>
- *                            </p>
- *                         </li>
- *                      </ul>
- *                      <p>For more information about server-side encryption with customer-provided
- *                         encryption keys (SSE-C), see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html">
- *                            Protecting data using server-side encryption with customer-provided
- *                            encryption keys (SSE-C)</a>.</p>
+ *                      <p>
+ *                         <b>Directory bucket permissions</b> - To grant access to this API operation on a directory bucket, we recommend that you use the <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html">
+ *                            <code>CreateSession</code>
+ *                         </a> API operation for session-based authorization. Specifically, you grant the <code>s3express:CreateSession</code> permission to the directory bucket in a bucket policy or an IAM identity-based policy. Then, you make the <code>CreateSession</code> API call on the bucket to obtain a session token. With the session token in your request header, you can make API requests to this operation. After the session token expires, you make another <code>CreateSession</code> API call to generate a new session token for use.
+ * Amazon Web Services CLI or SDKs create session and refresh the session token automatically to avoid service interruptions when a session expires. For more information about authorization, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html">
+ *                            <code>CreateSession</code>
+ *                         </a>.</p>
  *                   </li>
  *                </ul>
  *             </dd>
- *             <dt>Access-Control-List (ACL)-Specific Request Headers</dt>
+ *             <dt>Encryption</dt>
  *             <dd>
- *                <p>You also can use the following access control–related headers with this
- *                   operation. By default, all objects are private. Only the owner has full access
- *                   control. When adding a new object, you can grant permissions to individual
- *                   Amazon Web Services accounts or to predefined groups defined by Amazon S3. These permissions are then
- *                   added to the access control list (ACL) on the object. For more information, see
- *                      <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/S3_ACLs_UsingACLs.html">Using ACLs</a>. With this operation, you can grant access permissions
- *                   using one of the following two methods:</p>
  *                <ul>
  *                   <li>
- *                      <p>Specify a canned ACL (<code>x-amz-acl</code>) — Amazon S3 supports a set of
- *                         predefined ACLs, known as <i>canned ACLs</i>. Each canned ACL
- *                         has a predefined set of grantees and permissions. For more information, see
- *                            <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#CannedACL">Canned
- *                         ACL</a>.</p>
- *                   </li>
- *                   <li>
- *                      <p>Specify access permissions explicitly — To explicitly grant access
- *                         permissions to specific Amazon Web Services accounts or groups, use the following headers.
- *                         Each header maps to specific permissions that Amazon S3 supports in an ACL. For
- *                         more information, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html">Access Control List (ACL)
- *                            Overview</a>. In the header, you specify a list of grantees who get
- *                         the specific permission. To grant permissions explicitly, use:</p>
- *                      <ul>
- *                         <li>
- *                            <p>
- *                               <code>x-amz-grant-read</code>
- *                            </p>
- *                         </li>
- *                         <li>
- *                            <p>
- *                               <code>x-amz-grant-write</code>
- *                            </p>
- *                         </li>
- *                         <li>
- *                            <p>
- *                               <code>x-amz-grant-read-acp</code>
- *                            </p>
- *                         </li>
- *                         <li>
- *                            <p>
- *                               <code>x-amz-grant-write-acp</code>
- *                            </p>
- *                         </li>
- *                         <li>
- *                            <p>
- *                               <code>x-amz-grant-full-control</code>
- *                            </p>
- *                         </li>
- *                      </ul>
- *                      <p>You specify each grantee as a type=value pair, where the type is one of
- *                         the following:</p>
+ *                      <p>
+ *                         <b>General purpose buckets</b> - Server-side encryption is for data encryption at rest. Amazon S3 encrypts your data as it
+ *                         writes it to disks in its data centers and decrypts it when you access it. Amazon S3
+ *                         automatically encrypts all new objects that are uploaded to an S3 bucket. When doing a
+ *                         multipart upload, if you don't specify encryption information in your request, the
+ *                         encryption setting of the uploaded parts is set to the default encryption configuration of
+ *                         the destination bucket. By default, all buckets have a base level of encryption
+ *                         configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). If the
+ *                         destination bucket has a default encryption configuration that uses server-side encryption
+ *                         with an Key Management Service (KMS) key (SSE-KMS), or a customer-provided encryption key (SSE-C),
+ *                         Amazon S3 uses the corresponding KMS key, or a customer-provided key to encrypt the uploaded
+ *                         parts. When you perform a CreateMultipartUpload operation, if you want to use a different
+ *                         type of encryption setting for the uploaded parts, you can request that Amazon S3 encrypts the
+ *                         object with a different encryption key (such as an Amazon S3 managed key, a KMS key, or a customer-provided key). When the encryption
+ *                         setting in your request is different from the default encryption configuration of the
+ *                         destination bucket, the encryption setting in your request takes precedence. If you choose
+ *                         to provide your own encryption key, the request headers you provide in <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html">UploadPart</a>
+ *                         and <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html">UploadPartCopy</a> requests must match the headers you used in the <code>CreateMultipartUpload</code> request.</p>
  *                      <ul>
  *                         <li>
- *                            <p>
- *                               <code>id</code> – if the value specified is the canonical user ID
- *                               of an Amazon Web Services account</p>
- *                         </li>
- *                         <li>
- *                            <p>
- *                               <code>uri</code> – if you are granting permissions to a predefined
- *                               group</p>
- *                         </li>
- *                         <li>
- *                            <p>
- *                               <code>emailAddress</code> – if the value specified is the email
- *                               address of an Amazon Web Services account</p>
+ *                            <p>Use KMS keys (SSE-KMS) that include the Amazon Web Services managed key
+ *                               (<code>aws/s3</code>) and KMS customer managed keys stored in Key Management Service (KMS) –
+ *                               If you want Amazon Web Services to manage the keys used to encrypt data, specify the
+ *                               following headers in the request.</p>
+ *                            <ul>
+ *                               <li>
+ *                                  <p>
+ *                                     <code>x-amz-server-side-encryption</code>
+ *                                  </p>
+ *                               </li>
+ *                               <li>
+ *                                  <p>
+ *                                     <code>x-amz-server-side-encryption-aws-kms-key-id</code>
+ *                                  </p>
+ *                               </li>
+ *                               <li>
+ *                                  <p>
+ *                                     <code>x-amz-server-side-encryption-context</code>
+ *                                  </p>
+ *                               </li>
+ *                            </ul>
  *                            <note>
- *                               <p>Using email addresses to specify a grantee is only supported in the following Amazon Web Services Regions: </p>
  *                               <ul>
  *                                  <li>
- *                                     <p>US East (N. Virginia)</p>
- *                                  </li>
- *                                  <li>
- *                                     <p>US West (N. California)</p>
- *                                  </li>
- *                                  <li>
- *                                     <p> US West (Oregon)</p>
- *                                  </li>
- *                                  <li>
- *                                     <p> Asia Pacific (Singapore)</p>
- *                                  </li>
- *                                  <li>
- *                                     <p>Asia Pacific (Sydney)</p>
+ *                                     <p>If you specify <code>x-amz-server-side-encryption:aws:kms</code>, but
+ *                                     don't provide <code>x-amz-server-side-encryption-aws-kms-key-id</code>,
+ *                                     Amazon S3 uses the Amazon Web Services managed key (<code>aws/s3</code> key) in KMS to
+ *                                     protect the data.</p>
  *                                  </li>
  *                                  <li>
- *                                     <p>Asia Pacific (Tokyo)</p>
+ *                                     <p>To perform a multipart upload with encryption by using an Amazon Web Services KMS key, the requester
+ *                                     must have permission to the <code>kms:Decrypt</code> and <code>kms:GenerateDataKey*</code>
+ *                                     actions on the key. These permissions are required because Amazon S3 must decrypt and read data
+ *                                     from the encrypted file parts before it completes the multipart upload. For more
+ *                                     information, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html#mpuAndPermissions">Multipart upload API
+ *                                        and permissions</a> and <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html">Protecting data using
+ *                                           server-side encryption with Amazon Web Services KMS</a> in the
+ *                                     <i>Amazon S3 User Guide</i>.</p>
  *                                  </li>
  *                                  <li>
- *                                     <p>Europe (Ireland)</p>
+ *                                     <p>If your Identity and Access Management (IAM) user or role is in the same Amazon Web Services account as the KMS key,
+ *                                     then you must have these permissions on the key policy. If your IAM user or role is in a different account from the key, then you must have the permissions on both the key
+ *                                     policy and your IAM user or role.</p>
  *                                  </li>
  *                                  <li>
- *                                     <p>South America (São Paulo)</p>
+ *                                     <p>All <code>GET</code> and <code>PUT</code> requests for an object
+ *                                        protected by KMS fail if you don't make them by using Secure Sockets
+ *                                        Layer (SSL), Transport Layer Security (TLS), or Signature Version
+ *                                        4. For information about configuring any of the officially supported Amazon Web Services
+ *                                        SDKs and Amazon Web Services CLI, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version">Specifying the Signature Version in Request Authentication</a>
+ *                                        in the <i>Amazon S3 User Guide</i>.</p>
  *                                  </li>
  *                               </ul>
- *                               <p>For a list of all the Amazon S3 supported Regions and endpoints, see <a href="https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region">Regions and Endpoints</a> in the Amazon Web Services General Reference.</p>
  *                            </note>
+ *                            <p>For more information about server-side encryption with KMS keys
+ *                               (SSE-KMS), see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html">Protecting Data
+ *                                  Using Server-Side Encryption with KMS keys</a> in the <i>Amazon S3 User Guide</i>.</p>
+ *                         </li>
+ *                         <li>
+ *                            <p>Use customer-provided encryption keys (SSE-C) – If you want to manage
+ *                               your own encryption keys, provide all the following headers in the
+ *                               request.</p>
+ *                            <ul>
+ *                               <li>
+ *                                  <p>
+ *                                     <code>x-amz-server-side-encryption-customer-algorithm</code>
+ *                                  </p>
+ *                               </li>
+ *                               <li>
+ *                                  <p>
+ *                                     <code>x-amz-server-side-encryption-customer-key</code>
+ *                                  </p>
+ *                               </li>
+ *                               <li>
+ *                                  <p>
+ *                                     <code>x-amz-server-side-encryption-customer-key-MD5</code>
+ *                                  </p>
+ *                               </li>
+ *                            </ul>
+ *                            <p>For more information about server-side encryption with customer-provided
+ *                               encryption keys (SSE-C), see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html">
+ *                                  Protecting data using server-side encryption with customer-provided
+ *                                  encryption keys (SSE-C)</a> in the <i>Amazon S3 User Guide</i>.</p>
  *                         </li>
  *                      </ul>
- *                      <p>For example, the following <code>x-amz-grant-read</code> header grants the Amazon Web Services accounts identified by account IDs permissions to read object data and its metadata:</p>
+ *                   </li>
+ *                   <li>
  *                      <p>
- *                         <code>x-amz-grant-read: id="11112222333", id="444455556666" </code>
- *                      </p>
+ *                         <b>Directory buckets</b> -For directory buckets, only server-side encryption with Amazon S3 managed keys (SSE-S3) (<code>AES256</code>) is supported.</p>
  *                   </li>
  *                </ul>
  *             </dd>
+ *             <dt>HTTP Host header syntax</dt>
+ *             <dd>
+ *                <p>
+ *                   <b>Directory buckets </b> - The HTTP Host header syntax is <code>
+ *                      <i>Bucket_name</i>.s3express-<i>az_id</i>.<i>region</i>.amazonaws.com</code>.</p>
+ *             </dd>
  *          </dl>
  *          <p>The following operations are related to <code>CreateMultipartUpload</code>:</p>
  *          <ul>
@@ -342,7 +264,7 @@ export interface CreateMultipartUploadCommandOutput extends CreateMultipartUploa
  *     "<keys>": "STRING_VALUE",
  *   },
  *   ServerSideEncryption: "AES256" || "aws:kms" || "aws:kms:dsse",
- *   StorageClass: "STANDARD" || "REDUCED_REDUNDANCY" || "STANDARD_IA" || "ONEZONE_IA" || "INTELLIGENT_TIERING" || "GLACIER" || "DEEP_ARCHIVE" || "OUTPOSTS" || "GLACIER_IR" || "SNOW",
+ *   StorageClass: "STANDARD" || "REDUCED_REDUNDANCY" || "STANDARD_IA" || "ONEZONE_IA" || "INTELLIGENT_TIERING" || "GLACIER" || "DEEP_ARCHIVE" || "OUTPOSTS" || "GLACIER_IR" || "SNOW" || "EXPRESS_ONEZONE",
  *   WebsiteRedirectLocation: "STRING_VALUE",
  *   SSECustomerAlgorithm: "STRING_VALUE",
  *   SSECustomerKey: "STRING_VALUE",

package/dist-types/commands/CreateSessionCommand.d.ts

@@ -0,0 +1,145 @@
+import { EndpointParameterInstructions } from "@smithy/middleware-endpoint";
+import { Command as $Command } from "@smithy/smithy-client";
+import { Handler, HttpHandlerOptions as __HttpHandlerOptions, MetadataBearer as __MetadataBearer, MiddlewareStack } from "@smithy/types";
+import { CreateSessionOutput, CreateSessionRequest } from "../models/models_0";
+import { S3ClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../S3Client";
+/**
+ * @public
+ */
+export { __MetadataBearer, $Command };
+/**
+ * @public
+ *
+ * The input for {@link CreateSessionCommand}.
+ */
+export interface CreateSessionCommandInput extends CreateSessionRequest {
+}
+/**
+ * @public
+ *
+ * The output of {@link CreateSessionCommand}.
+ */
+export interface CreateSessionCommandOutput extends CreateSessionOutput, __MetadataBearer {
+}
+/**
+ * @public
+ * <p>Creates a session that establishes temporary security credentials to support fast authentication and authorization for the Zonal endpoint APIs on directory buckets.
+ *          For more information about Zonal endpoint APIs that include the Availability Zone in the request endpoint, see
+ *          <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-APIs.html">S3 Express One Zone  APIs</a> in the <i>Amazon S3 User Guide</i>.
+ *       </p>
+ *          <p>To make Zonal endpoint API requests on a directory bucket, use the <code>CreateSession</code>
+ *          API operation. Specifically, you grant <code>s3express:CreateSession</code> permission to a
+ *          bucket in a bucket policy or an IAM identity-based policy. Then, you use IAM credentials to make the
+ *             <code>CreateSession</code> API request on the bucket, which returns temporary security
+ *          credentials that include the access key ID, secret access key, session token, and
+ *          expiration. These credentials have associated permissions to access the Zonal endpoint APIs. After
+ *          the session is created, you don’t need to use other policies to grant permissions to each
+ *          Zonal endpoint API individually. Instead, in your Zonal endpoint API requests, you sign your requests by
+ *          applying the temporary security credentials of the session to the request headers and
+ *          following the SigV4 protocol for authentication. You also apply the session token to the
+ *             <code>x-amz-s3session-token</code> request header for authorization. Temporary security
+ *          credentials are scoped to the bucket and expire after 5 minutes. After the expiration time,
+ *          any calls that you make with those credentials will fail. You must use IAM credentials
+ *          again to make a <code>CreateSession</code> API request that generates a new set of
+ *          temporary credentials for use. Temporary credentials cannot be extended or refreshed beyond
+ *          the original specified interval.</p>
+ *          <p>If you use Amazon Web Services SDKs, SDKs handle the session token refreshes automatically to avoid
+ *          service interruptions when a session expires. We recommend that you use the Amazon Web Services SDKs to
+ *          initiate and manage requests to the CreateSession API. For more information, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-optimizing-performance-guidelines-design-patterns.html#s3-express-optimizing-performance-session-authentication">Performance guidelines and design patterns</a> in the
+ *             <i>Amazon S3 User Guide</i>.</p>
+ *          <note>
+ *             <ul>
+ *                <li>
+ *                   <p>You must make requests for this API operation to the Zonal endpoint. These endpoints support virtual-hosted-style requests in the format <code>https://<i>bucket_name</i>.s3express-<i>az_id</i>.<i>region</i>.amazonaws.com</code>. Path-style requests are not supported. For more information, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html">Regional and Zonal endpoints</a> in the
+ *     <i>Amazon S3 User Guide</i>.</p>
+ *                </li>
+ *                <li>
+ *                   <p>
+ *                      <b>
+ *                         <code>CopyObject</code> API operation</b> - Unlike other Zonal endpoint APIs, the <code>CopyObject</code> API operation doesn't use the temporary security credentials returned from the <code>CreateSession</code> API operation for authentication and authorization. For information about authentication and authorization of the <code>CopyObject</code> API operation on directory buckets, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html">CopyObject</a>.</p>
+ *                </li>
+ *                <li>
+ *                   <p>
+ *                      <b>
+ *                         <code>HeadBucket</code> API operation</b> - Unlike other Zonal endpoint APIs, the <code>HeadBucket</code> API operation doesn't use the temporary security credentials returned from the <code>CreateSession</code> API operation for authentication and authorization. For information about authentication and authorization of the <code>HeadBucket</code> API operation on directory buckets, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html">HeadBucket</a>.</p>
+ *                </li>
+ *             </ul>
+ *          </note>
+ *          <dl>
+ *             <dt>Permissions</dt>
+ *             <dd>
+ *                <p>To obtain temporary security credentials, you must create a bucket policy or an IAM identity-based policy that
+ *                   grants <code>s3express:CreateSession</code> permission to the bucket. In a
+ *                   policy, you can have the <code>s3express:SessionMode</code> condition key to
+ *                   control who can create a <code>ReadWrite</code> or <code>ReadOnly</code> session.
+ *                   For more information about <code>ReadWrite</code> or <code>ReadOnly</code>
+ *                   sessions, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html#API_CreateSession_RequestParameters">
+ *                      <code>x-amz-create-session-mode</code>
+ *                   </a>. For example policies, see
+ *                      <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html">Example bucket policies for S3 Express One Zone</a> and <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html">Amazon Web Services Identity and Access Management (IAM) identity-based policies for S3 Express One Zone</a> in the
+ *                      <i>Amazon S3 User Guide</i>. </p>
+ *                <p>To grant cross-account access to Zonal endpoint APIs, the bucket policy should also grant both accounts the <code>s3express:CreateSession</code> permission.</p>
+ *             </dd>
+ *             <dt>HTTP Host header syntax</dt>
+ *             <dd>
+ *                <p>
+ *                   <b>Directory buckets </b> - The HTTP Host header syntax is <code>
+ *                      <i>Bucket_name</i>.s3express-<i>az_id</i>.<i>region</i>.amazonaws.com</code>.</p>
+ *             </dd>
+ *          </dl>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { S3Client, CreateSessionCommand } from "@aws-sdk/client-s3"; // ES Modules import
+ * // const { S3Client, CreateSessionCommand } = require("@aws-sdk/client-s3"); // CommonJS import
+ * const client = new S3Client(config);
+ * const input = { // CreateSessionRequest
+ *   SessionMode: "ReadOnly" || "ReadWrite",
+ *   Bucket: "STRING_VALUE", // required
+ * };
+ * const command = new CreateSessionCommand(input);
+ * const response = await client.send(command);
+ * // { // CreateSessionOutput
+ * //   Credentials: { // SessionCredentials
+ * //     AccessKeyId: "STRING_VALUE", // required
+ * //     SecretAccessKey: "STRING_VALUE", // required
+ * //     SessionToken: "STRING_VALUE", // required
+ * //     Expiration: new Date("TIMESTAMP"), // required
+ * //   },
+ * // };
+ *
+ * ```
+ *
+ * @param CreateSessionCommandInput - {@link CreateSessionCommandInput}
+ * @returns {@link CreateSessionCommandOutput}
+ * @see {@link CreateSessionCommandInput} for command's `input` shape.
+ * @see {@link CreateSessionCommandOutput} for command's `response` shape.
+ * @see {@link S3ClientResolvedConfig | config} for S3Client's `config` shape.
+ *
+ * @throws {@link NoSuchBucket} (client fault)
+ *  <p>The specified bucket does not exist.</p>
+ *
+ * @throws {@link S3ServiceException}
+ * <p>Base exception class for all service exceptions from S3 service.</p>
+ *
+ */
+export declare class CreateSessionCommand extends $Command<CreateSessionCommandInput, CreateSessionCommandOutput, S3ClientResolvedConfig> {
+    readonly input: CreateSessionCommandInput;
+    static getEndpointParameterInstructions(): EndpointParameterInstructions;
+    /**
+     * @public
+     */
+    constructor(input: CreateSessionCommandInput);
+    /**
+     * @internal
+     */
+    resolveMiddleware(clientStack: MiddlewareStack<ServiceInputTypes, ServiceOutputTypes>, configuration: S3ClientResolvedConfig, options?: __HttpHandlerOptions): Handler<CreateSessionCommandInput, CreateSessionCommandOutput>;
+    /**
+     * @internal
+     */
+    private serialize;
+    /**
+     * @internal
+     */
+    private deserialize;
+}

package/dist-types/commands/DeleteBucketAnalyticsConfigurationCommand.d.ts

@@ -23,7 +23,10 @@ export interface DeleteBucketAnalyticsConfigurationCommandOutput extends __Metad
 }
 /**
  * @public
- * <p>Deletes an analytics configuration for the bucket (specified by the analytics
+ * <note>
+ *             <p>This operation is not supported by directory buckets.</p>
+ *          </note>
+ *          <p>Deletes an analytics configuration for the bucket (specified by the analytics
  *          configuration ID).</p>
  *          <p>To use this operation, you must have permissions to perform the
  *             <code>s3:PutAnalyticsConfiguration</code> action. The bucket owner has this permission