diff --git a/CHANGELOG.md b/CHANGELOG.md index cdf4367..c2e55c1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ ### Changed - Enable compiler optimization for the `sprintf` function. +- AWS enhancement: Documentation updates. ## 2.3.0 diff --git a/src/Input/CopyObjectRequest.php b/src/Input/CopyObjectRequest.php index 8f5906a..1ee862f 100644 --- a/src/Input/CopyObjectRequest.php +++ b/src/Input/CopyObjectRequest.php 
@@ -365,31 +365,56 @@ final class CopyObjectRequest extends Input private $taggingDirective; /** - * The server-side encryption algorithm used when storing this object in Amazon S3 (for example, `AES256`, `aws:kms`, - * `aws:kms:dsse`). Unrecognized or unsupported values won’t write a destination object and will receive a `400 Bad - * Request` response. + * The server-side encryption algorithm used when storing this object in Amazon S3. Unrecognized or unsupported values + * won’t write a destination object and will receive a `400 Bad Request` response. * * Amazon S3 automatically encrypts all new objects that are copied to an S3 bucket. When copying an object, if you * don't specify encryption information in your copy request, the encryption setting of the target object is set to the * default encryption configuration of the destination bucket. By default, all buckets have a base level of encryption * configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). If the destination bucket has a - * default encryption configuration that uses server-side encryption with Key Management Service (KMS) keys (SSE-KMS), - * dual-layer server-side encryption with Amazon Web Services KMS keys (DSSE-KMS), or server-side encryption with - * customer-provided encryption keys (SSE-C), Amazon S3 uses the corresponding KMS key, or a customer-provided key to - * encrypt the target object copy. - * - * When you perform a `CopyObject` operation, if you want to use a different type of encryption setting for the target - * object, you can specify appropriate encryption-related headers to encrypt the target object with an Amazon S3 managed - * key, a KMS key, or a customer-provided key. If the encryption setting in your request is different from the default - * encryption configuration of the destination bucket, the encryption setting in your request takes precedence. 
+ * different default encryption configuration, Amazon S3 uses the corresponding encryption key to encrypt the target + * object copy. * * With server-side encryption, Amazon S3 encrypts your data as it writes your data to disks in its data centers and * decrypts the data when you access it. For more information about server-side encryption, see Using Server-Side * Encryption [^1] in the *Amazon S3 User Guide*. * - * > For directory buckets, only server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is supported. + * **General purpose buckets ** + * + * - For general purpose buckets, there are the following supported options for server-side encryption: server-side + * encryption with Key Management Service (KMS) keys (SSE-KMS), dual-layer server-side encryption with Amazon Web + * Services KMS keys (DSSE-KMS), and server-side encryption with customer-provided encryption keys (SSE-C). Amazon S3 + * uses the corresponding KMS key, or a customer-provided key to encrypt the target object copy. + * - When you perform a `CopyObject` operation, if you want to use a different type of encryption setting for the target + * object, you can specify appropriate encryption-related headers to encrypt the target object with an Amazon S3 + * managed key, a KMS key, or a customer-provided key. If the encryption setting in your request is different from the + * default encryption configuration of the destination bucket, the encryption setting in your request takes + * precedence. + * + * **Directory buckets ** + * + * - For directory buckets, there are only two supported options for server-side encryption: server-side encryption with + * Amazon S3 managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We + * recommend that the bucket's default encryption uses the desired encryption configuration and you don't override the + * bucket default encryption in your `CreateSession` requests or `PUT` object requests. 
Then, new objects are + * automatically encrypted with the desired encryption settings. For more information, see Protecting data with + * server-side encryption [^2] in the *Amazon S3 User Guide*. For more information about the encryption overriding + * behaviors in directory buckets, see Specifying server-side encryption with KMS for new object uploads [^3]. + * - To encrypt new object copies to a directory bucket with SSE-KMS, we recommend you specify SSE-KMS as the directory + * bucket's default encryption configuration with a KMS key (specifically, a customer managed key [^4]). Amazon Web + * Services managed key [^5] (`aws/s3`) isn't supported. Your SSE-KMS configuration can only support 1 customer + * managed key [^6] per directory bucket for the lifetime of the bucket. After you specify a customer managed key for + * SSE-KMS, you can't override the customer managed key for the bucket's SSE-KMS configuration. Then, when you perform + * a `CopyObject` operation and want to specify server-side encryption settings for new object copies with SSE-KMS in + * the encryption-related request headers, you must ensure the encryption key is the same customer managed key that + * you specified for the directory bucket's default encryption configuration. * * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html + * [^2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html + * [^3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html + * [^4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk + * [^5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk + * [^6]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk * * @var ServerSideEncryption::*|null */ 
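Review bot: the new "General purpose buckets" bullet in this hunk lists only SSE-KMS, DSSE-KMS and SSE-C as "the following supported options for server-side encryption", which contradicts the unchanged paragraph above it stating that every bucket defaults to SSE-S3. The removed text made the intent clear: these are the cases where S3 uses "the corresponding KMS key, or a customer-provided key". Rephrase the bullet as a conditional ("If the destination bucket's default encryption uses SSE-KMS, DSSE-KMS or SSE-C, Amazon S3 uses the corresponding KMS key or customer-provided key to encrypt the target object copy") rather than as an exhaustive list. Smaller points in the same hunk: `**General purpose buckets **` and `**Directory buckets **` carry a space inside the closing `**`, so the bold markers will not render; footnotes [^4] and [^6] both resolve to `concepts.html#customer-cmk`, so [^6] can reuse [^4]; and the removed "(for example, `AES256`, `aws:kms`, `aws:kms:dsse`)" was the only place this docblock showed the accepted strings, which is worth keeping next to `@var ServerSideEncryption::*|null`.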
@@ -475,25 +500,41 @@ final class CopyObjectRequest extends Input private $sseCustomerKeyMd5; /** - * Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for object encryption. All GET and PUT requests for an - * object protected by KMS will fail if they're not made via SSL or using SigV4. For information about configuring any - * of the officially supported Amazon Web Services SDKs and Amazon Web Services CLI, see Specifying the Signature + * Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for object encryption. All GET and PUT requests for + * an object protected by KMS will fail if they're not made via SSL or using SigV4. For information about configuring + * any of the officially supported Amazon Web Services SDKs and Amazon Web Services CLI, see Specifying the Signature * Version in Request Authentication [^1] in the *Amazon S3 User Guide*. * - * > This functionality is not supported when the destination bucket is a directory bucket. + * **Directory buckets** - If you specify `x-amz-server-side-encryption` with `aws:kms`, you must specify the ` + * x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key ID or Key ARN) of the KMS symmetric encryption + * customer managed key to use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the key ID or key ARN. The + * key alias format of the KMS key isn't supported. Your SSE-KMS configuration can only support 1 customer managed key + * [^2] per directory bucket for the lifetime of the bucket. Amazon Web Services managed key [^3] (`aws/s3`) isn't + * supported. 
* * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version + * [^2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk + * [^3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk * * @var string|null */ private $sseKmsKeyId; /** - * Specifies the Amazon Web Services KMS Encryption Context to use for object encryption. The value of this header is a - * base64-encoded UTF-8 string holding JSON with the encryption context key-value pairs. This value must be explicitly - * added to specify encryption context for `CopyObject` requests. + * Specifies the Amazon Web Services KMS Encryption Context as an additional encryption context to use for the + * destination object encryption. The value of this header is a base64-encoded UTF-8 string holding JSON with the + * encryption context key-value pairs. * - * > This functionality is not supported when the destination bucket is a directory bucket. + * **General purpose buckets** - This value must be explicitly added to specify encryption context for `CopyObject` + * requests if you want an additional encryption context for your destination object. The additional encryption context + * of the source object won't be copied to the destination object. For more information, see Encryption context [^1] in + * the *Amazon S3 User Guide*. + * + * **Directory buckets** - You can optionally provide an explicit encryption context value. The value must match the + * default encryption context - the bucket Amazon Resource Name (ARN). An additional encryption context value is not + * supported. + * + * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context * * @var string|null */ 
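Review bot: in the directory-bucket paragraph for `$sseKmsKeyId`, the opening backtick for the header name sits at the end of one line ("you must specify the `") and `x-amz-server-side-encryption-aws-kms-key-id` starts the next, so the code span begins with a space and renders wrongly; rewrap so the backtick and the header name stay together (the same wrap problem is in the parallel docblocks in CreateMultipartUploadRequest and PutObjectRequest). For `$sseKmsEncryptionContext`, the sentence "The additional encryption context of the source object won't be copied to the destination object" is the behaviour a caller is most likely to trip over, since a copy that omits `SSEKMSEncryptionContext` produces a destination object without the source's context and no error tells them so; move it up to the opening sentence instead of leaving it behind the "General purpose buckets" label.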
@@ -509,9 +550,13 @@ final class CopyObjectRequest extends Input * * For more information, see Amazon S3 Bucket Keys [^1] in the *Amazon S3 User Guide*. * - * > This functionality is not supported when the destination bucket is a directory bucket. + * > **Directory buckets** - S3 Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects from general + * > purpose buckets to directory buckets, from directory buckets to general purpose buckets, or between directory + * > buckets, through CopyObject [^2]. In this case, Amazon S3 makes a call to KMS every time a copy request is made for + * > a KMS-encrypted object. * * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html + * [^2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html * * @var bool|null */ diff --git a/src/Input/CreateMultipartUploadRequest.php b/src/Input/CreateMultipartUploadRequest.php index 54a6b42..d5e8207 100644 --- a/src/Input/CreateMultipartUploadRequest.php +++ b/src/Input/CreateMultipartUploadRequest.php 
@@ -316,7 +316,36 @@ final class CreateMultipartUploadRequest extends Input /** * The server-side encryption algorithm used when you store this object in Amazon S3 (for example, `AES256`, `aws:kms`). * - * > For directory buckets, only server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is supported. + * - **Directory buckets ** - For directory buckets, there are only two supported options for server-side encryption: + * server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS keys + * (SSE-KMS) (`aws:kms`). We recommend that the bucket's default encryption uses the desired encryption configuration + * and you don't override the bucket default encryption in your `CreateSession` requests or `PUT` object requests. + * Then, new objects are automatically encrypted with the desired encryption settings. For more information, see + * Protecting data with server-side encryption [^1] in the *Amazon S3 User Guide*. For more information about the + * encryption overriding behaviors in directory buckets, see Specifying server-side encryption with KMS for new object + * uploads [^2]. + * + * In the Zonal endpoint API calls (except CopyObject [^3] and UploadPartCopy [^4]) using the REST API, the encryption + * request headers must match the encryption settings that are specified in the `CreateSession` request. You can't + * override the values of the encryption settings (`x-amz-server-side-encryption`, + * `x-amz-server-side-encryption-aws-kms-key-id`, `x-amz-server-side-encryption-context`, and + * `x-amz-server-side-encryption-bucket-key-enabled`) that are specified in the `CreateSession` request. You don't + * need to explicitly specify these encryption settings values in Zonal endpoint API calls, and Amazon S3 will use the + * encryption settings values from the `CreateSession` request to protect new objects in the directory bucket. 
+ * + * > When you use the CLI or the Amazon Web Services SDKs, for `CreateSession`, the session token refreshes + * > automatically to avoid service interruptions when a session expires. The CLI or the Amazon Web Services SDKs use + * > the bucket's default encryption configuration for the `CreateSession` request. It's not supported to override the + * > encryption settings values in the `CreateSession` request. So in the Zonal endpoint API calls (except CopyObject + * > [^5] and UploadPartCopy [^6]), the encryption request headers must match the default encryption configuration of + * > the directory bucket. + * + * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html + * [^2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html + * [^3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html + * [^4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html + * [^5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html + * [^6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html * * @var ServerSideEncryption::*|null */ 
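Review bot: footnotes [^3]/[^5] and [^4]/[^6] in this hunk point at the same two URLs (`API_CopyObject.html` and `API_UploadPartCopy.html`); collapse them to two footnotes and reuse those in the blockquote. `**Directory buckets **` has a space before the closing `**` and will not render bold, and the list has a single `-` item with the following paragraphs indented under it, which reads oddly next to the two-item list used for the same field in PutObjectRequest; either add the general-purpose bullet here too or drop the bullet marker. On substance, the statement that encryption headers in Zonal endpoint calls must match the `CreateSession` settings and that the SDKs use the bucket default for `CreateSession` is the part users of this library need: a caller who sets `ServerSideEncryption` or `SSEKMSKeyId` on a multipart upload to a directory bucket to override the bucket default cannot get that override, per this text. A one-line pointer in the class-level docblock or the CHANGELOG would make that visible without reading the whole field comment.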
@@ -378,10 +407,24 @@ final class CreateMultipartUploadRequest extends Input private $sseCustomerKeyMd5; /** - * Specifies the ID (Key ID, Key ARN, or Key Alias) of the symmetric encryption customer managed key to use for object - * encryption. + * Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for object encryption. If the KMS key doesn't exist + * in the same account that's issuing the command, you must use the full Key ARN not the Key ID. * - * > This functionality is not supported for directory buckets. + * **General purpose buckets** - If you specify `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this + * header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key to use. If you specify + * `x-amz-server-side-encryption:aws:kms` or `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide + * `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the Amazon Web Services managed key (`aws/s3`) to + * protect the data. + * + * **Directory buckets** - If you specify `x-amz-server-side-encryption` with `aws:kms`, you must specify the ` + * x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key ID or Key ARN) of the KMS symmetric encryption + * customer managed key to use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the key ID or key ARN. The + * key alias format of the KMS key isn't supported. Your SSE-KMS configuration can only support 1 customer managed key + * [^1] per directory bucket for the lifetime of the bucket. Amazon Web Services managed key [^2] (`aws/s3`) isn't + * supported. + * + * [^1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk + * [^2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk * * @var string|null */ 
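Review bot: the general-purpose paragraph in this hunk documents a silent fallback that deserves to lead: `x-amz-server-side-encryption: aws:kms` without `x-amz-server-side-encryption-aws-kms-key-id` makes S3 use the AWS managed key `aws/s3`, so a caller who forgets `SSEKMSKeyId` gets a different key than the customer managed key they intended and no error, whereas a directory bucket rejects the same request with `400 Bad Request`. Stating that contrast in one sentence at the top would help. The opening summary says "Key ID, Key ARN, or Key Alias" but the directory-bucket paragraph says aliases are not accepted there; qualify the summary ("Key Alias for general purpose buckets only"). Same wrapped code span as in CopyObjectRequest: the backtick ends one line and `x-amz-server-side-encryption-aws-kms-key-id` starts the next, so the span begins with a space.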
@@ -389,9 +432,11 @@ final class CreateMultipartUploadRequest extends Input /** * Specifies the Amazon Web Services KMS Encryption Context to use for object encryption. The value of this header is a - * base64-encoded UTF-8 string holding JSON with the encryption context key-value pairs. + * Base64-encoded string of a UTF-8 encoded JSON, which contains the encryption context as key-value pairs. * - * > This functionality is not supported for directory buckets. + * **Directory buckets** - You can optionally provide an explicit encryption context value. The value must match the + * default encryption context - the bucket Amazon Resource Name (ARN). An additional encryption context value is not + * supported. * * @var string|null */ 
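Review bot: this `$sseKmsEncryptionContext` docblock only gained the directory-bucket paragraph, while the parallel docblocks for the same field in PutObjectRequest and CopyObjectRequest in this patch also received a "General purpose buckets" paragraph with the Encryption context [^1] link and the note that the context is stored as object metadata and passed to KMS on later `GetObject` calls. A multipart upload produces an object with the same semantics, so add the same paragraph and footnote here for consistency. Minor: "a Base64-encoded string of a UTF-8 encoded JSON" reads better as "a base64-encoded UTF-8 JSON string", and the removed line spelled it "base64"; keep one spelling across the patch.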
@@ -399,12 +444,22 @@ final class CreateMultipartUploadRequest extends Input /** * Specifies whether Amazon S3 should use an S3 Bucket Key for object encryption with server-side encryption using Key - * Management Service (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3 to use an S3 Bucket Key for - * object encryption with SSE-KMS. - * - * Specifying this header with an object action doesn’t affect bucket-level settings for S3 Bucket Key. - * - * > This functionality is not supported for directory buckets. + * Management Service (KMS) keys (SSE-KMS). + * + * **General purpose buckets** - Setting this header to `true` causes Amazon S3 to use an S3 Bucket Key for object + * encryption with SSE-KMS. Also, specifying this header with a PUT action doesn't affect bucket-level settings for S3 + * Bucket Key. + * + * **Directory buckets** - S3 Bucket Keys are always enabled for `GET` and `PUT` operations in a directory bucket and + * can’t be disabled. S3 Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects from general purpose + * buckets to directory buckets, from directory buckets to general purpose buckets, or between directory buckets, + * through CopyObject [^1], UploadPartCopy [^2], the Copy operation in Batch Operations [^3], or the import jobs [^4]. + * In this case, Amazon S3 makes a call to KMS every time a copy request is made for a KMS-encrypted object. + * + * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html + * [^2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html + * [^3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops + * [^4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job * * @var bool|null */ diff --git a/src/Input/GetBucketEncryptionRequest.php b/src/Input/GetBucketEncryptionRequest.php index fda75e3..3c14d22 100644 --- a/src/Input/GetBucketEncryptionRequest.php 
+++ b/src/Input/GetBucketEncryptionRequest.php @@ -12,6 +12,14 @@ final class GetBucketEncryptionRequest extends Input /** * The name of the bucket from which the server-side encryption configuration is retrieved. * + * **Directory buckets ** - When you use this operation with a directory bucket, you must use path-style requests in the + * format `https://s3express-control.*region_code*.amazonaws.com/*bucket-name*`. Virtual-hosted-style requests aren't + * supported. Directory bucket names must be unique in the chosen Availability Zone. Bucket names must also follow the + * format `*bucket_base_name*--*az_id*--x-s3` (for example, `*DOC-EXAMPLE-BUCKET*--*usw2-az1*--x-s3`). For information + * about bucket naming restrictions, see Directory bucket naming rules [^1] in the *Amazon S3 User Guide* + * + * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html + * * @required * * @var string|null @@ -22,6 +30,9 @@ final class GetBucketEncryptionRequest extends Input * The account ID of the expected bucket owner. If the account ID that you provide does not match the actual owner of * the bucket, the request fails with the HTTP status code `403 Forbidden` (access denied). * + * > For directory buckets, this header is not supported in this API operation. If you specify this header, the request + * > fails with the HTTP status code `501 Not Implemented`. + * * @var string|null */ private $expectedBucketOwner; diff --git a/src/Input/GetObjectRequest.php b/src/Input/GetObjectRequest.php index 08b9425..c30ffea 100644 --- a/src/Input/GetObjectRequest.php +++ b/src/Input/GetObjectRequest.php 
@@ -290,8 +290,9 @@ final class GetObjectRequest extends Input /** * To retrieve the checksum, this mode must be enabled. * - * In addition, if you enable checksum mode and the object is uploaded with a checksum [^1] and encrypted with an Key - * Management Service (KMS) key, you must have permission to use the `kms:Decrypt` action to retrieve the checksum. + * **General purpose buckets** - In addition, if you enable checksum mode and the object is uploaded with a checksum + * [^1] and encrypted with an Key Management Service (KMS) key, you must have permission to use the `kms:Decrypt` action + * to retrieve the checksum. * * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html * diff --git a/src/Input/HeadObjectRequest.php b/src/Input/HeadObjectRequest.php index a1ae1d5..7f33302 100644 --- a/src/Input/HeadObjectRequest.php +++ b/src/Input/HeadObjectRequest.php @@ -244,8 +244,14 @@ final class HeadObjectRequest extends Input /** * To retrieve the checksum, this parameter must be enabled. * - * In addition, if you enable checksum mode and the object is uploaded with a checksum [^1] and encrypted with an Key - * Management Service (KMS) key, you must have permission to use the `kms:Decrypt` action to retrieve the checksum. + * **General purpose buckets** - If you enable checksum mode and the object is uploaded with a checksum [^1] and + * encrypted with an Key Management Service (KMS) key, you must have permission to use the `kms:Decrypt` action to + * retrieve the checksum. + * + * **Directory buckets** - If you enable `ChecksumMode` and the object is encrypted with Amazon Web Services Key + * Management Service (Amazon Web Services KMS), you must also have the `kms:GenerateDataKey` and `kms:Decrypt` + * permissions in IAM identity-based policies and KMS key policies for the KMS key to retrieve the checksum of the + * object. * * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html * 
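Review bot: HeadObjectRequest now states that on directory buckets `ChecksumMode` on a KMS-encrypted object needs `kms:GenerateDataKey` in addition to `kms:Decrypt`, but the GetObjectRequest hunk just above it added only the "General purpose buckets" paragraph and says nothing about directory buckets. Either the directory-bucket requirement applies to `GetObject` too, in which case the same paragraph belongs there, or it does not and the GetObject docblock should say so; as written a reader cannot tell which. The `kms:GenerateDataKey` requirement on a read-only HEAD is surprising enough to lead the paragraph, because a least-privilege policy that grants readers only `kms:Decrypt` will not be able to retrieve the checksum from a directory bucket. Both hunks keep the carried-over typo "an Key Management Service" (should be "a Key Management Service").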
diff --git a/src/Input/PutObjectRequest.php b/src/Input/PutObjectRequest.php index 4fe6f7a..0e2bfd8 100644 --- a/src/Input/PutObjectRequest.php +++ b/src/Input/PutObjectRequest.php 
@@ -329,17 +329,43 @@ final class PutObjectRequest extends Input * The server-side encryption algorithm that was used when you store this object in Amazon S3 (for example, `AES256`, * `aws:kms`, `aws:kms:dsse`). * - * **General purpose buckets ** - You have four mutually exclusive options to protect data using server-side encryption - * in Amazon S3, depending on how you choose to manage the encryption keys. Specifically, the encryption key options are - * Amazon S3 managed keys (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and customer-provided keys - * (SSE-C). Amazon S3 encrypts data with server-side encryption by using Amazon S3 managed keys (SSE-S3) by default. You - * can optionally tell Amazon S3 to encrypt data at rest by using server-side encryption with other key options. For - * more information, see Using Server-Side Encryption [^1] in the *Amazon S3 User Guide*. - * - * **Directory buckets ** - For directory buckets, only the server-side encryption with Amazon S3 managed keys (SSE-S3) - * (`AES256`) value is supported. + * - **General purpose buckets ** - You have four mutually exclusive options to protect data using server-side + * encryption in Amazon S3, depending on how you choose to manage the encryption keys. Specifically, the encryption + * key options are Amazon S3 managed keys (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and + * customer-provided keys (SSE-C). Amazon S3 encrypts data with server-side encryption by using Amazon S3 managed keys + * (SSE-S3) by default. You can optionally tell Amazon S3 to encrypt data at rest by using server-side encryption with + * other key options. For more information, see Using Server-Side Encryption [^1] in the *Amazon S3 User Guide*. 
+ * - **Directory buckets ** - For directory buckets, there are only two supported options for server-side encryption: + * server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS keys + * (SSE-KMS) (`aws:kms`). We recommend that the bucket's default encryption uses the desired encryption configuration + * and you don't override the bucket default encryption in your `CreateSession` requests or `PUT` object requests. + * Then, new objects are automatically encrypted with the desired encryption settings. For more information, see + * Protecting data with server-side encryption [^2] in the *Amazon S3 User Guide*. For more information about the + * encryption overriding behaviors in directory buckets, see Specifying server-side encryption with KMS for new object + * uploads [^3]. + * + * In the Zonal endpoint API calls (except CopyObject [^4] and UploadPartCopy [^5]) using the REST API, the encryption + * request headers must match the encryption settings that are specified in the `CreateSession` request. You can't + * override the values of the encryption settings (`x-amz-server-side-encryption`, + * `x-amz-server-side-encryption-aws-kms-key-id`, `x-amz-server-side-encryption-context`, and + * `x-amz-server-side-encryption-bucket-key-enabled`) that are specified in the `CreateSession` request. You don't + * need to explicitly specify these encryption settings values in Zonal endpoint API calls, and Amazon S3 will use the + * encryption settings values from the `CreateSession` request to protect new objects in the directory bucket. + * + * > When you use the CLI or the Amazon Web Services SDKs, for `CreateSession`, the session token refreshes + * > automatically to avoid service interruptions when a session expires. The CLI or the Amazon Web Services SDKs use + * > the bucket's default encryption configuration for the `CreateSession` request. 
It's not supported to override the + * > encryption settings values in the `CreateSession` request. So in the Zonal endpoint API calls (except CopyObject + * > [^6] and UploadPartCopy [^7]), the encryption request headers must match the default encryption configuration of + * > the directory bucket. * * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html + * [^2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html + * [^3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html + * [^4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html + * [^5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html + * [^6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html + * [^7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html * * @var ServerSideEncryption::*|null */ 
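Review bot: footnotes [^4]/[^6] and [^5]/[^7] in this hunk duplicate `API_CopyObject.html` and `API_UploadPartCopy.html`; reuse [^4] and [^5] inside the blockquote. `**General purpose buckets **` and `**Directory buckets **` have a space before the closing `**`. The unchanged summary line, "The server-side encryption algorithm that was used when you store this object", mixes tenses for an Input class; "to use when you store this object" fits better and matches the CopyObjectRequest wording. The directory-bucket bullet and the Zonal-endpoint paragraph are duplicated verbatim from CreateMultipartUploadRequest, including the duplicated footnotes, so whatever fix is applied there should be applied here in the same change.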
@@ -417,26 +443,44 @@ final class PutObjectRequest extends Input private $sseCustomerKeyMd5; /** - * If `x-amz-server-side-encryption` has a valid value of `aws:kms` or `aws:kms:dsse`, this header specifies the ID (Key - * ID, Key ARN, or Key Alias) of the Key Management Service (KMS) symmetric encryption customer managed key that was - * used for the object. If you specify `x-amz-server-side-encryption:aws:kms` or - * `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide` x-amz-server-side-encryption-aws-kms-key-id`, Amazon - * S3 uses the Amazon Web Services managed key (`aws/s3`) to protect the data. If the KMS key does not exist in the same - * account that's issuing the command, you must use the full ARN and not just the ID. + * Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for object encryption. If the KMS key doesn't exist + * in the same account that's issuing the command, you must use the full Key ARN not the Key ID. * - * > This functionality is not supported for directory buckets. + * **General purpose buckets** - If you specify `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this + * header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key to use. If you specify + * `x-amz-server-side-encryption:aws:kms` or `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide + * `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the Amazon Web Services managed key (`aws/s3`) to + * protect the data. + * + * **Directory buckets** - If you specify `x-amz-server-side-encryption` with `aws:kms`, you must specify the ` + * x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key ID or Key ARN) of the KMS symmetric encryption + * customer managed key to use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the key ID or key ARN. The + * key alias format of the KMS key isn't supported. 
Your SSE-KMS configuration can only support 1 customer managed key + * [^1] per directory bucket for the lifetime of the bucket. Amazon Web Services managed key [^2] (`aws/s3`) isn't + * supported. + * + * [^1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk + * [^2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk * * @var string|null */ private $sseKmsKeyId; /** - * Specifies the Amazon Web Services KMS Encryption Context to use for object encryption. The value of this header is a - * base64-encoded UTF-8 string holding JSON with the encryption context key-value pairs. This value is stored as object - * metadata and automatically gets passed on to Amazon Web Services KMS for future `GetObject` or `CopyObject` - * operations on this object. This value must be explicitly added during `CopyObject` operations. + * Specifies the Amazon Web Services KMS Encryption Context as an additional encryption context to use for object + * encryption. The value of this header is a Base64-encoded string of a UTF-8 encoded JSON, which contains the + * encryption context as key-value pairs. This value is stored as object metadata and automatically gets passed on to + * Amazon Web Services KMS for future `GetObject` operations on this object. * - * > This functionality is not supported for directory buckets. + * **General purpose buckets** - This value must be explicitly added during `CopyObject` operations if you want an + * additional encryption context for your object. For more information, see Encryption context [^1] in the *Amazon S3 + * User Guide*. + * + * **Directory buckets** - You can optionally provide an explicit encryption context value. The value must match the + * default encryption context - the bucket Amazon Resource Name (ARN). An additional encryption context value is not + * supported. 
+ * + * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context * * @var string|null */ @@ -444,12 +488,22 @@ final class PutObjectRequest extends Input /** * Specifies whether Amazon S3 should use an S3 Bucket Key for object encryption with server-side encryption using Key - * Management Service (KMS) keys (SSE-KMS). Setting this header to `true` causes Amazon S3 to use an S3 Bucket Key for - * object encryption with SSE-KMS. - * - * Specifying this header with a PUT action doesn’t affect bucket-level settings for S3 Bucket Key. - * - * > This functionality is not supported for directory buckets. + * Management Service (KMS) keys (SSE-KMS). + * + * **General purpose buckets** - Setting this header to `true` causes Amazon S3 to use an S3 Bucket Key for object + * encryption with SSE-KMS. Also, specifying this header with a PUT action doesn't affect bucket-level settings for S3 + * Bucket Key. + * + * **Directory buckets** - S3 Bucket Keys are always enabled for `GET` and `PUT` operations in a directory bucket and + * can’t be disabled. S3 Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects from general purpose + * buckets to directory buckets, from directory buckets to general purpose buckets, or between directory buckets, + * through CopyObject [^1], UploadPartCopy [^2], the Copy operation in Batch Operations [^3], or the import jobs [^4]. + * In this case, Amazon S3 makes a call to KMS every time a copy request is made for a KMS-encrypted object. + * + * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html + * [^2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html + * [^3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops + * [^4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job * * @var bool|null */ 
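Review bot: in the `$bucketKeyEnabled` hunk the paragraph mixes a curly apostrophe (`can’t`) with straight ones (`doesn't`, `aren't`), and "S3 Bucket Keys aren't supported, when you copy" has a stray comma; footnotes [^3] and [^4] (`directory-buckets-objects-Batch-Ops`, `create-import-job`) are the only userguide links in this patch without a `.html` suffix, so check that they resolve. The identical paragraph and footnotes appear in CreateMultipartUploadRequest's `$bucketKeyEnabled` hunk and need the same fixes. In the `$sseKmsKeyId` hunk above it, the wrapped code span for `x-amz-server-side-encryption-aws-kms-key-id` again starts with a space after the backtick. On substance, the statement that a copy into, out of, or between directory buckets calls KMS once per copy request for a KMS-encrypted object is a cost and KMS-throttling consideration for bulk copies; a one-line mention in the class docblock would help callers notice it before they discover it in CloudTrail.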
diff --git a/src/Result/CompleteMultipartUploadOutput.php b/src/Result/CompleteMultipartUploadOutput.php index ded9ea7..0888619 100644 --- a/src/Result/CompleteMultipartUploadOutput.php +++ b/src/Result/CompleteMultipartUploadOutput.php @@ -111,8 +111,6 @@ class CompleteMultipartUploadOutput extends Result /** * The server-side encryption algorithm used when storing this object in Amazon S3 (for example, `AES256`, `aws:kms`). * - * > For directory buckets, only server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is supported. - * * @var ServerSideEncryption::*|null */ private $serverSideEncryption; @@ -127,10 +125,7 @@ class CompleteMultipartUploadOutput extends Result private $versionId; /** - * If present, indicates the ID of the Key Management Service (KMS) symmetric encryption customer managed key that was - * used for the object. - * - * > This functionality is not supported for directory buckets. + * If present, indicates the ID of the KMS key that was used for object encryption. * * @var string|null */ @@ -140,8 +135,6 @@ class CompleteMultipartUploadOutput extends Result * Indicates whether the multipart upload uses an S3 Bucket Key for server-side encryption with Key Management Service * (KMS) keys (SSE-KMS). * - * > This functionality is not supported for directory buckets. - * * @var bool|null */ private $bucketKeyEnabled; diff --git a/src/Result/CopyObjectOutput.php b/src/Result/CopyObjectOutput.php index be6b572..d8ddc4e 100644 --- a/src/Result/CopyObjectOutput.php +++ b/src/Result/CopyObjectOutput.php @@ -48,8 +48,6 @@ class CopyObjectOutput extends Result * The server-side encryption algorithm used when you store this object in Amazon S3 (for example, `AES256`, `aws:kms`, * `aws:kms:dsse`). * - * > For directory buckets, only server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is supported. - * * @var ServerSideEncryption::*|null */ private $serverSideEncryption; 
@@ -75,10 +73,7 @@ class CopyObjectOutput extends Result private $sseCustomerKeyMd5; /** - * If present, indicates the ID of the Key Management Service (KMS) symmetric encryption customer managed key that was - * used for the object. - * - * > This functionality is not supported for directory buckets. + * If present, indicates the ID of the KMS key that was used for object encryption. * * @var string|null */ @@ -88,8 +83,6 @@ class CopyObjectOutput extends Result * If present, indicates the Amazon Web Services KMS Encryption Context to use for object encryption. The value of this * header is a base64-encoded UTF-8 string holding JSON with the encryption context key-value pairs. * - * > This functionality is not supported for directory buckets. - * * @var string|null */ private $sseKmsEncryptionContext; @@ -98,8 +91,6 @@ class CopyObjectOutput extends Result * Indicates whether the copied object uses an S3 Bucket Key for server-side encryption with Key Management Service * (KMS) keys (SSE-KMS). * - * > This functionality is not supported for directory buckets. - * * @var bool|null */ private $bucketKeyEnabled; diff --git a/src/Result/CreateMultipartUploadOutput.php b/src/Result/CreateMultipartUploadOutput.php index 452996a..c4aaa7d 100644 --- a/src/Result/CreateMultipartUploadOutput.php +++ b/src/Result/CreateMultipartUploadOutput.php @@ -64,8 +64,6 @@ class CreateMultipartUploadOutput extends Result /** * The server-side encryption algorithm used when you store this object in Amazon S3 (for example, `AES256`, `aws:kms`). * - * > For directory buckets, only server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is supported. - * * @var ServerSideEncryption::*|null */ private $serverSideEncryption; 
@@ -91,10 +89,7 @@ class CreateMultipartUploadOutput extends Result private $sseCustomerKeyMd5; /** - * If present, indicates the ID of the Key Management Service (KMS) symmetric encryption customer managed key that was - * used for the object. - * - * > This functionality is not supported for directory buckets. + * If present, indicates the ID of the KMS key that was used for object encryption. * * @var string|null */ @@ -102,9 +97,7 @@ class CreateMultipartUploadOutput extends Result /** * If present, indicates the Amazon Web Services KMS Encryption Context to use for object encryption. The value of this - * header is a base64-encoded UTF-8 string holding JSON with the encryption context key-value pairs. - * - * > This functionality is not supported for directory buckets. + * header is a Base64-encoded string of a UTF-8 encoded JSON, which contains the encryption context as key-value pairs. * * @var string|null */ @@ -114,8 +107,6 @@ class CreateMultipartUploadOutput extends Result * Indicates whether the multipart upload uses an S3 Bucket Key for server-side encryption with Key Management Service * (KMS) keys (SSE-KMS). * - * > This functionality is not supported for directory buckets. - * * @var bool|null */ private $bucketKeyEnabled; diff --git a/src/Result/GetObjectOutput.php b/src/Result/GetObjectOutput.php index 1ccb4f0..7294504 100644 --- a/src/Result/GetObjectOutput.php +++ b/src/Result/GetObjectOutput.php @@ -212,10 +212,7 @@ class GetObjectOutput extends Result private $websiteRedirectLocation; /** - * The server-side encryption algorithm used when you store this object in Amazon S3 (for example, `AES256`, `aws:kms`, - * `aws:kms:dsse`). - * - * > For directory buckets, only server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is supported. + * The server-side encryption algorithm used when you store this object in Amazon S3. * * @var ServerSideEncryption::*|null */ 
@@ -249,10 +246,7 @@ class GetObjectOutput extends Result private $sseCustomerKeyMd5; /** - * If present, indicates the ID of the Key Management Service (KMS) symmetric encryption customer managed key that was - * used for the object. - * - * > This functionality is not supported for directory buckets. + * If present, indicates the ID of the KMS key that was used for object encryption. * * @var string|null */ @@ -262,8 +256,6 @@ class GetObjectOutput extends Result * Indicates whether the object uses an S3 Bucket Key for server-side encryption with Key Management Service (KMS) keys * (SSE-KMS). * - * > This functionality is not supported for directory buckets. - * * @var bool|null */ private $bucketKeyEnabled; diff --git a/src/Result/HeadObjectOutput.php b/src/Result/HeadObjectOutput.php index 482a519..e7c9f3c 100644 --- a/src/Result/HeadObjectOutput.php +++ b/src/Result/HeadObjectOutput.php @@ -227,8 +227,6 @@ class HeadObjectOutput extends Result * The server-side encryption algorithm used when you store this object in Amazon S3 (for example, `AES256`, `aws:kms`, * `aws:kms:dsse`). * - * > For directory buckets, only server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is supported. - * * @var ServerSideEncryption::*|null */ private $serverSideEncryption; @@ -261,10 +259,7 @@ class HeadObjectOutput extends Result private $sseCustomerKeyMd5; /** - * If present, indicates the ID of the Key Management Service (KMS) symmetric encryption customer managed key that was - * used for the object. - * - * > This functionality is not supported for directory buckets. + * If present, indicates the ID of the KMS key that was used for object encryption. * * @var string|null */ 
@@ -274,8 +269,6 @@ class HeadObjectOutput extends Result * Indicates whether the object uses an S3 Bucket Key for server-side encryption with Key Management Service (KMS) keys * (SSE-KMS). * - * > This functionality is not supported for directory buckets. - * * @var bool|null */ private $bucketKeyEnabled; diff --git a/src/Result/PutObjectOutput.php b/src/Result/PutObjectOutput.php index f64773c..a53f3a8 100644 --- a/src/Result/PutObjectOutput.php +++ b/src/Result/PutObjectOutput.php @@ -88,10 +88,7 @@ class PutObjectOutput extends Result private $checksumSha256; /** - * The server-side encryption algorithm used when you store this object in Amazon S3 (for example, `AES256`, `aws:kms`, - * `aws:kms:dsse`). - * - * > For directory buckets, only server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is supported. + * The server-side encryption algorithm used when you store this object in Amazon S3. * * @var ServerSideEncryption::*|null */ @@ -136,10 +133,7 @@ class PutObjectOutput extends Result private $sseCustomerKeyMd5; /** - * If `x-amz-server-side-encryption` has a valid value of `aws:kms` or `aws:kms:dsse`, this header indicates the ID of - * the Key Management Service (KMS) symmetric encryption customer managed key that was used for the object. - * - * > This functionality is not supported for directory buckets. + * If present, indicates the ID of the KMS key that was used for object encryption. * * @var string|null */ 
@@ -147,11 +141,9 @@ class PutObjectOutput extends Result /** * If present, indicates the Amazon Web Services KMS Encryption Context to use for object encryption. The value of this - * header is a base64-encoded UTF-8 string holding JSON with the encryption context key-value pairs. This value is - * stored as object metadata and automatically gets passed on to Amazon Web Services KMS for future `GetObject` or - * `CopyObject` operations on this object. - * - * > This functionality is not supported for directory buckets. + * header is a Base64-encoded string of a UTF-8 encoded JSON, which contains the encryption context as key-value pairs. + * This value is stored as object metadata and automatically gets passed on to Amazon Web Services KMS for future + * `GetObject` operations on this object. * * @var string|null */ @@ -161,8 +153,6 @@ class PutObjectOutput extends Result * Indicates whether the uploaded object uses an S3 Bucket Key for server-side encryption with Key Management Service * (KMS) keys (SSE-KMS). * - * > This functionality is not supported for directory buckets. - * * @var bool|null */ private $bucketKeyEnabled; diff --git a/src/Result/UploadPartCopyOutput.php b/src/Result/UploadPartCopyOutput.php index d23f7fe..355c945 100644 --- a/src/Result/UploadPartCopyOutput.php +++ b/src/Result/UploadPartCopyOutput.php @@ -29,8 +29,6 @@ class UploadPartCopyOutput extends Result /** * The server-side encryption algorithm used when you store this object in Amazon S3 (for example, `AES256`, `aws:kms`). * - * > For directory buckets, only server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is supported. - * * @var ServerSideEncryption::*|null */ private $serverSideEncryption; 
@@ -56,10 +54,7 @@ class UploadPartCopyOutput extends Result private $sseCustomerKeyMd5; /** - * If present, indicates the ID of the Key Management Service (KMS) symmetric encryption customer managed key that was - * used for the object. - * - * > This functionality is not supported for directory buckets. + * If present, indicates the ID of the KMS key that was used for object encryption. * * @var string|null */ @@ -69,8 +64,6 @@ class UploadPartCopyOutput extends Result * Indicates whether the multipart upload uses an S3 Bucket Key for server-side encryption with Key Management Service * (KMS) keys (SSE-KMS). * - * > This functionality is not supported for directory buckets. - * * @var bool|null */ private $bucketKeyEnabled; diff --git a/src/Result/UploadPartOutput.php b/src/Result/UploadPartOutput.php index 821c7a5..fd3fa47 100644 --- a/src/Result/UploadPartOutput.php +++ b/src/Result/UploadPartOutput.php @@ -12,8 +12,6 @@ class UploadPartOutput extends Result /** * The server-side encryption algorithm used when you store this object in Amazon S3 (for example, `AES256`, `aws:kms`). * - * > For directory buckets, only server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) is supported. - * * @var ServerSideEncryption::*|null */ private $serverSideEncryption; @@ -98,10 +96,7 @@ class UploadPartOutput extends Result private $sseCustomerKeyMd5; /** - * If present, indicates the ID of the Key Management Service (KMS) symmetric encryption customer managed key that was - * used for the object. - * - * > This functionality is not supported for directory buckets. + * If present, indicates the ID of the KMS key that was used for object encryption. * * @var string|null */ 
@@ -111,8 +106,6 @@ class UploadPartOutput extends Result * Indicates whether the multipart upload uses an S3 Bucket Key for server-side encryption with Key Management Service * (KMS) keys (SSE-KMS). * - * > This functionality is not supported for directory buckets. - * * @var bool|null */ private $bucketKeyEnabled; diff --git a/src/S3Client.php b/src/S3Client.php index 97d9d0a..61cc235 100644 --- a/src/S3Client.php +++ b/src/S3Client.php 
@@ -257,17 +257,21 @@ public function bucketNotExists($input): BucketNotExistsWaiter * * - **General purpose bucket permissions** - For information about permissions required to use the multipart upload * API, see Multipart Upload and Permissions [^6] in the *Amazon S3 User Guide*. + * + * If you provide an additional checksum value [^7] in your `MultipartUpload` requests and the object is encrypted + * with Key Management Service, you must have permission to use the `kms:Decrypt` action for the + * `CompleteMultipartUpload` request to succeed. * - **Directory bucket permissions** - To grant access to this API operation on a directory bucket, we recommend that - * you use the `CreateSession` [^7] API operation for session-based authorization. Specifically, you grant the + * you use the `CreateSession` [^8] API operation for session-based authorization. Specifically, you grant the * `s3express:CreateSession` permission to the directory bucket in a bucket policy or an IAM identity-based policy. * Then, you make the `CreateSession` API call on the bucket to obtain a session token. With the session token in * your request header, you can make API requests to this operation. After the session token expires, you make * another `CreateSession` API call to generate a new session token for use. Amazon Web Services CLI or SDKs create * session and refresh the session token automatically to avoid service interruptions when a session expires. For - * more information about authorization, see `CreateSession` [^8]. - * - If you provide an additional checksum value [^9] in your `MultipartUpload` requests and the object is encrypted - * with Key Management Service, you must have permission to use the `kms:Decrypt` action for the - * `CompleteMultipartUpload` request to succeed. + * more information about authorization, see `CreateSession` [^9]. 
+ * + * If the object is encrypted with SSE-KMS, you must also have the `kms:GenerateDataKey` and `kms:Decrypt` + * permissions in IAM identity-based policies and KMS key policies for the KMS key. * * - `Special errors`: * @@ -314,9 +318,9 @@ public function bucketNotExists($input): BucketNotExistsWaiter * [^4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html * [^5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html * [^6]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html - * [^7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html + * [^7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html * [^8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html - * [^9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html + * [^9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html * [^10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html * [^11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html * [^12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html @@ -416,6 +420,9 @@ public function completeMultipartUpload($input): CompleteMultipartUploadOutput * the `Action` element of a policy to write the object to the destination. The `s3express:SessionMode` condition * key can't be set to `ReadOnly` on the copy destination bucket. * + * If the object is encrypted with SSE-KMS, you must also have the `kms:GenerateDataKey` and `kms:Decrypt` + * permissions in IAM identity-based policies and KMS key policies for the KMS key. + * * For example policies, see Example bucket policies for S3 Express One Zone [^6] and Amazon Web Services Identity * and Access Management (IAM) identity-based policies for S3 Express One Zone [^7] in the *Amazon S3 User Guide*. * 
@@ -761,8 +768,34 @@ public function createBucket($input): CreateBucketOutput * Protecting data using server-side encryption with customer-provided encryption keys (SSE-C) [^16] in the * *Amazon S3 User Guide*. * - * - **Directory buckets** -For directory buckets, only server-side encryption with Amazon S3 managed keys (SSE-S3) - * (`AES256`) is supported. + * - **Directory buckets** - For directory buckets, there are only two supported options for server-side encryption: + * server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS keys + * (SSE-KMS) (`aws:kms`). We recommend that the bucket's default encryption uses the desired encryption + * configuration and you don't override the bucket default encryption in your `CreateSession` requests or `PUT` + * object requests. Then, new objects are automatically encrypted with the desired encryption settings. For more + * information, see Protecting data with server-side encryption [^17] in the *Amazon S3 User Guide*. For more + * information about the encryption overriding behaviors in directory buckets, see Specifying server-side encryption + * with KMS for new object uploads [^18]. + * + * In the Zonal endpoint API calls (except CopyObject [^19] and UploadPartCopy [^20]) using the REST API, the + * encryption request headers must match the encryption settings that are specified in the `CreateSession` request. + * You can't override the values of the encryption settings (`x-amz-server-side-encryption`, + * `x-amz-server-side-encryption-aws-kms-key-id`, `x-amz-server-side-encryption-context`, and + * `x-amz-server-side-encryption-bucket-key-enabled`) that are specified in the `CreateSession` request. You don't + * need to explicitly specify these encryption settings values in Zonal endpoint API calls, and Amazon S3 will use + * the encryption settings values from the `CreateSession` request to protect new objects in the directory bucket. 
+ * + * > When you use the CLI or the Amazon Web Services SDKs, for `CreateSession`, the session token refreshes + * > automatically to avoid service interruptions when a session expires. The CLI or the Amazon Web Services SDKs + * > use the bucket's default encryption configuration for the `CreateSession` request. It's not supported to + * > override the encryption settings values in the `CreateSession` request. So in the Zonal endpoint API calls + * > (except CopyObject [^21] and UploadPartCopy [^22]), the encryption request headers must match the default + * > encryption configuration of the directory bucket. + * + * > For directory buckets, when you perform a `CreateMultipartUpload` operation and an `UploadPartCopy` operation, + * > the request headers you provide in the `CreateMultipartUpload` request must match the default encryption + * > configuration of the destination bucket. + * * * - `HTTP Host header syntax`: * @@ -770,11 +803,11 @@ public function createBucket($input): CreateBucketOutput * * The following operations are related to `CreateMultipartUpload`: * - * - UploadPart [^17] - * - CompleteMultipartUpload [^18] - * - AbortMultipartUpload [^19] - * - ListParts [^20] - * - ListMultipartUploads [^21] + * - UploadPart [^23] + * - CompleteMultipartUpload [^24] + * - AbortMultipartUpload [^25] + * - ListParts [^26] + * - ListMultipartUploads [^27] * * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html * [^2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html 
@@ -792,11 +825,17 @@ public function createBucket($input): CreateBucketOutput * [^14]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version * [^15]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html * [^16]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html - * [^17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html - * [^18]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html - * [^19]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html - * [^20]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html - * [^21]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html + * [^17]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html + * [^18]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html + * [^19]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html + * [^20]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html + * [^21]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html + * [^22]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html + * [^23]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html + * [^24]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html + * [^25]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html + * [^26]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html + * [^27]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html * * @see http://docs.amazonwebservices.com/AmazonS3/latest/API/mpUploadInitiate.html * @see https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html 
@@ -1225,27 +1264,45 @@ public function getBucketCors($input): GetBucketCorsOutput } /** - * > This operation is not supported by directory buckets. - * * Returns the default encryption configuration for an Amazon S3 bucket. By default, all buckets have a default - * encryption configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). For information about - * the bucket default encryption feature, see Amazon S3 Bucket Default Encryption [^1] in the *Amazon S3 User Guide*. + * encryption configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). + * + * > - **General purpose buckets** - For information about the bucket default encryption feature, see Amazon S3 Bucket + * > Default Encryption [^1] in the *Amazon S3 User Guide*. + * > - **Directory buckets** - For directory buckets, there are only two supported options for server-side encryption: + * > SSE-S3 and SSE-KMS. For information about the default encryption configuration in directory buckets, see Setting + * > default server-side encryption behavior for directory buckets [^2]. + * > * - * To use this operation, you must have permission to perform the `s3:GetEncryptionConfiguration` action. The bucket - * owner has this permission by default. The bucket owner can grant this permission to others. For more information - * about permissions, see Permissions Related to Bucket Subresource Operations [^2] and Managing Access Permissions to - * Your Amazon S3 Resources [^3]. + * - `Permissions`: + * + * - **General purpose bucket permissions** - The `s3:GetEncryptionConfiguration` permission is required in a policy. + * The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more + * information about permissions, see Permissions Related to Bucket Operations [^3] and Managing Access Permissions + * to Your Amazon S3 Resources [^4]. 
+ * - **Directory bucket permissions** - To grant access to this API operation, you must have the + * `s3express:GetEncryptionConfiguration` permission in an IAM identity-based policy instead of a bucket policy. + * Cross-account access to this API operation isn't supported. This operation can only be performed by the Amazon + * Web Services account that owns the resource. For more information about directory bucket policies and + * permissions, see Amazon Web Services Identity and Access Management (IAM) for S3 Express One Zone [^5] in the + * *Amazon S3 User Guide*. + * + * - `HTTP Host header syntax`: + * + * **Directory buckets ** - The HTTP Host header syntax is `s3express-control.*region*.amazonaws.com`. * * The following operations are related to `GetBucketEncryption`: * - * - PutBucketEncryption [^4] - * - DeleteBucketEncryption [^5] + * - PutBucketEncryption [^6] + * - DeleteBucketEncryption [^7] * * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html - * [^2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources - * [^3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html - * [^4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html - * [^5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html + * [^2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-bucket-encryption.html + * [^3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources + * [^4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html + * [^5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html + * [^6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html + * [^7]: 
https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html * * @see https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html * @see https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-s3-2006-03-01.html#getbucketencryption @@ -1313,6 +1370,9 @@ public function getBucketEncryption($input): GetBucketEncryptionOutput * session and refresh the session token automatically to avoid service interruptions when a session expires. For * more information about authorization, see `CreateSession` [^5]. * + * If the object is encrypted using SSE-KMS, you must also have the `kms:GenerateDataKey` and `kms:Decrypt` + * permissions in IAM identity-based policies and KMS key policies for the KMS key. + * * - `Storage classes`: * * If the object you are retrieving is stored in the S3 Glacier Flexible Retrieval storage class, the S3 Glacier Deep @@ -1331,6 +1391,10 @@ public function getBucketEncryption($input): GetBucketEncryptionOutput * with Key Management Service (KMS) keys (SSE-KMS), or dual-layer server-side encryption with Amazon Web Services KMS * keys (DSSE-KMS). If you include the header in your `GetObject` requests for the object that uses these types of * keys, you’ll get an HTTP `400 Bad Request` error. + * + * **Directory buckets** - For directory buckets, there are only two supported options for server-side encryption: + * SSE-S3 and SSE-KMS. SSE-C isn't supported. For more information, see Protecting data with server-side encryption + * [^8] in the *Amazon S3 User Guide*. * - `Overriding response header values through the request`: * * There are times when you want to override certain response header values of a `GetObject` response. For example, 
@@ -1363,8 +1427,8 @@ public function getBucketEncryption($input): GetBucketEncryptionOutput * * The following operations are related to `GetObject`: * - * - ListBuckets [^8] - * - GetObjectAcl [^9] + * - ListBuckets [^9] + * - GetObjectAcl [^10] * * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html#VirtualHostingSpecifyBucket * [^2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html @@ -1373,8 +1437,9 @@ public function getBucketEncryption($input): GetBucketEncryptionOutput * [^5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html * [^6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html * [^7]: https://docs.aws.amazon.com/AmazonS3/latest/dev/restoring-objects.html - * [^8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html - * [^9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html + * [^8]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html + * [^9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html + * [^10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html * * @see http://docs.amazonwebservices.com/AmazonS3/latest/API/RESTObjectGET.html * @see https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html 
@@ -1555,6 +1620,11 @@ public function getObjectTagging($input): GetObjectTaggingOutput * session and refresh the session token automatically to avoid service interruptions when a session expires. For * more information about authorization, see `CreateSession` [^4]. * + * If you enable `x-amz-checksum-mode` in the request and the object is encrypted with Amazon Web Services Key + * Management Service (Amazon Web Services KMS), you must also have the `kms:GenerateDataKey` and `kms:Decrypt` + * permissions in IAM identity-based policies and KMS key policies for the KMS key to retrieve the checksum of the + * object. + * * - `Encryption`: * * > Encryption request headers, like `x-amz-server-side-encryption`, should not be sent for `HEAD` requests if your @@ -1576,8 +1646,9 @@ public function getObjectTagging($input): GetObjectTaggingOutput * For more information about SSE-C, see Server-Side Encryption (Using Customer-Provided Encryption Keys) [^5] in the * *Amazon S3 User Guide*. * - * > **Directory bucket permissions** - For directory buckets, only server-side encryption with Amazon S3 managed keys - * > (SSE-S3) (`AES256`) is supported. + * > **Directory bucket ** - For directory buckets, there are only two supported options for server-side encryption: + * > SSE-S3 and SSE-KMS. SSE-C isn't supported. For more information, see Protecting data with server-side encryption + * > [^6] in the *Amazon S3 User Guide*. * * - `Versioning`: * 
@@ -1599,22 +1670,23 @@ public function getObjectTagging($input): GetObjectTaggingOutput * > For directory buckets, you must make requests for this API operation to the Zonal endpoint. These endpoints * > support virtual-hosted-style requests in the format * > `https://*bucket_name*.s3express-*az_id*.*region*.amazonaws.com/*key-name*`. Path-style requests are not - * > supported. For more information, see Regional and Zonal endpoints [^6] in the *Amazon S3 User Guide*. + * > supported. For more information, see Regional and Zonal endpoints [^7] in the *Amazon S3 User Guide*. * * * The following actions are related to `HeadObject`: * - * - GetObject [^7] - * - GetObjectAttributes [^8] + * - GetObject [^8] + * - GetObjectAttributes [^9] * * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTCommonRequestHeaders.html * [^2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html * [^3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html * [^4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html * [^5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html - * [^6]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html - * [^7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html - * [^8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAttributes.html + * [^6]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html + * [^7]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html + * [^8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html + * [^9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAttributes.html * * @see http://docs.amazonwebservices.com/AmazonS3/latest/API/RESTObjectHEAD.html * @see https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html 
@@ -2351,6 +2423,9 @@ public function putBucketTagging($input): Result * session and refresh the session token automatically to avoid service interruptions when a session expires. For * more information about authorization, see `CreateSession` [^6]. * + * If the object is encrypted with SSE-KMS, you must also have the `kms:GenerateDataKey` and `kms:Decrypt` + * permissions in IAM identity-based policies and KMS key policies for the KMS key. + * * - `Data integrity with Content-MD5`: * * - **General purpose bucket** - To ensure that data is not corrupted traversing the network, use the `Content-MD5` @@ -2699,6 +2774,9 @@ public function putObjectTagging($input): PutObjectTaggingOutput * session and refresh the session token automatically to avoid service interruptions when a session expires. For * more information about authorization, see `CreateSession` [^10]. * + * If the object is encrypted with SSE-KMS, you must also have the `kms:GenerateDataKey` and `kms:Decrypt` + * permissions in IAM identity-based policies and KMS key policies for the KMS key. + * * - `Data integrity`: * * **General purpose bucket** - To ensure that data is not corrupted traversing the network, specify the `Content-MD5` 
@@ -2734,10 +2812,11 @@ public function putObjectTagging($input): PutObjectTaggingOutput * - x-amz-server-side-encryption-customer-key * - x-amz-server-side-encryption-customer-key-MD5 * - * - **Directory bucket** - For directory buckets, only server-side encryption with Amazon S3 managed keys (SSE-S3) - * (`AES256`) is supported. + * For more information, see Using Server-Side Encryption [^13] in the *Amazon S3 User Guide*. + * - **Directory buckets ** - For directory buckets, there are only two supported options for server-side encryption: + * server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS keys + * (SSE-KMS) (`aws:kms`). * - * For more information, see Using Server-Side Encryption [^13] in the *Amazon S3 User Guide*. * - `Special errors`: * * - Error Code: `NoSuchUpload` @@ -2878,6 +2957,9 @@ public function uploadPart($input): UploadPartOutput * the `Action` element of a policy to write the object to the destination. The `s3express:SessionMode` condition * key cannot be set to `ReadOnly` on the copy destination. * + * If the object is encrypted with SSE-KMS, you must also have the `kms:GenerateDataKey` and `kms:Decrypt` + * permissions in IAM identity-based policies and KMS key policies for the KMS key. + * * For example policies, see Example bucket policies for S3 Express One Zone [^10] and Amazon Web Services Identity * and Access Management (IAM) identity-based policies for S3 Express One Zone [^11] in the *Amazon S3 User Guide*. * 
@@ -2885,8 +2967,19 @@ public function uploadPart($input): UploadPartOutput * * - **General purpose buckets ** - For information about using server-side encryption with customer-provided * encryption keys with the `UploadPartCopy` operation, see CopyObject [^12] and UploadPart [^13]. - * - **Directory buckets ** - For directory buckets, only server-side encryption with Amazon S3 managed keys (SSE-S3) - * (`AES256`) is supported. + * - **Directory buckets ** - For directory buckets, there are only two supported options for server-side encryption: + * server-side encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS keys + * (SSE-KMS) (`aws:kms`). For more information, see Protecting data with server-side encryption [^14] in the *Amazon + * S3 User Guide*. + * + * > For directory buckets, when you perform a `CreateMultipartUpload` operation and an `UploadPartCopy` operation, + * > the request headers you provide in the `CreateMultipartUpload` request must match the default encryption + * > configuration of the destination bucket. + * + * S3 Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects from general purpose buckets to + * directory buckets, from directory buckets to general purpose buckets, or between directory buckets, through + * UploadPartCopy [^15]. In this case, Amazon S3 makes a call to KMS every time a copy request is made for a + * KMS-encrypted object. * * - `Special errors`: * 
@@ -2908,12 +3001,12 @@ public function uploadPart($input): UploadPartOutput * * The following operations are related to `UploadPartCopy`: * - * - CreateMultipartUpload [^14] - * - UploadPart [^15] - * - CompleteMultipartUpload [^16] - * - AbortMultipartUpload [^17] - * - ListParts [^18] - * - ListMultipartUploads [^19] + * - CreateMultipartUpload [^16] + * - UploadPart [^17] + * - CompleteMultipartUpload [^18] + * - AbortMultipartUpload [^19] + * - ListParts [^20] + * - ListMultipartUploads [^21] * * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/qfacts.html * [^2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html 
@@ -2928,12 +3021,14 @@ public function uploadPart($input): UploadPartOutput * [^11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html * [^12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html * [^13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html - * [^14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html - * [^15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html - * [^16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html - * [^17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html - * [^18]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html - * [^19]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html + * [^14]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html + * [^15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html + * [^16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html + * [^17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html + * [^18]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html + * [^19]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html + * [^20]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html + * [^21]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html * * @see http://docs.amazonwebservices.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html * @see https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html diff --git a/src/ValueObject/ServerSideEncryptionByDefault.php b/src/ValueObject/ServerSideEncryptionByDefault.php index 9e21351..c1cf9db 100644 --- a/src/ValueObject/ServerSideEncryptionByDefault.php +++ b/src/ValueObject/ServerSideEncryptionByDefault.php 
@@ -7,29 +7,41 @@ /** * Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't - * specify any server-side encryption, this default encryption will be applied. If you don't specify a customer managed - * key at configuration, Amazon S3 automatically creates an Amazon Web Services KMS key in your Amazon Web Services - * account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS - * key for SSE-KMS. For more information, see PUT Bucket encryption [^1] in the *Amazon S3 API Reference*. + * specify any server-side encryption, this default encryption will be applied. For more information, see + * PutBucketEncryption [^1]. * - * > If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS - * > key alias instead, then KMS resolves the key within the requester’s account. This behavior can result in data - * > that's encrypted with a KMS key that belongs to the requester, and not the bucket owner. + * > - **General purpose buckets** - If you don't specify a customer managed key at configuration, Amazon S3 + * > automatically creates an Amazon Web Services KMS key (`aws/s3`) in your Amazon Web Services account the first + * > time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for + * > SSE-KMS. + * > - **Directory buckets** - Your SSE-KMS configuration can only support 1 customer managed key [^2] per directory + * > bucket for the lifetime of the bucket. Amazon Web Services managed key [^3] (`aws/s3`) isn't supported. + * > - **Directory buckets** - For directory buckets, there are only two supported options for server-side encryption: + * > SSE-S3 and SSE-KMS. 
+ * > * * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html + * [^2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk + * [^3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk */ final class ServerSideEncryptionByDefault { /** * Server-side encryption algorithm to use for the default encryption. * + * > For directory buckets, there are only two supported values for server-side encryption: `AES256` and `aws:kms`. + * * @var ServerSideEncryption::* */ private $sseAlgorithm; /** - * Amazon Web Services Key Management Service (KMS) customer Amazon Web Services KMS key ID to use for the default - * encryption. This parameter is allowed if and only if `SSEAlgorithm` is set to `aws:kms` or `aws:kms:dsse`. + * Amazon Web Services Key Management Service (KMS) customer managed key ID to use for the default encryption. + * + * > - **General purpose buckets** - This parameter is allowed if and only if `SSEAlgorithm` is set to `aws:kms` or + * > `aws:kms:dsse`. + * > - **Directory buckets** - This parameter is allowed if and only if `SSEAlgorithm` is set to `aws:kms`. + * > * * You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key. * 
@@ -37,16 +49,24 @@ final class ServerSideEncryptionByDefault * - Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab` * - Key Alias: `alias/alias-name` * - * If you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log. - * - * If you are using encryption with cross-account or Amazon Web Services service operations you must use a fully + * If you are using encryption with cross-account or Amazon Web Services service operations, you must use a fully * qualified KMS key ARN. For more information, see Using encryption for cross-account operations [^1]. * + * > - **General purpose buckets** - If you're specifying a customer managed KMS key, we recommend using a fully + * > qualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves the key within the requester’s + * > account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not + * > the bucket owner. Also, if you use a key ID, you can run into a LogDestination undeliverable error when creating + * > a VPC flow log. + * > - **Directory buckets** - When you specify an KMS customer managed key [^2] for encryption in your directory + * > bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported. + * > + * * ! Amazon S3 only supports symmetric encryption KMS keys. For more information, see Asymmetric keys in Amazon Web - * ! Services KMS [^2] in the *Amazon Web Services Key Management Service Developer Guide*. + * ! Services KMS [^3] in the *Amazon Web Services Key Management Service Developer Guide*. 
* * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy - * [^2]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html + * [^2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk + * [^3]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html * * @var string|null */ diff --git a/src/ValueObject/ServerSideEncryptionRule.php b/src/ValueObject/ServerSideEncryptionRule.php index ff09ed3..1e38c37 100644 --- a/src/ValueObject/ServerSideEncryptionRule.php +++ b/src/ValueObject/ServerSideEncryptionRule.php @@ -5,9 +5,15 @@ /** * Specifies the default server-side encryption configuration. * - * > If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS - * > key alias instead, then KMS resolves the key within the requester’s account. This behavior can result in data - * > that's encrypted with a KMS key that belongs to the requester, and not the bucket owner. + * > - **General purpose buckets** - If you're specifying a customer managed KMS key, we recommend using a fully + * > qualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves the key within the requester’s + * > account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not + * > the bucket owner. + * > - **Directory buckets** - When you specify an KMS customer managed key [^1] for encryption in your directory + * > bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported. + * > + * + * [^1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk */ final class ServerSideEncryptionRule { 
@@ -22,11 +28,23 @@ final class ServerSideEncryptionRule /** * Specifies whether Amazon S3 should use an S3 Bucket Key with server-side encryption using KMS (SSE-KMS) for new * objects in the bucket. Existing objects are not affected. Setting the `BucketKeyEnabled` element to `true` causes - * Amazon S3 to use an S3 Bucket Key. By default, S3 Bucket Key is not enabled. + * Amazon S3 to use an S3 Bucket Key. * - * For more information, see Amazon S3 Bucket Keys [^1] in the *Amazon S3 User Guide*. + * > - **General purpose buckets** - By default, S3 Bucket Key is not enabled. For more information, see Amazon S3 + * > Bucket Keys [^1] in the *Amazon S3 User Guide*. + * > - **Directory buckets** - S3 Bucket Keys are always enabled for `GET` and `PUT` operations in a directory bucket + * > and can’t be disabled. S3 Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects from general + * > purpose buckets to directory buckets, from directory buckets to general purpose buckets, or between directory + * > buckets, through CopyObject [^2], UploadPartCopy [^3], the Copy operation in Batch Operations [^4], or the import + * > jobs [^5]. In this case, Amazon S3 makes a call to KMS every time a copy request is made for a KMS-encrypted + * > object. + * > * * [^1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html + * [^2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html + * [^3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html + * [^4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops + * [^5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job * * @var bool|null */
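Review bot: In the `@@ -1555,6 +1620,11 @@` hunk (HeadObject permissions) the new paragraph conditions the `kms:GenerateDataKey` and `kms:Decrypt` requirement on `x-amz-checksum-mode` being enabled, while the otherwise matching paragraphs added to PutObject, UploadPart and UploadPartCopy state it unconditionally (`If the object is encrypted with SSE-KMS, you must also have ...`). If the HEAD-only condition is deliberate (KMS is touched only when the checksum is retrieved), a short clause saying so would stop readers from assuming the other three are also checksum-only; otherwise align the wording across the four paragraphs.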
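Review bot: In the `@@ -1576,8 +1646,9 @@` hunk the label `> **Directory bucket ** - For directory buckets, ...` has a space before the closing `**`, so the bold will not render, and the word `permissions` from the old `**Directory bucket permissions**` was dropped even though the paragraph still sits under the permissions bullets. Suggest `> **Directory buckets** - For directory buckets, ...`; the same trailing-space marker recurs in the UploadPart and UploadPartCopy hunks and should be fixed in one pass.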
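Review bot: In the `@@ -2351,6 +2423,9 @@` hunk (PutObject permissions) the added paragraph `If the object is encrypted with SSE-KMS, you must also have the kms:GenerateDataKey and kms:Decrypt permissions ...` is placed directly after the directory-bucket `CreateSession` sentence, so it reads as applying to directory buckets only; state the scope explicitly (both bucket types, or directory buckets only), since a reader checking a general purpose bucket policy will otherwise skip it.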
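Review bot: In the `@@ -2699,6 +2774,9 @@` hunk (UploadPart permissions) the unconditioned SSE-KMS paragraph again lands right after the directory-bucket `CreateSession` sentence and before `Data integrity`, leaving it ambiguous whether general purpose buckets are covered; since this text is word-for-word identical to the PutObject and UploadPartCopy insertions, apply the same scope wording to all three rather than fixing one.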
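Review bot: In the `@@ -2734,10 +2812,11 @@` hunk the directory-bucket bullet is written as `**Directory buckets **` with a space before the closing `**` (bold will not render), and because `For more information, see Using Server-Side Encryption [^13]` was moved up under the general purpose bucket, the directory-bucket bullet is left with no reference at all, unlike the equivalent UploadPartCopy bullet which links Protecting data with server-side encryption. Suggest fixing the marker and adding the same link here so both operations document SSE-S3/SSE-KMS for directory buckets the same way.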
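Review bot: In the `@@ -2878,6 +2957,9 @@` hunk (UploadPartCopy permissions) the SSE-KMS permission paragraph is inserted between the `s3express:SessionMode` sentence and `For example policies, see Example bucket policies for S3 Express One Zone ...`, so the example-policy pointer now appears to cover the KMS key policy as well, which those examples are not about. For a copy the sentence also does not say whether `kms:GenerateDataKey` and `kms:Decrypt` are meant on the source object's key, the destination bucket's key, or both; spelling that out is what an operator writing a least-privilege copy policy needs.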
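Review bot: In the `@@ -2885,8 +2967,19 @@` hunk, `S3 Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects` has a stray comma before `when`, and the new `**Directory buckets **` label (like the pre-existing `**General purpose buckets **` context line above it) has a space before the closing `**`. The blockquote stating that the `CreateMultipartUpload` request headers `must match the default encryption configuration of the destination bucket` does not say what happens on a mismatch; if the upstream text names the resulting error, include it, because that is the string a caller debugging a failed multipart copy into a directory bucket will search for.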
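Review bot: In the `@@ -2928,12 +3021,14 @@` hunk the new `[^15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html` is referenced only from `through UploadPartCopy [^15]` inside the UploadPartCopy docblock itself, so it links the operation to its own API page; drop the reference and the definition, which also shortens the renumbering below it by one. The remaining renumbering ([^14]..[^19] to [^16]..[^21]) matches the related-operations list in the preceding hunk.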
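Review bot: In the `@@ -7,29 +7,41 @@` hunk of ServerSideEncryptionByDefault.php the class blockquote has two consecutive bullets both labelled `**Directory buckets**` (the one-customer-managed-key rule and the SSE-S3/SSE-KMS-only rule); merge them into a single bullet. The blockquotes here and on `$kmsMasterKeyID` each end with a bare `+ * >` line that renders as an empty quoted line and should be removed. The statement that the configuration `can only support 1 customer managed key ... for the lifetime of the bucket` is a strong operational constraint (the key is fixed at creation and cannot be changed later); if the upstream doc says how `PutBucketEncryption` responds when a different key is supplied afterwards, add it, since it affects key-rotation planning for anyone relying on this value object.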
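Review bot: In the `@@ -37,16 +49,24 @@` hunk, `When you specify an KMS customer managed key [^2]` should read `a KMS customer managed key`, and the blockquote again ends with a bare `> ` line. The directory-bucket bullet says `The key alias format of the KMS key isn't supported`, yet the unchanged list just above still offers `Key Alias: alias/alias-name` as an accepted format without qualification; mark that entry as general purpose buckets only so the two do not contradict each other. Moving the `LogDestination undeliverable` VPC flow log sentence under the general purpose bullet is correct.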
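Review bot: In the `@@ -5,9 +5,15 @@` hunk of ServerSideEncryptionRule.php the same `an KMS customer managed key` typo and trailing bare `> ` line recur, and the blockquote duplicates the `$kmsMasterKeyID` note from ServerSideEncryptionByDefault.php word for word (alias resolves in the requester's account; directory buckets accept only key ID or key ARN). Keeping the full text in one place with a pointer from the other avoids the two copies drifting apart on the next upstream update.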
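Review bot: In the `@@ -22,11 +28,23 @@` hunk the two new footnotes `[^4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops` and `[^5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job` lack the `.html` suffix that every other footnote in this file carries; check that they resolve. `S3 Bucket Keys aren't supported, when you copy` has the same stray comma as the UploadPartCopy hunk. The directory-bucket bullet says Bucket Keys `are always enabled ... and can't be disabled` but not what happens when a caller sets `BucketKeyEnabled` to `false` for a directory bucket (ignored or rejected), which is the behaviour a user of this value object needs. And since `Amazon S3 makes a call to KMS every time a copy request is made for a KMS-encrypted object`, the KMS key policy must permit those calls for the copying principal; a cross-reference to the `kms:GenerateDataKey`/`kms:Decrypt` paragraphs added in the operation docblocks would tie the two together.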