Class: Aws::S3::Types::ServerSideEncryptionRule

Inherits:

Struct

• Object
• Struct
• Aws::S3::Types::ServerSideEncryptionRule

Includes:

Aws::Structure

Defined in:

lib/aws-sdk-s3/types.rb

Overview

Specifies the default server-side encryption configuration.

<note markdown=“1”> * **General purpose buckets** - If you’re specifying a customer

managed KMS key, we recommend using a fully qualified KMS key ARN.
If you use a KMS key alias instead, then KMS resolves the key within
the requester

• **Directory buckets** - When you specify an [KMS customer managed key] for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn’t supported.

</note>

[1]: docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk

See Also:

• AWS API Documentation

Constant Summary

SENSITIVE =

[]

Instance Attribute Summary

• #apply_server_side_encryption_by_default ⇒ Types::ServerSideEncryptionByDefault

  Specifies the default server-side encryption to apply to new objects in the bucket.

• #blocked_encryption_types ⇒ Types::BlockedEncryptionTypes

  A bucket-level setting for Amazon S3 general purpose buckets used to prevent the upload of new objects encrypted with the specified server-side encryption type.

• #bucket_key_enabled ⇒ Boolean

  Specifies whether Amazon S3 should use an S3 Bucket Key with server-side encryption using KMS (SSE-KMS) for new objects in the bucket.

Instance Attribute Details

#apply_server_side_encryption_by_default ⇒ Types::ServerSideEncryptionByDefault

Specifies the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn’t specify any server-side encryption, this default encryption will be applied.

Returns:

# File 'lib/aws-sdk-s3/types.rb', line 18857

class ServerSideEncryptionRule < Struct.new(
  :apply_server_side_encryption_by_default,
  :bucket_key_enabled,
  :blocked_encryption_types)
  SENSITIVE = []
  include Aws::Structure
end

#blocked_encryption_types ⇒ Types::BlockedEncryptionTypes

A bucket-level setting for Amazon S3 general purpose buckets used to prevent the upload of new objects encrypted with the specified server-side encryption type. For example, blocking an encryption type will block PutObject, CopyObject, PostObject, multipart upload, and replication requests to the bucket for objects with the specified encryption type. However, you can continue to read and list any pre-existing objects already encrypted with the specified encryption type. For more information, see [Blocking or unblocking SSE-C for a general purpose bucket].

<note markdown=“1”> Currently, this parameter only supports blocking or unblocking server-side encryption with customer-provided keys (SSE-C). For more information about SSE-C, see [Using server-side encryption with customer-provided keys (SSE-C)].

</note>

[1]: docs.aws.amazon.com/AmazonS3/latest/userguide/blocking-unblocking-s3-c-encryption-gpb.html [2]: docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html

Returns:

# File 'lib/aws-sdk-s3/types.rb', line 18857

class ServerSideEncryptionRule < Struct.new(
  :apply_server_side_encryption_by_default,
  :bucket_key_enabled,
  :blocked_encryption_types)
  SENSITIVE = []
  include Aws::Structure
end

#bucket_key_enabled ⇒ Boolean

Specifies whether Amazon S3 should use an S3 Bucket Key with server-side encryption using KMS (SSE-KMS) for new objects in the bucket. Existing objects are not affected. Setting the BucketKeyEnabled element to true causes Amazon S3 to use an S3 Bucket Key.

<note markdown=“1”> * **General purpose buckets** - By default, S3 Bucket Key is not

enabled. For more information, see [Amazon S3 Bucket Keys][1] in
the *Amazon S3 User Guide*.

• **Directory buckets** - S3 Bucket Keys are always enabled for GET and PUT operations in a directory bucket and can’t be disabled. S3 Bucket Keys aren’t supported, when you copy SSE-KMS encrypted objects from general purpose buckets to directory buckets, from directory buckets to general purpose buckets, or between directory buckets, through [CopyObject], [UploadPartCopy], [the Copy operation in Batch Operations], or [the import jobs]. In this case, Amazon S3 makes a call to KMS every time a copy request is made for a KMS-encrypted object.

</note>

[1]: docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html [2]: docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html [3]: docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html [4]: docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops [5]: docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job

Returns:

# File 'lib/aws-sdk-s3/types.rb', line 18857

class ServerSideEncryptionRule < Struct.new(
  :apply_server_side_encryption_by_default,
  :bucket_key_enabled,
  :blocked_encryption_types)
  SENSITIVE = []
  include Aws::Structure
end