Class: Aws::S3::Types::ServerSideEncryptionRule
- Inherits:
-
Struct
- Object
- Struct
- Aws::S3::Types::ServerSideEncryptionRule
- Includes:
- Aws::Structure
- Defined in:
- lib/aws-sdk-s3/types.rb
Overview
Specifies the default server-side encryption configuration.
<note markdown=“1”> * **General purpose buckets** - If you’re specifying a customer
managed KMS key, we recommend using a fully qualified KMS key ARN.
If you use a KMS key alias instead, then KMS resolves the key within
the requester’s account. This behavior can result in data that's
encrypted with a KMS key that belongs to the requester, and not the
bucket owner.
-
**Directory buckets** - When you specify an [KMS customer managed key] for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn’t supported.
</note>
[1]: docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
Constant Summary collapse
- SENSITIVE =
[]
Instance Attribute Summary collapse
-
#apply_server_side_encryption_by_default ⇒ Types::ServerSideEncryptionByDefault
Specifies the default server-side encryption to apply to new objects in the bucket.
-
#bucket_key_enabled ⇒ Boolean
Specifies whether Amazon S3 should use an S3 Bucket Key with server-side encryption using KMS (SSE-KMS) for new objects in the bucket.
Instance Attribute Details
#apply_server_side_encryption_by_default ⇒ Types::ServerSideEncryptionByDefault
Specifies the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn’t specify any server-side encryption, this default encryption will be applied.
17179 17180 17181 17182 17183 17184 |
# File 'lib/aws-sdk-s3/types.rb', line 17179 class ServerSideEncryptionRule < Struct.new( :apply_server_side_encryption_by_default, :bucket_key_enabled) SENSITIVE = [] include Aws::Structure end |
#bucket_key_enabled ⇒ Boolean
Specifies whether Amazon S3 should use an S3 Bucket Key with server-side encryption using KMS (SSE-KMS) for new objects in the bucket. Existing objects are not affected. Setting the ‘BucketKeyEnabled` element to `true` causes Amazon S3 to use an S3 Bucket Key.
<note markdown=“1”> * **General purpose buckets** - By default, S3 Bucket Key is not
enabled. For more information, see [Amazon S3 Bucket Keys][1] in
the *Amazon S3 User Guide*.
-
**Directory buckets** - S3 Bucket Keys are always enabled for ‘GET` and `PUT` operations in a directory bucket and can’t be disabled. S3 Bucket Keys aren’t supported, when you copy SSE-KMS encrypted objects from general purpose buckets to directory buckets, from directory buckets to general purpose buckets, or between directory buckets, through [CopyObject], [UploadPartCopy], [the Copy operation in Batch Operations], or [the import jobs]. In this case, Amazon S3 makes a call to KMS every time a copy request is made for a KMS-encrypted object.
</note>
[1]: docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html [2]: docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html [3]: docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html [4]: docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops [5]: docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
17179 17180 17181 17182 17183 17184 |
# File 'lib/aws-sdk-s3/types.rb', line 17179 class ServerSideEncryptionRule < Struct.new( :apply_server_side_encryption_by_default, :bucket_key_enabled) SENSITIVE = [] include Aws::Structure end |