feat(client-s3): Added SSE-KMS support for directory buckets.
awstools committed Sep 18, 2024
1 parent 900a39e commit a00b8b0
Showing 17 changed files with 840 additions and 360 deletions.
15 changes: 8 additions & 7 deletions clients/client-s3/src/commands/CompleteMultipartUploadCommand.ts
Expand Up @@ -85,6 +85,11 @@ export interface CompleteMultipartUploadCommandOutput extends CompleteMultipartU
* information about permissions required to use the multipart upload API, see
* <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html">Multipart Upload and
* Permissions</a> in the <i>Amazon S3 User Guide</i>.</p>
* <p>If you provide an <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html">additional checksum
* value</a> in your <code>MultipartUpload</code> requests and the
* object is encrypted with Key Management Service, you must have permission to use the
* <code>kms:Decrypt</code> action for the
* <code>CompleteMultipartUpload</code> request to succeed.</p>
* </li>
* <li>
* <p>
Expand All @@ -94,13 +99,9 @@ export interface CompleteMultipartUploadCommandOutput extends CompleteMultipartU
* Amazon Web Services CLI or SDKs create session and refresh the session token automatically to avoid service interruptions when a session expires. For more information about authorization, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html">
* <code>CreateSession</code>
* </a>.</p>
* </li>
* <li>
* <p> If you provide an <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html">additional checksum
* value</a> in your <code>MultipartUpload</code> requests and the
* object is encrypted with Key Management Service, you must have permission to use the
* <code>kms:Decrypt</code> action for the
* <code>CompleteMultipartUpload</code> request to succeed.</p>
* <p>If the object is encrypted with
* SSE-KMS, you must also have the
* <code>kms:GenerateDataKey</code> and <code>kms:Decrypt</code> permissions in IAM identity-based policies and KMS key policies for the KMS key.</p>
* </li>
* </ul>
* </dd>
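Review bot: "you must also have" in the added sentence (`If the object is encrypted with SSE-KMS, you must also have the ...`) does not say which principal needs `kms:GenerateDataKey` and `kms:Decrypt`. For directory buckets the Zonal calls are signed with session credentials, and the CreateSession docs in this same commit place these two KMS permissions on the identity that calls `CreateSession`, so state that here ("the identity that created the session must have ... in its IAM policy and in the KMS key policy") so operators scope the key policy to the right principal. Replacing the dropped `kms:Decrypt`-only sentence with the two-permission requirement is a correct tightening; keep the checksum-specific `kms:Decrypt` wording in the general purpose buckets item above, where it was moved.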
3 changes: 3 additions & 0 deletions clients/client-s3/src/commands/CopyObjectCommand.ts
Expand Up @@ -132,6 +132,9 @@ export interface CopyObjectCommandOutput extends CopyObjectOutput, __MetadataBea
* key can't be set to <code>ReadOnly</code> on the copy destination bucket. </p>
* </li>
* </ul>
* <p>If the object is encrypted with
* SSE-KMS, you must also have the
* <code>kms:GenerateDataKey</code> and <code>kms:Decrypt</code> permissions in IAM identity-based policies and KMS key policies for the KMS key.</p>
* <p>For example policies, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html">Example bucket policies for S3 Express One Zone</a> and <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html">Amazon Web Services Identity and Access Management (IAM) identity-based policies for S3 Express One Zone</a> in the
* <i>Amazon S3 User Guide</i>.</p>
* </li>
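Review bot: the added SSE-KMS sentence should name the identity that needs `kms:GenerateDataKey` and `kms:Decrypt` for a copy. Unlike the other Zonal endpoint operations, `CopyObject` does not use the session credentials returned by `CreateSession` (as the CreateSession docs in this commit state), so these permissions must be granted to the principal that signs the `CopyObject` request and in the key policy of the destination bucket's KMS key; a reader who has set up a session and the key policy for the session identity will otherwise get an unexplained access denial on copy.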
22 changes: 21 additions & 1 deletion clients/client-s3/src/commands/CreateMultipartUploadCommand.ts
Expand Up @@ -216,7 +216,27 @@ export interface CreateMultipartUploadCommandOutput extends CreateMultipartUploa
* </li>
* <li>
* <p>
* <b>Directory buckets</b> -For directory buckets, only server-side encryption with Amazon S3 managed keys (SSE-S3) (<code>AES256</code>) is supported.</p>
* <b>Directory buckets</b> - For directory buckets, there are only two supported options for server-side encryption: server-side encryption with Amazon S3 managed keys (SSE-S3) (<code>AES256</code>) and server-side encryption with KMS keys (SSE-KMS) (<code>aws:kms</code>). We recommend that the bucket's default encryption uses the desired encryption configuration and you don't override the bucket default encryption in your
* <code>CreateSession</code> requests or <code>PUT</code> object requests. Then, new objects
* are automatically encrypted with the desired encryption settings. For more
* information, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html">Protecting data with server-side encryption</a> in the <i>Amazon S3 User Guide</i>. For more information about the encryption overriding behaviors in directory buckets, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html">Specifying server-side encryption with KMS for new object uploads</a>.</p>
* <p>In the Zonal endpoint API calls (except <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html">CopyObject</a> and <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html">UploadPartCopy</a>) using the REST API, the encryption request headers must match the encryption settings that are specified in the <code>CreateSession</code> request.
* You can't override the values of the encryption settings (<code>x-amz-server-side-encryption</code>, <code>x-amz-server-side-encryption-aws-kms-key-id</code>, <code>x-amz-server-side-encryption-context</code>, and <code>x-amz-server-side-encryption-bucket-key-enabled</code>) that are specified in the <code>CreateSession</code> request.
* You don't need to explicitly specify these encryption settings values in Zonal endpoint API calls, and
* Amazon S3 will use the encryption settings values from the <code>CreateSession</code> request to protect new objects in the directory bucket.
* </p>
* <note>
* <p>When you use the CLI or the Amazon Web Services SDKs, for <code>CreateSession</code>, the session token refreshes automatically to avoid service interruptions when a session expires. The CLI or the Amazon Web Services SDKs use the bucket's default encryption configuration for the
* <code>CreateSession</code> request. It's not supported to override the encryption settings values in the <code>CreateSession</code> request.
* So in the Zonal endpoint API calls (except <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html">CopyObject</a> and <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html">UploadPartCopy</a>),
* the encryption request headers must match the default encryption configuration of the directory bucket.
*
* </p>
* </note>
* <note>
* <p>For directory buckets, when you perform a <code>CreateMultipartUpload</code> operation and an <code>UploadPartCopy</code> operation,
* the request headers you provide in the <code>CreateMultipartUpload</code> request must match the default encryption configuration of the destination bucket. </p>
* </note>
* </li>
* </ul>
* </dd>
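Review bot: the second `<note>` (`For directory buckets, when you perform a CreateMultipartUpload operation and an UploadPartCopy operation, ...`) reads as if the two operations are performed together; suggest: "For directory buckets, when a multipart upload uses `UploadPartCopy`, the encryption headers in the `CreateMultipartUpload` request must match the default encryption configuration of the destination bucket." The empty ` *` line before `</p>` in the first `<note>` renders as a stray blank line. This block also repeats, word for word, the Encryption section added to CreateSessionCommand.ts in the same commit; because these comments are generated (the commit is by awstools), the deduplication and wording fixes belong in the upstream model docs rather than in a hand edit here.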
59 changes: 51 additions & 8 deletions clients/client-s3/src/commands/CreateSessionCommand.ts
Expand Up @@ -6,7 +6,12 @@ import { Command as $Command } from "@smithy/smithy-client";
import { MetadataBearer as __MetadataBearer } from "@smithy/types";

import { commonParams } from "../endpoint/EndpointParameters";
import { CreateSessionOutput, CreateSessionOutputFilterSensitiveLog, CreateSessionRequest } from "../models/models_0";
import {
CreateSessionOutput,
CreateSessionOutputFilterSensitiveLog,
CreateSessionRequest,
CreateSessionRequestFilterSensitiveLog,
} from "../models/models_0";
import { de_CreateSessionCommand, se_CreateSessionCommand } from "../protocols/Aws_restXml";
import { S3ClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../S3Client";

Expand All @@ -29,16 +34,16 @@ export interface CreateSessionCommandInput extends CreateSessionRequest {}
export interface CreateSessionCommandOutput extends CreateSessionOutput, __MetadataBearer {}

/**
* <p>Creates a session that establishes temporary security credentials to support fast authentication and authorization for the Zonal endpoint APIs on directory buckets.
* For more information about Zonal endpoint APIs that include the Availability Zone in the request endpoint, see
* <p>Creates a session that establishes temporary security credentials to support fast authentication and authorization for the Zonal endpoint API operations on directory buckets.
* For more information about Zonal endpoint API operations that include the Availability Zone in the request endpoint, see
* <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-APIs.html">S3 Express One Zone APIs</a> in the <i>Amazon S3 User Guide</i>.
* </p>
* <p>To make Zonal endpoint API requests on a directory bucket, use the <code>CreateSession</code>
* API operation. Specifically, you grant <code>s3express:CreateSession</code> permission to a
* bucket in a bucket policy or an IAM identity-based policy. Then, you use IAM credentials to make the
* <code>CreateSession</code> API request on the bucket, which returns temporary security
* credentials that include the access key ID, secret access key, session token, and
* expiration. These credentials have associated permissions to access the Zonal endpoint APIs. After
* expiration. These credentials have associated permissions to access the Zonal endpoint API operations. After
* the session is created, you don’t need to use other policies to grant permissions to each
* Zonal endpoint API individually. Instead, in your Zonal endpoint API requests, you sign your requests by
* applying the temporary security credentials of the session to the request headers and
Expand All @@ -62,12 +67,12 @@ export interface CreateSessionCommandOutput extends CreateSessionOutput, __Metad
* <li>
* <p>
* <b>
* <code>CopyObject</code> API operation</b> - Unlike other Zonal endpoint APIs, the <code>CopyObject</code> API operation doesn't use the temporary security credentials returned from the <code>CreateSession</code> API operation for authentication and authorization. For information about authentication and authorization of the <code>CopyObject</code> API operation on directory buckets, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html">CopyObject</a>.</p>
* <code>CopyObject</code> API operation</b> - Unlike other Zonal endpoint API operations, the <code>CopyObject</code> API operation doesn't use the temporary security credentials returned from the <code>CreateSession</code> API operation for authentication and authorization. For information about authentication and authorization of the <code>CopyObject</code> API operation on directory buckets, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html">CopyObject</a>.</p>
* </li>
* <li>
* <p>
* <b>
* <code>HeadBucket</code> API operation</b> - Unlike other Zonal endpoint APIs, the <code>HeadBucket</code> API operation doesn't use the temporary security credentials returned from the <code>CreateSession</code> API operation for authentication and authorization. For information about authentication and authorization of the <code>HeadBucket</code> API operation on directory buckets, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html">HeadBucket</a>.</p>
* <code>HeadBucket</code> API operation</b> - Unlike other Zonal endpoint API operations, the <code>HeadBucket</code> API operation doesn't use the temporary security credentials returned from the <code>CreateSession</code> API operation for authentication and authorization. For information about authentication and authorization of the <code>HeadBucket</code> API operation on directory buckets, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html">HeadBucket</a>.</p>
* </li>
* </ul>
* </note>
Expand All @@ -84,7 +89,37 @@ export interface CreateSessionCommandOutput extends CreateSessionOutput, __Metad
* </a>. For example policies, see
* <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html">Example bucket policies for S3 Express One Zone</a> and <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html">Amazon Web Services Identity and Access Management (IAM) identity-based policies for S3 Express One Zone</a> in the
* <i>Amazon S3 User Guide</i>. </p>
* <p>To grant cross-account access to Zonal endpoint APIs, the bucket policy should also grant both accounts the <code>s3express:CreateSession</code> permission.</p>
* <p>To grant cross-account access to Zonal endpoint API operations, the bucket policy should also grant both accounts the <code>s3express:CreateSession</code> permission.</p>
* <p>If you want to encrypt objects with SSE-KMS, you must also have the <code>kms:GenerateDataKey</code> and the <code>kms:Decrypt</code> permissions in IAM identity-based policies and KMS key policies for the target KMS key.</p>
* </dd>
* <dt>Encryption</dt>
* <dd>
* <p>For directory buckets, there are only two supported options for server-side encryption: server-side encryption with Amazon S3 managed keys (SSE-S3) (<code>AES256</code>) and server-side encryption with KMS keys (SSE-KMS) (<code>aws:kms</code>). We recommend that the bucket's default encryption uses the desired encryption configuration and you don't override the bucket default encryption in your
* <code>CreateSession</code> requests or <code>PUT</code> object requests. Then, new objects
* are automatically encrypted with the desired encryption settings. For more
* information, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html">Protecting data with server-side encryption</a> in the <i>Amazon S3 User Guide</i>. For more information about the encryption overriding behaviors in directory buckets, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html">Specifying server-side encryption with KMS for new object uploads</a>.</p>
* <p>For <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-differences.html#s3-express-differences-api-operations">Zonal endpoint (object-level) API operations</a> except <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html">CopyObject</a> and <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html">UploadPartCopy</a>,
* you authenticate and authorize requests through <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html">CreateSession</a> for low latency.
* To encrypt new objects in a directory bucket with SSE-KMS, you must specify SSE-KMS as the directory bucket's default encryption configuration with a KMS key (specifically, a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>). Then, when a session is created for Zonal endpoint API operations, new objects are automatically encrypted and decrypted with SSE-KMS and S3 Bucket Keys during the session.</p>
* <note>
* <p>
* Only 1 <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a> is supported per directory bucket for the lifetime of the bucket. <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services managed key</a> (<code>aws/s3</code>) isn't supported.
* After you specify SSE-KMS as your bucket's default encryption configuration with a customer managed key, you can't change the customer managed key for the bucket's SSE-KMS configuration.
* </p>
* </note>
* <p>In the Zonal endpoint API calls (except <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html">CopyObject</a> and <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html">UploadPartCopy</a>) using the REST API,
* you can't override the values of the encryption settings (<code>x-amz-server-side-encryption</code>, <code>x-amz-server-side-encryption-aws-kms-key-id</code>, <code>x-amz-server-side-encryption-context</code>, and <code>x-amz-server-side-encryption-bucket-key-enabled</code>) from the <code>CreateSession</code> request.
* You don't need to explicitly specify these encryption settings values in Zonal endpoint API calls, and
* Amazon S3 will use the encryption settings values from the <code>CreateSession</code> request to protect new objects in the directory bucket.
* </p>
* <note>
* <p>When you use the CLI or the Amazon Web Services SDKs, for <code>CreateSession</code>, the session token refreshes automatically to avoid service interruptions when a session expires. The CLI or the Amazon Web Services SDKs use the bucket's default encryption configuration for the
* <code>CreateSession</code> request. It's not supported to override the encryption settings values in the <code>CreateSession</code> request.
* Also, in the Zonal endpoint API calls (except <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html">CopyObject</a> and <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html">UploadPartCopy</a>),
* it's not supported to override the values of the encryption settings from the <code>CreateSession</code> request.
*
* </p>
* </note>
* </dd>
* <dt>HTTP Host header syntax</dt>
* <dd>
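Review bot: the most consequential statement for operators in this new Encryption section is buried in a `<note>`: `Only 1 customer managed key is supported per directory bucket for the lifetime of the bucket` and `you can't change the customer managed key for the bucket's SSE-KMS configuration`. Move it ahead of the sentence `To encrypt new objects in a directory bucket with SSE-KMS, you must specify SSE-KMS as the directory bucket's default encryption configuration`, since choosing the key is an irreversible decision and readers will act on that sentence first. The paragraph `In the Zonal endpoint API calls (except CopyObject and UploadPartCopy) using the REST API, you can't override ...` and the `<note>` that follows it state the same non-override rule twice (once for REST, once for the CLI/SDKs); one statement with the single list of the four `x-amz-server-side-encryption*` headers would be clearer. Same stray empty ` *` line before `</p>` as in CreateMultipartUploadCommand.ts.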
Expand All @@ -102,10 +137,18 @@ export interface CreateSessionCommandOutput extends CreateSessionOutput, __Metad
* const input = { // CreateSessionRequest
* SessionMode: "ReadOnly" || "ReadWrite",
* Bucket: "STRING_VALUE", // required
* ServerSideEncryption: "AES256" || "aws:kms" || "aws:kms:dsse",
* SSEKMSKeyId: "STRING_VALUE",
* SSEKMSEncryptionContext: "STRING_VALUE",
* BucketKeyEnabled: true || false,
* };
* const command = new CreateSessionCommand(input);
* const response = await client.send(command);
* // { // CreateSessionOutput
* // ServerSideEncryption: "AES256" || "aws:kms" || "aws:kms:dsse",
* // SSEKMSKeyId: "STRING_VALUE",
* // SSEKMSEncryptionContext: "STRING_VALUE",
* // BucketKeyEnabled: true || false,
* // Credentials: { // SessionCredentials
* // AccessKeyId: "STRING_VALUE", // required
* // SecretAccessKey: "STRING_VALUE", // required
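Review bot: the example input advertises `ServerSideEncryption: "AES256" || "aws:kms" || "aws:kms:dsse"`, but the Encryption section above says directory buckets support only `AES256` and `aws:kms`, and its `<note>` says the SDKs do not support overriding encryption settings in `CreateSession` at all. This snippet enumerates the shared `ServerSideEncryption` enum, so a reader who copies it with `aws:kms:dsse`, or with an `SSEKMSKeyId` that differs from the bucket's default key, will get a rejected request with no hint from the docs; add a comment on these four lines (or a sentence in the Encryption section) stating that the values must match the bucket's default encryption configuration. The response echoing `SSEKMSEncryptionContext` is also why the request and response need the sensitive-log filters wired in the final hunk.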
Expand Down Expand Up @@ -152,7 +195,7 @@ export class CreateSessionCommand extends $Command
})
.s("AmazonS3", "CreateSession", {})
.n("S3Client", "CreateSessionCommand")
.f(void 0, CreateSessionOutputFilterSensitiveLog)
.f(CreateSessionRequestFilterSensitiveLog, CreateSessionOutputFilterSensitiveLog)
.ser(se_CreateSessionCommand)
.de(de_CreateSessionCommand)
.build() {
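Review bot: replacing `void 0` with `CreateSessionRequestFilterSensitiveLog` is the right change now that the request carries `SSEKMSKeyId` and `SSEKMSEncryptionContext` (the output side already had a filter for the returned `SecretAccessKey` and `SessionToken`); without it, SDK debug logging of the command input would write the encryption context in cleartext. `models_0.ts` is among the 17 changed files but is not shown here, so verify that the new request filter masks the same members the other S3 request filters mask for these fields (`SSEKMSKeyId` and `SSEKMSEncryptionContext`) and that the output filter was extended the same way, since the response now returns both.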