feat(client-s3): Adds support for blocking SSE-C writes to general purpose buckets.

Author: awstools

clients/client-s3/src/commands/DeleteBucketTaggingCommand.ts

@@ -30,7 +30,7 @@ export interface DeleteBucketTaggingCommandOutput extends __MetadataBearer {}
  * <note>
  *             <p>This operation is not supported for directory buckets.</p>
  *          </note>
- *          <p>Deletes the tags from the bucket.</p>
+ *          <p>Deletes tags from the bucket.</p>
  *          <p>To use this operation, you must have permission to perform the <code>s3:PutBucketTagging</code>
  *       action. By default, the bucket owner has this permission and can grant this permission to others. </p>
  *          <p>The following operations are related to <code>DeleteBucketTagging</code>:</p>

clients/client-s3/src/commands/DeleteObjectCommand.ts

@@ -103,16 +103,21 @@ export interface DeleteObjectCommandOutput extends DeleteObjectOutput, __Metadat
  *                            <p>
  *                               <b>
  *                                  <code>s3:DeleteObject</code>
- *                               </b> - To delete an
- *                     object from a bucket, you must always have the <code>s3:DeleteObject</code>
- *                     permission.</p>
+ *                               </b> - To
+ *                     delete an object from a bucket, you must always have the
+ *                       <code>s3:DeleteObject</code> permission.</p>
  *                         </li>
  *                         <li>
  *                            <p>
  *                               <b>
  *                                  <code>s3:DeleteObjectVersion</code>
  *                               </b> - To delete a specific version of an object from a versioning-enabled
  *                     bucket, you must have the <code>s3:DeleteObjectVersion</code> permission.</p>
+ *                            <note>
+ *                               <p>If the <code>s3:DeleteObject</code> or <code>s3:DeleteObjectVersion</code> permissions are explicitly
+ *                       denied in your bucket policy, attempts to delete any unversioned objects
+ *                       result in a <code>403 Access Denied</code> error.</p>
+ *                            </note>
  *                         </li>
  *                      </ul>
  *                   </li>

clients/client-s3/src/commands/DeleteObjectsCommand.ts

@@ -92,6 +92,11 @@ export interface DeleteObjectsCommandOutput extends DeleteObjectsOutput, __Metad
  *                                  <code>s3:DeleteObjectVersion</code>
  *                               </b> - To delete a specific version of an object from a versioning-enabled
  *                     bucket, you must specify the <code>s3:DeleteObjectVersion</code> permission.</p>
+ *                            <note>
+ *                               <p>If the <code>s3:DeleteObject</code> or <code>s3:DeleteObjectVersion</code> permissions are explicitly
+ *                       denied in your bucket policy, attempts to delete any unversioned objects
+ *                       result in a <code>403 Access Denied</code> error.</p>
+ *                            </note>
  *                         </li>
  *                      </ul>
  *                   </li>

clients/client-s3/src/commands/GetBucketEncryptionCommand.ts

@@ -29,13 +29,13 @@ export interface GetBucketEncryptionCommandOutput extends GetBucketEncryptionOut
 
 /**
  * <p>Returns the default encryption configuration for an Amazon S3 bucket. By default, all buckets have a
- *       default encryption configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). </p>
+ *       default encryption configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). This operation also returns the <code>BucketKeyEnabled</code> and <code>BlockedEncryptionTypes</code> statuses. </p>
  *          <note>
  *             <ul>
  *                <li>
  *                   <p>
  *                      <b>General purpose buckets</b> - For information about the bucket
- *             default encryption feature, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html">Amazon S3 Bucket Default Encryption</a> in the
+ *             default encryption feature, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html">Amazon S3 Bucket Default Encryption</a> in the
  *               <i>Amazon S3 User Guide</i>.</p>
  *                </li>
  *                <li>
@@ -113,6 +113,11 @@ export interface GetBucketEncryptionCommandOutput extends GetBucketEncryptionOut
  * //           KMSMasterKeyID: "STRING_VALUE",
  * //         },
  * //         BucketKeyEnabled: true || false,
+ * //         BlockedEncryptionTypes: { // BlockedEncryptionTypes
+ * //           EncryptionType: [ // EncryptionTypeList
+ * //             "NONE" || "SSE-C",
+ * //           ],
+ * //         },
  * //       },
  * //     ],
  * //   },

clients/client-s3/src/commands/GetBucketPolicyCommand.ts

@@ -138,7 +138,7 @@ export interface GetBucketPolicyCommandOutput extends GetBucketPolicyOutput, __M
  * const response = await client.send(command);
  * /* response is
  * {
- *   Policy: `{"Version":"2008-10-17","Id":"LogPolicy","Statement":[{"Sid":"Enables the log delivery group to publish logs to your bucket ","Effect":"Allow","Principal":{"AWS":"111122223333"},"Action":["s3:GetBucketAcl","s3:GetObjectAcl","s3:PutObject"],"Resource":["arn:aws:s3:::policytest1/*","arn:aws:s3:::policytest1"]}]}`
+ *   Policy: `{"Version":"2008-10-17",&TCX5-2025-waiver;"Id":"LogPolicy","Statement":[{"Sid":"Enables the log delivery group to publish logs to your bucket ","Effect":"Allow","Principal":{"AWS":"111122223333"},"Action":["s3:GetBucketAcl","s3:GetObjectAcl","s3:PutObject"],"Resource":["arn:aws:s3:::policytest1/*","arn:aws:s3:::policytest1"]}]}`
  * }
  * *\/
  * ```

clients/client-s3/src/commands/GetBucketTaggingCommand.ts

@@ -31,7 +31,7 @@ export interface GetBucketTaggingCommandOutput extends GetBucketTaggingOutput, _
  * <note>
  *             <p>This operation is not supported for directory buckets.</p>
  *          </note>
- *          <p>Returns the tag set associated with the bucket.</p>
+ *          <p>Returns the tag set associated with the general purpose bucket.</p>
  *          <p>To use this operation, you must have permission to perform the <code>s3:GetBucketTagging</code>
  *       action. By default, the bucket owner has this permission and can grant this permission to others.</p>
  *          <p>

clients/client-s3/src/commands/PutBucketEncryptionCommand.ts

@@ -28,7 +28,7 @@ export interface PutBucketEncryptionCommandInput extends PutBucketEncryptionRequ
 export interface PutBucketEncryptionCommandOutput extends __MetadataBearer {}
 
 /**
- * <p>This operation configures default encryption and Amazon S3 Bucket Keys for an existing bucket.</p>
+ * <p>This operation configures default encryption and Amazon S3 Bucket Keys for an existing bucket. You can also block encryption types using this operation.</p>
  *          <note>
  *             <p>
  *                <b>Directory buckets </b> - For directory buckets, you must make requests for this API operation to the Regional endpoint. These endpoints support path-style requests in the format <code>https://s3express-control.<i>region-code</i>.amazonaws.com/<i>bucket-name</i>
@@ -170,6 +170,11 @@ export interface PutBucketEncryptionCommandOutput extends __MetadataBearer {}
  *           KMSMasterKeyID: "STRING_VALUE",
  *         },
  *         BucketKeyEnabled: true || false,
+ *         BlockedEncryptionTypes: { // BlockedEncryptionTypes
+ *           EncryptionType: [ // EncryptionTypeList
+ *             "NONE" || "SSE-C",
+ *           ],
+ *         },
  *       },
  *     ],
  *   },

clients/client-s3/src/commands/PutBucketTaggingCommand.ts

@@ -31,7 +31,7 @@ export interface PutBucketTaggingCommandOutput extends __MetadataBearer {}
  * <note>
  *             <p>This operation is not supported for directory buckets.</p>
  *          </note>
- *          <p>Sets the tags for a bucket.</p>
+ *          <p>Sets the tags for a general purpose bucket.  </p>
  *          <p>Use tags to organize your Amazon Web Services bill to reflect your own cost structure. To do this, sign up to get
  *       your Amazon Web Services account bill with tag key values included. Then, to see the cost of combined resources,
  *       organize your billing information according to resources with the same tag key values. For example, you

clients/client-s3/src/models/enums.ts

@@ -405,6 +405,19 @@ export const StorageClassAnalysisSchemaVersion = {
 export type StorageClassAnalysisSchemaVersion =
   (typeof StorageClassAnalysisSchemaVersion)[keyof typeof StorageClassAnalysisSchemaVersion];
 
+/**
+ * @public
+ * @enum
+ */
+export const EncryptionType = {
+  NONE: "NONE",
+  SSE_C: "SSE-C",
+} as const;
+/**
+ * @public
+ */
+export type EncryptionType = (typeof EncryptionType)[keyof typeof EncryptionType];
+
 /**
  * @public
  * @enum

clients/client-s3/src/models/models_0.ts

@@ -17,11 +17,11 @@ import {
   DataRedundancy,
   DeleteMarkerReplicationStatus,
   EncodingType,
+  EncryptionType,
   Event,
   ExistingObjectReplicationStatus,
   ExpirationState,
   ExpirationStatus,
-  ExpressionType,
   FileHeaderInfo,
   FilterRuleName,
   IntelligentTieringAccessTier,
@@ -1875,18 +1875,11 @@ export interface CreateBucketConfiguration {
   Bucket?: BucketInfo | undefined;
 
   /**
-   * <p>An array of tags that you can apply to the bucket that you're creating. Tags are key-value pairs of
-   *       metadata used to categorize and organize your buckets, track costs, and control access. </p>
+   * <p>An array of tags that you can apply to the bucket that you're creating. Tags are key-value pairs of metadata used to categorize and organize your buckets, track costs, and control access. </p>
    *          <note>
-   *             <ul>
-   *                <li>
-   *                   <p>This parameter is only supported for S3 directory buckets. For more information, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-tagging.html">Using tags with
-   *           directory buckets</a>.</p>
-   *                </li>
-   *                <li>
-   *                   <p>You must have the <code>s3express:TagResource</code> permission to create a directory bucket with tags.</p>
-   *                </li>
-   *             </ul>
+   *             <p>This parameter is only supported for S3 directory buckets. For more information, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-tagging.html">Using tags with
+   *         directory buckets</a>.</p>
+   *             <p>You must have the <code>s3express:TagResource</code> permission to create a directory bucket with tags.</p>
    *          </note>
    * @public
    */
@@ -6424,6 +6417,46 @@ export interface ServerSideEncryptionByDefault {
   KMSMasterKeyID?: string | undefined;
 }
 
+/**
+ * <p>A bucket-level setting for Amazon S3 general purpose buckets used to prevent the upload of new objects encrypted with the specified server-side encryption type. For example, blocking an encryption type will block <code>PutObject</code>, <code>CopyObject</code>, <code>PostObject</code>, multipart upload, and replication requests to the bucket for objects with the specified encryption type. However, you can continue to read and list any pre-existing objects already encrypted with the specified encryption type. For more information, see <a href="https://docs.aws.amazon.com/AmazonS3/userguide/block-encryption-type.html">Blocking an encryption type for a general purpose bucket</a>. </p>
+ *          <p>This data type is used with the following actions:</p>
+ *          <ul>
+ *             <li>
+ *                <p>
+ *                   <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html">PutBucketEncryption</a>
+ *                </p>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                   <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html">GetBucketEncryption</a>
+ *                </p>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                   <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html">DeleteBucketEncryption</a>
+ *                </p>
+ *             </li>
+ *          </ul>
+ *          <dl>
+ *             <dt>Permissions</dt>
+ *             <dd>
+ *                <p>You must have the <code>s3:PutEncryptionConfiguration</code> permission to block or unblock an encryption type for a bucket. </p>
+ *                <p>You must have the <code>s3:GetEncryptionConfiguration</code> permission to view a bucket's encryption type. </p>
+ *             </dd>
+ *          </dl>
+ * @public
+ */
+export interface BlockedEncryptionTypes {
+  /**
+   * <p>The object encryption type that you want to block or unblock for an Amazon S3 general purpose bucket.</p>
+   *          <note>
+   *             <p>Currently, this parameter only supports blocking or unblocking server side encryption with customer-provided keys (SSE-C). For more information about SSE-C, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html">Using server-side encryption with customer-provided keys (SSE-C)</a>.</p>
+   *          </note>
+   * @public
+   */
+  EncryptionType?: EncryptionType[] | undefined;
+}
+
 /**
  * <p>Specifies the default server-side encryption configuration.</p>
  *          <note>
@@ -6477,6 +6510,15 @@ export interface ServerSideEncryptionRule {
    * @public
    */
   BucketKeyEnabled?: boolean | undefined;
+
+  /**
+   * <p>A bucket-level setting for Amazon S3 general purpose buckets used to prevent the upload of new objects encrypted with the specified server-side encryption type. For example, blocking an encryption type will block <code>PutObject</code>, <code>CopyObject</code>, <code>PostObject</code>, multipart upload, and replication requests to the bucket for objects with the specified encryption type. However, you can continue to read and list any pre-existing objects already encrypted with the specified encryption type. For more information, see <a href="https://docs.aws.amazon.com/AmazonS3/userguide/block-encryption-type.html">Blocking an encryption type for a general purpose bucket</a>. </p>
+   *          <note>
+   *             <p>Currently, this parameter only supports blocking or unblocking Server Side Encryption with Customer Provided Keys (SSE-C). For more information about SSE-C, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html">Using server-side encryption with customer-provided keys (SSE-C)</a>.</p>
+   *          </note>
+   * @public
+   */
+  BlockedEncryptionTypes?: BlockedEncryptionTypes | undefined;
 }
 
 /**
@@ -16624,46 +16666,3 @@ export interface OutputSerialization {
    */
   JSON?: JSONOutput | undefined;
 }
-
-/**
- * <important>
- *             <p>Amazon S3 Select is no longer available to new customers. Existing customers of Amazon S3 Select can
- *         continue to use the feature as usual. <a href="http://aws.amazon.com/blogs/storage/how-to-optimize-querying-your-data-in-amazon-s3/">Learn more</a>
- *             </p>
- *          </important>
- *          <p>Describes the parameters for Select job types.</p>
- *          <p>Learn <a href="http://aws.amazon.com/blogs/storage/how-to-optimize-querying-your-data-in-amazon-s3/">How to
- *         optimize querying your data in Amazon S3</a> using <a href="https://docs.aws.amazon.com/athena/latest/ug/what-is.html">Amazon Athena</a>, <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/transforming-objects.html">S3 Object Lambda</a>, or client-side
- *       filtering.</p>
- * @public
- */
-export interface SelectParameters {
-  /**
-   * <p>Describes the serialization format of the object.</p>
-   * @public
-   */
-  InputSerialization: InputSerialization | undefined;
-
-  /**
-   * <p>The type of the provided expression (for example, SQL).</p>
-   * @public
-   */
-  ExpressionType: ExpressionType | undefined;
-
-  /**
-   * <important>
-   *             <p>Amazon S3 Select is no longer available to new customers. Existing customers of Amazon S3 Select can
-   *         continue to use the feature as usual. <a href="http://aws.amazon.com/blogs/storage/how-to-optimize-querying-your-data-in-amazon-s3/">Learn more</a>
-   *             </p>
-   *          </important>
-   *          <p>The expression that is used to query the object.</p>
-   * @public
-   */
-  Expression: string | undefined;
-
-  /**
-   * <p>Describes how the results of the Select job are serialized.</p>
-   * @public
-   */
-  OutputSerialization: OutputSerialization | undefined;
-}