class Aws::S3::Types::ServerSideEncryptionByDefault

Describes the default server-side encryption to apply to new objects
in the bucket. If a PUT Object request doesn’t specify any
server-side encryption, this default encryption will be applied. For
more information, see [PutBucketEncryption][1].

<note markdown="1">
* **General purpose buckets** - If you don’t specify a customer
  managed key at configuration, Amazon S3 automatically creates an
  Amazon Web Services KMS key (`aws/s3`) in your Amazon Web Services
  account the first time that you add an object encrypted with SSE-KMS
  to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS.
* **Directory buckets** - Your SSE-KMS configuration can only support
  1 [customer managed key][2] per directory bucket’s lifetime. The
  [Amazon Web Services managed key][3] (`aws/s3`) isn’t supported.
* **Directory buckets** - For directory buckets, there are only two
  supported options for server-side encryption: SSE-S3 and SSE-KMS.
</note>

[1]: docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html
[2]: docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
[3]: docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk

@!attribute [rw] sse_algorithm
Server-side encryption algorithm to use for the default encryption.

<note markdown="1"> For directory buckets, there are only two supported values for
server-side encryption: `AES256` and `aws:kms`.
</note>
@return [String]

@!attribute [rw] kms_master_key_id
Amazon Web Services Key Management Service (KMS) customer managed
key ID to use for the default encryption.

<note markdown="1">
* **General purpose buckets** - This parameter is allowed if and
  only if `SSEAlgorithm` is set to `aws:kms` or `aws:kms:dsse`.
* **Directory buckets** - This parameter is allowed if and only if
  `SSEAlgorithm` is set to `aws:kms`.
</note>

You can specify the key ID, key alias, or the Amazon Resource Name
(ARN) of the KMS key.

* Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
* Key ARN:
  `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
* Key Alias: `alias/alias-name`

If you are using encryption with cross-account or Amazon Web
Services service operations, you must use a fully qualified KMS key
ARN. For more information, see [Using encryption for cross-account
operations][1].

<note markdown="1">
* **General purpose buckets** - If you’re specifying a customer
  managed KMS key, we recommend using a fully qualified KMS key ARN.
  If you use a KMS key alias instead, then KMS resolves the key
  within the requester’s account. This behavior can result in data
  that’s encrypted with a KMS key that belongs to the requester,
  and not the bucket owner. Also, if you use a key ID, you can run
  into a LogDestination undeliverable error when creating a VPC flow
  log.
* **Directory buckets** - When you specify a [KMS customer managed
  key][2] for encryption in your directory bucket, only use the key
  ID or key ARN. The key alias format of the KMS key isn’t
  supported.
</note>

Amazon S3 only supports symmetric encryption KMS keys. For more
information, see [Asymmetric keys in Amazon Web Services KMS][3] in
the *Amazon Web Services Key Management Service Developer Guide*.

[1]: docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy
[2]: docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
[3]: docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
@return [String]

@see docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/ServerSideEncryptionByDefault AWS API Documentation
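
The rules this type documents for `sse_algorithm` and `kms_master_key_id` can be checked before a configuration is sent. The following is an added example, not code from the AWS SDK: `check_default_encryption`, `key_form` and the `bucket_type` symbols are hypothetical names, and the sample inputs are constructed from the placeholder key values shown in this reference.

```ruby
# Added example. check_default_encryption, key_form and the bucket_type symbols
# are hypothetical names for this sketch, not part of aws-sdk-s3.
KMS_ALGORITHMS = {
  general_purpose: %w[aws:kms aws:kms:dsse],
  directory:       %w[aws:kms]
}.freeze

# Classify a kms_master_key_id value as :alias, :arn or :key_id.
def key_form(id)
  return :alias if id.match?(%r{(\A|:)alias/})
  return :arn   if id.match?(%r{\Aarn:[^:]+:kms:[^:]+:\d{12}:key/.+\z})
  :key_id
end

# cfg mirrors ServerSideEncryptionByDefault: :sse_algorithm, :kms_master_key_id.
def check_default_encryption(cfg, bucket_type: :general_purpose)
  algo, key = cfg[:sse_algorithm], cfg[:kms_master_key_id]
  kms_algos = KMS_ALGORITHMS.fetch(bucket_type)
  errors, warnings = [], []

  if bucket_type == :directory && !%w[AES256 aws:kms].include?(algo)
    errors << "directory buckets support only AES256 and aws:kms, got #{algo.inspect}"
  end

  if key
    unless kms_algos.include?(algo)
      errors << "kms_master_key_id is only allowed with #{kms_algos.join(' or ')}"
    end
    form = key_form(key)
    if bucket_type == :directory
      errors << "directory buckets accept a key ID or key ARN, not an alias" if form == :alias
    elsif form == :alias
      warnings << "alias is resolved in the requester's account; use the full key ARN"
    elsif form == :key_id
      warnings << "bare key ID; a fully qualified key ARN is recommended"
    end
  elsif kms_algos.include?(algo)
    if bucket_type == :directory
      errors << "aws/s3 managed key is not supported here; name a customer managed key"
    else
      warnings << "no key given: S3 uses the AWS managed key aws/s3"
    end
  end
  { errors: errors, warnings: warnings }
end

# Constructed inputs, using the placeholder key values from this reference.
SAMPLE_ARN = "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
p check_default_encryption({ sse_algorithm: "aws:kms", kms_master_key_id: SAMPLE_ARN })
p check_default_encryption({ sse_algorithm: "aws:kms", kms_master_key_id: "alias/alias-name" },
                           bucket_type: :directory)
```

Errors correspond to combinations the reference says are not allowed; warnings correspond to its recommendations for general purpose buckets.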