/** * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. * SPDX-License-Identifier: Apache-2.0. */ #pragma once #include #include #include #include namespace Aws { namespace Utils { namespace Xml { class XmlNode; } // namespace Xml } // namespace Utils namespace S3 { namespace Model { /** *

Describes the default server-side encryption to apply to new objects in the * bucket. If a PUT Object request doesn't specify any server-side encryption, this * default encryption will be applied. For more information, see PutBucketEncryption.

*

  • General purpose buckets - If you don't specify a * customer managed key at configuration, Amazon S3 automatically creates an Amazon * Web Services KMS key (aws/s3) in your Amazon Web Services account * the first time that you add an object encrypted with SSE-KMS to a bucket. By * default, Amazon S3 uses this KMS key for SSE-KMS.

  • * Directory buckets - Your SSE-KMS configuration can only support 1 customer * managed key per directory bucket's lifetime. The Amazon * Web Services managed key (aws/s3) isn't supported.

    • *

  • Directory buckets - For directory buckets, there are only two * supported options for server-side encryption: SSE-S3 and SSE-KMS.

    • *

See Also:

AWS * API Reference

*/ class ServerSideEncryptionByDefault { public: AWS_S3_API ServerSideEncryptionByDefault() = default; AWS_S3_API ServerSideEncryptionByDefault(const Aws::Utils::Xml::XmlNode& xmlNode); AWS_S3_API ServerSideEncryptionByDefault& operator=(const Aws::Utils::Xml::XmlNode& xmlNode); AWS_S3_API void AddToNode(Aws::Utils::Xml::XmlNode& parentNode) const; ///@{ /** *

Server-side encryption algorithm to use for the default encryption.

*

For directory buckets, there are only two supported values for * server-side encryption: AES256 and aws:kms.

* */ inline ServerSideEncryption GetSSEAlgorithm() const { return m_sSEAlgorithm; } inline bool SSEAlgorithmHasBeenSet() const { return m_sSEAlgorithmHasBeenSet; } inline void SetSSEAlgorithm(ServerSideEncryption value) { m_sSEAlgorithmHasBeenSet = true; m_sSEAlgorithm = value; } inline ServerSideEncryptionByDefault& WithSSEAlgorithm(ServerSideEncryption value) { SetSSEAlgorithm(value); return *this; } ///@} ///@{ /** *

Amazon Web Services Key Management Service (KMS) customer managed key ID to * use for the default encryption.

  • General purpose * buckets - This parameter is allowed if and only if SSEAlgorithm * is set to aws:kms or aws:kms:dsse.

  • * Directory buckets - This parameter is allowed if and only if * SSEAlgorithm is set to aws:kms.

*

You can specify the key ID, key alias, or the Amazon Resource Name * (ARN) of the KMS key.

  • Key ID: * 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: * arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab *

  • Key Alias: alias/alias-name

*

If you are using encryption with cross-account or Amazon Web Services service * operations, you must use a fully qualified KMS key ARN. For more information, * see Using * encryption for cross-account operations.

  • General * purpose buckets - If you're specifying a customer managed KMS key, we * recommend using a fully qualified KMS key ARN. If you use a KMS key alias * instead, then KMS resolves the key within the requester’s account. This behavior * can result in data that's encrypted with a KMS key that belongs to the * requester, and not the bucket owner. Also, if you use a key ID, you can run into * a LogDestination undeliverable error when creating a VPC flow log.

    • *

  • Directory buckets - When you specify an KMS * customer managed key for encryption in your directory bucket, only use the * key ID or key ARN. The key alias format of the KMS key isn't supported.

    *

Amazon S3 only supports symmetric encryption * KMS keys. For more information, see Asymmetric * keys in Amazon Web Services KMS in the Amazon Web Services Key Management * Service Developer Guide.

*/ inline const Aws::String& GetKMSMasterKeyID() const { return m_kMSMasterKeyID; } inline bool KMSMasterKeyIDHasBeenSet() const { return m_kMSMasterKeyIDHasBeenSet; } template void SetKMSMasterKeyID(KMSMasterKeyIDT&& value) { m_kMSMasterKeyIDHasBeenSet = true; m_kMSMasterKeyID = std::forward(value); } template ServerSideEncryptionByDefault& WithKMSMasterKeyID(KMSMasterKeyIDT&& value) { SetKMSMasterKeyID(std::forward(value)); return *this; } ///@} private: ServerSideEncryption m_sSEAlgorithm{ServerSideEncryption::NOT_SET}; Aws::String m_kMSMasterKeyID; bool m_sSEAlgorithmHasBeenSet = false; bool m_kMSMasterKeyIDHasBeenSet = false; }; } // namespace Model } // namespace S3 } // namespace Aws