The AWS::S3::Bucket resource creates an Amazon S3 bucket in the same AWS Region where you create the AWS CloudFormation stack.
To control how AWS CloudFormation handles the bucket when the stack is deleted, you can set a deletion policy for your bucket. You can choose to retain the bucket or to delete the bucket. For more information, see DeletionPolicy Attribute.
You can only delete empty buckets. Deletion fails for buckets that have contents.
The ABAC status of the general purpose bucket. When ABAC is enabled for the general purpose bucket, you can use tags to manage access to the general purpose buckets as well as for cost tracking purposes. When ABAC is disabled for the general purpose buckets, you can only use tags for cost tracking purposes. For more information, see Using tags with S3 general purpose buckets.
Configures the transfer acceleration state for an Amazon S3 bucket. For more information, see Amazon S3 Transfer Acceleration in the Amazon S3 User Guide.
This is a legacy property, and it is not recommended for most use cases. A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see Controlling object ownership in the Amazon S3 User Guide. A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see Canned ACL in the Amazon S3 User Guide. S3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the AWS::S3::OwnershipControls property to enable ACLs, your resource will fail to deploy with any value other than Private. Use cases requiring ACLs are uncommon. The majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see AWS::S3::BucketPolicy. For examples of common policy configurations, including S3 Server Access Logs buckets and more, see Bucket policy examples in the Amazon S3 User Guide.
Specifies default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3), AWS KMS-managed keys (SSE-KMS), or dual-layer server-side encryption with KMS-managed keys (DSSE-KMS). For information about the Amazon S3 default encryption feature, see Amazon S3 Default Encryption for S3 Buckets in the Amazon S3 User Guide.
bucket_name
Type: String
Required: No
Create-only: Yes
A name for the bucket. If you don’t specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-) and must follow Amazon S3 bucket restrictions and limitations. For more information, see Rules for naming Amazon S3 buckets in the Amazon S3 User Guide. If you specify a name, you can’t perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.
Describes the cross-origin access configuration for objects in an Amazon S3 bucket. For more information, see Enabling Cross-Origin Resource Sharing in the Amazon S3 User Guide.
Specifies the lifecycle configuration for objects in an Amazon S3 bucket. For more information, see Object Lifecycle Management in the Amazon S3 User Guide.
Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket. If you’re updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don’t include the elements you want to keep, they are erased. For more information, see PutBucketMetricsConfiguration.
This operation is not supported for directory buckets. Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see Locking Objects. + The DefaultRetention settings require both a mode and a period. + The DefaultRetention period can be either Days or Years but you must select one. You cannot specify Days and Years at the same time. + You can enable Object Lock for new or existing buckets. For more information, see Configuring Object Lock. You must URL encode any signed header values that contain spaces. For example, if your header value is my file.txt, containing two spaces after my, you must URL encode this value to my%20%20file.txt.
object_lock_enabled
Type: Bool
Required: No
Indicates whether this bucket has an Object Lock configuration enabled. Enable ObjectLockEnabled when you apply ObjectLockConfiguration to a bucket.
Configuration for replicating objects in an S3 bucket. To enable replication, you must also enable versioning by using the VersioningConfiguration property. Amazon S3 can store replicated objects in a single destination bucket or multiple destination buckets. The destination bucket or buckets must already exist.
tags
Type: Map(String)
Required: No
An arbitrary set of tags (key-value pairs) for this S3 bucket.
Enables multiple versions of all objects in this bucket. You might enable versioning to prevent objects from being deleted or overwritten by mistake or to archive objects so that you can retrieve previous versions of them. When you enable versioning on a bucket for the first time, it might take a short amount of time for the change to be fully propagated. We recommend that you wait for 15 minutes after enabling versioning before issuing write operations (PUT or DELETE) on objects in the bucket.
Contains data related to access patterns to be collected and made available to analyze the tradeoffs between different storage classes.
tag_filters
List<Map(String)>
No
The tags to use when evaluating an analytics filter. The analytics only includes objects that meet the filter’s criteria. If no filter is specified, all of the contents of the bucket are included in the analysis.
The object encryption type that you want to block or unblock for an Amazon S3 general purpose bucket. Currently, this parameter only supports blocking or unblocking server side encryption with customer-provided keys (SSE-C). For more information about SSE-C, see Using server-side encryption with customer-provided keys (SSE-C).
A set of origins and methods (cross-origin access that you want to allow). You can add up to 100 rules to the configuration.
CorsRule
Field
Type
Required
Description
allowed_headers
List<String>
No
Headers that are specified in the Access-Control-Request-Headers header. These headers are allowed in a preflight OPTIONS request. In response to any preflight OPTIONS request, Amazon S3 returns any requested headers that are allowed.
An HTTP method that you allow the origin to run. Allowed values: GET
allowed_origins
List<String>
Yes
One or more origins you want customers to be able to access the bucket from.
exposed_headers
List<String>
No
One or more headers in the response that you want customers to be able to access from their applications (for example, from a JavaScript XMLHttpRequest object).
id
String(len: ..=255)
No
A unique identifier for this rule. The value must be no more than 255 characters.
max_age
Int(0..)
No
The time in seconds that your browser is to cache the preflight response for the specified resource.
The version of the output schema to use when exporting data. Must be V_1.
DefaultRetention
Field
Type
Required
Description
days
Int
No
The number of days that you want to specify for the default retention period. If Object Lock is turned on, you must specify Mode and specify either Days or Years.
The default Object Lock retention mode you want to apply to new objects placed in the specified bucket. If Object Lock is turned on, you must specify Mode and specify either Days or Years.
years
Int
No
The number of years that you want to specify for the default retention period. If Object Lock is turned on, you must specify Mode and specify either Days or Years.
The account ID that owns the destination S3 bucket. If no account ID is provided, the owner is not validated before exporting data. Although this value is optional, we strongly recommend that you set it to help prevent problems if the destination bucket ownership changes.
bucket_arn
Arn
Yes
The Amazon Resource Name (ARN) of the bucket to which data is exported.
Specifies the file format used when exporting data to Amazon S3. Allowed values: CSV
prefix
String
No
The prefix to use when exporting data. The prefix is prepended to all results.
EncryptionConfiguration
Field
Type
Required
Description
replica_kms_key_id
KmsKeyId
Yes
Specifies the ID (Key ARN or Alias ARN) of the customer managed AWS KMS key stored in AWS Key Management Service (KMS) for the destination bucket. Amazon S3 uses this key to encrypt replica objects. Amazon S3 only supports symmetric encryption KMS keys. For more information, see Asymmetric keys in KMS in the Key Management Service Developer Guide.
EventBridgeConfiguration
Field
Type
Required
Description
event_bridge_enabled
Bool
Yes
Enables delivery of events to Amazon EventBridge.
FilterRule
Field
Type
Required
Description
name
String(len: ..=1024)
Yes
The object key name prefix or suffix identifying one or more objects to which the filtering rule applies. The maximum length is 1,024 characters. Overlapping prefixes and suffixes are not supported. For more information, see Configuring Event Notifications in the Amazon S3 User Guide.
value
String
Yes
The value that the filter searches for in object key names.
IntelligentTieringConfiguration
Field
Type
Required
Description
id
String
Yes
The ID used to identify the S3 Intelligent-Tiering configuration.
prefix
String
No
An object key name prefix that identifies the subset of objects to which the rule applies.
Specifies a list of S3 Intelligent-Tiering storage class tiers in the configuration. At least one tier must be defined in the list. At most, you can specify two tiers in the list, one for each available AccessTier: ARCHIVE_ACCESS and DEEP_ARCHIVE_ACCESS. You only need Intelligent Tiering Configuration enabled on a bucket if you want to automatically move objects stored in the Intelligent-Tiering storage class to Archive Access or Deep Archive Access tiers.
Contains information about where to publish the inventory results.
enabled
Bool
Yes
Specifies whether the inventory is enabled or disabled. If set to True, an inventory list is generated. If set to False, no inventory list is generated.
id
String
Yes
The ID used to identify the inventory configuration.
Object versions to include in the inventory list. If set to All, the list includes all the object versions, which adds the version-related fields VersionId, IsLatest, and DeleteMarker to the list. If set to Current, the list does not contain these version-related fields.
The filtering rules that determine which objects invoke the AWS Lambda function. For example, you can create a filter so that only image files with a .jpg extension invoke the function when they are added to the Amazon S3 bucket.
function
Arn
Yes
The Amazon Resource Name (ARN) of the LAMlong function that Amazon S3 invokes when the specified event type occurs.
Indicates which default minimum object size behavior is applied to the lifecycle configuration. This parameter applies to general purpose buckets only. It isn’t supported for directory bucket lifecycle configurations. + all_storage_classes_128K - Objects smaller than 128 KB will not transition to any storage class by default. + varies_by_storage_class - Objects smaller than 128 KB will transition to Glacier Flexible Retrieval or Glacier Deep Archive storage classes. By default, all other storage classes will prevent transitions smaller than 128 KB. To customize the minimum object size for any transition you can add a filter that specifies a custom ObjectSizeGreaterThan or ObjectSizeLessThan in the body of your transition rule. Custom filters always take precedence over the default transition behavior.
LoggingConfiguration
Field
Type
Required
Description
destination_bucket_name
String
No
The name of the bucket where Amazon S3 should store server access log files. You can store log files in any bucket that you own. By default, logs are stored in the bucket where the LoggingConfiguration property is defined.
log_file_prefix
String
No
A prefix for all log object keys. If you store log files from multiple Amazon S3 buckets in a single bucket, you can use a prefix to distinguish which log files came from which bucket.
The type of the table bucket where the metadata configuration is stored. The aws value indicates an AWS managed table bucket, and the customer value indicates a customer-managed table bucket. V2 metadata configurations are stored in AWS managed table buckets, and V1 metadata configurations are stored in customer-managed table buckets.
table_namespace
String
No
The namespace in the table bucket where the metadata tables for a metadata configuration are stored.
The destination information for the metadata table configuration. The destination table bucket must be in the same Region and AWS-account as the general purpose bucket. The specified metadata table name must be unique within the aws_s3_metadata namespace in the destination table bucket.
MetadataTableEncryptionConfiguration
Field
Type
Required
Description
kms_key_arn
KmsKeyArn
No
If server-side encryption with KMSlong (KMS) keys (SSE-KMS) is specified, you must also specify the KMS key Amazon Resource Name (ARN). You must specify a customer-managed KMS key that’s located in the same Region as the general purpose bucket that corresponds to the metadata table configuration.
The encryption type specified for a metadata table. To specify server-side encryption with KMSlong (KMS) keys (SSE-KMS), use the aws:kms value. To specify server-side encryption with Amazon S3 managed keys (SSE-S3), use the AES256 value.
Specifies whether the replication metrics are enabled.
MetricsConfiguration
Field
Type
Required
Description
access_point_arn
Arn
No
The access point that was used while performing operations on the object. The metrics configuration only includes objects that meet the filter’s criteria.
id
String
Yes
The ID used to identify the metrics configuration. This can be any value you choose that helps you identify your metrics configuration.
prefix
String
No
The prefix that an object must have to be included in the metrics results.
tag_filters
List<Map(String)>
No
Specifies a list of tag filters to use as a metrics configuration filter. The metrics configuration includes only objects that meet the filter’s criteria.
NoncurrentVersionExpiration
Field
Type
Required
Description
newer_noncurrent_versions
Int
No
Specifies how many noncurrent versions S3 will retain. If there are this many more recent noncurrent versions, S3 will take the associated action. For more information about noncurrent versions, see Lifecycle configuration elements in the Amazon S3 User Guide.
noncurrent_days
Int
Yes
Specifies the number of days an object is noncurrent before S3 can perform the associated action. For information about the noncurrent days calculations, see How Amazon S3 Calculates When an Object Became Noncurrent in the Amazon S3 User Guide.
NoncurrentVersionTransition
Field
Type
Required
Description
newer_noncurrent_versions
Int
No
Specifies how many noncurrent versions S3 will retain. If there are this many more recent noncurrent versions, S3 will take the associated action. For more information about noncurrent versions, see Lifecycle configuration elements in the Amazon S3 User Guide.
Specifies the number of days an object is noncurrent before Amazon S3 can perform the associated action. For information about the noncurrent days calculations, see How Amazon S3 Calculates How Long an Object Has Been Noncurrent in the Amazon S3 User Guide.
Specifies the Object Lock rule for the specified object. Enable this rule when you apply ObjectLockConfiguration to a bucket. If Object Lock is turned on, bucket settings require both Mode and a period of either Days or Years. You cannot specify Days and Years at the same time. For more information, see ObjectLockRule and DefaultRetention.
The default Object Lock retention mode and period that you want to apply to new objects placed in the specified bucket. If Object Lock is turned on, bucket settings require both Mode and a period of either Days or Years. You cannot specify Days and Years at the same time. For more information about allowable values for mode and period, see DefaultRetention.
Specifies the partition date source for the partitioned prefix. PartitionDateSource can be EventTime or DeliveryTime. For DeliveryTime, the time in the log file names corresponds to the delivery time for the log files. For EventTime, The logs delivered are for a specific day only. The year, month, and day correspond to the day on which the event occurred, and the hour, minutes and seconds are set to 00 in the key.
PublicAccessBlockConfiguration
Field
Type
Required
Description
block_public_acls
Bool
No
Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to TRUE causes the following behavior: + PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public. + PUT Object calls fail if the request includes a public ACL. + PUT Bucket calls fail if the request includes a public ACL. Enabling this setting doesn’t affect existing policies or ACLs.
block_public_policy
Bool
No
Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to TRUE causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access. Enabling this setting doesn’t affect existing bucket policies.
ignore_public_acls
Bool
No
Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to TRUE causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket. Enabling this setting doesn’t affect the persistence of any existing ACLs and doesn’t prevent new public ACLs from being set.
restrict_public_buckets
Bool
No
Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to TRUE restricts access to this bucket to only AWS-service principals and authorized users within this account if the bucket has a public policy. Enabling this setting doesn’t affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
QueueConfiguration
Field
Type
Required
Description
event
String
Yes
The Amazon S3 bucket event about which you want to publish messages to Amazon SQS. For more information, see Supported Event Types in the Amazon S3 User Guide.
The filtering rules that determine which objects trigger notifications. For example, you can create a filter so that Amazon S3 sends notifications only when image files with a .jpg extension are added to the bucket. For more information, see Configuring event notifications using object key name filtering in the Amazon S3 User Guide.
queue
Arn
Yes
The Amazon Resource Name (ARN) of the Amazon SQS queue to which Amazon S3 publishes a message when it detects events of the specified type. FIFO queues are not allowed when enabling an SQS queue as the event notification destination.
RecordExpiration
Field
Type
Required
Description
days
Int
No
If you enable journal table record expiration, you can set the number of days to retain your journal table records. Journal table records must be retained for a minimum of 7 days. To set this value, specify any whole number from 7 to 2147483647. For example, to retain your journal table records for one year, set this value to 365.
Protocol to use when redirecting requests. The default is the protocol that is used in the original request.
replace_key_prefix_with
String
No
The object key prefix to use in the redirect request. For example, to redirect requests for all pages with prefix docs/ (objects in the docs/ folder) to documents/, you can set a condition block with KeyPrefixEquals set to docs/ and in the Redirect set ReplaceKeyPrefixWith to /documents. Not required if one of the siblings is present. Can be present only if ReplaceKeyWith is not provided. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see XML related object key constraints.
replace_key_with
String
No
The specific object key to use in the redirect request. For example, redirect request to error.html. Not required if one of the siblings is present. Can be present only if ReplaceKeyPrefixWith is not provided. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see XML related object key constraints.
The Amazon Resource Name (ARN) of the IAMlong (IAM) role that Amazon S3 assumes when replicating objects. For more information, see How to Set Up Replication in the Amazon S3 User Guide.
Specify this only in a cross-account scenario (where source and destination bucket owners are not the same), and you want to change replica ownership to the AWS-account that owns the destination bucket. If this is not specified in the replication configuration, the replicas are owned by same AWS-account that owns the source object.
account
AwsAccountId
No
Destination bucket owner account ID. In a cross-account scenario, if you direct Amazon S3 to change replica ownership to the AWS-account that owns the destination bucket by specifying the AccessControlTranslation property, this is the account ID of the destination bucket owner. For more information, see Cross-Region Replication Additional Configuration: Change Replica Owner in the Amazon S3 User Guide. If you specify the AccessControlTranslation property, the Account property is required.
bucket
String
Yes
The Amazon Resource Name (ARN) of the bucket where you want Amazon S3 to store the results.
A container specifying S3 Replication Time Control (S3 RTC), including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated. Must be specified together with a Metrics block.
The storage class to use when replicating objects, such as S3 Standard or reduced redundancy. By default, Amazon S3 uses the storage class of the source object to create the object replica. For valid values, see the StorageClass element of the PUT Bucket replication action in the Amazon S3 API Reference. FSX_OPENZFS is not an accepted value when replicating objects.
Specifies whether Amazon S3 replicates delete markers. If you specify a Filter in your replication configuration, you must also include a DeleteMarkerReplication element. If your Filter includes a Tag element, the DeleteMarkerReplication````Status must be set to Disabled, because Amazon S3 does not support replicating delete markers for tag-based rules. For an example configuration, see Basic Rule Configuration. For more information about delete marker replication, see Basic Rule Configuration. If you are using an earlier version of the replication configuration, Amazon S3 handles replication of delete markers differently. For more information, see Backward Compatibility.
A filter that identifies the subset of objects to which the replication rule applies. A Filter must specify exactly one Prefix, TagFilter, or an And child element. The use of the filter field indicates that this is a V2 replication configuration. This field isn’t supported in a V1 replication configuration. V1 replication configuration only supports filtering by key prefix. To filter using a V1 replication configuration, add the Prefix directly as a child element of the Rule element.
id
String(len: ..=255)
No
A unique identifier for the rule. The maximum value is 255 characters. If you don’t specify a value, AWS CloudFormation generates a random ID. When using a V2 replication configuration this property is capitalized as “ID”.
prefix
String(len: ..=1024)
No
An object key name prefix that identifies the object or objects to which the rule applies. The maximum prefix length is 1,024 characters. To include all objects in a bucket, specify an empty string. To filter using a V1 replication configuration, add the Prefix directly as a child element of the Rule element. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see XML related object key constraints.
priority
Int
No
The priority indicates which rule has precedence whenever two or more replication rules conflict. Amazon S3 will attempt to replicate objects according to all replication rules. However, if there are two or more rules with the same destination bucket, then objects will be replicated according to the rule with the highest priority. The higher the number, the higher the priority. For more information, see Replication in the Amazon S3 User Guide.
A container that describes additional filters for identifying the source objects that you want to replicate. You can choose to enable or disable the replication of these objects.
A container for specifying rule filters. The filters determine the subset of objects to which the rule applies. This element is required only if you specify more than one filter. For example: + If you specify both a Prefix and a TagFilter, wrap these filters in an And tag. + If you specify a filter based on multiple tags, wrap the TagFilter elements in an And tag.
prefix
String
No
An object key name prefix that identifies the subset of objects to which the rule applies. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see XML related object key constraints.
tag_filter
Map(String)
No
A container for specifying a tag key and value. The rule applies only to objects that have the tag in their tag set.
Container for redirect information. You can redirect requests to another host, to another page, or with another protocol. In the event of an error, you can specify a different error code to return.
A container for describing a condition that must be met for the specified redirect to apply. For example, 1. If request is for pages in the /docs folder, redirect to the /documents folder. 2. If request results in HTTP error 4xx, redirect request to another host where you might process the error.
RoutingRuleCondition
Field
Type
Required
Description
http_error_code_returned_equals
String
No
The HTTP error code when the redirect is applied. In the event of an error, if the error code equals this value, then the specified redirect is applied. Required when parent element Condition is specified and sibling KeyPrefixEquals is not specified. If both are specified, then both must be true for the redirect to be applied.
key_prefix_equals
String
No
The object key name prefix when the redirect is applied. For example, to redirect requests for ExamplePage.html, the key prefix will be ExamplePage.html. To redirect request for all pages with the prefix docs/, the key prefix will be docs/, which identifies all objects in the docs/ folder. Required when the parent element Condition is specified and sibling HttpErrorCodeReturnedEquals is not specified. If both conditions are specified, both must be true for the redirect to be applied.
Specifies a lifecycle rule that stops incomplete multipart uploads to an Amazon S3 bucket.
expiration_date
String
No
Indicates when objects are deleted from Amazon S3 and Amazon S3 Glacier. The date value must be in ISO 8601 format. The time is always midnight UTC. If you specify an expiration and transition time, you must use the same time unit for both properties (either in days or by date). The expiration time must also be later than the transition time.
expiration_in_days
Int
No
Indicates the number of days after creation when objects are deleted from Amazon S3 and Amazon S3 Glacier. If you specify an expiration and transition time, you must use the same time unit for both properties (either in days or by date). The expiration time must also be later than the transition time.
expired_object_delete_marker
Bool
No
Indicates whether Amazon S3 will remove a delete marker without any noncurrent versions. If set to true, the delete marker will be removed if there are no noncurrent versions. This cannot be specified with ExpirationInDays, ExpirationDate, or TagFilters.
id
String(len: ..=255)
No
Unique identifier for the rule. The value can’t be longer than 255 characters.
Specifies when noncurrent object versions expire. Upon expiration, S3 permanently deletes the noncurrent object versions. You set this lifecycle configuration action on a bucket that has versioning enabled (or suspended) to request that S3 delete noncurrent object versions at a specific period in the object’s lifetime.
noncurrent_version_expiration_in_days
Int
No
(Deprecated.) For buckets with versioning enabled (or suspended), specifies the time, in days, between when a new version of the object is uploaded to the bucket and when old versions of the object expire. When object versions expire, Amazon S3 permanently deletes them. If you specify a transition and expiration time, the expiration time must be later than the transition time.
(Deprecated.) For buckets with versioning enabled (or suspended), specifies when non-current objects transition to a specified storage class. If you specify a transition and expiration time, the expiration time must be later than the transition time. If you specify this property, don’t specify the NoncurrentVersionTransitions property.
For buckets with versioning enabled (or suspended), one or more transition rules that specify when non-current objects transition to a specified storage class. If you specify a transition and expiration time, the expiration time must be later than the transition time. If you specify this property, don’t specify the NoncurrentVersionTransition property.
object_size_greater_than
NumericString(len: ..=20)
No
Specifies the minimum object size in bytes for this rule to apply to. Objects must be larger than this value in bytes. For more information about size based rules, see Lifecycle configuration using size-based rules in the Amazon S3 User Guide.
object_size_less_than
NumericString(len: ..=20)
No
Specifies the maximum object size in bytes for this rule to apply to. Objects must be smaller than this value in bytes. For more information about sized based rules, see Lifecycle configuration using size-based rules in the Amazon S3 User Guide.
prefix
String
No
Object key prefix that identifies one or more objects to which this rule applies. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see XML related object key constraints.
(Deprecated.) Specifies when an object transitions to a specified storage class. If you specify an expiration and transition time, you must use the same time unit for both properties (either in days or by date). The expiration time must also be later than the transition time. If you specify this property, don’t specify the Transitions property.
One or more transition rules that specify when an object transitions to a specified storage class. If you specify an expiration and transition time, you must use the same time unit for both properties (either in days or by date). The expiration time must also be later than the transition time. If you specify this property, don’t specify the Transition property.
A list of containers for the key-value pair that defines the criteria for the filter rule.
S3TablesDestination
Field
Type
Required
Description
table_arn
Arn
No
The Amazon Resource Name (ARN) for the metadata table in the metadata table configuration. The specified metadata table name must be unique within the aws_s3_metadata namespace in the destination table bucket.
table_bucket_arn
Arn
Yes
The Amazon Resource Name (ARN) for the table bucket that’s specified as the destination in the metadata table configuration. The destination table bucket must be in the same Region and AWS-account as the general purpose bucket.
table_name
String
Yes
The name for the metadata table in your metadata table configuration. The specified metadata table name must be unique within the aws_s3_metadata namespace in the destination table bucket.
table_namespace
String
No
The table bucket namespace for the metadata table in your metadata table configuration. This value is always aws_s3_metadata.
ServerSideEncryptionByDefault
Field
Type
Required
Description
kms_master_key_id
KmsKeyId
No
AWS Key Management Service (KMS) customer managed key ID to use for the default encryption. + General purpose buckets - This parameter is allowed if and only if SSEAlgorithm is set to aws:kms or aws:kms:dsse. + Directory buckets - This parameter is allowed if and only if SSEAlgorithm is set to aws:kms. You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key. + Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + Key Alias: alias/alias-name If you are using encryption with cross-account or AWS service operations, you must use a fully qualified KMS key ARN. For more information, see Using encryption for cross-account operations. + General purpose buckets - If you’re specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves the key within the requester?s account. This behavior can result in data that’s encrypted with a KMS key that belongs to the requester, and not the bucket owner. Also, if you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log. + Directory buckets - When you specify an customer managed key for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn’t supported. Amazon S3 only supports symmetric encryption KMS keys. For more information, see Asymmetric keys in KMS in the Key Management Service Developer Guide.
Server-side encryption algorithm to use for the default encryption. For directory buckets, there are only two supported values for server-side encryption: AES256 and aws:kms.
A bucket-level setting for Amazon S3 general purpose buckets used to prevent the upload of new objects encrypted with the specified server-side encryption type. For example, blocking an encryption type will block PutObject, CopyObject, PostObject, multipart upload, and replication requests to the bucket for objects with the specified encryption type. However, you can continue to read and list any pre-existing objects already encrypted with the specified encryption type. For more information, see Blocking or unblocking SSE-C for a general purpose bucket. Currently, this parameter only supports blocking or unblocking server-side encryption with customer-provided keys (SSE-C). For more information about SSE-C, see Using server-side encryption with customer-provided keys (SSE-C).
bucket_key_enabled
Bool
No
Specifies whether Amazon S3 should use an S3 Bucket Key with server-side encryption using KMS (SSE-KMS) for new objects in the bucket. Existing objects are not affected. Setting the BucketKeyEnabled element to true causes Amazon S3 to use an S3 Bucket Key. By default, S3 Bucket Key is not enabled. For more information, see Amazon S3 Bucket Keys in the Amazon S3 User Guide.
Specifies the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn’t specify any server-side encryption, this default encryption will be applied.
The number of consecutive days of no access after which an object will be eligible to be transitioned to the corresponding tier. The minimum number of days specified for Archive Access tier must be at least 90 days and Deep Archive Access tier must be at least 180 days. The maximum can be up to 2 years (730 days).
TopicConfiguration
Field
Type
Required
Description
event
String
Yes
The Amazon S3 bucket event about which to send notifications. For more information, see Supported Event Types in the Amazon S3 User Guide.
The filtering rules that determine for which objects to send notifications. For example, you can create a filter so that Amazon S3 sends notifications only when image files with a .jpg extension are added to the bucket.
topic
Arn
Yes
The Amazon Resource Name (ARN) of the Amazon SNS topic to which Amazon S3 publishes a message when it detects events of the specified type.
The storage class to which you want the object to transition.
transition_date
String
No
Indicates when objects are transitioned to the specified storage class. The date value must be in ISO 8601 format. The time is always midnight UTC.
transition_in_days
Int
No
Indicates the number of days after creation when objects are transitioned to the specified storage class. If the specified storage class is INTELLIGENT_TIERING, GLACIER_IR, GLACIER, or DEEP_ARCHIVE, valid values are 0 or positive integers. If the specified storage class is STANDARD_IA or ONEZONE_IA, valid values are positive integers greater than 30. Be aware that some storage classes have a minimum storage duration and that you’re charged for transitioning objects before their minimum storage duration. For more information, see Constraints and considerations for transitions in the Amazon S3 User Guide.