

# Data residency workloads
<a name="directory-bucket-data-residency"></a>

AWS Dedicated Local Zones (Dedicated Local Zones) are a type of AWS Infrastructure that are fully managed by AWS, built for exclusive use by you or your community, and placed in a location or data center specified by you to help comply with regulatory requirements. Dedicated Local Zones are a type of AWS Local Zones (Local Zones) offering. For more information, see [AWS Dedicated Local Zones](https://aws.amazon.com/dedicatedlocalzones/).

In Dedicated Local Zones, you can create S3 directory buckets to store data in a specific data perimeter, which helps support data residency and isolation use cases. Directory buckets in Dedicated Local Zones can support the S3 Express One Zone and S3 One Zone-Infrequent Access (S3 One Zone-IA; Z-IA) storage classes. Directory buckets are not currently available in other [AWS Local Zones locations](https://aws.amazon.com/about-aws/global-infrastructure/localzones/locations/). 

You can use the AWS Management Console, REST API, AWS Command Line Interface (AWS CLI), and AWS SDKs in Dedicated Local Zones. 



For more information about working with the directory buckets in Local Zones, see the following topics:

**Topics**
+ [Concepts for directory buckets in Local Zones](s3-lzs-for-directory-buckets.md)
+ [Enable accounts for Local Zones](opt-in-directory-bucket-lz.md)
+ [Private connectivity from your VPC](connectivity-lz-directory-buckets.md)
+ [Creating a directory bucket in a Local Zone](create-directory-bucket-LZ.md)
+ [Authenticating and authorizing for directory buckets in Local Zones](iam-directory-bucket-LZ.md)

# Concepts for directory buckets in Local Zones
<a name="s3-lzs-for-directory-buckets"></a>

Before creating a directory bucket in a Local Zone, you must have the Local Zone ID where you want to create a bucket. You can find all Local Zone information by using the [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html) API operation. This API operation lists information about Local Zones, including their Local Zone IDs, parent Region names, network border groups, and opt-in status. After you have your Local Zone ID and you are opted in, you can create a directory bucket in the Local Zone. A directory bucket name consists of a base name that you provide and a suffix that contains the Zone ID of your bucket location, followed by `--x-s3`. 

A Local Zone is connected to the **parent Region** using the Amazon redundant and very high-bandwidth private network. This gives applications running in the Local Zone fast, secure, and seamless access to the rest of the AWS services in the parent Region. **Parent Zone ID** is the ID of the zone that handles the Local Zone control plane operations. **Network Border Group** is a unique group from which AWS advertises public IP addresses. For more information about Local Zones, parent Region, and parent Zone ID, see [AWS Local Zones concepts](https://docs.aws.amazon.com/local-zones/latest/ug/concepts-local-zones.html) in the *AWS Local Zones User Guide*.

All directory buckets use the `s3express` namespace, which is separate from the `s3` namespace for general purpose buckets. For directory buckets, requests are routed to either a **Regional endpoint** or a **Zonal endpoint**. The routing is handled automatically for you if you use the AWS Management Console, AWS CLI, or AWS SDKs. 

Most bucket-level API operations (such as `CreateBucket` and `DeleteBucket`) are routed to Regional endpoints, and are referred to as Regional endpoint API operations. Regional endpoints are in the format of `s3express-control.ParentRegionCode.amazonaws.com`. All object-level API operations (such as `PutObject`) and two bucket-level API operations (`CreateSession` and `HeadBucket`) are routed to Zonal endpoints, and are referred to as Zonal endpoint API operations. Zonal endpoints are in the format of `s3express-LocalZoneID.ParentRegionCode.amazonaws.com`. For a complete list of API operations by endpoint type, see [Directory bucket API operations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-differences.html#s3-express-differences-api-operations).

To access directory buckets in Local Zones from your virtual private cloud (VPC), you can use gateway VPC endpoints. There is no additional charge for using gateway endpoints. To configure gateway VPC endpoints to access directory buckets and objects in Local Zones, see [Private connectivity from your VPC](connectivity-lz-directory-buckets.md). 

# Enable accounts for Local Zones
<a name="opt-in-directory-bucket-lz"></a>

The following topic describes how accounts are enabled for Dedicated Local Zones.

For all the services in AWS Dedicated Local Zones (Dedicated Local Zones), including Amazon S3, your administrator must enable your AWS account before you can create or access any resource in the Dedicated Local Zone. You can use the [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html) API operation to confirm your account ID access to a Local Zone.

To further protect your data in Amazon S3, by default, you only have access to the S3 resources that you create. Buckets in Local Zones have all S3 Block Public Access settings enabled by default and S3 Object Ownership is set to bucket owner enforced. These settings can't be modified. Optionally, to restrict access to only within the Local Zone network border groups, you can use the condition key `s3express:AllAccessRestrictedToLocalZoneGroup` in your IAM policies. For more information, see [Authenticating and authorizing for directory buckets in Local Zones](iam-directory-bucket-LZ.md).
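The following Python is an added example, not code from the Amazon S3 documentation or from the AWS SDKs. It covers the two checks described above and under Concepts: it picks the Local Zones an account can actually use out of a `DescribeAvailabilityZones` response (a constructed dict in the shape of the boto3 `describe_availability_zones` result stands in for the live call, so the code runs offline), builds and splits the `bucket-base-name--zone-id--x-s3` name, and chooses the Regional or Zonal endpoint for an operation. The zone names, zone IDs and border groups in the sample are placeholders; the rejection of `--` inside the base name is this example's own precaution so the suffix always splits unambiguously, not a rule quoted from the page, and `REGIONAL_BUCKET_OPS` lists only a few bucket-level operations.

```python
"""Directory buckets in Local Zones: find Local Zones an account is opted in to,
build and check the bucket name, and derive the endpoint a request goes to."""
import re
from typing import Dict, List, Tuple

# Constructed sample shaped like an EC2 DescribeAvailabilityZones response
# (boto3: ec2.describe_availability_zones(AllAvailabilityZones=True)).
# Zone names, zone IDs and border groups below are placeholders, not real zones.
SAMPLE_RESPONSE = {
    "AvailabilityZones": [
        {"ZoneName": "us-west-2a", "ZoneId": "usw2-az1",
         "ZoneType": "availability-zone", "OptInStatus": "opt-in-not-required",
         "RegionName": "us-west-2", "NetworkBorderGroup": "us-west-2",
         "State": "available"},
        {"ZoneName": "us-west-2-dlz-example-1a", "ZoneId": "usw2-dlz-example-az1",
         "ZoneType": "local-zone", "OptInStatus": "opted-in",
         "RegionName": "us-west-2", "NetworkBorderGroup": "us-west-2-dlz-example-1",
         "ParentZoneName": "us-west-2a", "ParentZoneId": "usw2-az1",
         "State": "available"},
        {"ZoneName": "us-west-2-dlz-example-2a", "ZoneId": "usw2-dlz-example-az2",
         "ZoneType": "local-zone", "OptInStatus": "not-opted-in",
         "RegionName": "us-west-2", "NetworkBorderGroup": "us-west-2-dlz-example-2",
         "ParentZoneName": "us-west-2a", "ParentZoneId": "usw2-az1",
         "State": "available"},
    ]
}

# Base name: lowercase letters, digits and single hyphens. Rejecting "--" inside
# the base is this example's own precaution so "--zone-id--x-s3" splits cleanly.
_BASE_NAME = re.compile(r"^[a-z0-9](?:[a-z0-9]|-(?!-))*[a-z0-9]$")
SUFFIX = "--x-s3"


def usable_local_zones(response: Dict) -> List[Dict]:
    """Local Zones the calling account can use: local-zone type, opted in, available.
    A zone listed as 'not-opted-in' means the administrator has not yet enabled
    this account for it."""
    return [
        z for z in response["AvailabilityZones"]
        if z["ZoneType"] == "local-zone"
        and z["OptInStatus"] == "opted-in"
        and z["State"] == "available"
    ]


def directory_bucket_name(base: str, zone_id: str) -> str:
    """Full directory bucket name: base name, then --<zone id>, then --x-s3."""
    if not _BASE_NAME.match(base):
        raise ValueError(f"invalid base name: {base!r}")
    if not zone_id or "--" in zone_id:
        raise ValueError(f"invalid zone id: {zone_id!r}")
    return f"{base}--{zone_id}{SUFFIX}"


def split_directory_bucket_name(name: str) -> Tuple[str, str]:
    """Recover (base, zone_id) from a full name; raises if the shape is wrong."""
    if not name.endswith(SUFFIX):
        raise ValueError("not a directory bucket name (missing --x-s3)")
    base, sep, zone_id = name[: -len(SUFFIX)].rpartition("--")
    if not sep or not base or not zone_id:
        raise ValueError("missing --zone-id-- segment")
    return base, zone_id


def regional_endpoint(region: str) -> str:
    return f"s3express-control.{region}.amazonaws.com"


def zonal_endpoint(zone_id: str, region: str) -> str:
    return f"s3express-{zone_id}.{region}.amazonaws.com"


# Bucket-level operations served by the Regional endpoint. The page names the
# first two; the rest are further bucket-level operations (extend as required).
REGIONAL_BUCKET_OPS = {"CreateBucket", "DeleteBucket", "ListDirectoryBuckets",
                       "PutBucketPolicy", "GetBucketPolicy", "DeleteBucketPolicy"}


def endpoint_for(operation: str, zone_id: str, region: str) -> str:
    """CreateSession, HeadBucket and every object-level operation are Zonal;
    the remaining bucket-level operations are Regional."""
    if operation in REGIONAL_BUCKET_OPS:
        return regional_endpoint(region)
    return zonal_endpoint(zone_id, region)


if __name__ == "__main__":
    for z in usable_local_zones(SAMPLE_RESPONSE):
        name = directory_bucket_name("doc-example-bucket", z["ZoneId"])
        print(name, "->", endpoint_for("PutObject", z["ZoneId"], z["RegionName"]))
```

To run this against a real account, replace `SAMPLE_RESPONSE` with the result of `boto3.client("ec2", region_name=...).describe_availability_zones(AllAvailabilityZones=True)`; a Dedicated Local Zone that is missing from `usable_local_zones` is the first thing to check before a `CreateBucket` call is attempted.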

# Private connectivity from your VPC
<a name="connectivity-lz-directory-buckets"></a>

To reduce the amount of time your packets spend on the network, configure your virtual private cloud (VPC) with a gateway endpoint to access directory buckets in Availability Zones while keeping traffic within the AWS network, and at no additional cost.

**To configure a gateway VPC endpoint**

1. Open the [Amazon VPC Console](https://console.aws.amazon.com/vpc/). 

1. In the navigation pane, choose **Endpoints**.

1. Choose **Create endpoint**.

1. Create a name for your endpoint.

1. For **Service category**, choose **AWS services**. 

1. For **Services**, add the filter **Type=Gateway** and then choose the option button next to **com.amazonaws.*region*.s3express**. 

1. For **VPC**, choose the VPC in which to create the endpoint.

1. For **Route tables**, choose the route table in your VPC to be used by the endpoint. After the endpoint is created, a route record will be added to the route table that you select in this step.

1. For **Policy**, choose **Full access** to allow all operations by all principals on all resources over the VPC endpoint. Otherwise, choose **Custom** to attach a VPC endpoint policy that controls the principals' permissions to perform actions on resources over the VPC endpoint. 

1. For **IP address type**, choose from the following options:
   +  **IPv4** – Assign IPv4 addresses to the endpoint network interfaces. This option is supported only if all selected subnets have IPv4 address ranges and the service accepts IPv4 requests. 
   +  **IPv6** – Assign IPv6 addresses to the endpoint network interfaces. This option is supported only if all selected subnets are IPv6 only subnets and the service accepts IPv6 requests.
   +  **Dualstack** – Assign both IPv4 and IPv6 addresses to the endpoint network interfaces. This option is supported only if all selected subnets have both IPv4 and IPv6 address ranges and the service accepts both IPv4 and IPv6 requests.

1. (Optional) To add a tag, choose **Add new tag**, and enter the tag key and the tag value.

1. Choose **Create endpoint**.

To learn more about gateway VPC endpoints, see [Gateway endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html) in the *AWS PrivateLink Guide*. For the data residency use cases, we recommend enabling access to your buckets only from your VPC using gateway VPC endpoints. When access is restricted to a VPC or a VPC endpoint, you can access the objects through the AWS Management Console, the REST API, AWS CLI, and AWS SDKs.

**Note**  
To restrict access to a VPC or a VPC endpoint using the AWS Management Console, you must use the AWS Management Console Private Access. For more information, see [AWS Management Console Private Access](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/console-private-access.html) in the *AWS Management Console guide*.

# Creating a directory bucket in a Local Zone
<a name="create-directory-bucket-LZ"></a>

In Dedicated Local Zones, you can create directory buckets to store and retrieve objects in a specific data perimeter to help meet your data residency and data isolation use cases. S3 directory buckets are the only supported bucket type in Local Zones, and contain a bucket location type called `LocalZone`. A directory bucket name consists of a base name that you provide and a suffix that contains the Zone ID of your bucket location and `--x-s3`. You can obtain a list of Local Zone IDs by using the [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html) API operation. For more information, see [Directory bucket naming rules](directory-bucket-naming-rules.md).

**Note**  
For all the services in AWS Dedicated Local Zones (Dedicated Local Zones), including S3, your administrator must enable your AWS account before you can create or access any resource in the Dedicated Local Zone. For more information, see [Enable accounts for Local Zones](opt-in-directory-bucket-lz.md).
For the data residency requirements, we recommend enabling access to your buckets only from gateway VPC endpoints. For more information, see [Private connectivity from your VPC](connectivity-lz-directory-buckets.md).
To restrict access to only within the Local Zone network border groups, you can use the condition key `s3express:AllAccessRestrictedToLocalZoneGroup` in your IAM policies. For more information, see [Authenticating and authorizing for directory buckets in Local Zones](iam-directory-bucket-LZ.md).

The following describes ways to create a directory bucket in a single Local Zone with the AWS Management Console, AWS CLI, and AWS SDKs. 

## Using the S3 console
<a name="create-directory-bucket-lz-console"></a>

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar on the top of the page, choose the name of the currently displayed AWS Region. Next, choose the parent Region of a Local Zone in which you want to create a directory bucket. 
**Note**  
For more information about the parent Regions, see [Concepts for directory buckets in Local Zones](s3-lzs-for-directory-buckets.md).

1. In the left navigation pane, choose **Buckets**.

1. Choose **Create bucket**.

   The **Create bucket** page opens.

1. Under **General configuration**, view the AWS Region where your bucket will be created. 

1.  Under **Bucket type**, choose **Directory**.
**Note**  
If you've chosen a Region that doesn't support directory buckets, the bucket type defaults to a general purpose bucket. To create a directory bucket, you must choose a supported Region. For a list of Regions that support directory buckets, see [Regional and Zonal endpoints for directory buckets](s3-express-Regions-and-Zones.md).
After you create the bucket, you can't change the bucket type.

1. Under **Bucket location**, choose a Local Zone that you want to use. 
**Note**  
The Local Zone can't be changed after the bucket is created. 

1. Under **Bucket location**, select the checkbox to acknowledge that in the event of a Local Zone outage, your data might be unavailable or lost. 
**Important**  
Although directory buckets are stored across multiple devices within a single Local Zone, directory buckets don't store data redundantly across Local Zones.

1. For **Bucket name**, enter a name for your directory bucket.

   For more information about the naming rules for directory buckets, see [General purpose bucket naming rules](bucketnamingrules.md). A suffix is automatically added to the base name that you provide when you create a directory bucket using the console. This suffix includes the Zone ID of the Local Zone that you chose.

   After you create the bucket, you can't change its name. 
**Important**  
Don't include sensitive information, such as account numbers, in the bucket name. The bucket name is visible in the URLs that point to the objects in the bucket.

1. Under **Object Ownership**, the **Bucket owner enforced** setting is automatically enabled, and all access control lists (ACLs) are disabled. For directory buckets, ACLs are disabled and can't be enabled.

   With the **Bucket owner enforced** setting enabled, the bucket owner automatically owns and has full control over every object in the bucket. ACLs no longer affect access permissions to data in the S3 bucket. The bucket uses policies exclusively to define access control. A majority of modern use cases in Amazon S3 no longer require the use of ACLs. For more information, see [Controlling ownership of objects and disabling ACLs for your bucket](about-object-ownership.md).

1. Under **Block Public Access settings for this bucket**, all Block Public Access settings for your directory bucket are automatically enabled. These settings can't be modified for directory buckets. For more information about blocking public access, see [Blocking public access to your Amazon S3 storage](access-control-block-public-access.md).

1. Under **Default encryption**, directory buckets use **Server-side encryption with Amazon S3 managed keys (SSE-S3)** to encrypt data by default. You also have the option to encrypt data in directory buckets with **Server-side encryption with AWS Key Management Service keys (SSE-KMS)**.

1. Choose **Create bucket**.

   After creating the bucket, you can add files and folders to the bucket. For more information, see [Working with objects in a directory bucket](directory-buckets-objects.md).

## Using the AWS CLI
<a name="create-directory-bucket-lz-cli"></a>

This example shows how to create a directory bucket in a Local Zone by using the AWS CLI. To use the command, replace the *user input placeholders* with your own information.

When you create a directory bucket, you must provide configuration details and use the following naming convention: `bucket-base-name--zone-id--x-s3`.

```
aws s3api create-bucket \
--bucket bucket-base-name--zone-id--x-s3 \
--create-bucket-configuration 'Location={Type=LocalZone,Name=local-zone-id},Bucket={DataRedundancy=SingleLocalZone,Type=Directory}' \
--region parent-region-code
```

For more information about Local Zone ID and Parent Region Code, see [Concepts for directory buckets in Local Zones](s3-lzs-for-directory-buckets.md). For more information about the AWS CLI command, see [create-bucket](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html) in the *AWS CLI Command Reference*.

## Using the AWS SDKs
<a name="create-directory-bucket-lz-sdks"></a>

------
#### [ SDK for Go ]

This example shows how to create a directory bucket in a Local Zone by using the AWS SDK for Go. 

**Example**  

```
package main

import (
    "context"
    "errors"
    "fmt"
    "log"

    "github.com/aws/aws-sdk-go-v2/aws"
    "github.com/aws/aws-sdk-go-v2/service/s3"
    "github.com/aws/aws-sdk-go-v2/service/s3/types"
)

var bucket = "bucket-base-name--zone-id--x-s3" // The full directory bucket name

func runCreateBucket(c *s3.Client) {
    resp, err := c.CreateBucket(context.Background(), &s3.CreateBucketInput{
        Bucket: &bucket,
        CreateBucketConfiguration: &types.CreateBucketConfiguration{
            Location: &types.LocationInfo{
                Name: aws.String("local-zone-id"), // must match the Local Zone ID in the bucket name
                Type: types.LocationTypeLocalZone,
            },
            Bucket: &types.BucketInfo{
                DataRedundancy: types.DataRedundancySingleLocalZone,
                Type:           types.BucketTypeDirectory,
            },
        },
    })
    var terr *types.BucketAlreadyOwnedByYou
    if errors.As(err, &terr) {
        fmt.Printf("BucketAlreadyOwnedByYou: %s\n", aws.ToString(terr.Message))
        fmt.Printf("noop...\n") // No operation performed, just printing a message
        return
    }
    if err != nil {
        log.Fatal(err)
    }

    fmt.Printf("bucket created at %s\n", aws.ToString(resp.Location))
}
```

------
#### [ SDK for Java 2.x ]

This example shows how to create a directory bucket in a Local Zone by using the AWS SDK for Java 2.x. 

**Example**  

```
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.BucketInfo;
import software.amazon.awssdk.services.s3.model.BucketType;
import software.amazon.awssdk.services.s3.model.CreateBucketConfiguration;
import software.amazon.awssdk.services.s3.model.CreateBucketRequest;
import software.amazon.awssdk.services.s3.model.CreateBucketResponse;
import software.amazon.awssdk.services.s3.model.DataRedundancy;
import software.amazon.awssdk.services.s3.model.LocationInfo;
import software.amazon.awssdk.services.s3.model.LocationType;
import software.amazon.awssdk.services.s3.model.S3Exception;

public static void createBucket(S3Client s3Client, String bucketName) {

    // Bucket name format is {base-bucket-name}--{local-zone-id}--x-s3
    // example: doc-example-bucket--local-zone-id--x-s3 is a valid name for a directory bucket created in a Local Zone.

    CreateBucketConfiguration bucketConfiguration = CreateBucketConfiguration.builder()
            .location(LocationInfo.builder()
                    .type(LocationType.LOCAL_ZONE)
                    .name("local-zone-id") // this must match the Local Zone ID in your bucket name
                    .build())
            .bucket(BucketInfo.builder()
                    .type(BucketType.DIRECTORY)
                    .dataRedundancy(DataRedundancy.SINGLE_LOCAL_ZONE)
                    .build())
            .build();
    try {
        CreateBucketRequest bucketRequest = CreateBucketRequest.builder()
                .bucket(bucketName)
                .createBucketConfiguration(bucketConfiguration)
                .build();
        CreateBucketResponse response = s3Client.createBucket(bucketRequest);
        System.out.println(response);
    } catch (S3Exception e) {
        System.err.println(e.awsErrorDetails().errorMessage());
        System.exit(1);
    }
}
```

------
#### [ AWS SDK for JavaScript ]

This example shows how to create a directory bucket in a Local Zone by using the AWS SDK for JavaScript. 

**Example**  

```
// file.mjs, run with Node.js v16 or higher
// To use with the preview build, place this in a folder
// inside the preview build directory, such as /aws-sdk-js-v3/workspace/

import { S3 } from "@aws-sdk/client-s3";

const region = "parent-region-code";
const zone = "local-zone-id";
const suffix = `${zone}--x-s3`;

const s3 = new S3({ region });

const bucketName = `bucket-base-name--${suffix}`; // Full directory bucket name

const createResponse = await s3.createBucket({
    Bucket: bucketName,
    CreateBucketConfiguration: {
        Location: { Type: "LocalZone", Name: zone }, // must match the Local Zone ID in the bucket name
        Bucket: { Type: "Directory", DataRedundancy: "SingleLocalZone" },
    },
});
```

------
#### [ SDK for .NET ]

This example shows how to create a directory bucket in a Local Zone by using the SDK for .NET. 

**Example**  

```
using Amazon.S3;
using Amazon.S3.Model;

using (var amazonS3Client = new AmazonS3Client())
{
    var putBucketResponse = await amazonS3Client.PutBucketAsync(new PutBucketRequest
    {
        BucketName = "bucket-base-name--local-zone-id--x-s3",
        PutBucketConfiguration = new PutBucketConfiguration
        {
            BucketInfo = new BucketInfo { DataRedundancy = DataRedundancy.SingleLocalZone, Type = BucketType.Directory },
            Location = new LocationInfo { Name = "local-zone-id", Type = LocationType.LocalZone }
        }
    }).ConfigureAwait(false);
}
```

------
#### [ SDK for PHP ]

This example shows how to create a directory bucket in a Local Zone by using the AWS SDK for PHP. 

**Example**  

```
require 'vendor/autoload.php';

use Aws\S3\S3Client;

$s3Client = new S3Client([
    'region' => 'parent-region-code',
]);

$result = $s3Client->createBucket([
    'Bucket' => 'bucket-base-name--local-zone-id--x-s3',
    'CreateBucketConfiguration' => [
        'Location' => ['Name' => 'local-zone-id', 'Type' => 'LocalZone'],
        'Bucket' => ['DataRedundancy' => 'SingleLocalZone', 'Type' => 'Directory'],
    ],
]);
```

------
#### [ SDK for Python ]

This example shows how to create a directory bucket in a Local Zone by using the AWS SDK for Python (Boto3). 

**Example**  

```
import logging
import boto3
from botocore.exceptions import ClientError


def create_bucket(s3_client, bucket_name, local_zone):
    '''
    Create a directory bucket in a specified Local Zone

    :param s3_client: boto3 S3 client
    :param bucket_name: Bucket to create; for example, 'bucket-base-name--local-zone-id--x-s3'
    :param local_zone: String; Local Zone ID to create the bucket in
    :return: True if bucket is created, else False
    '''

    try:
        bucket_config = {
            'Location': {
                'Type': 'LocalZone',
                'Name': local_zone
            },
            'Bucket': {
                'Type': 'Directory',
                'DataRedundancy': 'SingleLocalZone'
            }
        }
        s3_client.create_bucket(
            Bucket=bucket_name,
            CreateBucketConfiguration=bucket_config
        )
    except ClientError as e:
        logging.error(e)
        return False
    return True


if __name__ == '__main__':
    bucket_name = 'BUCKET_NAME'
    region = 'parent-region-code'
    local_zone = 'local-zone-id'
    s3_client = boto3.client('s3', region_name=region)
    create_bucket(s3_client, bucket_name, local_zone)
```

------
#### [ SDK for Ruby ]

This example shows how to create a directory bucket in a Local Zone by using the AWS SDK for Ruby. 

**Example**  

```
require 'aws-sdk-s3'

s3 = Aws::S3::Client.new(region: 'parent-region-code')
s3.create_bucket(
  bucket: "bucket-base-name--local-zone-id--x-s3",
  create_bucket_configuration: {
    location: { name: 'local-zone-id', type: 'LocalZone' },
    bucket: { data_redundancy: 'SingleLocalZone', type: 'Directory' }
  }
)
```

------

# Authenticating and authorizing for directory buckets in Local Zones
<a name="iam-directory-bucket-LZ"></a>

Directory buckets in Local Zones support both AWS Identity and Access Management (IAM) authorization and session-based authorization. For more information about authentication and authorization for directory buckets, see [Authenticating and authorizing requests](s3-express-authenticating-authorizing.md).

## Resources
<a name="directory-bucket-lz-resources"></a>

Amazon Resource Names (ARNs) for directory buckets contain the `s3express` namespace, the AWS parent Region, the AWS account ID, and the directory bucket name which includes the Zone ID. To access and perform actions on your directory bucket, you must use the following ARN format:

```
arn:aws:s3express:region-code:account-id:bucket/bucket-base-name--ZoneID--x-s3
```

For directory buckets in a Local Zone, the Zone ID is the ID of the Local Zone. For more information about directory buckets in Local Zones, see [Concepts for directory buckets in Local Zones](s3-lzs-for-directory-buckets.md). For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html) in the *IAM User Guide*. For more information about resources, see [IAM JSON Policy Elements: Resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html) in the *IAM User Guide*.

## Condition keys for directory buckets in Local Zones
<a name="condition-key-db-lz"></a>

In Local Zones, you can use all of these [condition keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3express.html#amazons3express-policy-keys) in your IAM policies. Additionally, to create a data perimeter around your Local Zone network border groups, you can use the condition key `s3express:AllAccessRestrictedToLocalZoneGroup` to deny all requests from outside the groups. 

The following condition key can be used to further refine the conditions under which an IAM policy statement applies. For a complete list of API operations, policy actions, and condition keys that are supported by directory buckets, see [Policy actions for directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html#s3-express-security-iam-actions).

**Note**  
The following condition key only applies to Local Zones and isn't supported in Availability Zones and AWS Regions.


| API operations | Policy actions | Action description | Condition key | Condition key description | Type | 
| --- | --- | --- | --- | --- | --- | 
|  [Zonal endpoint API operations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-APIs.html)  |  s3express:CreateSession  |  Grants permission to create a session token, which is used for granting access to all Zonal endpoint API operations, such as `CreateSession`, `HeadBucket`, `CopyObject`, `PutObject`, and `GetObject`.  |  s3express:AllAccessRestrictedToLocalZoneGroup  | Filters all access to the bucket unless the request originates from the AWS Local Zone network border groups provided in this condition key.  **Values:** Local Zone network border group value   |  String  | 

## Example policies
<a name="directory-bucket-lz-policies"></a>

To restrict object access to requests from within a data residency boundary that you define (specifically, a Local Zone Group which is a set of Local Zones parented to the same AWS Region), you can set any of the following policies:
+ The service control policy (SCP). For information about SCPs, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ The IAM identity-based policy for the IAM role.
+ The VPC endpoint policy. For more information about the VPC endpoint policies, see [Control access to VPC endpoints using endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) in the *AWS PrivateLink Guide*.
+ The S3 bucket policy.

**Note**  
The condition key `s3express:AllAccessRestrictedToLocalZoneGroup` doesn't support access from an on-premises environment. To support the access from an on-premises environment, you must add the source IP to the policies. For more information, see [aws:SourceIp](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip) in the *IAM User Guide*. 

**Example – SCP policy**  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Access-to-specific-LocalZones-only",
            "Effect": "Deny",
            "Action": [
                "s3express:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {
                    "s3express:AllAccessRestrictedToLocalZoneGroup": [
                        "local-zone-network-border-group-value"
                    ]
                }
            }
        }
    ]
}
```

**Example – IAM identity-based policy (attached to IAM role)**  

```
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "s3express:CreateSession",
        "Resource": "*",
        "Condition": {
            "StringNotEqualsIfExists": {
                "s3express:AllAccessRestrictedToLocalZoneGroup": [
                    "local-zone-network-border-group-value"
                ]              
            }
        }
    }
}
```

**Example – VPC endpoint policy**  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {       
            "Sid": "Access-to-specific-LocalZones-only",
            "Principal": "*",
            "Action": "s3express:CreateSession",
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {
                 "StringNotEqualsIfExists": {
                     "s3express:AllAccessRestrictedToLocalZoneGroup": [
                         "local-zone-network-border-group-value"
                     ]
                 }   
            }
        }
    ]
}
```

**Example – bucket policy**  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {       
            "Sid": "Access-to-specific-LocalZones-only",
            "Principal": "*",
            "Action": "s3express:CreateSession",
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {
                 "StringNotEqualsIfExists": {
                     "s3express:AllAccessRestrictedToLocalZoneGroup": [
                         "local-zone-network-border-group-value"
                     ]
                 }   
            }
        }
    ]
}
```
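As an added example (not code from the Amazon S3 documentation), the Python below generates the Deny statement that the four policies above share, for a given list of border groups and with or without a `Principal`, and models how IAM's documented `...IfExists` behaviour decides whether that one statement denies a request. The request context dicts are constructed; the optional on-premises exemption, a second `NotIpAddressIfExists` operator on `aws:SourceIp`, is this example's way of applying the note above (the page only says to add the source IP, not how); and `denied_by_perimeter` is a simplified single-statement model, not a full IAM policy engine, so a real decision still depends on the other policies in the request's evaluation.

```python
"""Deny statement for a Local Zone data perimeter, plus a model of how its
StringNotEqualsIfExists condition is evaluated against a request context."""
import ipaddress
import json
from typing import Dict, Iterable, Optional

CONDITION_KEY = "s3express:AllAccessRestrictedToLocalZoneGroup"
SOURCE_IP_KEY = "aws:SourceIp"


def perimeter_statement(groups: Iterable[str], action="s3express:CreateSession",
                        principal: Optional[str] = None,
                        on_prem_cidrs: Iterable[str] = (),
                        sid: str = "Access-to-specific-LocalZones-only") -> Dict:
    """Deny `action` unless the request carries one of `groups` in the condition key.

    Resource-based policies (VPC endpoint, bucket) carry a Principal; the SCP and
    the identity-based policy must not. Listing on-premises CIDRs adds a second
    operator: every operator in a Condition must be true for the Deny to apply, so
    a request from a listed range is exempt although it has no border group.
    (The exemption is this example's own pattern, see the lead-in.)
    """
    conditions = {"StringNotEqualsIfExists": {CONDITION_KEY: list(groups)}}
    on_prem_cidrs = list(on_prem_cidrs)
    if on_prem_cidrs:
        conditions["NotIpAddressIfExists"] = {SOURCE_IP_KEY: on_prem_cidrs}
    stmt = {"Sid": sid}
    if principal is not None:
        stmt["Principal"] = principal
    stmt.update({"Effect": "Deny", "Action": action, "Resource": "*",
                 "Condition": conditions})
    return stmt


def policy_document(groups, action="s3express:CreateSession", principal=None,
                    on_prem_cidrs=()) -> str:
    """Complete policy JSON (valid JSON, no trailing commas) ready to attach."""
    doc = {"Version": "2012-10-17",
           "Statement": [perimeter_statement(groups, action, principal, on_prem_cidrs)]}
    return json.dumps(doc, indent=4)


def _in_any_range(ip: str, cidrs: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def denied_by_perimeter(request_context: Dict[str, str], groups: Iterable[str],
                        on_prem_cidrs: Iterable[str] = ()) -> bool:
    """Simplified model of IAM's documented ...IfExists evaluation for this one
    Deny statement: a key that is absent from the request context makes its
    operator true, so a request with no border group value (an Availability
    Zone, a Region, or on premises) is denied unless an on-premises exemption
    matches. String comparison is case-sensitive, as StringNotEquals is."""
    groups = set(groups)
    on_prem_cidrs = list(on_prem_cidrs)
    outside_group = (CONDITION_KEY not in request_context
                     or request_context[CONDITION_KEY] not in groups)
    if not on_prem_cidrs:
        return outside_group
    # Requests arriving over a VPC endpoint carry no aws:SourceIp; IfExists keeps
    # that operator true for them, so only the border group decides.
    outside_on_prem = (SOURCE_IP_KEY not in request_context
                       or not _in_any_range(request_context[SOURCE_IP_KEY], on_prem_cidrs))
    return outside_group and outside_on_prem


if __name__ == "__main__":
    groups = ["local-zone-network-border-group-value"]  # placeholder, as on the page
    print(policy_document(groups, action="s3express:*"))  # SCP shape, no Principal
    print(policy_document(groups, principal="*"))         # bucket / VPC endpoint shape
    # Constructed request contexts using RFC 5737 documentation addresses.
    print(denied_by_perimeter({CONDITION_KEY: groups[0]}, groups))  # False
    print(denied_by_perimeter({}, groups))                           # True
    print(denied_by_perimeter({SOURCE_IP_KEY: "203.0.113.10"}, groups,
                              ["203.0.113.0/24"]))                   # False
```

The string from `policy_document(groups, principal="*")` can be passed as the `PolicyDocument` of `ec2.create_vpc_endpoint` when the gateway endpoint is created with the **Custom** policy option, and the SCP shape (no `Principal`, action `s3express:*`) is what goes into AWS Organizations.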