


# AWS::S3Express::DirectoryBucket
<a name="aws-resource-s3express-directorybucket"></a>

The `AWS::S3Express::DirectoryBucket` resource defines an Amazon S3 directory bucket in the same AWS Region where you create the AWS CloudFormation stack.

To control how AWS CloudFormation handles the bucket when the stack is deleted, you can set a deletion policy for your bucket. You can choose to *retain* the bucket or to *delete* the bucket. For more information, see [DeletionPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html).

**Important**  
You can only delete empty buckets. Deletion fails for buckets that have contents.

Permissions  
The required permissions for CloudFormation to use are based on the operations that are performed on the stack.  
+ Create
  + s3express:CreateBucket
  + s3express:ListAllMyDirectoryBuckets
+ Read
  + s3express:ListAllMyDirectoryBuckets
  + ec2:DescribeAvailabilityZones
+ Delete
  + s3express:DeleteBucket
  + s3express:ListAllMyDirectoryBuckets
+ List
  + s3express:ListAllMyDirectoryBuckets
+ PutBucketEncryption
  + s3express:PutEncryptionConfiguration
  + To set a directory bucket default encryption with SSE-KMS, you must also have the kms:GenerateDataKey and kms:Decrypt permissions in IAM identity-based policies and AWS KMS key policies for the target AWS KMS key.
+ GetBucketEncryption
  + s3express:GetBucketEncryption
+ DeleteBucketEncryption
  + s3express:PutEncryptionConfiguration

The following operations are related to `AWS::S3Express::DirectoryBucket`:
+  [CreateBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html) 
+  [ListDirectoryBuckets](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListDirectoryBuckets.html) 
+  [DeleteBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html) 

## Syntax
<a name="aws-resource-s3express-directorybucket-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-s3express-directorybucket-syntax.json"></a>

```
{
  "Type" : "AWS::S3Express::DirectoryBucket",
  "Properties" : {
      "BucketEncryption" : BucketEncryption,
      "BucketName" : String,
      "DataRedundancy" : String,
      "LifecycleConfiguration" : LifecycleConfiguration,
      "LocationName" : String,
      "MetricsConfigurations" : [ MetricsConfiguration, ... ],
      "Tags" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-s3express-directorybucket-syntax.yaml"></a>

```
Type: AWS::S3Express::DirectoryBucket
Properties:
  BucketEncryption:
    BucketEncryption
  BucketName: String
  DataRedundancy: String
  LifecycleConfiguration:
    LifecycleConfiguration
  LocationName: String
  MetricsConfigurations:
    - MetricsConfiguration
  Tags:
    - Tag
```

## Properties
<a name="aws-resource-s3express-directorybucket-properties"></a>

`BucketEncryption`  <a name="cfn-s3express-directorybucket-bucketencryption"></a>
Specifies default encryption for a bucket using server-side encryption with Amazon S3 managed keys (SSE-S3) or AWS KMS keys (SSE-KMS). For information about default encryption for directory buckets, see [Setting and monitoring default encryption for directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-bucket-encryption.html) in the *Amazon S3 User Guide*.  
*Required*: No  
*Type*: [BucketEncryption](aws-properties-s3express-directorybucket-bucketencryption.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`BucketName`  <a name="cfn-s3express-directorybucket-bucketname"></a>
A name for the bucket. The bucket name must contain only lowercase letters, numbers, and hyphens (-). A directory bucket name must be unique in the chosen Zone (Availability Zone or Local Zone). The bucket name must also follow the format `bucket_base_name--zone_id--x-s3` (for example, `bucket_base_name--usw2-az1--x-s3`). If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. For information about bucket naming restrictions, see [Directory bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html) in the *Amazon S3 User Guide*.   
If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.  
*Required*: No  
*Type*: String  
*Pattern*: `^[a-z0-9][a-z0-9//.//-]*[a-z0-9]$`  
*Maximum*: `63`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`DataRedundancy`  <a name="cfn-s3express-directorybucket-dataredundancy"></a>
The number of Zones (Availability Zones or Local Zones) used for redundancy for the bucket.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `SingleAvailabilityZone | SingleLocalZone`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`LifecycleConfiguration`  <a name="cfn-s3express-directorybucket-lifecycleconfiguration"></a>
Container for lifecycle rules. You can add as many as 1000 rules.  
For more information, see [Creating and managing a lifecycle configuration for directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-lifecycle.html) in the *Amazon S3 User Guide*.  
*Required*: No  
*Type*: [LifecycleConfiguration](aws-properties-s3express-directorybucket-lifecycleconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`LocationName`  <a name="cfn-s3express-directorybucket-locationname"></a>
The name of the location where the bucket will be created.  
For directory buckets, the name of the location is the Zone ID of the Availability Zone (AZ) or Local Zone (LZ) where the bucket will be created. An example AZ ID value is `usw2-az1`.  
*Required*: Yes  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`MetricsConfigurations`  <a name="cfn-s3express-directorybucket-metricsconfigurations"></a>
Property description not available.  
*Required*: No  
*Type*: Array of [MetricsConfiguration](aws-properties-s3express-directorybucket-metricsconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-s3express-directorybucket-tags"></a>
An array of tags that you can apply to the S3 directory bucket. Tags are key-value pairs of metadata used to categorize and organize your buckets, track costs, and control access. For more information, see [Using tags with directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-tagging.html).  
*Required*: No  
*Type*: Array of [Tag](aws-properties-s3express-directorybucket-tag.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-s3express-directorybucket-return-values"></a>

### Ref
<a name="aws-resource-s3express-directorybucket-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the bucket name.

Example: `bucket_base_name--usw2-az1--x-s3`

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-s3express-directorybucket-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-s3express-directorybucket-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
Returns the Amazon Resource Name (ARN) of the specified bucket.  
Example: `arn:aws:s3express:us-west-2:account_id:bucket/bucket_base_name--usw2-az1--x-s3`

`AvailabilityZoneName`  <a name="AvailabilityZoneName-fn::getatt"></a>
Returns the code for the Availability Zone or the Local Zone where the directory bucket was created.  
Example value for an Availability Zone code: *us-east-1f*  
An Availability Zone code might not represent the same physical location for different AWS accounts. For more information, see [Availability Zones and Regions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Endpoints.html) in the *Amazon S3 User Guide*.
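
The naming format and required properties described above can be checked before a stack is deployed. The following Python check is an added example, not part of the AWS reference: the sample template, logical IDs and bucket names are constructed, it applies the prose rule for `BucketName` (lowercase letters, numbers and hyphens), and it assumes the `zone_id` segment of the name is expected to equal `LocationName`.

```python
import json
import re

BUCKET_TYPE = "AWS::S3Express::DirectoryBucket"
ALLOWED_REDUNDANCY = {"SingleAvailabilityZone", "SingleLocalZone"}
# Prose rule from the BucketName description: lowercase letters, numbers, hyphens.
NAME_CHARS = re.compile(r"^[a-z0-9][a-z0-9-]*[a-z0-9]$")
NAME_SUFFIX = "--x-s3"
MAX_NAME_LENGTH = 63


def check_name(name, location):
    """Return problems found in a literal BucketName string."""
    problems = []
    if len(name) > MAX_NAME_LENGTH:
        problems.append("BucketName is longer than 63 characters")
    if not NAME_CHARS.match(name):
        problems.append("BucketName may contain only lowercase letters, numbers and hyphens")
    if not name.endswith(NAME_SUFFIX):
        problems.append("BucketName must end with --x-s3")
        return problems
    # Split "base--zone_id" on the last "--" to recover both segments.
    base, sep, zone = name[: -len(NAME_SUFFIX)].rpartition("--")
    if not (sep and base and zone):
        problems.append("BucketName must follow base--zone_id--x-s3")
    elif isinstance(location, str) and zone != location:
        # Assumption: the zone_id segment is expected to equal LocationName.
        problems.append(f"zone id '{zone}' in BucketName differs from LocationName '{location}'")
    return problems


def check_bucket(resource):
    """Check one resource against the Required / Allowed values entries."""
    props = resource.get("Properties") or {}
    findings = []
    location = props.get("LocationName")
    if location is None:
        findings.append("LocationName is required")
    redundancy = props.get("DataRedundancy")
    if redundancy is None:
        findings.append("DataRedundancy is required")
    elif isinstance(redundancy, str) and redundancy not in ALLOWED_REDUNDANCY:
        findings.append("DataRedundancy must be SingleAvailabilityZone or SingleLocalZone")
    name = props.get("BucketName")
    # Values built with intrinsic functions (dicts) cannot be checked statically.
    if isinstance(name, str):
        findings.extend(check_name(name, location))
    return findings


def lint_template(template_text):
    """Map each directory bucket's logical ID to its list of findings."""
    template = json.loads(template_text)
    report = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == BUCKET_TYPE:
            report[logical_id] = check_bucket(resource)
    return report


# Constructed sample template (not from the reference page).
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "GoodBucket": {"Type": BUCKET_TYPE, "Properties": {
            "BucketName": "app-logs--usw2-az1--x-s3",
            "LocationName": "usw2-az1",
            "DataRedundancy": "SingleAvailabilityZone"}},
        "WrongZone": {"Type": BUCKET_TYPE, "Properties": {
            "BucketName": "app-logs--use1-az4--x-s3",
            "LocationName": "usw2-az1",
            "DataRedundancy": "SingleAvailabilityZone"}},
        "BadProps": {"Type": BUCKET_TYPE, "Properties": {
            "BucketName": "App_Logs",
            "DataRedundancy": "MultiAZ"}},
        "Unrelated": {"Type": "AWS::SNS::Topic"},
    }
})

if __name__ == "__main__":
    for logical_id, findings in lint_template(SAMPLE_TEMPLATE).items():
        print(logical_id, findings or "ok")
```
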

# AWS::S3Express::DirectoryBucket AbortIncompleteMultipartUpload
<a name="aws-properties-s3express-directorybucket-abortincompletemultipartupload"></a>

Specifies the days since the initiation of an incomplete multipart upload that Amazon S3 will wait before permanently removing all parts of the upload. For more information, see [Aborting Incomplete Multipart Uploads Using a Bucket Lifecycle Configuration](https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html#mpu-abort-incomplete-mpu-lifecycle-config) in the *Amazon S3 User Guide*.

## Syntax
<a name="aws-properties-s3express-directorybucket-abortincompletemultipartupload-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-s3express-directorybucket-abortincompletemultipartupload-syntax.json"></a>

```
{
  "DaysAfterInitiation" : Integer
}
```

### YAML
<a name="aws-properties-s3express-directorybucket-abortincompletemultipartupload-syntax.yaml"></a>

```
  DaysAfterInitiation: Integer
```

## Properties
<a name="aws-properties-s3express-directorybucket-abortincompletemultipartupload-properties"></a>

`DaysAfterInitiation`  <a name="cfn-s3express-directorybucket-abortincompletemultipartupload-daysafterinitiation"></a>
Specifies the number of days after which Amazon S3 aborts an incomplete multipart upload.  
*Required*: Yes  
*Type*: Integer  
*Minimum*: `0`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::S3Express::DirectoryBucket BucketEncryption
<a name="aws-properties-s3express-directorybucket-bucketencryption"></a>

Specifies default encryption for a bucket using server-side encryption with Amazon S3 managed keys (SSE-S3) or AWS KMS keys (SSE-KMS). For information about default encryption for directory buckets, see [Setting and monitoring default encryption for directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-bucket-encryption.html) in the *Amazon S3 User Guide*.

## Syntax
<a name="aws-properties-s3express-directorybucket-bucketencryption-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-s3express-directorybucket-bucketencryption-syntax.json"></a>

```
{
  "ServerSideEncryptionConfiguration" : [ ServerSideEncryptionRule, ... ]
}
```

### YAML
<a name="aws-properties-s3express-directorybucket-bucketencryption-syntax.yaml"></a>

```
  ServerSideEncryptionConfiguration:
    - ServerSideEncryptionRule
```

## Properties
<a name="aws-properties-s3express-directorybucket-bucketencryption-properties"></a>

`ServerSideEncryptionConfiguration`  <a name="cfn-s3express-directorybucket-bucketencryption-serversideencryptionconfiguration"></a>
Specifies the default server-side-encryption configuration.  
*Required*: Yes  
*Type*: Array of [ServerSideEncryptionRule](aws-properties-s3express-directorybucket-serversideencryptionrule.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::S3Express::DirectoryBucket LifecycleConfiguration
<a name="aws-properties-s3express-directorybucket-lifecycleconfiguration"></a>

Container for lifecycle rules. You can add as many as 1000 rules.

For more information, see [Creating and managing a lifecycle configuration for directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-lifecycle.html) in the *Amazon S3 User Guide*.

## Syntax
<a name="aws-properties-s3express-directorybucket-lifecycleconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-s3express-directorybucket-lifecycleconfiguration-syntax.json"></a>

```
{
  "Rules" : [ Rule, ... ]
}
```

### YAML
<a name="aws-properties-s3express-directorybucket-lifecycleconfiguration-syntax.yaml"></a>

```
  Rules:
    - Rule
```

## Properties
<a name="aws-properties-s3express-directorybucket-lifecycleconfiguration-properties"></a>

`Rules`  <a name="cfn-s3express-directorybucket-lifecycleconfiguration-rules"></a>
A lifecycle rule for individual objects in an Amazon S3 Express bucket.  
*Required*: Yes  
*Type*: Array of [Rule](aws-properties-s3express-directorybucket-rule.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Examples
<a name="aws-properties-s3express-directorybucket-lifecycleconfiguration--examples"></a>



### Manage the lifecycle for S3 objects
<a name="aws-properties-s3express-directorybucket-lifecycleconfiguration--examples--Manage_the_lifecycle_for_S3_objects"></a>

The following example template shows an S3 directory bucket with a lifecycle configuration rule. The rule applies to all objects with the `foo/` key prefix. The objects are expired after seven days, and incomplete multipart uploads are deleted 3 days after initiation.

#### JSON
<a name="aws-properties-s3express-directorybucket-lifecycleconfiguration--examples--Manage_the_lifecycle_for_S3_objects--json"></a>

```
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "S3ExpressBucket": {
            "Type": "AWS::S3Express::DirectoryBucket",
            "Properties": {
                "LocationName": "usw2-az1",
                "DataRedundancy": "SingleAvailabilityZone",
                "LifecycleConfiguration": {
                    "Rules": [
                        {
                            "Id": "ExipiryRule",
                            "Prefix": "foo/",
                            "Status": "Enabled",
                            "ExpirationInDays": 7,
                            "AbortIncompleteMultipartUpload": {
                                "DaysAfterInitiation": 3
                            }
                        }
                    ]
                }
            }
        }
    },
    "Outputs": {
        "BucketName": {
            "Value": {
                "Ref": "S3ExpressBucket"
            },
            "Description": "Name of the sample Amazon S3 Directory Bucket with a lifecycle configuration."
        }
    }
}
```

#### YAML
<a name="aws-properties-s3express-directorybucket-lifecycleconfiguration--examples--Manage_the_lifecycle_for_S3_objects--yaml"></a>

```
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3ExpressBucket:
    Type: 'AWS::S3Express::DirectoryBucket'
    Properties:
      LocationName: usw2-az1
      DataRedundancy: SingleAvailabilityZone
      LifecycleConfiguration:
        Rules:
          - Id: ExipiryRule
            Prefix: foo/
            Status: Enabled
            ExpirationInDays: 7
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 3
Outputs:
  BucketName:
    Value: !Ref S3ExpressBucket
    Description: Name of the sample Amazon S3 Directory Bucket with a lifecycle configuration.
```

# AWS::S3Express::DirectoryBucket MetricsConfiguration
<a name="aws-properties-s3express-directorybucket-metricsconfiguration"></a>

Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket. If you're updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don't include the elements you want to keep, they are erased. For more information, see [PutBucketMetricsConfiguration](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTMetricConfiguration.html).

## Syntax
<a name="aws-properties-s3express-directorybucket-metricsconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-s3express-directorybucket-metricsconfiguration-syntax.json"></a>

```
{
  "AccessPointArn" : String,
  "Id" : String,
  "Prefix" : String
}
```

### YAML
<a name="aws-properties-s3express-directorybucket-metricsconfiguration-syntax.yaml"></a>

```
  AccessPointArn: String
  Id: String
  Prefix: String
```

## Properties
<a name="aws-properties-s3express-directorybucket-metricsconfiguration-properties"></a>

`AccessPointArn`  <a name="cfn-s3express-directorybucket-metricsconfiguration-accesspointarn"></a>
Property description not available.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Id`  <a name="cfn-s3express-directorybucket-metricsconfiguration-id"></a>
The ID used to identify the metrics configuration. The ID has a 64 character limit and can only contain letters, numbers, periods, dashes, and underscores.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Prefix`  <a name="cfn-s3express-directorybucket-metricsconfiguration-prefix"></a>
Property description not available.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::S3Express::DirectoryBucket Rule
<a name="aws-properties-s3express-directorybucket-rule"></a>

Specifies lifecycle rules for an Amazon S3 bucket. For more information, see [Put Bucket Lifecycle Configuration](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTlifecycle.html) in the *Amazon S3 API Reference*. For examples, see [Put Bucket Lifecycle Configuration Examples](https://docs.aws.amazon.com//AmazonS3/latest/API/API_PutBucketLifecycleConfiguration.html#API_PutBucketLifecycleConfiguration_Examples).

You must specify at least one of the following properties: `AbortIncompleteMultipartUpload` or `ExpirationInDays`.

## Syntax
<a name="aws-properties-s3express-directorybucket-rule-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-s3express-directorybucket-rule-syntax.json"></a>

```
{
  "AbortIncompleteMultipartUpload" : AbortIncompleteMultipartUpload,
  "ExpirationInDays" : Integer,
  "Id" : String,
  "ObjectSizeGreaterThan" : String,
  "ObjectSizeLessThan" : String,
  "Prefix" : String,
  "Status" : String
}
```

### YAML
<a name="aws-properties-s3express-directorybucket-rule-syntax.yaml"></a>

```
  AbortIncompleteMultipartUpload:
    AbortIncompleteMultipartUpload
  ExpirationInDays: Integer
  Id: String
  ObjectSizeGreaterThan: String
  ObjectSizeLessThan: String
  Prefix: String
  Status: String
```

## Properties
<a name="aws-properties-s3express-directorybucket-rule-properties"></a>

`AbortIncompleteMultipartUpload`  <a name="cfn-s3express-directorybucket-rule-abortincompletemultipartupload"></a>
Specifies the days since the initiation of an incomplete multipart upload that Amazon S3 will wait before permanently removing all parts of the upload.  
*Required*: No  
*Type*: [AbortIncompleteMultipartUpload](aws-properties-s3express-directorybucket-abortincompletemultipartupload.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ExpirationInDays`  <a name="cfn-s3express-directorybucket-rule-expirationindays"></a>
Indicates the number of days after creation when objects are deleted from Amazon S3 and Amazon S3 Glacier. If you specify an expiration and transition time, you must use the same time unit for both properties (either in days or by date). The expiration time must also be later than the transition time.  
*Required*: No  
*Type*: Integer  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Id`  <a name="cfn-s3express-directorybucket-rule-id"></a>
Unique identifier for the rule. The value can't be longer than 255 characters.  
*Required*: No  
*Type*: String  
*Maximum*: `255`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ObjectSizeGreaterThan`  <a name="cfn-s3express-directorybucket-rule-objectsizegreaterthan"></a>
Specifies the minimum object size in bytes for this rule to apply to. Objects must be larger than this value in bytes. For more information about size-based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide*.  
*Required*: No  
*Type*: String  
*Pattern*: `[0-9]+`  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ObjectSizeLessThan`  <a name="cfn-s3express-directorybucket-rule-objectsizelessthan"></a>
Specifies the maximum object size in bytes for this rule to apply to. Objects must be smaller than this value in bytes. For more information about size-based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide*.  
*Required*: No  
*Type*: String  
*Pattern*: `[0-9]+`  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Prefix`  <a name="cfn-s3express-directorybucket-rule-prefix"></a>
Object key prefix that identifies one or more objects to which this rule applies.  
Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints).  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Status`  <a name="cfn-s3express-directorybucket-rule-status"></a>
If `Enabled`, the rule is currently being applied. If `Disabled`, the rule is not currently being applied.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `Enabled | Disabled`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Examples
<a name="aws-properties-s3express-directorybucket-rule--examples"></a>



### Manage the lifecycle for S3 objects
<a name="aws-properties-s3express-directorybucket-rule--examples--Manage_the_lifecycle_for_S3_objects"></a>

The following example template shows an S3 directory bucket with a lifecycle configuration rule. The rule applies to all objects with the `foo/` key prefix. The objects are expired after seven days, and incomplete multipart uploads are deleted 3 days after initiation.

#### JSON
<a name="aws-properties-s3express-directorybucket-rule--examples--Manage_the_lifecycle_for_S3_objects--json"></a>

```
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "S3ExpressBucket": {
            "Type": "AWS::S3Express::DirectoryBucket",
            "Properties": {
                "LocationName": "usw2-az1",
                "DataRedundancy": "SingleAvailabilityZone",
                "LifecycleConfiguration": {
                    "Rules": [
                        {
                            "Id": "ExipiryRule",
                            "Prefix": "foo/",
                            "Status": "Enabled",
                            "ExpirationInDays": 7,
                            "AbortIncompleteMultipartUpload": {
                                "DaysAfterInitiation": 3
                            }
                        }
                    ]
                }
            }
        }
    },
    "Outputs": {
        "BucketName": {
            "Value": {
                "Ref": "S3ExpressBucket"
            },
            "Description": "Name of the sample Amazon S3 Directory Bucket with a lifecycle configuration."
        }
    }
}
```

#### YAML
<a name="aws-properties-s3express-directorybucket-rule--examples--Manage_the_lifecycle_for_S3_objects--yaml"></a>

```
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3ExpressBucket:
    Type: 'AWS::S3Express::DirectoryBucket'
    Properties:
      LocationName: usw2-az1
      DataRedundancy: SingleAvailabilityZone
      LifecycleConfiguration:
        Rules:
          - Id: ExipiryRule
            Prefix: foo/
            Status: Enabled
            ExpirationInDays: 7
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 3
Outputs:
  BucketName:
    Value: !Ref S3ExpressBucket
    Description: Name of the sample Amazon S3 Directory Bucket with a lifecycle configuration.
```
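
The constraints listed for `Rule` (required `Status`, at least one of `AbortIncompleteMultipartUpload` or `ExpirationInDays`, the `Id` and size limits, and the 1000-rule cap) can be enforced on a `LifecycleConfiguration` before deployment. The following Python check is an added example, not part of the AWS reference: apart from the first rule, which mirrors the sample above, the rules are constructed, and the empty size-window test is an inference from the "larger than" and "smaller than" wording.

```python
import re

SIZE_PATTERN = re.compile(r"[0-9]+")  # documented Pattern for the size properties
MAX_RULES = 1000
SIZE_KEYS = ("ObjectSizeGreaterThan", "ObjectSizeLessThan")


def _is_int(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool)


def check_rule(rule):
    """Return problems for one lifecycle Rule, per the property table."""
    problems = []
    if rule.get("Status") not in ("Enabled", "Disabled"):
        problems.append("Status is required and must be Enabled or Disabled")
    abort = rule.get("AbortIncompleteMultipartUpload")
    expiration = rule.get("ExpirationInDays")
    if abort is None and expiration is None:
        problems.append("specify at least one of AbortIncompleteMultipartUpload or ExpirationInDays")
    if abort is not None:
        days = abort.get("DaysAfterInitiation") if isinstance(abort, dict) else None
        if not _is_int(days) or days < 0:
            problems.append("DaysAfterInitiation is required and must be an integer >= 0")
    if expiration is not None and not _is_int(expiration):
        problems.append("ExpirationInDays must be an integer")
    if len(str(rule.get("Id", ""))) > 255:
        problems.append("Id can't be longer than 255 characters")
    sizes = {}
    for key in SIZE_KEYS:
        value = rule.get(key)
        if value is None:
            continue
        if isinstance(value, str) and len(value) <= 20 and SIZE_PATTERN.fullmatch(value):
            sizes[key] = int(value)
        else:
            problems.append(f"{key} must be a string of at most 20 digits")
    # Inference: sizes must be > GreaterThan and < LessThan, so this window is empty.
    if len(sizes) == 2 and sizes["ObjectSizeGreaterThan"] >= sizes["ObjectSizeLessThan"]:
        problems.append("size window is empty: ObjectSizeGreaterThan >= ObjectSizeLessThan")
    return problems


def check_lifecycle(config):
    """Return findings for a LifecycleConfiguration, labelled by rule Id or index."""
    rules = config.get("Rules")
    if not isinstance(rules, list):
        return ["Rules is required and must be a list"]
    findings = []
    if len(rules) > MAX_RULES:
        findings.append("more than 1000 rules")
    seen_ids = set()
    for index, rule in enumerate(rules):
        label = rule.get("Id", f"rule[{index}]")
        if "Id" in rule:
            if rule["Id"] in seen_ids:
                findings.append(f"{label}: Id is not unique")
            seen_ids.add(rule["Id"])
        findings.extend(f"{label}: {problem}" for problem in check_rule(rule))
    return findings


# The rule from the sample template on this page.
PAGE_RULE = {"Id": "ExipiryRule", "Prefix": "foo/", "Status": "Enabled",
             "ExpirationInDays": 7,
             "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 3}}

# Constructed configuration: the page's rule plus three deliberately broken ones.
SAMPLE_CONFIG = {"Rules": [
    PAGE_RULE,
    {"Id": "NoAction", "Prefix": "tmp/", "Status": "Enabled"},
    {"Id": "NoAction", "Status": "enabled", "ExpirationInDays": 1,
     "ObjectSizeGreaterThan": "1024", "ObjectSizeLessThan": "512"},
    {"Status": "Enabled", "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": -1}},
]}

if __name__ == "__main__":
    for finding in check_lifecycle(SAMPLE_CONFIG):
        print(finding)
```
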

# AWS::S3Express::DirectoryBucket ServerSideEncryptionByDefault
<a name="aws-properties-s3express-directorybucket-serversideencryptionbydefault"></a>

Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. For more information, see [PutBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html) in the *Amazon S3 API Reference*.

## Syntax
<a name="aws-properties-s3express-directorybucket-serversideencryptionbydefault-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-s3express-directorybucket-serversideencryptionbydefault-syntax.json"></a>

```
{
  "KMSMasterKeyID" : String,
  "SSEAlgorithm" : String
}
```

### YAML
<a name="aws-properties-s3express-directorybucket-serversideencryptionbydefault-syntax.yaml"></a>

```
  KMSMasterKeyID: String
  SSEAlgorithm: String
```

## Properties
<a name="aws-properties-s3express-directorybucket-serversideencryptionbydefault-properties"></a>

`KMSMasterKeyID`  <a name="cfn-s3express-directorybucket-serversideencryptionbydefault-kmsmasterkeyid"></a>
AWS Key Management Service (KMS) customer managed key ID to use for the default encryption. This parameter is allowed only if `SSEAlgorithm` is set to `aws:kms`.  
You can specify this parameter with the key ID or the Amazon Resource Name (ARN) of the KMS key. You can’t use the key alias of the KMS key.  
+ Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+ Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
If you are using encryption with cross-account or AWS service operations, you must use a fully qualified KMS key ARN. For more information, see [Using encryption for cross-account operations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-bucket-encryption.html#s3-express-bucket-encryption-update-bucket-policy).  
Your SSE-KMS configuration can only support 1 [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) per directory bucket for the lifetime of the bucket. [AWS managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) (`aws/s3`) isn't supported. Also, after you specify a customer managed key for SSE-KMS and upload objects with this configuration, you can't override the customer managed key for your SSE-KMS configuration. To use a new customer managed key for your data, we recommend copying your existing objects to a new directory bucket with a new customer managed key.  
Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in AWS KMS](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide*.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SSEAlgorithm`  <a name="cfn-s3express-directorybucket-serversideencryptionbydefault-ssealgorithm"></a>
Server-side encryption algorithm to use for the default encryption.  
For directory buckets, there are only two supported values for server-side encryption: `AES256` and `aws:kms`.
*Required*: Yes  
*Type*: String  
*Allowed values*: `aws:kms | AES256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::S3Express::DirectoryBucket ServerSideEncryptionRule
<a name="aws-properties-s3express-directorybucket-serversideencryptionrule"></a>

Specifies the default server-side encryption configuration.

## Syntax
<a name="aws-properties-s3express-directorybucket-serversideencryptionrule-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-s3express-directorybucket-serversideencryptionrule-syntax.json"></a>

```
{
  "[BucketKeyEnabled](#cfn-s3express-directorybucket-serversideencryptionrule-bucketkeyenabled)" : Boolean,
  "[ServerSideEncryptionByDefault](#cfn-s3express-directorybucket-serversideencryptionrule-serversideencryptionbydefault)" : ServerSideEncryptionByDefault
}
```

### YAML
<a name="aws-properties-s3express-directorybucket-serversideencryptionrule-syntax.yaml"></a>

```
  [BucketKeyEnabled](#cfn-s3express-directorybucket-serversideencryptionrule-bucketkeyenabled): Boolean
  [ServerSideEncryptionByDefault](#cfn-s3express-directorybucket-serversideencryptionrule-serversideencryptionbydefault): 
    ServerSideEncryptionByDefault
```

## Properties
<a name="aws-properties-s3express-directorybucket-serversideencryptionrule-properties"></a>

`BucketKeyEnabled`  <a name="cfn-s3express-directorybucket-serversideencryptionrule-bucketkeyenabled"></a>
Specifies whether Amazon S3 should use an S3 Bucket Key with server-side encryption using KMS (SSE-KMS) for new objects in the bucket. S3 Bucket Keys are always enabled for `GET` and `PUT` operations on a directory bucket and can’t be disabled. The `BucketKeyEnabled` element can only be set to `true`.  
S3 Bucket Keys aren't supported when you copy SSE-KMS encrypted objects from general purpose buckets to directory buckets, from directory buckets to general purpose buckets, or between directory buckets, through [CopyObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html), [UploadPartCopy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html), [the Copy operation in Batch Operations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops), or [the import jobs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job). In this case, Amazon S3 makes a call to AWS KMS every time a copy request is made for a KMS-encrypted object.   
For more information, see [Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-UsingKMSEncryption.html#s3-express-sse-kms-bucket-keys) in the *Amazon S3 User Guide*.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ServerSideEncryptionByDefault`  <a name="cfn-s3express-directorybucket-serversideencryptionrule-serversideencryptionbydefault"></a>
Specifies the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied.  
*Required*: No  
*Type*: [ServerSideEncryptionByDefault](aws-properties-s3express-directorybucket-serversideencryptionbydefault.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
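The constraints stated for `ServerSideEncryptionByDefault` and `ServerSideEncryptionRule` can be checked before deployment. The following pre-deploy check is an added example, not part of the AWS reference or tooling. It assumes a JSON template with rules under `BucketEncryption.ServerSideEncryptionConfiguration`; the function names, logical IDs and sample template are constructed for illustration.

```python
import json
import re

# KMS key ID shapes: the UUID form shown on this page, plus the mrk- multi-Region form.
KEY_ID = r"(?:[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}|mrk-[0-9a-f]{32})"
KEY_ID_RE = re.compile(rf"^{KEY_ID}$")
KEY_ARN_RE = re.compile(rf"^arn:[\w-]+:kms:[\w-]+:\d{{12}}:key/{KEY_ID}$")

def check_rule(rule):
    """Return findings for one ServerSideEncryptionRule (a parsed dict)."""
    findings = []
    default = rule.get("ServerSideEncryptionByDefault")
    if default is not None:
        algo, key = default.get("SSEAlgorithm"), default.get("KMSMasterKeyID")
        if algo not in ("aws:kms", "AES256"):
            findings.append("SSEAlgorithm must be aws:kms or AES256")
        if key is not None and algo != "aws:kms":
            findings.append("KMSMasterKeyID is allowed only with aws:kms")
        # Ref / Fn::GetAtt values parse as dicts and cannot be resolved statically.
        if isinstance(key, str):
            if "alias/" in key:
                findings.append("KMSMasterKeyID must not be a key alias")
            elif not (KEY_ID_RE.match(key) or KEY_ARN_RE.match(key)):
                findings.append("KMSMasterKeyID is not a key ID or key ARN")
    if rule.get("BucketKeyEnabled", True) is not True:
        findings.append("BucketKeyEnabled can only be true")
    return findings

def check_template(template):
    """Map logical ID -> findings for each AWS::S3Express::DirectoryBucket."""
    report = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::S3Express::DirectoryBucket":
            enc = res.get("Properties", {}).get("BucketEncryption", {})
            rules = enc.get("ServerSideEncryptionConfiguration", [])
            report[name] = [f for r in rules for f in check_rule(r)]
    return report

# Constructed sample template; the logical IDs are hypothetical.
SAMPLE = json.loads("""{"Resources": {
 "GoodBucket": {"Type": "AWS::S3Express::DirectoryBucket", "Properties": {
  "BucketEncryption": {"ServerSideEncryptionConfiguration": [{
   "BucketKeyEnabled": true, "ServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms", "KMSMasterKeyID":
    "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}}]}}},
 "BadBucket": {"Type": "AWS::S3Express::DirectoryBucket", "Properties": {
  "BucketEncryption": {"ServerSideEncryptionConfiguration": [{
   "BucketKeyEnabled": false, "ServerSideEncryptionByDefault": {
    "SSEAlgorithm": "AES256", "KMSMasterKeyID": "alias/aws/s3"}}]}}}}}""")
```

Calling `check_template(SAMPLE)` returns an empty finding list for `GoodBucket` and three findings for `BadBucket`. The cross-account requirement for a fully qualified key ARN depends on who calls the bucket, so this static check does not cover it.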

# AWS::S3Express::DirectoryBucket Tag
<a name="aws-properties-s3express-directorybucket-tag"></a>

A key-value pair that you use to label your directory buckets. You can add tags to new directory buckets when you create them, or you can add tags to existing directory buckets. Tags can help you organize, track costs for, and control access to directory buckets. For more information, see [Using tags with directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-tagging.html).

## Syntax
<a name="aws-properties-s3express-directorybucket-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-s3express-directorybucket-tag-syntax.json"></a>

```
{
  "[Key](#cfn-s3express-directorybucket-tag-key)" : String,
  "[Value](#cfn-s3express-directorybucket-tag-value)" : String
}
```

### YAML
<a name="aws-properties-s3express-directorybucket-tag-syntax.yaml"></a>

```
  [Key](#cfn-s3express-directorybucket-tag-key): String
  [Value](#cfn-s3express-directorybucket-tag-value): String
```

## Properties
<a name="aws-properties-s3express-directorybucket-tag-properties"></a>

`Key`  <a name="cfn-s3express-directorybucket-tag-key"></a>
The key of the tag. Tags are key-value pairs that you use to label your directory buckets. Tags can help you organize, track costs for, and control access to directory buckets. For more information, see [Using tags with directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-tagging.html).  
*Required*: Yes  
*Type*: String  
*Pattern*: `^(?!aws:.*)([\p{L}\p{Z}\p{N}_.:=+\/\-@%]*)$`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-s3express-directorybucket-tag-value"></a>
The value of the tag. Tags are key-value pairs that you use to label your directory buckets. Tags can help you organize, track costs for, and control access to directory buckets. For more information, see [Using tags with directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-tagging.html).  
*Required*: Yes  
*Type*: String  
*Pattern*: `^([\p{L}\p{Z}\p{N}_.:=+\/\-@%]*)$`  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
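Because tags can control access to directory buckets, it helps to validate keys and values against the documented `Pattern`, `Minimum` and `Maximum` before a template is deployed. The following validator is an added example, not AWS code. Python's standard `re` module has no `\p{...}` classes, so it maps them to Unicode general categories; the function names and sample inputs are constructed.

```python
import unicodedata

# Literal characters allowed by the documented Key and Value patterns.
EXTRA = set("_.:=+/-@%")

def _allowed(ch):
    # \p{L}, \p{Z}, \p{N}: Unicode general categories starting with L, Z or N.
    return unicodedata.category(ch)[0] in "LZN" or ch in EXTRA

def _check(field, text, lo, hi):
    if text is None:
        return [f"{field} is required"]
    if not isinstance(text, str):
        return []  # Ref / Fn::Sub values cannot be resolved statically
    if not lo <= len(text) <= hi:
        return [f"{field} length must be {lo} to {hi} characters"]
    if not all(_allowed(ch) for ch in text):
        return [f"{field} has characters outside the documented pattern"]
    return []

def check_tag(tag):
    """Return findings for one Tag dict against this page's constraints."""
    key = tag.get("Key")
    findings = _check("Key", key, 1, 128) + _check("Value", tag.get("Value"), 0, 256)
    # The Key pattern's negative lookahead (?!aws:.*) rejects this prefix.
    if isinstance(key, str) and key.startswith("aws:"):
        findings.append("Key must not start with aws:")
    return findings

# Constructed sample tags.
SAMPLE_TAGS = [
    {"Key": "Team", "Value": "Sécurité 2"},
    {"Key": "aws:cost", "Value": "x"},
    {"Key": "", "Value": "a\tb"},
]

if __name__ == "__main__":
    for tag in SAMPLE_TAGS:
        print(tag, check_tag(tag) or "OK")
```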