2023/03/13 - AWS S3 Control - 3 new, 4 updated API methods
Changes: Added support for cross-account Multi-Region Access Points. Added support for S3 Replication for S3 on Outposts.
Creates a replication configuration or replaces an existing one. For information about S3 replication on Outposts configuration, see Replicating objects for Amazon Web Services Outposts in the Amazon S3 User Guide.
Specify the replication configuration in the request body. In the replication configuration, you provide the following information:
The name of the destination bucket or buckets where you want S3 on Outposts to replicate objects
The Identity and Access Management (IAM) role that S3 on Outposts can assume to replicate objects on your behalf
Other relevant information, such as replication rules
A replication configuration must include at least one rule and can contain a maximum of 100. Each rule identifies a subset of objects to replicate by filtering the objects in the source Outposts bucket. To choose additional subsets of objects to replicate, add a rule for each subset.
To specify a subset of the objects in the source Outposts bucket to apply a replication rule to, add the Filter element as a child of the Rule element. You can filter objects based on an object key prefix, one or more object tags, or both. When you add the Filter element in the configuration, you must also add the following elements: DeleteMarkerReplication, Status, and Priority.
Using PutBucketReplication on Outposts requires that both the source and destination buckets have versioning enabled. For information about enabling versioning on a bucket, see Managing S3 Versioning for your S3 on Outposts bucket.
For information about S3 on Outposts replication failure reasons, see Replication failure reasons in the Amazon S3 User Guide.
Handling Replication of Encrypted Objects
Outposts buckets are encrypted at all times. All the objects in the source Outposts bucket are encrypted and can be replicated. Also, all the replicas in the destination Outposts bucket are encrypted with the same encryption key as the objects in the source Outposts bucket.
Permissions
To create a PutBucketReplication request, you must have s3-outposts:PutReplicationConfiguration permissions for the bucket. The Outposts bucket owner has this permission by default and can grant it to others. For more information about permissions, see Setting up IAM with S3 on Outposts and Managing access to S3 on Outposts buckets.
All Amazon S3 on Outposts REST API requests for this action require an additional parameter of x-amz-outpost-id to be passed with the request. In addition, you must use an S3 on Outposts endpoint hostname prefix instead of s3-control. For an example of the request syntax for Amazon S3 on Outposts that uses the S3 on Outposts endpoint hostname prefix and the x-amz-outpost-id derived by using the access point ARN, see the Examples section.
The following operations are related to PutBucketReplication:
See also: AWS API Documentation
Request Syntax
client.put_bucket_replication(
    AccountId='string',
    Bucket='string',
    ReplicationConfiguration={
        'Role': 'string',
        'Rules': [
            {
                'ID': 'string',
                'Priority': 123,
                'Prefix': 'string',
                'Filter': {
                    'Prefix': 'string',
                    'Tag': {
                        'Key': 'string',
                        'Value': 'string'
                    },
                    'And': {
                        'Prefix': 'string',
                        'Tags': [
                            {
                                'Key': 'string',
                                'Value': 'string'
                            },
                        ]
                    }
                },
                'Status': 'Enabled'|'Disabled',
                'SourceSelectionCriteria': {
                    'SseKmsEncryptedObjects': {
                        'Status': 'Enabled'|'Disabled'
                    },
                    'ReplicaModifications': {
                        'Status': 'Enabled'|'Disabled'
                    }
                },
                'ExistingObjectReplication': {
                    'Status': 'Enabled'|'Disabled'
                },
                'Destination': {
                    'Account': 'string',
                    'Bucket': 'string',
                    'ReplicationTime': {
                        'Status': 'Enabled'|'Disabled',
                        'Time': {
                            'Minutes': 123
                        }
                    },
                    'AccessControlTranslation': {
                        'Owner': 'Destination'
                    },
                    'EncryptionConfiguration': {
                        'ReplicaKmsKeyID': 'string'
                    },
                    'Metrics': {
                        'Status': 'Enabled'|'Disabled',
                        'EventThreshold': {
                            'Minutes': 123
                        }
                    },
                    'StorageClass': 'STANDARD'|'REDUCED_REDUNDANCY'|'STANDARD_IA'|'ONEZONE_IA'|'INTELLIGENT_TIERING'|'GLACIER'|'DEEP_ARCHIVE'|'OUTPOSTS'|'GLACIER_IR'
                },
                'DeleteMarkerReplication': {
                    'Status': 'Enabled'|'Disabled'
                },
                'Bucket': 'string'
            },
        ]
    }
)
AccountId (string) -- [REQUIRED]
The Amazon Web Services account ID of the Outposts bucket.
Bucket (string) -- [REQUIRED]
Specifies the S3 on Outposts bucket to set the configuration for.
To use this parameter with Amazon S3 on Outposts through the REST API, you must specify the name and the x-amz-outpost-id as well.
To use this parameter with S3 on Outposts through the Amazon Web Services SDK and CLI, you must specify the ARN of the bucket accessed in the format arn:aws:s3-outposts:<Region>:<account-id>:outpost/<outpost-id>/bucket/<my-bucket-name>. For example, to access the bucket reports through Outpost my-outpost owned by account 123456789012 in Region us-west-2, use the URL encoding of arn:aws:s3-outposts:us-west-2:123456789012:outpost/my-outpost/bucket/reports. The value must be URL encoded.
ReplicationConfiguration (dict) -- [REQUIRED]
Role (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that S3 on Outposts assumes when replicating objects. For information about S3 replication on Outposts configuration, see Setting up replication in the Amazon S3 User Guide.
Rules (list) -- [REQUIRED]
A container for one or more replication rules. A replication configuration must have at least one rule and can contain an array of 100 rules at the most.
(dict) --
Specifies which S3 on Outposts objects to replicate and where to store the replicas.
ID (string) --
A unique identifier for the rule. The maximum length is 255 characters.
Priority (integer) --
The priority indicates which rule has precedence whenever two or more replication rules conflict. S3 on Outposts attempts to replicate objects according to all replication rules. However, if there are two or more rules with the same destination Outposts bucket, then objects will be replicated according to the rule with the highest priority. The higher the number, the higher the priority.
For more information, see Creating replication rules between Outposts in the Amazon S3 User Guide.
Prefix (string) --
An object key name prefix that identifies the object or objects to which the rule applies. The maximum prefix length is 1,024 characters. To include all objects in an Outposts bucket, specify an empty string.
Filter (dict) --
A filter that identifies the subset of objects to which the replication rule applies. A Filter element must specify exactly one Prefix, Tag, or And child element.
Prefix (string) --
An object key name prefix that identifies the subset of objects that the rule applies to.
Tag (dict) --
A container for a key-value name pair.
Key (string) -- [REQUIRED]
Key of the tag
Value (string) -- [REQUIRED]
Value of the tag
And (dict) --
A container for specifying rule filters. The filters determine the subset of objects that the rule applies to. This element is required only if you specify more than one filter. For example:
If you specify both a Prefix and a Tag filter, wrap these filters in an And element.
If you specify a filter based on multiple tags, wrap the Tag elements in an And element.
Prefix (string) --
An object key name prefix that identifies the subset of objects that the rule applies to.
Tags (list) --
An array of tags that contain key and value pairs.
(dict) --
A container for a key-value name pair.
Key (string) -- [REQUIRED]
Key of the tag
Value (string) -- [REQUIRED]
Value of the tag
Status (string) -- [REQUIRED]
Specifies whether the rule is enabled.
SourceSelectionCriteria (dict) --
A container that describes additional filters for identifying the source Outposts objects that you want to replicate. You can choose to enable or disable the replication of these objects.
SseKmsEncryptedObjects (dict) --
A filter that you can use to select Amazon S3 objects that are encrypted with server-side encryption by using Key Management Service (KMS) keys. If you include SourceSelectionCriteria in the replication configuration, this element is required.
Status (string) -- [REQUIRED]
Specifies whether Amazon S3 replicates objects that are created with server-side encryption by using a KMS key stored in Key Management Service.
ReplicaModifications (dict) --
A filter that you can use to specify whether replica modification sync is enabled. S3 on Outposts replica modification sync can help you keep object metadata synchronized between replicas and source objects. By default, S3 on Outposts replicates metadata from the source objects to the replicas only. When replica modification sync is enabled, S3 on Outposts replicates metadata changes made to the replica copies back to the source object, making the replication bidirectional.
To replicate object metadata modifications on replicas, you can specify this element and set the Status of this element to Enabled.
Status (string) -- [REQUIRED]
Specifies whether S3 on Outposts replicates modifications to object metadata on replicas.
ExistingObjectReplication (dict) --
An optional configuration to replicate existing source bucket objects.
Status (string) -- [REQUIRED]
Specifies whether Amazon S3 replicates existing source bucket objects.
Destination (dict) -- [REQUIRED]
A container for information about the replication destination and its configurations.
Account (string) --
The destination bucket owner's account ID.
Bucket (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the access point for the destination bucket where you want S3 on Outposts to store the replication results.
ReplicationTime (dict) --
A container that specifies S3 Replication Time Control (S3 RTC) settings, including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated. Must be specified together with a Metrics block.
Status (string) -- [REQUIRED]
Specifies whether S3 Replication Time Control (S3 RTC) is enabled.
Time (dict) -- [REQUIRED]
A container that specifies the time by which replication should be complete for all objects and operations on objects.
Minutes (integer) --
Contains an integer that specifies the time period in minutes.
Valid value: 15
AccessControlTranslation (dict) --
Specify this property only in a cross-account scenario (where the source and destination bucket owners are not the same) in which you want to change replica ownership to the Amazon Web Services account that owns the destination bucket. If this property is not specified in the replication configuration, the replicas are owned by the same Amazon Web Services account that owns the source object.
Owner (string) -- [REQUIRED]
Specifies the replica ownership.
EncryptionConfiguration (dict) --
A container that provides information about encryption. If SourceSelectionCriteria is specified, you must specify this element.
ReplicaKmsKeyID (string) --
Specifies the ID of the customer managed KMS key that's stored in Key Management Service (KMS) for the destination bucket. This ID is either the Amazon Resource Name (ARN) for the KMS key or the alias ARN for the KMS key. Amazon S3 uses this KMS key to encrypt replica objects. Amazon S3 supports only symmetric encryption KMS keys. For more information, see Symmetric encryption KMS keys in the Amazon Web Services Key Management Service Developer Guide.
Metrics (dict) --
A container that specifies replication metrics-related settings.
Status (string) -- [REQUIRED]
Specifies whether replication metrics are enabled.
EventThreshold (dict) --
A container that specifies the time threshold for emitting the s3:Replication:OperationMissedThreshold event.
Minutes (integer) --
Contains an integer that specifies the time period in minutes.
Valid value: 15
StorageClass (string) --
The storage class to use when replicating objects. All objects stored on S3 on Outposts are stored in the OUTPOSTS storage class. S3 on Outposts uses the OUTPOSTS storage class to create the object replicas.
DeleteMarkerReplication (dict) --
Specifies whether S3 on Outposts replicates delete markers. If you specify a Filter element in your replication configuration, you must also include a DeleteMarkerReplication element. If your Filter includes a Tag element, the DeleteMarkerReplication element's Status child element must be set to Disabled, because S3 on Outposts doesn't support replicating delete markers for tag-based rules.
For more information about delete marker replication, see How delete operations affect replication in the Amazon S3 User Guide.
Status (string) -- [REQUIRED]
Indicates whether to replicate delete markers.
Bucket (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the access point for the source Outposts bucket that you want S3 on Outposts to replicate the objects from.
Returns: None
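The constraints stated in the parameter descriptions above (1 to 100 rules, exactly one Filter child, Filter requiring DeleteMarkerReplication and Priority, tag-based filters requiring delete marker replication Disabled, ReplicationTime paired with Metrics, SourceSelectionCriteria requiring EncryptionConfiguration) can be checked locally before the request is sent. This is an added example, not code from the AWS SDK or from this page; validate_replication_config, check_rule and the sample ARNs are hypothetical names and constructed values.

```python
# Added example: checks only the constraints stated in the parameter
# descriptions above. Names and sample ARNs are constructed; no AWS calls.
MAX_RULES, MAX_ID_LEN, MAX_PREFIX_LEN = 100, 255, 1024
FIXED_MINUTES = 15  # the only value listed as valid for both Minutes fields


def filter_uses_tags(flt):
    """True if the Filter selects by tag, directly or inside an And element."""
    return "Tag" in flt or bool(flt.get("And", {}).get("Tags"))


def check_rule(rule, label):
    """Return a list of constraint violations for one replication rule."""
    errors = []
    for key in ("Status", "Destination", "Bucket"):
        if key not in rule:
            errors.append(f"{label}: missing required element {key}")
    if rule.get("Status", "Enabled") not in ("Enabled", "Disabled"):
        errors.append(f"{label}: Status must be Enabled or Disabled")
    if len(rule.get("ID", "")) > MAX_ID_LEN:
        errors.append(f"{label}: ID longer than {MAX_ID_LEN} characters")
    if len(rule.get("Prefix", "")) > MAX_PREFIX_LEN:
        errors.append(f"{label}: Prefix longer than {MAX_PREFIX_LEN} characters")

    flt = rule.get("Filter")
    if flt is not None:
        if sum(k in flt for k in ("Prefix", "Tag", "And")) != 1:
            errors.append(f"{label}: Filter needs exactly one of Prefix, Tag, And")
        for key in ("DeleteMarkerReplication", "Priority"):
            if key not in rule:
                errors.append(f"{label}: Filter is present but {key} is missing")
        dmr = rule.get("DeleteMarkerReplication")
        if dmr is not None and filter_uses_tags(flt) and dmr.get("Status") != "Disabled":
            errors.append(f"{label}: tag-based Filter needs DeleteMarkerReplication Disabled")

    dest = rule.get("Destination", {})
    if "Destination" in rule and "Bucket" not in dest:
        errors.append(f"{label}: Destination.Bucket (access point ARN) is required")
    rtc = dest.get("ReplicationTime")
    if rtc is not None and "Metrics" not in dest:
        errors.append(f"{label}: ReplicationTime must be specified together with Metrics")
    minutes = {
        "ReplicationTime.Time": (rtc or {}).get("Time", {}).get("Minutes"),
        "Metrics.EventThreshold": dest.get("Metrics", {}).get("EventThreshold", {}).get("Minutes"),
    }
    for name, value in minutes.items():
        if value is not None and value != FIXED_MINUTES:
            errors.append(f"{label}: {name}.Minutes must be {FIXED_MINUTES}")

    ssc = rule.get("SourceSelectionCriteria")
    if ssc is not None:
        if "SseKmsEncryptedObjects" not in ssc:
            errors.append(f"{label}: SourceSelectionCriteria needs SseKmsEncryptedObjects")
        if "EncryptionConfiguration" not in dest:
            errors.append(f"{label}: SourceSelectionCriteria needs Destination.EncryptionConfiguration")
    return errors


def validate_replication_config(config):
    """Return every violation found; an empty list means the checks passed."""
    errors = [] if config.get("Role") else ["Role: required"]
    rules = config.get("Rules") or []
    if not 1 <= len(rules) <= MAX_RULES:
        errors.append(f"Rules: expected 1 to {MAX_RULES} rules, got {len(rules)}")
    for i, rule in enumerate(rules):
        errors.extend(check_rule(rule, f"Rules[{i}]"))
    return errors


# Constructed sample values (account, Outpost and access point names are made up).
SRC_AP = "arn:aws:s3-outposts:us-west-2:123456789012:outpost/op-01234567890123456/accesspoint/src-ap"
DST_AP = "arn:aws:s3-outposts:us-west-2:123456789012:outpost/op-65432109876543210/accesspoint/dst-ap"
ROLE = "arn:aws:iam::123456789012:role/example-replication-role"

GOOD_CONFIG = {"Role": ROLE, "Rules": [{
    "ID": "logs-by-tag", "Priority": 1, "Status": "Enabled", "Bucket": SRC_AP,
    "Filter": {"And": {"Prefix": "logs/", "Tags": [{"Key": "tier", "Value": "gold"}]}},
    "DeleteMarkerReplication": {"Status": "Disabled"},
    "Destination": {
        "Bucket": DST_AP,
        "ReplicationTime": {"Status": "Enabled", "Time": {"Minutes": 15}},
        "Metrics": {"Status": "Enabled", "EventThreshold": {"Minutes": 15}},
    },
}]}

BAD_CONFIG = {"Role": ROLE, "Rules": [{
    "ID": "broken", "Status": "Enabled", "Bucket": SRC_AP,  # Priority missing
    "Filter": {"Prefix": "logs/", "Tag": {"Key": "tier", "Value": "gold"}},  # two children
    "DeleteMarkerReplication": {"Status": "Enabled"},  # not allowed with a tag filter
    "SourceSelectionCriteria": {"SseKmsEncryptedObjects": {"Status": "Enabled"}},
    "Destination": {  # no Metrics, no EncryptionConfiguration
        "Bucket": DST_AP,
        "ReplicationTime": {"Status": "Enabled", "Time": {"Minutes": 15}},
    },
}]}

if __name__ == "__main__":
    for problem in validate_replication_config(BAD_CONFIG):
        print(problem)
```

A dict that passes these checks can still be rejected by the service, which enforces rules this page does not list.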
Returns the replication configuration of an S3 on Outposts bucket. For more information about S3 on Outposts, see Using Amazon S3 on Outposts in the Amazon S3 User Guide. For information about S3 replication on Outposts configuration, see Replicating objects for Amazon Web Services Outposts in the Amazon S3 User Guide.
This action requires permissions for the s3-outposts:GetReplicationConfiguration action. The Outposts bucket owner has this permission by default and can grant it to others. For more information about permissions, see Setting up IAM with S3 on Outposts and Managing access to S3 on Outposts bucket in the Amazon S3 User Guide.
All Amazon S3 on Outposts REST API requests for this action require an additional parameter of x-amz-outpost-id to be passed with the request. In addition, you must use an S3 on Outposts endpoint hostname prefix instead of s3-control. For an example of the request syntax for Amazon S3 on Outposts that uses the S3 on Outposts endpoint hostname prefix and the x-amz-outpost-id derived by using the access point ARN, see the Examples section.
If you include the Filter element in a replication configuration, you must also include the DeleteMarkerReplication, Status, and Priority elements. The response also returns those elements.
For information about S3 on Outposts replication failure reasons, see Replication failure reasons in the Amazon S3 User Guide.
The following operations are related to GetBucketReplication:
See also: AWS API Documentation
Request Syntax
client.get_bucket_replication(
    AccountId='string',
    Bucket='string'
)
AccountId (string) -- [REQUIRED]
The Amazon Web Services account ID of the Outposts bucket.
Bucket (string) -- [REQUIRED]
Specifies the bucket to get the replication information for.
To use this parameter with Amazon S3 on Outposts through the REST API, you must specify the name and the x-amz-outpost-id as well.
To use this parameter with S3 on Outposts through the Amazon Web Services SDK and CLI, you must specify the ARN of the bucket accessed in the format arn:aws:s3-outposts:<Region>:<account-id>:outpost/<outpost-id>/bucket/<my-bucket-name>. For example, to access the bucket reports through Outpost my-outpost owned by account 123456789012 in Region us-west-2, use the URL encoding of arn:aws:s3-outposts:us-west-2:123456789012:outpost/my-outpost/bucket/reports. The value must be URL encoded.
Return type: dict
Response Syntax
{
    'ReplicationConfiguration': {
        'Role': 'string',
        'Rules': [
            {
                'ID': 'string',
                'Priority': 123,
                'Prefix': 'string',
                'Filter': {
                    'Prefix': 'string',
                    'Tag': {
                        'Key': 'string',
                        'Value': 'string'
                    },
                    'And': {
                        'Prefix': 'string',
                        'Tags': [
                            {
                                'Key': 'string',
                                'Value': 'string'
                            },
                        ]
                    }
                },
                'Status': 'Enabled'|'Disabled',
                'SourceSelectionCriteria': {
                    'SseKmsEncryptedObjects': {
                        'Status': 'Enabled'|'Disabled'
                    },
                    'ReplicaModifications': {
                        'Status': 'Enabled'|'Disabled'
                    }
                },
                'ExistingObjectReplication': {
                    'Status': 'Enabled'|'Disabled'
                },
                'Destination': {
                    'Account': 'string',
                    'Bucket': 'string',
                    'ReplicationTime': {
                        'Status': 'Enabled'|'Disabled',
                        'Time': {
                            'Minutes': 123
                        }
                    },
                    'AccessControlTranslation': {
                        'Owner': 'Destination'
                    },
                    'EncryptionConfiguration': {
                        'ReplicaKmsKeyID': 'string'
                    },
                    'Metrics': {
                        'Status': 'Enabled'|'Disabled',
                        'EventThreshold': {
                            'Minutes': 123
                        }
                    },
                    'StorageClass': 'STANDARD'|'REDUCED_REDUNDANCY'|'STANDARD_IA'|'ONEZONE_IA'|'INTELLIGENT_TIERING'|'GLACIER'|'DEEP_ARCHIVE'|'OUTPOSTS'|'GLACIER_IR'
                },
                'DeleteMarkerReplication': {
                    'Status': 'Enabled'|'Disabled'
                },
                'Bucket': 'string'
            },
        ]
    }
}
Response Structure
(dict) --
ReplicationConfiguration (dict) --
A container for one or more replication rules. A replication configuration must have at least one rule and you can add up to 100 rules. The maximum size of a replication configuration is 128 KB.
Role (string) --
The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that S3 on Outposts assumes when replicating objects. For information about S3 replication on Outposts configuration, see Setting up replication in the Amazon S3 User Guide.
Rules (list) --
A container for one or more replication rules. A replication configuration must have at least one rule and can contain an array of 100 rules at the most.
(dict) --
Specifies which S3 on Outposts objects to replicate and where to store the replicas.
ID (string) --
A unique identifier for the rule. The maximum length is 255 characters.
Priority (integer) --
The priority indicates which rule has precedence whenever two or more replication rules conflict. S3 on Outposts attempts to replicate objects according to all replication rules. However, if there are two or more rules with the same destination Outposts bucket, then objects will be replicated according to the rule with the highest priority. The higher the number, the higher the priority.
For more information, see Creating replication rules between Outposts in the Amazon S3 User Guide.
Prefix (string) --
An object key name prefix that identifies the object or objects to which the rule applies. The maximum prefix length is 1,024 characters. To include all objects in an Outposts bucket, specify an empty string.
Filter (dict) --
A filter that identifies the subset of objects to which the replication rule applies. A Filter element must specify exactly one Prefix, Tag, or And child element.
Prefix (string) --
An object key name prefix that identifies the subset of objects that the rule applies to.
Tag (dict) --
A container for a key-value name pair.
Key (string) --
Key of the tag
Value (string) --
Value of the tag
And (dict) --
A container for specifying rule filters. The filters determine the subset of objects that the rule applies to. This element is required only if you specify more than one filter. For example:
If you specify both a Prefix and a Tag filter, wrap these filters in an And element.
If you specify a filter based on multiple tags, wrap the Tag elements in an And element.
Prefix (string) --
An object key name prefix that identifies the subset of objects that the rule applies to.
Tags (list) --
An array of tags that contain key and value pairs.
(dict) --
A container for a key-value name pair.
Key (string) --
Key of the tag
Value (string) --
Value of the tag
Status (string) --
Specifies whether the rule is enabled.
SourceSelectionCriteria (dict) --
A container that describes additional filters for identifying the source Outposts objects that you want to replicate. You can choose to enable or disable the replication of these objects.
SseKmsEncryptedObjects (dict) --
A filter that you can use to select Amazon S3 objects that are encrypted with server-side encryption by using Key Management Service (KMS) keys. If you include SourceSelectionCriteria in the replication configuration, this element is required.
Status (string) --
Specifies whether Amazon S3 replicates objects that are created with server-side encryption by using a KMS key stored in Key Management Service.
ReplicaModifications (dict) --
A filter that you can use to specify whether replica modification sync is enabled. S3 on Outposts replica modification sync can help you keep object metadata synchronized between replicas and source objects. By default, S3 on Outposts replicates metadata from the source objects to the replicas only. When replica modification sync is enabled, S3 on Outposts replicates metadata changes made to the replica copies back to the source object, making the replication bidirectional.
To replicate object metadata modifications on replicas, you can specify this element and set the Status of this element to Enabled.
Status (string) --
Specifies whether S3 on Outposts replicates modifications to object metadata on replicas.
ExistingObjectReplication (dict) --
An optional configuration to replicate existing source bucket objects.
Status (string) --
Specifies whether Amazon S3 replicates existing source bucket objects.
Destination (dict) --
A container for information about the replication destination and its configurations.
Account (string) --
The destination bucket owner's account ID.
Bucket (string) --
The Amazon Resource Name (ARN) of the access point for the destination bucket where you want S3 on Outposts to store the replication results.
ReplicationTime (dict) --
A container that specifies S3 Replication Time Control (S3 RTC) settings, including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated. Must be specified together with a Metrics block.
Status (string) --
Specifies whether S3 Replication Time Control (S3 RTC) is enabled.
Time (dict) --
A container that specifies the time by which replication should be complete for all objects and operations on objects.
Minutes (integer) --
Contains an integer that specifies the time period in minutes.
Valid value: 15
AccessControlTranslation (dict) --
Specify this property only in a cross-account scenario (where the source and destination bucket owners are not the same) in which you want to change replica ownership to the Amazon Web Services account that owns the destination bucket. If this property is not specified in the replication configuration, the replicas are owned by the same Amazon Web Services account that owns the source object.
Owner (string) --
Specifies the replica ownership.
EncryptionConfiguration (dict) --
A container that provides information about encryption. If SourceSelectionCriteria is specified, you must specify this element.
ReplicaKmsKeyID (string) --
Specifies the ID of the customer managed KMS key that's stored in Key Management Service (KMS) for the destination bucket. This ID is either the Amazon Resource Name (ARN) for the KMS key or the alias ARN for the KMS key. Amazon S3 uses this KMS key to encrypt replica objects. Amazon S3 supports only symmetric encryption KMS keys. For more information, see Symmetric encryption KMS keys in the Amazon Web Services Key Management Service Developer Guide.
Metrics (dict) --
A container that specifies replication metrics-related settings.
Status (string) --
Specifies whether replication metrics are enabled.
EventThreshold (dict) --
A container that specifies the time threshold for emitting the s3:Replication:OperationMissedThreshold event.
Minutes (integer) --
Contains an integer that specifies the time period in minutes.
Valid value: 15
StorageClass (string) --
The storage class to use when replicating objects. All objects stored on S3 on Outposts are stored in the OUTPOSTS storage class. S3 on Outposts uses the OUTPOSTS storage class to create the object replicas.
DeleteMarkerReplication (dict) --
Specifies whether S3 on Outposts replicates delete markers. If you specify a Filter element in your replication configuration, you must also include a DeleteMarkerReplication element. If your Filter includes a Tag element, the DeleteMarkerReplication element's Status child element must be set to Disabled, because S3 on Outposts doesn't support replicating delete markers for tag-based rules.
For more information about delete marker replication, see How delete operations affect replication in the Amazon S3 User Guide.
Status (string) --
Indicates whether to replicate delete markers.
Bucket (string) --
The Amazon Resource Name (ARN) of the access point for the source Outposts bucket that you want S3 on Outposts to replicate the objects from.
Deletes the replication configuration from the specified S3 on Outposts bucket.
To use this operation, you must have permissions to perform the s3-outposts:PutReplicationConfiguration action. The Outposts bucket owner has this permission by default and can grant it to others. For more information about permissions, see Setting up IAM with S3 on Outposts and Managing access to S3 on Outposts buckets in the Amazon S3 User Guide.
All Amazon S3 on Outposts REST API requests for this action require an additional parameter of x-amz-outpost-id to be passed with the request. In addition, you must use an S3 on Outposts endpoint hostname prefix instead of s3-control. For an example of the request syntax for Amazon S3 on Outposts that uses the S3 on Outposts endpoint hostname prefix and the x-amz-outpost-id derived by using the access point ARN, see the Examples section.
For information about S3 replication on Outposts configuration, see Replicating objects for Amazon Web Services Outposts in the Amazon S3 User Guide.
The following operations are related to DeleteBucketReplication:
See also: AWS API Documentation
Request Syntax
client.delete_bucket_replication(
    AccountId='string',
    Bucket='string'
)
AccountId (string) -- [REQUIRED]
The Amazon Web Services account ID of the Outposts bucket to delete the replication configuration for.
Bucket (string) -- [REQUIRED]
Specifies the S3 on Outposts bucket to delete the replication configuration for.
To use this parameter with Amazon S3 on Outposts through the REST API, you must specify the name and the x-amz-outpost-id as well.
To use this parameter with S3 on Outposts through the Amazon Web Services SDK and CLI, you must specify the ARN of the bucket accessed in the format arn:aws:s3-outposts:<Region>:<account-id>:outpost/<outpost-id>/bucket/<my-bucket-name>. For example, to access the bucket reports through Outpost my-outpost owned by account 123456789012 in Region us-west-2, use the URL encoding of arn:aws:s3-outposts:us-west-2:123456789012:outpost/my-outpost/bucket/reports. The value must be URL encoded.
Returns: None
{'Details': {'Regions': {'BucketAccountId': 'string'}}}
Creates a Multi-Region Access Point and associates it with the specified buckets. For more information about creating Multi-Region Access Points, see Creating Multi-Region Access Points in the Amazon S3 User Guide.
This action will always be routed to the US West (Oregon) Region. For more information about the restrictions around managing Multi-Region Access Points, see Managing Multi-Region Access Points in the Amazon S3 User Guide.
This request is asynchronous, meaning that you might receive a response before the command has completed. When this request provides a response, it provides a token that you can use to monitor the status of the request with DescribeMultiRegionAccessPointOperation.
The following actions are related to CreateMultiRegionAccessPoint:
See also: AWS API Documentation
Request Syntax
client.create_multi_region_access_point(
    AccountId='string',
    ClientToken='string',
    Details={
        'Name': 'string',
        'PublicAccessBlock': {
            'BlockPublicAcls': True|False,
            'IgnorePublicAcls': True|False,
            'BlockPublicPolicy': True|False,
            'RestrictPublicBuckets': True|False
        },
        'Regions': [
            {
                'Bucket': 'string',
                'BucketAccountId': 'string'
            },
        ]
    }
)
AccountId (string) -- [REQUIRED]
The Amazon Web Services account ID for the owner of the Multi-Region Access Point. The owner of the Multi-Region Access Point also must own the underlying buckets.
ClientToken (string) -- [REQUIRED]
An idempotency token used to identify the request and guarantee that requests are unique.
This field is autopopulated if not provided.
Details (dict) -- [REQUIRED]
A container element containing details about the Multi-Region Access Point.
Name (string) -- [REQUIRED]
The name of the Multi-Region Access Point associated with this request.
PublicAccessBlock (dict) --
The PublicAccessBlock configuration that you want to apply to this Amazon S3 account. You can enable the configuration options in any combination. For more information about when Amazon S3 considers a bucket or object public, see The Meaning of "Public" in the Amazon S3 User Guide.
This data type is not supported for Amazon S3 on Outposts.
BlockPublicAcls (boolean) --
Specifies whether Amazon S3 should block public access control lists (ACLs) for buckets in this account. Setting this element to TRUE causes the following behavior:
PutBucketAcl and PutObjectAcl calls fail if the specified ACL is public.
PUT Object calls fail if the request includes a public ACL.
PUT Bucket calls fail if the request includes a public ACL.
Enabling this setting doesn't affect existing policies or ACLs.
This property is not supported for Amazon S3 on Outposts.
IgnorePublicAcls (boolean) --
Specifies whether Amazon S3 should ignore public ACLs for buckets in this account. Setting this element to TRUE causes Amazon S3 to ignore all public ACLs on buckets in this account and any objects that they contain.
Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.
This property is not supported for Amazon S3 on Outposts.
BlockPublicPolicy (boolean) --
Specifies whether Amazon S3 should block public bucket policies for buckets in this account. Setting this element to TRUE causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.
Enabling this setting doesn't affect existing bucket policies.
This property is not supported for Amazon S3 on Outposts.
RestrictPublicBuckets (boolean) --
Specifies whether Amazon S3 should restrict public bucket policies for buckets in this account. Setting this element to TRUE restricts access to buckets with public policies to only Amazon Web Service principals and authorized users within this account.
Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
This property is not supported for Amazon S3 on Outposts.
Regions (list) -- [REQUIRED]
The buckets in different Regions that are associated with the Multi-Region Access Point.
(dict) --
A Region that supports a Multi-Region Access Point as well as the associated bucket for the Region.
Bucket (string) -- [REQUIRED]
The name of the associated bucket for the Region.
BucketAccountId (string) --
The Amazon Web Services account ID that owns the Amazon S3 bucket that's associated with this Multi-Region Access Point.
Return type: dict
Response Syntax
{
    'RequestTokenARN': 'string'
}
Response Structure
(dict) --
RequestTokenARN (string) --
The request token associated with the request. You can use this token with DescribeMultiRegionAccessPointOperation to determine the status of asynchronous requests.
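With BucketAccountId, a Multi-Region Access Point can reference buckets owned by other accounts, so the Details block is worth reviewing before it is submitted and again when DescribeMultiRegionAccessPointOperation echoes it back under AsyncOperation.RequestParameters.CreateMultiRegionAccessPointRequest. The following added example (not AWS or page code) lists buckets owned by accounts outside an allowlist and PublicAccessBlock flags set to False. The function names, the allowlist, the treatment of an omitted BucketAccountId as the owner's account, and all sample values are assumptions.

```python
import re

# Added example; every name and sample value below is constructed.
ACCOUNT_ID_RE = re.compile(r"\d{12}")


def audit_mrap_details(owner_account_id, details, trusted_accounts=frozenset()):
    """Return findings for a CreateMultiRegionAccessPoint Details dict."""
    findings = []
    # Only flags explicitly set to False are reported; the page does not
    # state what an omitted flag defaults to.
    for flag, value in sorted(details.get("PublicAccessBlock", {}).items()):
        if value is False:
            findings.append(f"PublicAccessBlock.{flag} is False")
    for region in details.get("Regions", []):
        bucket = region.get("Bucket", "<missing>")
        # Assumption: an omitted BucketAccountId means the owner's own account.
        bucket_owner = region.get("BucketAccountId", owner_account_id)
        if not ACCOUNT_ID_RE.fullmatch(str(bucket_owner)):
            findings.append(f"{bucket}: BucketAccountId {bucket_owner!r} is not a 12-digit account ID")
        elif bucket_owner != owner_account_id and bucket_owner not in trusted_accounts:
            findings.append(f"{bucket}: owned by account {bucket_owner}, which is not on the allowlist")
    return findings


def created_details(describe_response):
    """Extract the echoed create request from a describe response, else None."""
    op = describe_response.get("AsyncOperation", {})
    if op.get("Operation") != "CreateMultiRegionAccessPoint":
        return None
    return op.get("RequestParameters", {}).get("CreateMultiRegionAccessPointRequest")


def audit_describe_response(owner_account_id, describe_response, trusted_accounts=frozenset()):
    """Audit a describe_multi_region_access_point_operation response dict."""
    details = created_details(describe_response)
    if details is None:
        return []
    return audit_mrap_details(owner_account_id, details, trusted_accounts)


# Constructed response in the shape of the Response Syntax on this page.
OWNER = "111111111111"
TRUSTED = frozenset({"222222222222"})
SAMPLE_RESPONSE = {"AsyncOperation": {
    "Operation": "CreateMultiRegionAccessPoint",
    "RequestTokenARN": "<constructed-token-arn>",
    "RequestParameters": {"CreateMultiRegionAccessPointRequest": {
        "Name": "example-mrap",
        "PublicAccessBlock": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": True,
        },
        "Regions": [
            {"Bucket": "example-bucket-a"},
            {"Bucket": "example-bucket-b", "BucketAccountId": "222222222222"},
            {"Bucket": "example-bucket-c", "BucketAccountId": "333333333333"},
        ],
    }},
    "RequestStatus": "<constructed-status>",
}}

if __name__ == "__main__":
    for finding in audit_describe_response(OWNER, SAMPLE_RESPONSE, TRUSTED):
        print(finding)
```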
{'AsyncOperation': {'RequestParameters': {'CreateMultiRegionAccessPointRequest': {'Regions': {'BucketAccountId': 'string'}}}}}
Retrieves the status of an asynchronous request to manage a Multi-Region Access Point. For more information about managing Multi-Region Access Points and how asynchronous requests work, see Managing Multi-Region Access Points in the Amazon S3 User Guide.
The following actions are related to GetMultiRegionAccessPoint:
See also: AWS API Documentation
Request Syntax
client.describe_multi_region_access_point_operation(
    AccountId='string',
    RequestTokenARN='string'
)
AccountId (string) -- [REQUIRED]
The Amazon Web Services account ID for the owner of the Multi-Region Access Point.
RequestTokenARN (string) -- [REQUIRED]
The request token associated with the request you want to know about. This request token is returned as part of the response when you make an asynchronous request. You provide this token to query about the status of the asynchronous action.
Return type: dict
Response Syntax
{
    'AsyncOperation': {
        'CreationTime': datetime(2015, 1, 1),
        'Operation': 'CreateMultiRegionAccessPoint'|'DeleteMultiRegionAccessPoint'|'PutMultiRegionAccessPointPolicy',
        'RequestTokenARN': 'string',
        'RequestParameters': {
            'CreateMultiRegionAccessPointRequest': {
                'Name': 'string',
                'PublicAccessBlock': {
                    'BlockPublicAcls': True|False,
                    'IgnorePublicAcls': True|False,
                    'BlockPublicPolicy': True|False,
                    'RestrictPublicBuckets': True|False
                },
                'Regions': [
                    {
                        'Bucket': 'string',
                        'BucketAccountId': 'string'
                    },
                ]
            },
            'DeleteMultiRegionAccessPointRequest': {
                'Name': 'string'
            },
            'PutMultiRegionAccessPointPolicyRequest': {
                'Name': 'string',
                'Policy': 'string'
            }
        },
        'RequestStatus': 'string',
        'ResponseDetails': {
            'MultiRegionAccessPointDetails': {
                'Regions': [
                    {
                        'Name': 'string',
                        'RequestStatus': 'string'
                    },
                ]
            },
            'ErrorDetails': {
                'Code': 'string',
                'Message': 'string',
                'Resource': 'string',
                'RequestId': 'string'
            }
        }
    }
}
Response Structure
(dict) --
AsyncOperation (dict) --
A container element containing the details of the asynchronous operation.
CreationTime (datetime) --
The time that the request was sent to the service.
Operation (string) --
The specific operation for the asynchronous request.
RequestTokenARN (string) --
The request token associated with the request.
RequestParameters (dict) --
The parameters associated with the request.
CreateMultiRegionAccessPointRequest (dict) --
A container of the parameters for a CreateMultiRegionAccessPoint request.
Name (string) --
The name of the Multi-Region Access Point associated with this request.
PublicAccessBlock (dict) --
The PublicAccessBlock configuration that you want to apply to this Amazon S3 account. You can enable the configuration options in any combination. For more information about when Amazon S3 considers a bucket or object public, see The Meaning of "Public" in the Amazon S3 User Guide.
This data type is not supported for Amazon S3 on Outposts.
BlockPublicAcls (boolean) --
Specifies whether Amazon S3 should block public access control lists (ACLs) for buckets in this account. Setting this element to TRUE causes the following behavior:
PutBucketAcl and PutObjectAcl calls fail if the specified ACL is public.
PUT Object calls fail if the request includes a public ACL.
PUT Bucket calls fail if the request includes a public ACL.
Enabling this setting doesn't affect existing policies or ACLs.
This property is not supported for Amazon S3 on Outposts.
IgnorePublicAcls (boolean) --
Specifies whether Amazon S3 should ignore public ACLs for buckets in this account. Setting this element to TRUE causes Amazon S3 to ignore all public ACLs on buckets in this account and any objects that they contain.
Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.
This property is not supported for Amazon S3 on Outposts.
BlockPublicPolicy (boolean) --
Specifies whether Amazon S3 should block public bucket policies for buckets in this account. Setting this element to TRUE causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.
Enabling this setting doesn't affect existing bucket policies.
This property is not supported for Amazon S3 on Outposts.
RestrictPublicBuckets (boolean) --
Specifies whether Amazon S3 should restrict public bucket policies for buckets in this account. Setting this element to TRUE restricts access to buckets with public policies to only Amazon Web Service principals and authorized users within this account.
Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
This property is not supported for Amazon S3 on Outposts.
Regions (list) --
The buckets in different Regions that are associated with the Multi-Region Access Point.
(dict) --
A Region that supports a Multi-Region Access Point as well as the associated bucket for the Region.
Bucket (string) --
The name of the associated bucket for the Region.
BucketAccountId (string) --
The Amazon Web Services account ID that owns the Amazon S3 bucket that's associated with this Multi-Region Access Point.
DeleteMultiRegionAccessPointRequest (dict) --
A container of the parameters for a DeleteMultiRegionAccessPoint request.
Name (string) --
The name of the Multi-Region Access Point associated with this request.
PutMultiRegionAccessPointPolicyRequest (dict) --
A container of the parameters for a PutMultiRegionAccessPoint request.
Name (string) --
The name of the Multi-Region Access Point associated with the request.
Policy (string) --
The policy details for the PutMultiRegionAccessPoint request.
RequestStatus (string) --
The current status of the request.
ResponseDetails (dict) --
The details of the response.
MultiRegionAccessPointDetails (dict) --
The details for the Multi-Region Access Point.
Regions (list) --
A collection of status information for the different Regions that a Multi-Region Access Point supports.
(dict) --
Status information for a single Multi-Region Access Point Region.
Name (string) --
The name of the Region in the Multi-Region Access Point.
RequestStatus (string) --
The current status of the Multi-Region Access Point in this Region.
ErrorDetails (dict) --
Error details for an asynchronous request.
Code (string) --
A string that uniquely identifies the error condition.
Message (string) --
A generic description of the error condition in English.
Resource (string) --
The identifier of the resource associated with the error.
RequestId (string) --
The ID of the request associated with the error.
{'AccessPoint': {'Regions': {'BucketAccountId': 'string'}}}
Returns configuration information about the specified Multi-Region Access Point.
This action will always be routed to the US West (Oregon) Region. For more information about the restrictions around managing Multi-Region Access Points, see Managing Multi-Region Access Points in the Amazon S3 User Guide.
The following actions are related to GetMultiRegionAccessPoint:
See also: AWS API Documentation
Request Syntax
client.get_multi_region_access_point( AccountId='string', Name='string' )
AccountId (string) --
[REQUIRED]
The Amazon Web Services account ID for the owner of the Multi-Region Access Point.
Name (string) --
[REQUIRED]
The name of the Multi-Region Access Point whose configuration information you want to receive. The name of the Multi-Region Access Point is different from the alias. For more information about the distinction between the name and the alias of a Multi-Region Access Point, see Managing Multi-Region Access Points in the Amazon S3 User Guide.
dict
Response Syntax
{
    'AccessPoint': {
        'Name': 'string',
        'Alias': 'string',
        'CreatedAt': datetime(2015, 1, 1),
        'PublicAccessBlock': {
            'BlockPublicAcls': True|False,
            'IgnorePublicAcls': True|False,
            'BlockPublicPolicy': True|False,
            'RestrictPublicBuckets': True|False
        },
        'Status': 'READY'|'INCONSISTENT_ACROSS_REGIONS'|'CREATING'|'PARTIALLY_CREATED'|'PARTIALLY_DELETED'|'DELETING',
        'Regions': [
            {
                'Bucket': 'string',
                'Region': 'string',
                'BucketAccountId': 'string'
            },
        ]
    }
}
Response Structure
(dict) --
AccessPoint (dict) --
A container element containing the details of the requested Multi-Region Access Point.
Name (string) --
The name of the Multi-Region Access Point.
Alias (string) --
The alias for the Multi-Region Access Point. For more information about the distinction between the name and the alias of a Multi-Region Access Point, see Managing Multi-Region Access Points.
CreatedAt (datetime) --
When the Multi-Region Access Point create request was received.
PublicAccessBlock (dict) --
The PublicAccessBlock configuration that you want to apply to this Amazon S3 account. You can enable the configuration options in any combination. For more information about when Amazon S3 considers a bucket or object public, see The Meaning of "Public" in the Amazon S3 User Guide.
This data type is not supported for Amazon S3 on Outposts.
BlockPublicAcls (boolean) --
Specifies whether Amazon S3 should block public access control lists (ACLs) for buckets in this account. Setting this element to TRUE causes the following behavior:
PutBucketAcl and PutObjectAcl calls fail if the specified ACL is public.
PUT Object calls fail if the request includes a public ACL.
PUT Bucket calls fail if the request includes a public ACL.
Enabling this setting doesn't affect existing policies or ACLs.
This property is not supported for Amazon S3 on Outposts.
IgnorePublicAcls (boolean) --
Specifies whether Amazon S3 should ignore public ACLs for buckets in this account. Setting this element to TRUE causes Amazon S3 to ignore all public ACLs on buckets in this account and any objects that they contain.
Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.
This property is not supported for Amazon S3 on Outposts.
BlockPublicPolicy (boolean) --
Specifies whether Amazon S3 should block public bucket policies for buckets in this account. Setting this element to TRUE causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.
Enabling this setting doesn't affect existing bucket policies.
This property is not supported for Amazon S3 on Outposts.
RestrictPublicBuckets (boolean) --
Specifies whether Amazon S3 should restrict public bucket policies for buckets in this account. Setting this element to TRUE restricts access to buckets with public policies to only Amazon Web Service principals and authorized users within this account.
Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
This property is not supported for Amazon S3 on Outposts.
Status (string) --
The current status of the Multi-Region Access Point.
CREATING and DELETING are temporary states that exist while the request is propagating and being completed. If a Multi-Region Access Point has a status of PARTIALLY_CREATED, you can retry creation or send a request to delete the Multi-Region Access Point. If a Multi-Region Access Point has a status of PARTIALLY_DELETED, you can retry a delete request to finish the deletion of the Multi-Region Access Point.
Regions (list) --
A collection of the Regions and buckets associated with the Multi-Region Access Point.
(dict) --
A combination of a bucket and Region that's part of a Multi-Region Access Point.
Bucket (string) --
The name of the bucket.
Region (string) --
The name of the Region.
BucketAccountId (string) --
The Amazon Web Services account ID that owns the Amazon S3 bucket that's associated with this Multi-Region Access Point.
{'AccessPoints': {'Regions': {'BucketAccountId': 'string'}}}
Returns a list of the Multi-Region Access Points currently associated with the specified Amazon Web Services account. Each call can return up to 100 Multi-Region Access Points, the maximum number of Multi-Region Access Points that can be associated with a single account.
This action will always be routed to the US West (Oregon) Region. For more information about the restrictions around managing Multi-Region Access Points, see Managing Multi-Region Access Points in the Amazon S3 User Guide.
The following actions are related to ListMultiRegionAccessPoint:
See also: AWS API Documentation
Request Syntax
client.list_multi_region_access_points( AccountId='string', NextToken='string', MaxResults=123 )
AccountId (string) --
[REQUIRED]
The Amazon Web Services account ID for the owner of the Multi-Region Access Point.
NextToken (string) --
Not currently used. Do not use this parameter.
MaxResults (integer) --
Not currently used. Do not use this parameter.
dict
Response Syntax
{
    'AccessPoints': [
        {
            'Name': 'string',
            'Alias': 'string',
            'CreatedAt': datetime(2015, 1, 1),
            'PublicAccessBlock': {
                'BlockPublicAcls': True|False,
                'IgnorePublicAcls': True|False,
                'BlockPublicPolicy': True|False,
                'RestrictPublicBuckets': True|False
            },
            'Status': 'READY'|'INCONSISTENT_ACROSS_REGIONS'|'CREATING'|'PARTIALLY_CREATED'|'PARTIALLY_DELETED'|'DELETING',
            'Regions': [
                {
                    'Bucket': 'string',
                    'Region': 'string',
                    'BucketAccountId': 'string'
                },
            ]
        },
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
AccessPoints (list) --
The list of Multi-Region Access Points associated with the user.
(dict) --
A collection of statuses for a Multi-Region Access Point in the various Regions it supports.
Name (string) --
The name of the Multi-Region Access Point.
Alias (string) --
The alias for the Multi-Region Access Point. For more information about the distinction between the name and the alias of a Multi-Region Access Point, see Managing Multi-Region Access Points.
CreatedAt (datetime) --
When the Multi-Region Access Point create request was received.
PublicAccessBlock (dict) --
The PublicAccessBlock configuration that you want to apply to this Amazon S3 account. You can enable the configuration options in any combination. For more information about when Amazon S3 considers a bucket or object public, see The Meaning of "Public" in the Amazon S3 User Guide.
This data type is not supported for Amazon S3 on Outposts.
BlockPublicAcls (boolean) --
Specifies whether Amazon S3 should block public access control lists (ACLs) for buckets in this account. Setting this element to TRUE causes the following behavior:
PutBucketAcl and PutObjectAcl calls fail if the specified ACL is public.
PUT Object calls fail if the request includes a public ACL.
PUT Bucket calls fail if the request includes a public ACL.
Enabling this setting doesn't affect existing policies or ACLs.
This property is not supported for Amazon S3 on Outposts.
IgnorePublicAcls (boolean) --
Specifies whether Amazon S3 should ignore public ACLs for buckets in this account. Setting this element to TRUE causes Amazon S3 to ignore all public ACLs on buckets in this account and any objects that they contain.
Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.
This property is not supported for Amazon S3 on Outposts.
BlockPublicPolicy (boolean) --
Specifies whether Amazon S3 should block public bucket policies for buckets in this account. Setting this element to TRUE causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.
Enabling this setting doesn't affect existing bucket policies.
This property is not supported for Amazon S3 on Outposts.
RestrictPublicBuckets (boolean) --
Specifies whether Amazon S3 should restrict public bucket policies for buckets in this account. Setting this element to TRUE restricts access to buckets with public policies to only Amazon Web Service principals and authorized users within this account.
Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
This property is not supported for Amazon S3 on Outposts.
Status (string) --
The current status of the Multi-Region Access Point.
CREATING and DELETING are temporary states that exist while the request is propagating and being completed. If a Multi-Region Access Point has a status of PARTIALLY_CREATED, you can retry creation or send a request to delete the Multi-Region Access Point. If a Multi-Region Access Point has a status of PARTIALLY_DELETED, you can retry a delete request to finish the deletion of the Multi-Region Access Point.
Regions (list) --
A collection of the Regions and buckets associated with the Multi-Region Access Point.
(dict) --
A combination of a bucket and Region that's part of a Multi-Region Access Point.
Bucket (string) --
The name of the bucket.
Region (string) --
The name of the Region.
BucketAccountId (string) --
The Amazon Web Services account ID that owns the Amazon S3 bucket that's associated with this Multi-Region Access Point.
NextToken (string) --
If the specified bucket has more Multi-Region Access Points than can be returned in one call to this action, this field contains a continuation token. You can use this token in subsequent calls to this action to retrieve additional Multi-Region Access Points.
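With BucketAccountId now returned per Region, a ListMultiRegionAccessPoints (or GetMultiRegionAccessPoint) response is enough to review which accounts own the buckets behind each Multi-Region Access Point and whether its PublicAccessBlock is fully enabled. The following is an added example, not part of the AWS documentation: the function names, the trusted-account set, the severity labels and the sample response are assumptions made for illustration.

```python
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
TRANSITIONAL = {"CREATING", "DELETING"}  # temporary states per the Status description

def audit_access_point(ap, owner_id, trusted=frozenset()):
    """Return (severity, message) findings for one entry of 'AccessPoints'."""
    findings = []
    name = ap.get("Name", "<unnamed>")
    # A flag that is False or missing leaves that public-access path unblocked.
    pab = ap.get("PublicAccessBlock") or {}
    off = [flag for flag in PAB_FLAGS if pab.get(flag) is not True]
    if off:
        findings.append(("HIGH", f"{name}: PublicAccessBlock not set: {', '.join(off)}"))
    for region in ap.get("Regions", []):
        # Assumption: a missing BucketAccountId means the bucket is in the owner account.
        bucket_owner = region.get("BucketAccountId") or owner_id
        if bucket_owner != owner_id:
            severity = "INFO" if bucket_owner in trusted else "HIGH"
            findings.append((severity, f"{name}: bucket {region.get('Bucket')} "
                             f"({region.get('Region')}) is owned by account {bucket_owner}"))
    status = ap.get("Status")
    if status != "READY" and status not in TRANSITIONAL:
        findings.append(("MEDIUM", f"{name}: status {status} needs follow-up"))
    return findings

def audit_account(response, owner_id, trusted=frozenset()):
    """Audit every access point in one response; one call returns the account maximum of 100."""
    return [f for ap in response.get("AccessPoints", [])
            for f in audit_access_point(ap, owner_id, trusted)]

def fetch_access_points(account_id):
    """Live call (needs boto3 and credentials); this action is routed to us-west-2."""
    import boto3
    client = boto3.client("s3control", region_name="us-west-2")
    return client.list_multi_region_access_points(AccountId=account_id)

# Constructed sample response: account IDs, names and aliases are made up.
SAMPLE_RESPONSE = {"AccessPoints": [
    {"Name": "reports-mrap", "Alias": "example1.mrap", "Status": "READY",
     "PublicAccessBlock": dict.fromkeys(PAB_FLAGS, True),
     "Regions": [
         {"Bucket": "reports-use1", "Region": "us-east-1", "BucketAccountId": "111111111111"},
         {"Bucket": "reports-euw1", "Region": "eu-west-1", "BucketAccountId": "222222222222"},
         {"Bucket": "reports-aps1", "Region": "ap-south-1", "BucketAccountId": "333333333333"}]},
    {"Name": "legacy-mrap", "Alias": "example2.mrap", "Status": "PARTIALLY_CREATED",
     "PublicAccessBlock": {**dict.fromkeys(PAB_FLAGS, True), "BlockPublicPolicy": False},
     "Regions": [{"Bucket": "legacy-usw2", "Region": "us-west-2", "BucketAccountId": "111111111111"}]},
]}

if __name__ == "__main__":
    for severity, message in audit_account(SAMPLE_RESPONSE, "111111111111", {"222222222222"}):
        print(severity, message)
```

To run it against a real account, pass the result of `fetch_access_points(account_id)` to `audit_account` in place of the constructed sample.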