---
title: Getting Started with Datadog
description: Datadog, the leading service for cloud-scale monitoring.
---

# aws_s3_bucket{% #aws_s3_bucket %}

## `abac_status`{% #abac_status %}

**Type**: `STRUCT`**Provider name**: `AbacStatus`**Description**: The ABAC status of the general purpose bucket.

- `status`**Type**: `STRING`**Provider name**: `Status`**Description**: The ABAC status of the general purpose bucket.

## `account_id`{% #account_id %}

**Type**: `STRING`

## `bucket_arn`{% #bucket_arn %}

**Type**: `STRING`

## `bucket_policy_statement`{% #bucket_policy_statement %}

**Type**: `UNORDERED_LIST_STRUCT`

- `account_id`**Type**: `STRING`
- `condition`**Type**: `MAP_STRING_STRING`
- `policy_id`**Type**: `STRING`
- `policy_not_principal`**Type**: `STRUCT`
  - `policy_id`**Type**: `STRING`
  - `principal`**Type**: `STRING`
  - `principal_aws`**Type**: `UNORDERED_LIST_STRING`
  - `principal_canonical_user`**Type**: `UNORDERED_LIST_STRING`
  - `principal_federated`**Type**: `UNORDERED_LIST_STRING`
  - `principal_service`**Type**: `UNORDERED_LIST_STRING`
- `policy_principal`**Type**: `STRUCT`
  - `policy_id`**Type**: `STRING`
  - `principal`**Type**: `STRING`
  - `principal_aws`**Type**: `UNORDERED_LIST_STRING`
  - `principal_canonical_user`**Type**: `UNORDERED_LIST_STRING`
  - `principal_federated`**Type**: `UNORDERED_LIST_STRING`
  - `principal_service`**Type**: `UNORDERED_LIST_STRING`
- `principal_aws`**Type**: `UNORDERED_LIST_STRING`
- `statement_action`**Type**: `UNORDERED_LIST_STRING`
- `statement_effect`**Type**: `STRING`
- `statement_has_condition`**Type**: `BOOLEAN`
- `statement_id`**Type**: `INT32`
- `statement_not_action`**Type**: `UNORDERED_LIST_STRING`
- `statement_not_resource`**Type**: `UNORDERED_LIST_STRING`
- `statement_resource`**Type**: `UNORDERED_LIST_STRING`
- `statement_sid`**Type**: `STRING`
- `version_id`**Type**: `STRING`

## `bucket_region`{% #bucket_region %}

**Type**: `STRING`**Provider name**: `BucketRegion`**Description**: `BucketRegion` indicates the Amazon Web Services region where the bucket is located. If the request contains at least one valid parameter, it is included in the response.

## `bucket_versioning`{% #bucket_versioning %}

**Type**: `STRUCT`**Provider name**: `GetBucketVersioningOutput`

- `mfa_delete`**Type**: `STRING`**Provider name**: `MFADelete`**Description**: Specifies whether MFA delete is enabled in the bucket versioning configuration. This element is only returned if the bucket has been configured with MFA delete. If the bucket has never been so configured, this element is not returned.
- `status`**Type**: `STRING`**Provider name**: `Status`**Description**: The versioning state of the bucket.

## `bucket_website`{% #bucket_website %}

**Type**: `STRUCT`**Provider name**: `GetBucketWebsiteOutput`

- `error_document`**Type**: `STRUCT`**Provider name**: `ErrorDocument`**Description**: The object key name of the website error document to use for 4XX class errors.
  - `key`**Type**: `STRING`**Provider name**: `Key`**Description**: The object key name to use when a 4XX class error occurs. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints).
- `index_document`**Type**: `STRUCT`**Provider name**: `IndexDocument`**Description**: The name of the index document for the website (for example `index.html`).
  - `suffix`**Type**: `STRING`**Provider name**: `Suffix`**Description**: A suffix that is appended to a request that is for a directory on the website endpoint. (For example, if the suffix is `index.html` and you make a request to `samplebucket/images/`, the data that is returned will be for the object with the key name `images/index.html`.) The suffix must not be empty and must not include a slash character. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints).
- `redirect_all_requests_to`**Type**: `STRUCT`**Provider name**: `RedirectAllRequestsTo`**Description**: Specifies the redirect behavior of all requests to a website endpoint of an Amazon S3 bucket.
  - `host_name`**Type**: `STRING`**Provider name**: `HostName`**Description**: Name of the host where requests are redirected.
  - `protocol`**Type**: `STRING`**Provider name**: `Protocol`**Description**: Protocol to use when redirecting requests. The default is the protocol that is used in the original request.
- `routing_rules`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `RoutingRules`**Description**: Rules that define when a redirect is applied and the redirect behavior.
  - `condition`**Type**: `STRUCT`**Provider name**: `Condition`**Description**: A container for describing a condition that must be met for the specified redirect to apply. For example, 1. If request is for pages in the `/docs` folder, redirect to the `/documents` folder. 2. If request results in HTTP error 4xx, redirect request to another host where you might process the error.
    - `http_error_code_returned_equals`**Type**: `STRING`**Provider name**: `HttpErrorCodeReturnedEquals`**Description**: The HTTP error code when the redirect is applied. In the event of an error, if the error code equals this value, then the specified redirect is applied. Required when parent element `Condition` is specified and sibling `KeyPrefixEquals` is not specified. If both are specified, then both must be true for the redirect to be applied.
    - `key_prefix_equals`**Type**: `STRING`**Provider name**: `KeyPrefixEquals`**Description**: The object key name prefix when the redirect is applied. For example, to redirect requests for `ExamplePage.html`, the key prefix will be `ExamplePage.html`. To redirect request for all pages with the prefix `docs/`, the key prefix will be `/docs`, which identifies all objects in the `docs/` folder. Required when the parent element `Condition` is specified and sibling `HttpErrorCodeReturnedEquals` is not specified. If both conditions are specified, both must be true for the redirect to be applied. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints).
  - `redirect`**Type**: `STRUCT`**Provider name**: `Redirect`**Description**: Container for redirect information. You can redirect requests to another host, to another page, or with another protocol. In the event of an error, you can specify a different error code to return.
    - `host_name`**Type**: `STRING`**Provider name**: `HostName`**Description**: The host name to use in the redirect request.
    - `http_redirect_code`**Type**: `STRING`**Provider name**: `HttpRedirectCode`**Description**: The HTTP redirect code to use on the response. Not required if one of the siblings is present.
    - `protocol`**Type**: `STRING`**Provider name**: `Protocol`**Description**: Protocol to use when redirecting requests. The default is the protocol that is used in the original request.
    - `replace_key_prefix_with`**Type**: `STRING`**Provider name**: `ReplaceKeyPrefixWith`**Description**: The object key prefix to use in the redirect request. For example, to redirect requests for all pages with prefix `docs/` (objects in the `docs/` folder) to `documents/`, you can set a condition block with `KeyPrefixEquals` set to `docs/` and in the Redirect set `ReplaceKeyPrefixWith` to `/documents`. Not required if one of the siblings is present. Can be present only if `ReplaceKeyWith` is not provided. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints).
    - `replace_key_with`**Type**: `STRING`**Provider name**: `ReplaceKeyWith`**Description**: The specific object key to use in the redirect request. For example, redirect request to `error.html`. Not required if one of the siblings is present. Can be present only if `ReplaceKeyPrefixWith` is not provided. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints).

## `creation_date`{% #creation_date %}

**Type**: `TIMESTAMP`**Provider name**: `CreationDate`**Description**: Date the bucket was created. This date can change when making changes to your bucket, such as editing its bucket policy.

## `get_bucket_metadata_configuration_result`{% #get_bucket_metadata_configuration_result %}

**Type**: `STRUCT`**Provider name**: `GetBucketMetadataConfigurationResult`**Description**: The metadata configuration for the general purpose bucket.

- `metadata_configuration_result`**Type**: `STRUCT`**Provider name**: `MetadataConfigurationResult`**Description**: The metadata configuration for a general purpose bucket.
  - `destination_result`**Type**: `STRUCT`**Provider name**: `DestinationResult`**Description**: The destination settings for a metadata configuration.
    - `table_bucket_arn`**Type**: `STRING`**Provider name**: `TableBucketArn`**Description**: The Amazon Resource Name (ARN) of the table bucket where the metadata configuration is stored.
    - `table_bucket_type`**Type**: `STRING`**Provider name**: `TableBucketType`**Description**: The type of the table bucket where the metadata configuration is stored. The `aws` value indicates an Amazon Web Services managed table bucket, and the `customer` value indicates a customer-managed table bucket. V2 metadata configurations are stored in Amazon Web Services managed table buckets, and V1 metadata configurations are stored in customer-managed table buckets.
    - `table_namespace`**Type**: `STRING`**Provider name**: `TableNamespace`**Description**: The namespace in the table bucket where the metadata tables for a metadata configuration are stored.
  - `inventory_table_configuration_result`**Type**: `STRUCT`**Provider name**: `InventoryTableConfigurationResult`**Description**: The inventory table configuration for a metadata configuration.
    - `configuration_state`**Type**: `STRING`**Provider name**: `ConfigurationState`**Description**: The configuration state of the inventory table, indicating whether the inventory table is enabled or disabled.
    - `error`**Type**: `STRUCT`**Provider name**: `Error`
      - `error_code`**Type**: `STRING`**Provider name**: `ErrorCode`**Description**: If the V1 `CreateBucketMetadataTableConfiguration` request succeeds, but S3 Metadata was unable to create the table, this structure contains the error code. The possible error codes and error messages are as follows:
        - `AccessDeniedCreatingResources` - You don't have sufficient permissions to create the required resources. Make sure that you have `s3tables:CreateNamespace`, `s3tables:CreateTable`, `s3tables:GetTable` and `s3tables:PutTablePolicy` permissions, and then try again. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `AccessDeniedWritingToTable` - Unable to write to the metadata table because of missing resource permissions. To fix the resource policy, Amazon S3 needs to create a new metadata table. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `DestinationTableNotFound` - The destination table doesn't exist. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `ServerInternalError` - An internal error has occurred. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `TableAlreadyExists` - The table that you specified already exists in the table bucket's namespace. Specify a different table name. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `TableBucketNotFound` - The table bucket that you specified doesn't exist in this Amazon Web Services Region and account. Create or choose a different table bucket. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        If the V2 `CreateBucketMetadataConfiguration` request succeeds, but S3 Metadata was unable to create the table, this structure contains the error code. The possible error codes and error messages are as follows:
        - `AccessDeniedCreatingResources` - You don't have sufficient permissions to create the required resources. Make sure that you have `s3tables:CreateTableBucket`, `s3tables:CreateNamespace`, `s3tables:CreateTable`, `s3tables:GetTable`, `s3tables:PutTablePolicy`, `kms:DescribeKey`, and `s3tables:PutTableEncryption` permissions. Additionally, ensure that the KMS key used to encrypt the table still exists, is active and has a resource policy granting access to the S3 service principals '`maintenance.s3tables.amazonaws.com`' and '`metadata.s3.amazonaws.com`'. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `AccessDeniedWritingToTable` - Unable to write to the metadata table because of missing resource permissions. To fix the resource policy, Amazon S3 needs to create a new metadata table. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `DestinationTableNotFound` - The destination table doesn't exist. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `ServerInternalError` - An internal error has occurred. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `JournalTableAlreadyExists` - A journal table already exists in the Amazon Web Services managed table bucket's namespace. Delete the journal table, and then try again. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `InventoryTableAlreadyExists` - An inventory table already exists in the Amazon Web Services managed table bucket's namespace. Delete the inventory table, and then try again. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `JournalTableNotAvailable` - The journal table that the inventory table relies on has a `FAILED` status. An inventory table requires a journal table with an `ACTIVE` status. To create a new journal or inventory table, you must delete the metadata configuration for this bucket, along with any journal or inventory tables, and then create a new metadata configuration.
        - `NoSuchBucket` - The specified general purpose bucket does not exist.
      - `error_message`**Type**: `STRING`**Provider name**: `ErrorMessage`**Description**: If the V1 `CreateBucketMetadataTableConfiguration` request succeeds, but S3 Metadata was unable to create the table, this structure contains the error message. The possible error codes and error messages are as follows:
        - `AccessDeniedCreatingResources` - You don't have sufficient permissions to create the required resources. Make sure that you have `s3tables:CreateNamespace`, `s3tables:CreateTable`, `s3tables:GetTable` and `s3tables:PutTablePolicy` permissions, and then try again. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `AccessDeniedWritingToTable` - Unable to write to the metadata table because of missing resource permissions. To fix the resource policy, Amazon S3 needs to create a new metadata table. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `DestinationTableNotFound` - The destination table doesn't exist. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `ServerInternalError` - An internal error has occurred. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `TableAlreadyExists` - The table that you specified already exists in the table bucket's namespace. Specify a different table name. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `TableBucketNotFound` - The table bucket that you specified doesn't exist in this Amazon Web Services Region and account. Create or choose a different table bucket. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        If the V2 `CreateBucketMetadataConfiguration` request succeeds, but S3 Metadata was unable to create the table, this structure contains the error code. The possible error codes and error messages are as follows:
        - `AccessDeniedCreatingResources` - You don't have sufficient permissions to create the required resources. Make sure that you have `s3tables:CreateTableBucket`, `s3tables:CreateNamespace`, `s3tables:CreateTable`, `s3tables:GetTable`, `s3tables:PutTablePolicy`, `kms:DescribeKey`, and `s3tables:PutTableEncryption` permissions. Additionally, ensure that the KMS key used to encrypt the table still exists, is active and has a resource policy granting access to the S3 service principals '`maintenance.s3tables.amazonaws.com`' and '`metadata.s3.amazonaws.com`'. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `AccessDeniedWritingToTable` - Unable to write to the metadata table because of missing resource permissions. To fix the resource policy, Amazon S3 needs to create a new metadata table. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `DestinationTableNotFound` - The destination table doesn't exist. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `ServerInternalError` - An internal error has occurred. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `JournalTableAlreadyExists` - A journal table already exists in the Amazon Web Services managed table bucket's namespace. Delete the journal table, and then try again. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `InventoryTableAlreadyExists` - An inventory table already exists in the Amazon Web Services managed table bucket's namespace. Delete the inventory table, and then try again. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `JournalTableNotAvailable` - The journal table that the inventory table relies on has a `FAILED` status. An inventory table requires a journal table with an `ACTIVE` status. To create a new journal or inventory table, you must delete the metadata configuration for this bucket, along with any journal or inventory tables, and then create a new metadata configuration.
        - `NoSuchBucket` - The specified general purpose bucket does not exist.
    - `table_arn`**Type**: `STRING`**Provider name**: `TableArn`**Description**: The Amazon Resource Name (ARN) for the inventory table.
    - `table_name`**Type**: `STRING`**Provider name**: `TableName`**Description**: The name of the inventory table.
    - `table_status`**Type**: `STRING`**Provider name**: `TableStatus`**Description**: The status of the inventory table. The status values are:
      - `CREATING` - The inventory table is in the process of being created in the specified Amazon Web Services managed table bucket.
      - `BACKFILLING` - The inventory table is in the process of being backfilled. When you enable the inventory table for your metadata configuration, the table goes through a process known as backfilling, during which Amazon S3 scans your general purpose bucket to retrieve the initial metadata for all objects in the bucket. Depending on the number of objects in your bucket, this process can take several hours. When the backfilling process is finished, the status of your inventory table changes from `BACKFILLING` to `ACTIVE`. After backfilling is completed, updates to your objects are reflected in the inventory table within one hour.
      - `ACTIVE` - The inventory table has been created successfully, and records are being delivered to the table.
      - `FAILED` - Amazon S3 is unable to create the inventory table, or Amazon S3 is unable to deliver records.
  - `journal_table_configuration_result`**Type**: `STRUCT`**Provider name**: `JournalTableConfigurationResult`**Description**: The journal table configuration for a metadata configuration.
    - `error`**Type**: `STRUCT`**Provider name**: `Error`
      - `error_code`**Type**: `STRING`**Provider name**: `ErrorCode`**Description**: If the V1 `CreateBucketMetadataTableConfiguration` request succeeds, but S3 Metadata was unable to create the table, this structure contains the error code. The possible error codes and error messages are as follows:
        - `AccessDeniedCreatingResources` - You don't have sufficient permissions to create the required resources. Make sure that you have `s3tables:CreateNamespace`, `s3tables:CreateTable`, `s3tables:GetTable` and `s3tables:PutTablePolicy` permissions, and then try again. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `AccessDeniedWritingToTable` - Unable to write to the metadata table because of missing resource permissions. To fix the resource policy, Amazon S3 needs to create a new metadata table. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `DestinationTableNotFound` - The destination table doesn't exist. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `ServerInternalError` - An internal error has occurred. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `TableAlreadyExists` - The table that you specified already exists in the table bucket's namespace. Specify a different table name. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `TableBucketNotFound` - The table bucket that you specified doesn't exist in this Amazon Web Services Region and account. Create or choose a different table bucket. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        If the V2 `CreateBucketMetadataConfiguration` request succeeds, but S3 Metadata was unable to create the table, this structure contains the error code. The possible error codes and error messages are as follows:
        - `AccessDeniedCreatingResources` - You don't have sufficient permissions to create the required resources. Make sure that you have `s3tables:CreateTableBucket`, `s3tables:CreateNamespace`, `s3tables:CreateTable`, `s3tables:GetTable`, `s3tables:PutTablePolicy`, `kms:DescribeKey`, and `s3tables:PutTableEncryption` permissions. Additionally, ensure that the KMS key used to encrypt the table still exists, is active and has a resource policy granting access to the S3 service principals '`maintenance.s3tables.amazonaws.com`' and '`metadata.s3.amazonaws.com`'. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `AccessDeniedWritingToTable` - Unable to write to the metadata table because of missing resource permissions. To fix the resource policy, Amazon S3 needs to create a new metadata table. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `DestinationTableNotFound` - The destination table doesn't exist. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `ServerInternalError` - An internal error has occurred. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `JournalTableAlreadyExists` - A journal table already exists in the Amazon Web Services managed table bucket's namespace. Delete the journal table, and then try again. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `InventoryTableAlreadyExists` - An inventory table already exists in the Amazon Web Services managed table bucket's namespace. Delete the inventory table, and then try again. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `JournalTableNotAvailable` - The journal table that the inventory table relies on has a `FAILED` status. An inventory table requires a journal table with an `ACTIVE` status. To create a new journal or inventory table, you must delete the metadata configuration for this bucket, along with any journal or inventory tables, and then create a new metadata configuration.
        - `NoSuchBucket` - The specified general purpose bucket does not exist.
      - `error_message`**Type**: `STRING`**Provider name**: `ErrorMessage`**Description**: If the V1 `CreateBucketMetadataTableConfiguration` request succeeds, but S3 Metadata was unable to create the table, this structure contains the error message. The possible error codes and error messages are as follows:
        - `AccessDeniedCreatingResources` - You don't have sufficient permissions to create the required resources. Make sure that you have `s3tables:CreateNamespace`, `s3tables:CreateTable`, `s3tables:GetTable` and `s3tables:PutTablePolicy` permissions, and then try again. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `AccessDeniedWritingToTable` - Unable to write to the metadata table because of missing resource permissions. To fix the resource policy, Amazon S3 needs to create a new metadata table. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `DestinationTableNotFound` - The destination table doesn't exist. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `ServerInternalError` - An internal error has occurred. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `TableAlreadyExists` - The table that you specified already exists in the table bucket's namespace. Specify a different table name. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `TableBucketNotFound` - The table bucket that you specified doesn't exist in this Amazon Web Services Region and account. Create or choose a different table bucket. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        If the V2 `CreateBucketMetadataConfiguration` request succeeds, but S3 Metadata was unable to create the table, this structure contains the error code. The possible error codes and error messages are as follows:
        - `AccessDeniedCreatingResources` - You don't have sufficient permissions to create the required resources. Make sure that you have `s3tables:CreateTableBucket`, `s3tables:CreateNamespace`, `s3tables:CreateTable`, `s3tables:GetTable`, `s3tables:PutTablePolicy`, `kms:DescribeKey`, and `s3tables:PutTableEncryption` permissions. Additionally, ensure that the KMS key used to encrypt the table still exists, is active and has a resource policy granting access to the S3 service principals '`maintenance.s3tables.amazonaws.com`' and '`metadata.s3.amazonaws.com`'. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `AccessDeniedWritingToTable` - Unable to write to the metadata table because of missing resource permissions. To fix the resource policy, Amazon S3 needs to create a new metadata table. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `DestinationTableNotFound` - The destination table doesn't exist. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `ServerInternalError` - An internal error has occurred. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `JournalTableAlreadyExists` - A journal table already exists in the Amazon Web Services managed table bucket's namespace. Delete the journal table, and then try again. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `InventoryTableAlreadyExists` - An inventory table already exists in the Amazon Web Services managed table bucket's namespace. Delete the inventory table, and then try again. To create a new metadata table, you must delete the metadata configuration for this bucket, and then create a new metadata configuration.
        - `JournalTableNotAvailable` - The journal table that the inventory table relies on has a `FAILED` status. An inventory table requires a journal table with an `ACTIVE` status. To create a new journal or inventory table, you must delete the metadata configuration for this bucket, along with any journal or inventory tables, and then create a new metadata configuration.
        - `NoSuchBucket` - The specified general purpose bucket does not exist.
    - `record_expiration`**Type**: `STRUCT`**Provider name**: `RecordExpiration`**Description**: The journal table record expiration settings for the journal table.
      - `days`**Type**: `INT32`**Provider name**: `Days`**Description**: If you enable journal table record expiration, you can set the number of days to retain your journal table records. Journal table records must be retained for a minimum of 7 days. To set this value, specify any whole number from `7` to `2147483647`. For example, to retain your journal table records for one year, set this value to `365`.
      - `expiration`**Type**: `STRING`**Provider name**: `Expiration`**Description**: Specifies whether journal table record expiration is enabled or disabled.
    - `table_arn`**Type**: `STRING`**Provider name**: `TableArn`**Description**: The Amazon Resource Name (ARN) for the journal table.
    - `table_name`**Type**: `STRING`**Provider name**: `TableName`**Description**: The name of the journal table.
    - `table_status`**Type**: `STRING`**Provider name**: `TableStatus`**Description**: The status of the journal table. The status values are:
      - `CREATING` - The journal table is in the process of being created in the specified table bucket.
      - `ACTIVE` - The journal table has been created successfully, and records are being delivered to the table.
      - `FAILED` - Amazon S3 is unable to create the journal table, or Amazon S3 is unable to deliver records.

## `grants`{% #grants %}

**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `Grants`**Description**: A list of grants.

- `grantee`**Type**: `STRUCT`**Provider name**: `Grantee`**Description**: The person being granted permissions.
  - `display_name`**Type**: `STRING`**Provider name**: `DisplayName`**Description**: Screen name of the grantee.
  - `email_address`**Type**: `STRING`**Provider name**: `EmailAddress`**Description**: Email address of the grantee. Using email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
    - US East (N. Virginia)
    - US West (N. California)
    - US West (Oregon)
    - Asia Pacific (Singapore)
    - Asia Pacific (Sydney)
    - Asia Pacific (Tokyo)
    - Europe (Ireland)
    - South America (São Paulo)
    For a list of all the Amazon S3 supported Regions and endpoints, see [Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) in the Amazon Web Services General Reference.
  - `id`**Type**: `STRING`**Provider name**: `ID`**Description**: The canonical user ID of the grantee.
  - `type`**Type**: `STRING`**Provider name**: `Type`**Description**: Type of grantee.
  - `uri`**Type**: `STRING`**Provider name**: `URI`**Description**: URI of the grantee group.
- `permission`**Type**: `STRING`**Provider name**: `Permission`**Description**: Specifies the permission given to the grantee.

## `inventory_configuration_list`{% #inventory_configuration_list %}

**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `InventoryConfigurationList`**Description**: The list of inventory configurations for a bucket.

- `destination`**Type**: `STRUCT`**Provider name**: `Destination`**Description**: Contains information about where to publish the inventory results.
  - `s3_bucket_destination`**Type**: `STRUCT`**Provider name**: `S3BucketDestination`**Description**: Contains the bucket name, file format, bucket owner (optional), and prefix (optional) where inventory results are published.
    - `account_id`**Type**: `STRING`**Provider name**: `AccountId`**Description**: The account ID that owns the destination S3 bucket. If no account ID is provided, the owner is not validated before exporting data. Although this value is optional, we strongly recommend that you set it to help prevent problems if the destination bucket ownership changes.
    - `bucket`**Type**: `STRING`**Provider name**: `Bucket`**Description**: The Amazon Resource Name (ARN) of the bucket where inventory results will be published.
    - `encryption`**Type**: `STRUCT`**Provider name**: `Encryption`**Description**: Contains the type of server-side encryption used to encrypt the inventory results.
      - `ssekms`**Type**: `STRUCT`**Provider name**: `SSEKMS`**Description**: Specifies the use of SSE-KMS to encrypt delivered inventory reports.
        - `key_id`**Type**: `STRING`**Provider name**: `KeyId`**Description**: Specifies the ID of the Key Management Service (KMS) symmetric encryption customer managed key to use for encrypting inventory reports.
      - `sses3`**Type**: `STRUCT`**Provider name**: `SSES3`**Description**: Specifies the use of SSE-S3 to encrypt delivered inventory reports.
    - `format`**Type**: `STRING`**Provider name**: `Format`**Description**: Specifies the output format of the inventory results.
    - `prefix`**Type**: `STRING`**Provider name**: `Prefix`**Description**: The prefix that is prepended to all inventory results.
- `filter`**Type**: `STRUCT`**Provider name**: `Filter`**Description**: Specifies an inventory filter. The inventory only includes objects that meet the filter's criteria.
  - `prefix`**Type**: `STRING`**Provider name**: `Prefix`**Description**: The prefix that an object must have to be included in the inventory results.
- `id`**Type**: `STRING`**Provider name**: `Id`**Description**: The ID used to identify the inventory configuration.
- `included_object_versions`**Type**: `STRING`**Provider name**: `IncludedObjectVersions`**Description**: Object versions to include in the inventory list. If set to `All`, the list includes all the object versions, which adds the version-related fields `VersionId`, `IsLatest`, and `DeleteMarker` to the list. If set to `Current`, the list does not contain these version-related fields.
- `is_enabled`**Type**: `BOOLEAN`**Provider name**: `IsEnabled`**Description**: Specifies whether the inventory is enabled or disabled. If set to `True`, an inventory list is generated. If set to `False`, no inventory list is generated.
- `optional_fields`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `OptionalFields`**Description**: Contains the optional fields that are included in the inventory results.
- `schedule`**Type**: `STRUCT`**Provider name**: `Schedule`**Description**: Specifies the schedule for generating inventory results.
  - `frequency`**Type**: `STRING`**Provider name**: `Frequency`**Description**: Specifies how frequently inventory results are produced.

## `location_constraint`{% #location_constraint %}

**Type**: `STRING`**Provider name**: `LocationConstraint`**Description**: Specifies the Region where the bucket resides. For a list of all the Amazon S3 supported location constraints by Region, see [Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region). Buckets in Region `us-east-1` have a LocationConstraint of `null`. Buckets with a LocationConstraint of `EU` reside in `eu-west-1`.

## `logging_enabled`{% #logging_enabled %}

**Type**: `STRUCT`**Provider name**: `LoggingEnabled`

- `target_bucket`**Type**: `STRING`**Provider name**: `TargetBucket`**Description**: Specifies the bucket where you want Amazon S3 to store server access logs. You can have your logs delivered to any bucket that you own, including the same bucket that is being logged. You can also configure multiple buckets to deliver their logs to the same target bucket. In this case, you should choose a different `TargetPrefix` for each source bucket so that the delivered log files can be distinguished by key.
- `target_grants`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `TargetGrants`**Description**: Container for granting information. Buckets that use the bucket owner enforced setting for Object Ownership don't support target grants. For more information, see [Permissions for server access log delivery](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html#grant-log-delivery-permissions-general) in the Amazon S3 User Guide.
  - `grantee`**Type**: `STRUCT`**Provider name**: `Grantee`**Description**: Container for the person being granted permissions.
    - `display_name`**Type**: `STRING`**Provider name**: `DisplayName`**Description**: Screen name of the grantee.
    - `email_address`**Type**: `STRING`**Provider name**: `EmailAddress`**Description**: Email address of the grantee. Using email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
      - US East (N. Virginia)
      - US West (N. California)
      - US West (Oregon)
      - Asia Pacific (Singapore)
      - Asia Pacific (Sydney)
      - Asia Pacific (Tokyo)
      - Europe (Ireland)
      - South America (São Paulo)
      For a list of all the Amazon S3 supported Regions and endpoints, see [Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) in the Amazon Web Services General Reference.
    - `id`**Type**: `STRING`**Provider name**: `ID`**Description**: The canonical user ID of the grantee.
    - `type`**Type**: `STRING`**Provider name**: `Type`**Description**: Type of grantee.
    - `uri`**Type**: `STRING`**Provider name**: `URI`**Description**: URI of the grantee group.
  - `permission`**Type**: `STRING`**Provider name**: `Permission`**Description**: Logging permissions assigned to the grantee for the bucket.
- `target_object_key_format`**Type**: `STRUCT`**Provider name**: `TargetObjectKeyFormat`**Description**: Amazon S3 key format for log objects.
  - `partitioned_prefix`**Type**: `STRUCT`**Provider name**: `PartitionedPrefix`**Description**: Partitioned S3 key for log objects.
    - `partition_date_source`**Type**: `STRING`**Provider name**: `PartitionDateSource`**Description**: Specifies the partition date source for the partitioned prefix. `PartitionDateSource` can be `EventTime` or `DeliveryTime`. For `DeliveryTime`, the time in the log file names corresponds to the delivery time for the log files. For `EventTime`, the logs delivered are for a specific day only. The year, month, and day correspond to the day on which the event occurred, and the hour, minutes, and seconds are set to 00 in the key.
  - `simple_prefix`**Type**: `STRUCT`**Provider name**: `SimplePrefix`**Description**: To use the simple format for S3 keys for log objects. To specify SimplePrefix format, set SimplePrefix to {}.
- `target_prefix`**Type**: `STRING`**Provider name**: `TargetPrefix`**Description**: A prefix for all log object keys. If you store log files from multiple Amazon S3 buckets in a single bucket, you can use a prefix to distinguish which log files came from which bucket.

## `name`{% #name %}

**Type**: `STRING`**Provider name**: `Name`**Description**: The name of the bucket.

## `notification_configuration`{% #notification_configuration %}

**Type**: `STRUCT`**Provider name**: `NotificationConfiguration`

- `lambda_function_configurations`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `LambdaFunctionConfigurations`**Description**: Describes the Lambda functions to invoke and the events for which to invoke them.
  - `events`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `Events`**Description**: The Amazon S3 bucket event for which to invoke the Lambda function. For more information, see [Supported Event Types](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the Amazon S3 User Guide.
  - `filter`**Type**: `STRUCT`**Provider name**: `Filter`
    - `key`**Type**: `STRUCT`**Provider name**: `Key`
      - `filter_rules`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `FilterRules`
        - `name`**Type**: `STRING`**Provider name**: `Name`**Description**: The object key name prefix or suffix identifying one or more objects to which the filtering rule applies. The maximum length is 1,024 characters. Overlapping prefixes and suffixes are not supported. For more information, see [Configuring Event Notifications](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the Amazon S3 User Guide.
        - `value`**Type**: `STRING`**Provider name**: `Value`**Description**: The value that the filter searches for in object key names.
  - `id`**Type**: `STRING`**Provider name**: `Id`
  - `lambda_function_arn`**Type**: `STRING`**Provider name**: `LambdaFunctionArn`**Description**: The Amazon Resource Name (ARN) of the Lambda function that Amazon S3 invokes when the specified event type occurs.
- `queue_configurations`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `QueueConfigurations`**Description**: The Amazon Simple Queue Service queues to publish messages to and the events for which to publish messages.
  - `events`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `Events`**Description**: A collection of bucket events for which to send notifications.
  - `filter`**Type**: `STRUCT`**Provider name**: `Filter`
    - `key`**Type**: `STRUCT`**Provider name**: `Key`
      - `filter_rules`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `FilterRules`
        - `name`**Type**: `STRING`**Provider name**: `Name`**Description**: The object key name prefix or suffix identifying one or more objects to which the filtering rule applies. The maximum length is 1,024 characters. Overlapping prefixes and suffixes are not supported. For more information, see [Configuring Event Notifications](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the Amazon S3 User Guide.
        - `value`**Type**: `STRING`**Provider name**: `Value`**Description**: The value that the filter searches for in object key names.
  - `id`**Type**: `STRING`**Provider name**: `Id`
  - `queue_arn`**Type**: `STRING`**Provider name**: `QueueArn`**Description**: The Amazon Resource Name (ARN) of the Amazon SQS queue to which Amazon S3 publishes a message when it detects events of the specified type.
- `topic_configurations`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `TopicConfigurations`**Description**: The topic to which notifications are sent and the events for which notifications are generated.
  - `events`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `Events`**Description**: The Amazon S3 bucket event about which to send notifications. For more information, see [Supported Event Types](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the Amazon S3 User Guide.
  - `filter`**Type**: `STRUCT`**Provider name**: `Filter`
    - `key`**Type**: `STRUCT`**Provider name**: `Key`
      - `filter_rules`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `FilterRules`
        - `name`**Type**: `STRING`**Provider name**: `Name`**Description**: The object key name prefix or suffix identifying one or more objects to which the filtering rule applies. The maximum length is 1,024 characters. Overlapping prefixes and suffixes are not supported. For more information, see [Configuring Event Notifications](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the Amazon S3 User Guide.
        - `value`**Type**: `STRING`**Provider name**: `Value`**Description**: The value that the filter searches for in object key names.
  - `id`**Type**: `STRING`**Provider name**: `Id`
  - `topic_arn`**Type**: `STRING`**Provider name**: `TopicArn`**Description**: The Amazon Resource Name (ARN) of the Amazon SNS topic to which Amazon S3 publishes a message when it detects events of the specified type.

## `object_lock_configuration`{% #object_lock_configuration %}

**Type**: `STRUCT`**Provider name**: `ObjectLockConfiguration`**Description**: The specified bucket's Object Lock configuration.

- `object_lock_enabled`**Type**: `STRING`**Provider name**: `ObjectLockEnabled`**Description**: Indicates whether this bucket has an Object Lock configuration enabled. Enable `ObjectLockEnabled` when you apply `ObjectLockConfiguration` to a bucket.
- `rule`**Type**: `STRUCT`**Provider name**: `Rule`**Description**: Specifies the Object Lock rule for the specified object. Enable this rule when you apply `ObjectLockConfiguration` to a bucket. Bucket settings require both a mode and a period. The period can be either `Days` or `Years` but you must select one. You cannot specify `Days` and `Years` at the same time.
  - `default_retention`**Type**: `STRUCT`**Provider name**: `DefaultRetention`**Description**: The default Object Lock retention mode and period that you want to apply to new objects placed in the specified bucket. Bucket settings require both a mode and a period. The period can be either `Days` or `Years` but you must select one. You cannot specify `Days` and `Years` at the same time.
    - `days`**Type**: `INT32`**Provider name**: `Days`**Description**: The number of days that you want to specify for the default retention period. Must be used with `Mode`.
    - `mode`**Type**: `STRING`**Provider name**: `Mode`**Description**: The default Object Lock retention mode you want to apply to new objects placed in the specified bucket. Must be used with either `Days` or `Years`.
    - `years`**Type**: `INT32`**Provider name**: `Years`**Description**: The number of years that you want to specify for the default retention period. Must be used with `Mode`.

## `owner`{% #owner %}

**Type**: `STRUCT`**Provider name**: `Owner`**Description**: Container for the bucket owner's display name and ID.

- `display_name`**Type**: `STRING`**Provider name**: `DisplayName`**Description**: Container for the display name of the owner. This value is only supported in the following Amazon Web Services Regions:
  - US East (N. Virginia)
  - US West (N. California)
  - US West (Oregon)
  - Asia Pacific (Singapore)
  - Asia Pacific (Sydney)
  - Asia Pacific (Tokyo)
  - Europe (Ireland)
  - South America (São Paulo)
  This functionality is not supported for directory buckets.
- `id`**Type**: `STRING`**Provider name**: `ID`**Description**: Container for the ID of the owner.

## `ownership_controls`{% #ownership_controls %}

**Type**: `STRUCT`**Provider name**: `OwnershipControls`**Description**: The `OwnershipControls` (BucketOwnerEnforced, BucketOwnerPreferred, or ObjectWriter) currently in effect for this Amazon S3 bucket.

- `rules`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `Rules`**Description**: The container element for an ownership control rule.
  - `object_ownership`**Type**: `STRING`**Provider name**: `ObjectOwnership`

## `policy`{% #policy %}

**Type**: `STRING`**Provider name**: `Policy`**Description**: The bucket policy as a JSON document.

## `policy_status`{% #policy_status %}

**Type**: `STRUCT`**Provider name**: `PolicyStatus`**Description**: The policy status for the specified bucket.

- `is_public`**Type**: `BOOLEAN`**Provider name**: `IsPublic`**Description**: The policy status for this bucket. `TRUE` indicates that this bucket is public. `FALSE` indicates that the bucket is not public.

## `public_access_block_configuration`{% #public_access_block_configuration %}

**Type**: `STRUCT`**Provider name**: `PublicAccessBlockConfiguration`**Description**: The `PublicAccessBlock` configuration currently in effect for this Amazon S3 bucket.

- `block_public_acls`**Type**: `BOOLEAN`**Provider name**: `BlockPublicAcls`**Description**: Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to `TRUE` causes the following behavior:
  - PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public.
  - PUT Object calls fail if the request includes a public ACL.
  - PUT Bucket calls fail if the request includes a public ACL.
  Enabling this setting doesn't affect existing policies or ACLs.
- `block_public_policy`**Type**: `BOOLEAN`**Provider name**: `BlockPublicPolicy`**Description**: Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to `TRUE` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access. Enabling this setting doesn't affect existing bucket policies.
- `ignore_public_acls`**Type**: `BOOLEAN`**Provider name**: `IgnorePublicAcls`**Description**: Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to `TRUE` causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket. Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.
- `restrict_public_buckets`**Type**: `BOOLEAN`**Provider name**: `RestrictPublicBuckets`**Description**: Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to `TRUE` restricts access to this bucket to only Amazon Web Services service principals and authorized users within this account if the bucket has a public policy. Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.

## `replication_configuration`{% #replication_configuration %}

**Type**: `STRUCT`**Provider name**: `ReplicationConfiguration`

- `role`**Type**: `STRING`**Provider name**: `Role`**Description**: The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that Amazon S3 assumes when replicating objects. For more information, see [How to Set Up Replication](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-how-setup.html) in the Amazon S3 User Guide.
- `rules`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `Rules`**Description**: A container for one or more replication rules. A replication configuration must have at least one rule and can contain a maximum of 1,000 rules.
  - `delete_marker_replication`**Type**: `STRUCT`**Provider name**: `DeleteMarkerReplication`
    - `status`**Type**: `STRING`**Provider name**: `Status`**Description**: Indicates whether to replicate delete markers.
  - `destination`**Type**: `STRUCT`**Provider name**: `Destination`**Description**: A container for information about the replication destination and its configurations including enabling the S3 Replication Time Control (S3 RTC).
    - `access_control_translation`**Type**: `STRUCT`**Provider name**: `AccessControlTranslation`**Description**: Specify this only in a cross-account scenario (where source and destination bucket owners are not the same) when you want to change replica ownership to the Amazon Web Services account that owns the destination bucket. If this is not specified in the replication configuration, the replicas are owned by the same Amazon Web Services account that owns the source object.
      - `owner`**Type**: `STRING`**Provider name**: `Owner`**Description**: Specifies the replica ownership. For default and valid values, see [PUT bucket replication](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTreplication.html) in the Amazon S3 API Reference.
    - `account`**Type**: `STRING`**Provider name**: `Account`**Description**: Destination bucket owner account ID. In a cross-account scenario, if you direct Amazon S3 to change replica ownership to the Amazon Web Services account that owns the destination bucket by specifying the `AccessControlTranslation` property, this is the account ID of the destination bucket owner. For more information, see [Replication Additional Configuration: Changing the Replica Owner](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-change-owner.html) in the Amazon S3 User Guide.
    - `bucket`**Type**: `STRING`**Provider name**: `Bucket`**Description**: The Amazon Resource Name (ARN) of the bucket where you want Amazon S3 to store the results.
    - `encryption_configuration`**Type**: `STRUCT`**Provider name**: `EncryptionConfiguration`**Description**: A container that provides information about encryption. If `SourceSelectionCriteria` is specified, you must specify this element.
      - `replica_kms_key_id`**Type**: `STRING`**Provider name**: `ReplicaKmsKeyID`**Description**: Specifies the ID (Key ARN or Alias ARN) of the customer managed Amazon Web Services KMS key stored in Amazon Web Services Key Management Service (KMS) for the destination bucket. Amazon S3 uses this key to encrypt replica objects. Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in Amazon Web Services KMS](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the Amazon Web Services Key Management Service Developer Guide.
    - `metrics`**Type**: `STRUCT`**Provider name**: `Metrics`**Description**: A container specifying replication metrics-related settings enabling replication metrics and events.
      - `event_threshold`**Type**: `STRUCT`**Provider name**: `EventThreshold`**Description**: A container specifying the time threshold for emitting the `s3:Replication:OperationMissedThreshold` event.
        - `minutes`**Type**: `INT32`**Provider name**: `Minutes`**Description**: Contains an integer specifying time in minutes. Valid value: 15
      - `status`**Type**: `STRING`**Provider name**: `Status`**Description**: Specifies whether the replication metrics are enabled.
    - `replication_time`**Type**: `STRUCT`**Provider name**: `ReplicationTime`**Description**: A container specifying S3 Replication Time Control (S3 RTC), including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated. Must be specified together with a `Metrics` block.
      - `status`**Type**: `STRING`**Provider name**: `Status`**Description**: Specifies whether the replication time is enabled.
      - `time`**Type**: `STRUCT`**Provider name**: `Time`**Description**: A container specifying the time by which replication should be complete for all objects and operations on objects.
        - `minutes`**Type**: `INT32`**Provider name**: `Minutes`**Description**: Contains an integer specifying time in minutes. Valid value: 15
    - `storage_class`**Type**: `STRING`**Provider name**: `StorageClass`**Description**: The storage class to use when replicating objects, such as S3 Standard or reduced redundancy. By default, Amazon S3 uses the storage class of the source object to create the object replica. For valid values, see the `StorageClass` element of the [PUT Bucket replication](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTreplication.html) action in the Amazon S3 API Reference. `FSX_OPENZFS` is not an accepted value when replicating objects.
  - `existing_object_replication`**Type**: `STRUCT`**Provider name**: `ExistingObjectReplication`**Description**: Optional configuration to replicate existing source bucket objects. This parameter is no longer supported. To replicate existing objects, see [Replicating existing objects with S3 Batch Replication](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-batch-replication-batch.html) in the Amazon S3 User Guide.
    - `status`**Type**: `STRING`**Provider name**: `Status`**Description**: Specifies whether Amazon S3 replicates existing source bucket objects.
  - `filter`**Type**: `STRUCT`**Provider name**: `Filter`
    - `and`**Type**: `STRUCT`**Provider name**: `And`**Description**: A container for specifying rule filters. The filters determine the subset of objects to which the rule applies. This element is required only if you specify more than one filter. For example:
      - If you specify both a `Prefix` and a `Tag` filter, wrap these filters in an `And` tag.
      - If you specify a filter based on multiple tags, wrap the `Tag` elements in an `And` tag.

      - `prefix`**Type**: `STRING`**Provider name**: `Prefix`**Description**: An object key name prefix that identifies the subset of objects to which the rule applies.
    - `prefix`**Type**: `STRING`**Provider name**: `Prefix`**Description**: An object key name prefix that identifies the subset of objects to which the rule applies. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints).
    - `tag`**Type**: `STRUCT`**Provider name**: `Tag`**Description**: A container for specifying a tag key and value. The rule applies only to objects that have the tag in their tag set.
      - `key`**Type**: `STRING`**Provider name**: `Key`**Description**: Name of the object key.
      - `value`**Type**: `STRING`**Provider name**: `Value`**Description**: Value of the tag.
  - `id`**Type**: `STRING`**Provider name**: `ID`**Description**: A unique identifier for the rule. The maximum value is 255 characters.
  - `prefix`**Type**: `STRING`**Provider name**: `Prefix`**Description**: An object key name prefix that identifies the object or objects to which the rule applies. The maximum prefix length is 1,024 characters. To include all objects in a bucket, specify an empty string. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints).
  - `priority`**Type**: `INT32`**Provider name**: `Priority`**Description**: The priority indicates which rule has precedence whenever two or more replication rules conflict. Amazon S3 will attempt to replicate objects according to all replication rules. However, if there are two or more rules with the same destination bucket, then objects will be replicated according to the rule with the highest priority. The higher the number, the higher the priority. For more information, see [Replication](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication.html) in the Amazon S3 User Guide.
  - `source_selection_criteria`**Type**: `STRUCT`**Provider name**: `SourceSelectionCriteria`**Description**: A container that describes additional filters for identifying the source objects that you want to replicate. You can choose to enable or disable the replication of these objects. Currently, Amazon S3 supports only the filter that you can specify for objects created with server-side encryption using a customer managed key stored in Amazon Web Services Key Management Service (SSE-KMS).
    - `replica_modifications`**Type**: `STRUCT`**Provider name**: `ReplicaModifications`**Description**: A filter that you can specify for selections for modifications on replicas. Amazon S3 doesn't replicate replica modifications by default. In the latest version of replication configuration (when `Filter` is specified), you can specify this element and set the status to `Enabled` to replicate modifications on replicas. If you don't specify the `Filter` element, Amazon S3 assumes that the replication configuration is the earlier version, V1. In the earlier version, this element is not allowed.
      - `status`**Type**: `STRING`**Provider name**: `Status`**Description**: Specifies whether Amazon S3 replicates modifications on replicas.
    - `sse_kms_encrypted_objects`**Type**: `STRUCT`**Provider name**: `SseKmsEncryptedObjects`**Description**: A container for filter information for the selection of Amazon S3 objects encrypted with Amazon Web Services KMS. If you include `SourceSelectionCriteria` in the replication configuration, this element is required.
      - `status`**Type**: `STRING`**Provider name**: `Status`**Description**: Specifies whether Amazon S3 replicates objects created with server-side encryption using an Amazon Web Services KMS key stored in Amazon Web Services Key Management Service.
  - `status`**Type**: `STRING`**Provider name**: `Status`**Description**: Specifies whether the rule is enabled.

## `rules`{% #rules %}

**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `Rules`**Description**: Container for a lifecycle rule.

- `abort_incomplete_multipart_upload`**Type**: `STRUCT`**Provider name**: `AbortIncompleteMultipartUpload`
  - `days_after_initiation`**Type**: `INT32`**Provider name**: `DaysAfterInitiation`**Description**: Specifies the number of days after which Amazon S3 aborts an incomplete multipart upload.
- `expiration`**Type**: `STRUCT`**Provider name**: `Expiration`**Description**: Specifies the expiration for the lifecycle of the object in the form of date, days, and whether the object has a delete marker.
  - `date`**Type**: `TIMESTAMP`**Provider name**: `Date`**Description**: Indicates at what date the object is to be moved or deleted. The date value must conform to the ISO 8601 format. The time is always midnight UTC. This parameter applies to general purpose buckets only. It is not supported for directory bucket lifecycle configurations.
  - `days`**Type**: `INT32`**Provider name**: `Days`**Description**: Indicates the lifetime, in days, of the objects that are subject to the rule. The value must be a non-zero positive integer.
  - `expired_object_delete_marker`**Type**: `BOOLEAN`**Provider name**: `ExpiredObjectDeleteMarker`**Description**: Indicates whether Amazon S3 will remove a delete marker with no noncurrent versions. If set to true, the delete marker will be expired; if set to false the policy takes no action. This cannot be specified with Days or Date in a Lifecycle Expiration Policy. This parameter applies to general purpose buckets only. It is not supported for directory bucket lifecycle configurations.
- `filter`**Type**: `STRUCT`**Provider name**: `Filter`**Description**: The `Filter` is used to identify objects that a Lifecycle Rule applies to. A `Filter` must have exactly one of `Prefix`, `Tag`, `ObjectSizeGreaterThan`, `ObjectSizeLessThan`, or `And` specified. `Filter` is required if the `LifecycleRule` does not contain a `Prefix` element. For more information about `Tag` filters, see [Adding filters to Lifecycle rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/intro-lifecycle-filters.html) in the Amazon S3 User Guide. `Tag` filters are not supported for directory buckets.
  - `and`**Type**: `STRUCT`**Provider name**: `And`
    - `object_size_greater_than`**Type**: `INT64`**Provider name**: `ObjectSizeGreaterThan`**Description**: Minimum object size to which the rule applies.
    - `object_size_less_than`**Type**: `INT64`**Provider name**: `ObjectSizeLessThan`**Description**: Maximum object size to which the rule applies.
    - `prefix`**Type**: `STRING`**Provider name**: `Prefix`**Description**: Prefix identifying one or more objects to which the rule applies.
  - `object_size_greater_than`**Type**: `INT64`**Provider name**: `ObjectSizeGreaterThan`**Description**: Minimum object size to which the rule applies.
  - `object_size_less_than`**Type**: `INT64`**Provider name**: `ObjectSizeLessThan`**Description**: Maximum object size to which the rule applies.
  - `prefix`**Type**: `STRING`**Provider name**: `Prefix`**Description**: Prefix identifying one or more objects to which the rule applies. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints).
  - `tag`**Type**: `STRUCT`**Provider name**: `Tag`**Description**: This tag must exist in the object's tag set in order for the rule to apply. This parameter applies to general purpose buckets only. It is not supported for directory bucket lifecycle configurations.
    - `key`**Type**: `STRING`**Provider name**: `Key`**Description**: Name of the object key.
    - `value`**Type**: `STRING`**Provider name**: `Value`**Description**: Value of the tag.
- `id`**Type**: `STRING`**Provider name**: `ID`**Description**: Unique identifier for the rule. The value cannot be longer than 255 characters.
- `noncurrent_version_expiration`**Type**: `STRUCT`**Provider name**: `NoncurrentVersionExpiration`
  - `newer_noncurrent_versions`**Type**: `INT32`**Provider name**: `NewerNoncurrentVersions`**Description**: Specifies how many noncurrent versions Amazon S3 will retain. You can specify up to 100 noncurrent versions to retain. Amazon S3 will permanently delete any additional noncurrent versions beyond the specified number to retain. For more information about noncurrent versions, see [Lifecycle configuration elements](https://docs.aws.amazon.com/AmazonS3/latest/userguide/intro-lifecycle-rules.html) in the Amazon S3 User Guide. This parameter applies to general purpose buckets only. It is not supported for directory bucket lifecycle configurations.
  - `noncurrent_days`**Type**: `INT32`**Provider name**: `NoncurrentDays`**Description**: Specifies the number of days an object is noncurrent before Amazon S3 can perform the associated action. The value must be a non-zero positive integer. For information about the noncurrent days calculations, see [How Amazon S3 Calculates When an Object Became Noncurrent](https://docs.aws.amazon.com/AmazonS3/latest/dev/intro-lifecycle-rules.html#non-current-days-calculations) in the Amazon S3 User Guide. This parameter applies to general purpose buckets only. It is not supported for directory bucket lifecycle configurations.
- `noncurrent_version_transitions`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `NoncurrentVersionTransitions`**Description**: Specifies the transition rule for the lifecycle rule that describes when noncurrent objects transition to a specific storage class. If your bucket is versioning-enabled (or versioning is suspended), you can set this action to request that Amazon S3 transition noncurrent object versions to a specific storage class at a set period in the object's lifetime. This parameter applies to general purpose buckets only. It is not supported for directory bucket lifecycle configurations.
  - `newer_noncurrent_versions`**Type**: `INT32`**Provider name**: `NewerNoncurrentVersions`**Description**: Specifies how many noncurrent versions Amazon S3 will retain in the same storage class before transitioning objects. You can specify up to 100 noncurrent versions to retain. Amazon S3 will transition any additional noncurrent versions beyond the specified number to retain. For more information about noncurrent versions, see [Lifecycle configuration elements](https://docs.aws.amazon.com/AmazonS3/latest/userguide/intro-lifecycle-rules.html) in the Amazon S3 User Guide.
  - `noncurrent_days`**Type**: `INT32`**Provider name**: `NoncurrentDays`**Description**: Specifies the number of days an object is noncurrent before Amazon S3 can perform the associated action. For information about the noncurrent days calculations, see [How Amazon S3 Calculates How Long an Object Has Been Noncurrent](https://docs.aws.amazon.com/AmazonS3/latest/dev/intro-lifecycle-rules.html#non-current-days-calculations) in the Amazon S3 User Guide.
  - `storage_class`**Type**: `STRING`**Provider name**: `StorageClass`**Description**: The class of storage used to store the object.
- `prefix`**Type**: `STRING`**Provider name**: `Prefix`**Description**: The general purpose bucket prefix that identifies one or more objects to which the rule applies. We recommend using `Filter` instead of `Prefix` for new PUTs. Previous configurations where a prefix is defined will continue to operate as before. Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints).
- `status`**Type**: `STRING`**Provider name**: `Status`**Description**: If 'Enabled', the rule is currently being applied. If 'Disabled', the rule is not currently being applied.
- `transitions`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `Transitions`**Description**: Specifies when an Amazon S3 object transitions to a specified storage class. This parameter applies to general purpose buckets only. It is not supported for directory bucket lifecycle configurations.
  - `date`**Type**: `TIMESTAMP`**Provider name**: `Date`**Description**: Indicates when objects are transitioned to the specified storage class. The date value must be in ISO 8601 format. The time is always midnight UTC.
  - `days`**Type**: `INT32`**Provider name**: `Days`**Description**: Indicates the number of days after creation when objects are transitioned to the specified storage class. If the specified storage class is `INTELLIGENT_TIERING`, `GLACIER_IR`, `GLACIER`, or `DEEP_ARCHIVE`, valid values are `0` or positive integers. If the specified storage class is `STANDARD_IA` or `ONEZONE_IA`, valid values are positive integers greater than `30`. Be aware that some storage classes have a minimum storage duration and that you're charged for transitioning objects before their minimum storage duration. For more information, see [Constraints and considerations for transitions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-transition-general-considerations.html#lifecycle-configuration-constraints) in the Amazon S3 User Guide.
  - `storage_class`**Type**: `STRING`**Provider name**: `StorageClass`**Description**: The storage class to which you want the object to transition.

## `server_side_encryption_configuration`{% #server_side_encryption_configuration %}

**Type**: `STRUCT`**Provider name**: `ServerSideEncryptionConfiguration`

- `rules`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `Rules`**Description**: Container for information about a particular server-side encryption configuration rule.
  - `apply_server_side_encryption_by_default`**Type**: `STRUCT`**Provider name**: `ApplyServerSideEncryptionByDefault`**Description**: Specifies the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied.
    - `kms_master_key_id`**Type**: `STRING`**Provider name**: `KMSMasterKeyID`**Description**: Amazon Web Services Key Management Service (KMS) customer managed key ID to use for the default encryption.
      - General purpose buckets - This parameter is allowed if and only if `SSEAlgorithm` is set to `aws:kms` or `aws:kms:dsse`.
      - Directory buckets - This parameter is allowed if and only if `SSEAlgorithm` is set to `aws:kms`.
      You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key.
      - Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
      - Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
      - Key Alias: `alias/alias-name`
      If you are using encryption with cross-account or Amazon Web Services service operations, you must use a fully qualified KMS key ARN. For more information, see [Using encryption for cross-account operations](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy).
      - General purpose buckets - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves the key within the requester's account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner. Also, if you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log.
      - Directory buckets - When you specify a [KMS customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported.
      Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in Amazon Web Services KMS](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the Amazon Web Services Key Management Service Developer Guide.
    - `sse_algorithm`**Type**: `STRING`**Provider name**: `SSEAlgorithm`**Description**: Server-side encryption algorithm to use for the default encryption. For directory buckets, there are only two supported values for server-side encryption: `AES256` and `aws:kms`.
  - `blocked_encryption_types`**Type**: `STRUCT`**Provider name**: `BlockedEncryptionTypes`**Description**: A bucket-level setting for Amazon S3 general purpose buckets used to prevent the upload of new objects encrypted with the specified server-side encryption type. For example, blocking an encryption type will block `PutObject`, `CopyObject`, `PostObject`, multipart upload, and replication requests to the bucket for objects with the specified encryption type. However, you can continue to read and list any pre-existing objects already encrypted with the specified encryption type. For more information, see [Blocking an encryption type for a general purpose bucket](https://docs.aws.amazon.com/AmazonS3/userguide/block-encryption-type.html). Currently, this parameter only supports blocking or unblocking Server Side Encryption with Customer Provided Keys (SSE-C). For more information about SSE-C, see [Using server-side encryption with customer-provided keys (SSE-C)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html).
    - `encryption_type`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `EncryptionType`**Description**: The object encryption type that you want to block or unblock for an Amazon S3 general purpose bucket. Currently, this parameter only supports blocking or unblocking server side encryption with customer-provided keys (SSE-C). For more information about SSE-C, see [Using server-side encryption with customer-provided keys (SSE-C)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html).
  - `bucket_key_enabled`**Type**: `BOOLEAN`**Provider name**: `BucketKeyEnabled`**Description**: Specifies whether Amazon S3 should use an S3 Bucket Key with server-side encryption using KMS (SSE-KMS) for new objects in the bucket. Existing objects are not affected. Setting the `BucketKeyEnabled` element to `true` causes Amazon S3 to use an S3 Bucket Key.
    - General purpose buckets - By default, S3 Bucket Key is not enabled. For more information, see [Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html) in the Amazon S3 User Guide.
    - Directory buckets - S3 Bucket Keys are always enabled for `GET` and `PUT` operations in a directory bucket and can't be disabled. S3 Bucket Keys aren't supported when you copy SSE-KMS encrypted objects from general purpose buckets to directory buckets, from directory buckets to general purpose buckets, or between directory buckets, through [CopyObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html), [UploadPartCopy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html), [the Copy operation in Batch Operations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops), or [the import jobs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job). In this case, Amazon S3 makes a call to KMS every time a copy request is made for a KMS-encrypted object.
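
The constraints described above for `kms_master_key_id`, `sse_algorithm`, and `blocked_encryption_types` can be checked over a record shaped like this field. The following is an added example, not Datadog or AWS code: the `audit_sse` helper, the finding names, the sample records, and the literal `SSE-C` list value are assumptions.

```python
import re

KMS_ALGOS = {"aws:kms", "aws:kms:dsse"}
# Fully qualified KMS key ARN, in the form shown in the field description.
KEY_ARN = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9A-Za-z-]+$")
SSE_C = "SSE-C"  # assumed literal for the `encryption_type` list entries


def audit_sse(config, directory_bucket=False):
    """Return sorted finding codes for one `server_side_encryption_configuration`."""
    findings = set()
    for rule in (config or {}).get("rules") or []:
        default = rule.get("apply_server_side_encryption_by_default") or {}
        algo = default.get("sse_algorithm")
        key = default.get("kms_master_key_id")
        # The key parameter is allowed only with a KMS algorithm
        # (directory buckets: `aws:kms` only).
        allowed = {"aws:kms"} if directory_bucket else KMS_ALGOS
        if key and algo not in allowed:
            findings.add("KEY_ID_WITHOUT_KMS_ALGORITHM")
        if directory_bucket and algo not in {"AES256", "aws:kms"}:
            findings.add("ALGORITHM_UNSUPPORTED_FOR_DIRECTORY_BUCKET")
        if key and key.startswith("alias/"):
            # Aliases resolve in the requester's account; directory buckets reject them.
            findings.add("ALIAS_UNSUPPORTED_FOR_DIRECTORY_BUCKET" if directory_bucket
                         else "KEY_ALIAS_RESOLVES_IN_REQUESTER_ACCOUNT")
        elif key and not KEY_ARN.match(key):
            findings.add("KEY_NOT_FULLY_QUALIFIED_ARN")
        # `blocked_encryption_types` is a general purpose bucket setting.
        blocked = (rule.get("blocked_encryption_types") or {}).get("encryption_type") or []
        if not directory_bucket and SSE_C not in blocked:
            findings.add("SSE_C_UPLOADS_ALLOWED")
    return sorted(findings)


def _rule(algo, key=None, blocked=()):
    """Build one constructed sample record in the documented field layout."""
    default = {"sse_algorithm": algo}
    if key:
        default["kms_master_key_id"] = key
    return {"rules": [{"apply_server_side_encryption_by_default": default,
                       "blocked_encryption_types": {"encryption_type": list(blocked)}}]}


# Constructed samples; key values reuse the placeholder formats from the description.
ALIAS_CFG = _rule("aws:kms", "alias/alias-name", [SSE_C])
BARE_ID_CFG = _rule("AES256", "1234abcd-12ab-34cd-56ef-1234567890ab")
ARN_CFG = _rule("aws:kms:dsse",
                "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                [SSE_C])

if __name__ == "__main__":
    for name, cfg in [("alias", ALIAS_CFG), ("bare id", BARE_ID_CFG), ("arn", ARN_CFG)]:
        print(name, audit_sse(cfg))
```

`SSE_C_UPLOADS_ALLOWED` reports state rather than a violation; whether SSE-C uploads should be blocked is a policy decision for the bucket owner.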

## `tags`{% #tags %}

**Type**: `UNORDERED_LIST_STRING`

## `transition_default_minimum_object_size`{% #transition_default_minimum_object_size %}

**Type**: `STRING`**Provider name**: `TransitionDefaultMinimumObjectSize`**Description**: Indicates which default minimum object size behavior is applied to the lifecycle configuration. This parameter applies to general purpose buckets only. It isn't supported for directory bucket lifecycle configurations.

- `all_storage_classes_128K` - Objects smaller than 128 KB will not transition to any storage class by default.
- `varies_by_storage_class` - Objects smaller than 128 KB will transition to Glacier Flexible Retrieval or Glacier Deep Archive storage classes. By default, all other storage classes will prevent transitions smaller than 128 KB.

To customize the minimum object size for any transition, you can add a filter that specifies a custom `ObjectSizeGreaterThan` or `ObjectSizeLessThan` in the body of your transition rule. Custom filters always take precedence over the default transition behavior.

