Hi, if i set isEnabled to false when i make a put-bucket-inventory request, will the inventory be generated?

or generate a empty inventory?

and the last question is: can i get the inventory(isEnabled = false)'s detail info when i use get-bucket-inventory api?

thanks.

https://github.com/awsdocs/amazon-s3-userguide/blob/main/doc_source/upload-objects.md specifies everything in GB for simple upload but the multi-part doc https://github.com/awsdocs/amazon-s3-userguide/blob/main/doc_source/qfacts.md uses GiB/TiB for everything.

Attempting to use XML returns an error "The CORS configuration must be written in valid JSON."

The docs should not show an example of using XML.

I've implemented and activated the SCP on my accounts as suggested in the docs: https://github.com/awsdocs/amazon-s3-userguide/blob/main/doc_source/ensure-object-ownership.md#disabling-acls-for-all-new-buckets-bucket-owner-enforced

However when I try to create an S3 bucket with CloudFormation where I enforce: "ObjectOwnership": "BucketOwnerEnforced", CloudFormation get's the following error:

CREATE_FAILED | API: s3:CreateBucket Access Denied

Here is the resource:

  "trainingLogs1BCCC4D1": {
   "Type": "AWS::S3::Bucket",
   "Properties": {
    "OwnershipControls": {
     "Rules": [
      {
       "ObjectOwnership": "BucketOwnerEnforced"
      }
     ]
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain"
  },

What am I missing? If I create the same bucket through the console with bucket owner enforced, the resource get's created successfully.

Hello, I followed this documentation: https://github.com/awsdocs/amazon-s3-userguide/blob/main/doc_source/replication-walkthrough1.md

However I did not to replicate my bucket.

By adding s3:* in the policy of the IAM role it works. Do you know which action specifically I should add in this role ?

There is code under EnableNotificationOnABucket showing the usage of SetBucketNotificationConfigurationRequest.

I am looking for programmatic way of receiving notification on a bucket.
I searched the repository but haven't found such example.

Thanks

The docs at https://github.com/awsdocs/amazon-s3-userguide/blob/main/doc_source/UsingClientSideEncryption.md link to https://aws.amazon.com/articles/client-side-data-encryption-with-the-aws-sdk-for-java-and-amazon-s3/

That article is from 2011. The APIs it uses are all deprecated. The information however, is relevant since new APIs for similar functionality exist.

Commit 0d17598 (13 May) announced the deprecation plan for S3 BitTorrent:

# doc_source/S3Torrent.md
+ As of April 29, 2021 Amazon S3 is discontinuing the S3 BitTorrent feature and it will no
+ longer be available to enable\. AWS will support customers currently using the
+ S3 BitTorrent feature for 12 months\. After April 29, 2022, BitTorrent clients will
+ no longer connect to Amazon S3\.

The entire page was then removed in commit 7a83e40 (19 May).

At present, the discontinuation notice doesn't appear anywhere in the S3 documentation; all mention of BitTorrent has been completely removed. If somebody is wondering if this feature is still supported or for how much longer it'll be available, that's pretty difficult to find right now.

It would be helpful if there was a page with this warning as part of the S3 documentation, so people could find this information more easily than poking through the commit history.

Hello,

On the 'Deleting multiple objects' page, the below warning is given:

To delete an object in a versioning-enabled bucket with versioning Off, Amazon S3 creates a delete marker. To undo the delete action, delete this delete marker. To confirm this action, type delete.

To delete an object version in a versioning-enabled bucket with versioning On, Amazon S3 will permanently delete the object version. To confirm this action, type permanently delete.

This is incorrect & is the other way round.

It should be:

To delete an object in a versioning-enabled bucket with versioning Off, Amazon S3 will permanently delete the object version. To confirm this action, type permanently delete.

To delete an object version in a versioning-enabled bucket with versioning On, Amazon S3 creates a delete marker. To undo the delete action, delete this delete marker. To confirm this action, type delete.

Following the guide from the snippet below, I've gotten this far, but I don't have the option to select Services for my report.

I created a report with default settings which included some S3 API calls, but I don't think it included all, or it doesn't have the granularity I was looking for. I need to get the egress cost per IAM user.

I have created a policy with full control in S3. I want to read list of users/email address who can access designated s3 bucket?

When i used getBucketAcl it is throwing me my own permissions info (FULL_CONTROL).

List bucketPermissions = s3Client.getBucketAcl(bucket.getName())
.getGrantsAsList().stream().distinct()
.map(t -> t.getPermission().toString())
.collect(Collectors.toList());

Is there a way to read users list with S3 bucket access?

I'm trying to understand the use case for this policy directive "s3:x-amz-server-side-encryption" as demonstrated in this server side encryption page.

If one can enable transparent default encryption for the whole bucket, why use this policy?

Is it to be used where buckets do not have encryption enabled, and therefore enforcing encryption on specific conditions, like specific prefixes, extensions, etc? In this case some files are encryption, some are not.

When use one, and not the other?

{
  "Version": "2012-10-17",
  "Id": "PutObjectPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::awsexamplebucket1/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}

It enforces the client to select the encryption algorithm:

aws s3api put-object --body somefile.png --bucket mybucket --server-side-encryption 'AES256'

This is the help text form the AWS CLI for the --server-side-encryption option:

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

The second example of Example 8: Requiring a minimum TLS version shows an use case which grants access to upload files to everyone ("Principal": "*") if they match the condition of the TLS Version.
In my opinion, this is a poor example inside the official documentation, since inexperienced users could simple copy & paste that example without realizing they open up their bucket to the whole world.

I would like to suggest to expand that example with an IAM role (pull request will follow) in order to mitigate this risky bucket policy.

Thanks!
Marcel

For anonymous users, the following elements are equivalent

"Principal": "*"
"Principal" : { "AWS" : "*" }

This doc stating otherwise: https://github.com/awsdocs/amazon-s3-userguide/blob/main/doc_source/s3-bucket-user-policy-specifying-principal-intro.md
Tested and validated that both allow curl/browser (https://) as well as aws s3 cp (s3://) if you specify "Principal" : { "AWS" : "*" }

I followed the instructions and the Route 53 domain does not link to S3 bucket. The S3 bucket endpoint works, but the domain doesn't. http://gypsyparadise.io.s3-website-us-east-1.amazonaws.com

The only missing part I found, was "create host zone."

1. Select "Create host zone"
2. Enter domain name in box
3. leave default "public hosted zone" selected
4. Finish by selecting "Create host zone" at bottom

Could someone help me with this?

I will add to instructions if this is correct.

The documentation covers what events are generated when the content changes on unversioned s3 buckets, but doesn't document what events if any are generated when a prior version becomes current due to the deletion of the current version (or for that matter, what events are generated when prior versions are deleted).