CreateSession - Amazon Simple Storage Service

CreateSession

Creates a session that establishes temporary security credentials to support fast authentication and authorization for the Zonal endpoint API operations on directory buckets. For more information about Zonal endpoint API operations that include the Availability Zone in the request endpoint, see S3 Express One Zone APIs in the Amazon S3 User Guide.

To make Zonal endpoint API requests on a directory bucket, use the CreateSession API operation. Specifically, you grant s3express:CreateSession permission to a bucket in a bucket policy or an IAM identity-based policy. Then, you use IAM credentials to make the CreateSession API request on the bucket, which returns temporary security credentials that include the access key ID, secret access key, session token, and expiration. These credentials have associated permissions to access the Zonal endpoint API operations. After the session is created, you don't need to use other policies to grant permissions to each Zonal endpoint API individually. Instead, in your Zonal endpoint API requests, you sign your requests by applying the temporary security credentials of the session to the request headers and following the SigV4 protocol for authentication. You also apply the session token to the x-amz-s3session-token request header for authorization. Temporary security credentials are scoped to the bucket and expire after 5 minutes. After the expiration time, any calls that you make with those credentials will fail. You must use IAM credentials again to make a CreateSession API request that generates a new set of temporary credentials for use. Temporary credentials cannot be extended or refreshed beyond the original specified interval.

If you use AWS SDKs, the SDKs handle the session token refreshes automatically to avoid service interruptions when a session expires. We recommend that you use the AWS SDKs to initiate and manage requests to the CreateSession API. For more information, see Performance guidelines and design patterns in the Amazon S3 User Guide.
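The two paragraphs above describe what a Zonal endpoint request looks like once a session exists: the session's access key ID and secret sign the request with SigV4, and the session token is carried in the x-amz-s3session-token header. The following is an added example written for this page, not AWS or SDK code, that implements that signing step with the Python standard library. It assumes the SigV4 credential-scope service name for Zonal endpoints is s3express (an assumption of the example, not stated on the page), and the session values, bucket name and object key are constructed placeholders.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Service name used in the SigV4 credential scope. Assumption of this example;
# the page does not state the scope name for Zonal endpoint requests.
SERVICE = "s3express"

# Constructed sample session, shaped like the Credentials element that
# CreateSession returns. These are placeholders, not real credentials.
SAMPLE_SESSION = {
    "AccessKeyId": "ASIAEXAMPLECREATESESS",
    "SecretAccessKey": "constructed/example/secret/not/real",
    "SessionToken": "constructed-session-token",
}


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_access_key: str, date_stamp: str, region: str) -> bytes:
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac(("AWS4" + secret_access_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def sign_zonal_request(method, host, path, session, region, payload=b"", now=None):
    """Return headers for a Zonal endpoint request signed with session credentials.

    The session's AccessKeyId/SecretAccessKey produce the signature; the
    SessionToken goes in x-amz-s3session-token (the header the page names) and is
    part of the signed headers, so a tampered token invalidates the signature.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    payload_hash = _sha256_hex(payload)

    headers = {
        "host": host,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
        "x-amz-s3session-token": session["SessionToken"],
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        method,
        quote(path, safe="/~"),  # S3-style canonical URI: path is not double-encoded
        "",                      # canonical query string: none for this request
        canonical_headers,
        signed_headers,
        payload_hash,
    ])

    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        _sha256_hex(canonical_request.encode("utf-8")),
    ])
    signature = hmac.new(
        signing_key(session["SecretAccessKey"], date_stamp, region),
        string_to_sign.encode("utf-8"), hashlib.sha256,
    ).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={session['AccessKeyId']}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def demo_headers():
    """Sign a GetObject-style request at a fixed time so the result is reproducible."""
    fixed = datetime.datetime(2025, 1, 1, 12, 0, 0, tzinfo=datetime.timezone.utc)
    # Constructed host in the page's directory-bucket form:
    # Bucket-name.s3express-zone-id.region-code.amazonaws.com
    host = "example-bucket--usw2-az1--x-s3.s3express-usw2-az1.us-west-2.amazonaws.com"
    return sign_zonal_request("GET", host, "/reports/q1.csv", SAMPLE_SESSION, "us-west-2", now=fixed)


if __name__ == "__main__":
    for name, value in demo_headers().items():
        print(f"{name}: {value}")
```

The token is placed in x-amz-s3session-token rather than the x-amz-security-token header used for STS credentials; because it is listed in SignedHeaders, the service rejects a request whose token was altered in transit.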

Permissions

To obtain temporary security credentials, you must create a bucket policy or an IAM identity-based policy that grants s3express:CreateSession permission to the bucket. In a policy, you can use the s3express:SessionMode condition key to control who can create a ReadWrite or ReadOnly session. For more information about ReadWrite or ReadOnly sessions, see x-amz-create-session-mode. For example policies, see Example bucket policies for S3 Express One Zone and AWS Identity and Access Management (IAM) identity-based policies for S3 Express One Zone in the Amazon S3 User Guide.

To grant cross-account access to Zonal endpoint API operations, the bucket policy should also grant both accounts the s3express:CreateSession permission.

If you want to encrypt objects with SSE-KMS, you must also have the kms:GenerateDataKey and the kms:Decrypt permissions in IAM identity-based policies and AWS KMS key policies for the target AWS KMS key.
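The Permissions section above says that s3express:CreateSession is granted in a bucket or identity policy and that the s3express:SessionMode condition key restricts which session mode a principal may create. The following added example (written for this page; not AWS's own policy text or evaluator) builds such a bucket policy as a Python structure and evaluates the rule for a requested mode. The account ID, role names and bucket ARN are constructed placeholders, and the evaluator deliberately handles only the Allow/StringEquals constructs the policy uses, not the full IAM evaluation logic.

```python
import json

# Constructed placeholders: not a real account, bucket or set of roles.
ACCOUNT_ID = "111122223333"
BUCKET_ARN = f"arn:aws:s3express:us-west-2:{ACCOUNT_ID}:bucket/example-bucket--usw2-az1--x-s3"
READER_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/AnalyticsReader"
WRITER_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/IngestWriter"

# Least-privilege shape: the reader role can only open ReadOnly sessions, the
# writer role can open either kind (no condition, so any mode is allowed).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReaderGetsReadOnlySessions",
            "Effect": "Allow",
            "Principal": {"AWS": READER_ROLE},
            "Action": "s3express:CreateSession",
            "Resource": BUCKET_ARN,
            "Condition": {"StringEquals": {"s3express:SessionMode": "ReadOnly"}},
        },
        {
            "Sid": "WriterGetsAnySession",
            "Effect": "Allow",
            "Principal": {"AWS": WRITER_ROLE},
            "Action": "s3express:CreateSession",
            "Resource": BUCKET_ARN,
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def effective_mode(header_value):
    """x-amz-create-session-mode defaults to ReadWrite when the header is omitted."""
    return "ReadWrite" if header_value is None else header_value


def session_allowed(policy, principal_arn, bucket_arn, mode):
    """Simplified check: is there an Allow statement granting s3express:CreateSession
    to this principal on this bucket whose s3express:SessionMode condition (if any)
    matches the requested mode? Only Allow + StringEquals are modelled here;
    Deny statements, wildcards and other operators are not."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn not in _as_list(stmt["Principal"]["AWS"]):
            continue
        if "s3express:CreateSession" not in _as_list(stmt["Action"]):
            continue
        if bucket_arn not in _as_list(stmt["Resource"]):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        # No SessionMode condition means the statement allows any mode.
        allowed_modes = _as_list(equals.get("s3express:SessionMode", mode))
        if mode in allowed_modes:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
    for role, header in ((READER_ROLE, "ReadOnly"), (READER_ROLE, None), (WRITER_ROLE, None)):
        mode = effective_mode(header)
        print(f"{role.rsplit('/', 1)[1]} requesting {mode}: {session_allowed(BUCKET_POLICY, role, BUCKET_ARN, mode)}")
```

Note the second reader case: a client that omits x-amz-create-session-mode asks for the default ReadWrite session, which the reader's condition does not permit, so the request is denied rather than silently downgraded.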

Encryption

For directory buckets, there are only two supported options for server-side encryption: server-side encryption with Amazon S3 managed keys (SSE-S3) (AES256) and server-side encryption with AWS KMS keys (SSE-KMS) (aws:kms). We recommend that the bucket's default encryption uses the desired encryption configuration and you don't override the bucket default encryption in your CreateSession requests or PUT object requests. Then, new objects are automatically encrypted with the desired encryption settings. For more information, see Protecting data with server-side encryption in the Amazon S3 User Guide. For more information about the encryption overriding behaviors in directory buckets, see Specifying server-side encryption with AWS KMS for new object uploads.

For Zonal endpoint (object-level) API operations except CopyObject and UploadPartCopy, you authenticate and authorize requests through CreateSession for low latency. To encrypt new objects in a directory bucket with SSE-KMS, you must specify SSE-KMS as the directory bucket's default encryption configuration with a KMS key (specifically, a customer managed key). Then, when a session is created for Zonal endpoint API operations, new objects are automatically encrypted and decrypted with SSE-KMS and S3 Bucket Keys during the session.

Only 1 customer managed key is supported per directory bucket for the lifetime of the bucket. The AWS managed key (aws/s3) isn't supported. After you specify SSE-KMS as your bucket's default encryption configuration with a customer managed key, you can't change the customer managed key for the bucket's SSE-KMS configuration.

In the Zonal endpoint API calls (except CopyObject and UploadPartCopy) using the REST API, you can't override the values of the encryption settings (x-amz-server-side-encryption, x-amz-server-side-encryption-aws-kms-key-id, x-amz-server-side-encryption-context, and x-amz-server-side-encryption-bucket-key-enabled) from the CreateSession request. You don't need to explicitly specify these encryption settings values in Zonal endpoint API calls, and Amazon S3 will use the encryption settings values from the CreateSession request to protect new objects in the directory bucket.

HTTP Host header syntax

Directory buckets - The HTTP Host header syntax is Bucket-name.s3express-zone-id.region-code.amazonaws.com.

Request Syntax

GET /?session HTTP/1.1
Host: Bucket.s3.amazonaws.com
x-amz-create-session-mode: SessionMode
x-amz-server-side-encryption: ServerSideEncryption
x-amz-server-side-encryption-aws-kms-key-id: SSEKMSKeyId
x-amz-server-side-encryption-context: SSEKMSEncryptionContext
x-amz-server-side-encryption-bucket-key-enabled: BucketKeyEnabled

URI Request Parameters

The request uses the following URI parameters.

Bucket

The name of the bucket that you create a session for.

Required: Yes

x-amz-create-session-mode

Specifies the mode of the session that will be created, either ReadWrite or ReadOnly. By default, a ReadWrite session is created. A ReadWrite session is capable of executing all the Zonal endpoint API operations on a directory bucket. A ReadOnly session is constrained to execute the following Zonal endpoint API operations: GetObject, HeadObject, ListObjectsV2, GetObjectAttributes, ListParts, and ListMultipartUploads.

Valid Values: ReadOnly | ReadWrite

x-amz-server-side-encryption

The server-side encryption algorithm to use when you store objects in the directory bucket.

For directory buckets, there are only two supported options for server-side encryption: server-side encryption with Amazon S3 managed keys (SSE-S3) (AES256) and server-side encryption with AWS KMS keys (SSE-KMS) (aws:kms). By default, Amazon S3 encrypts data with SSE-S3. For more information, see Protecting data with server-side encryption in the Amazon S3 User Guide.

S3 access points for Amazon FSx - When accessing data stored in Amazon FSx file systems using S3 access points, the only valid server-side encryption option is aws:fsx. All Amazon FSx file systems have encryption configured by default and are encrypted at rest. Data is automatically encrypted before being written to the file system, and automatically decrypted as it is read. These processes are handled transparently by Amazon FSx.

Valid Values: AES256 | aws:fsx | aws:kms | aws:kms:dsse

x-amz-server-side-encryption-aws-kms-key-id

If you specify x-amz-server-side-encryption with aws:kms, you must specify the x-amz-server-side-encryption-aws-kms-key-id header with the ID (Key ID or Key ARN) of the AWS KMS symmetric encryption customer managed key to use. Otherwise, you get an HTTP 400 Bad Request error. Only use the key ID or key ARN. The key alias format of the KMS key isn't supported. Also, if the KMS key doesn't exist in the same account that's issuing the command, you must use the full Key ARN, not the Key ID.

Your SSE-KMS configuration can only support 1 customer managed key per directory bucket's lifetime. The AWS managed key (aws/s3) isn't supported.

x-amz-server-side-encryption-bucket-key-enabled

Specifies whether Amazon S3 should use an S3 Bucket Key for object encryption with server-side encryption using AWS KMS keys (SSE-KMS).

S3 Bucket Keys are always enabled for GET and PUT operations in a directory bucket and can't be disabled. S3 Bucket Keys aren't supported when you copy SSE-KMS encrypted objects from general purpose buckets to directory buckets, from directory buckets to general purpose buckets, or between directory buckets, through CopyObject, UploadPartCopy, the Copy operation in Batch Operations, or the import jobs. In this case, Amazon S3 makes a call to AWS KMS every time a copy request is made for a KMS-encrypted object.

x-amz-server-side-encryption-context

Specifies the AWS KMS Encryption Context as an additional encryption context to use for object encryption. The value of this header is a Base64 encoded string of a UTF-8 encoded JSON, which contains the encryption context as key-value pairs. This value is stored as object metadata and automatically gets passed on to AWS KMS for future GetObject operations on this object.

General purpose buckets - This value must be explicitly added during CopyObject operations if you want an additional encryption context for your object. For more information, see Encryption context in the Amazon S3 User Guide.

Directory buckets - You can optionally provide an explicit encryption context value. The value must match the default encryption context - the bucket Amazon Resource Name (ARN). An additional encryption context value is not supported.
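The URI Request Parameters above spell out several constraints that the service enforces with an HTTP 400 or by ignoring the value: the session mode must be ReadOnly or ReadWrite, directory buckets accept only AES256 or aws:kms, aws:kms requires a key ID or key ARN (never an alias, never the AWS managed key aws/s3, and a full ARN for a cross-account key), an explicit encryption context must equal the default bucket-ARN context, and Bucket Keys cannot be turned off. The following added example (written for this page, not AWS code) is a pre-flight validator that applies those rules to a header set before the request is sent, so misconfigurations surface in the client rather than as a rejected call. The bucket ARN, key identifiers and the aws:s3:arn context key name are constructed or assumed for the example; the validator compares only the context value, which the page defines.

```python
import base64
import json
import re

# Constructed placeholders: not a real account, bucket or KMS key.
BUCKET_ARN = "arn:aws:s3express:us-west-2:111122223333:bucket/example-bucket--usw2-az1--x-s3"
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_ARN = f"arn:aws:kms:us-west-2:111122223333:key/{KEY_ID}"

KEY_ID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
KEY_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def encode_context(pairs):
    """Base64 of UTF-8 JSON, the wire format the page gives for the context header."""
    return base64.b64encode(json.dumps(pairs).encode("utf-8")).decode("ascii")


def validate_create_session_headers(headers, bucket_arn, caller_account=None, key_owner_account=None):
    """Return a list of problems for a directory-bucket CreateSession header set.

    An empty list means the headers pass the checks the page describes. The
    optional account arguments let the caller flag a bare key ID that refers to
    a key in another account, which the page says must be given as a full ARN.
    """
    problems = []
    h = {name.lower(): value for name, value in headers.items()}

    mode = h.get("x-amz-create-session-mode", "ReadWrite")  # ReadWrite is the documented default
    if mode not in ("ReadOnly", "ReadWrite"):
        problems.append(f"x-amz-create-session-mode must be ReadOnly or ReadWrite, got {mode!r}")

    sse = h.get("x-amz-server-side-encryption")
    key = h.get("x-amz-server-side-encryption-aws-kms-key-id")
    if sse is not None and sse not in ("AES256", "aws:kms"):
        problems.append(f"directory buckets support only AES256 or aws:kms, got {sse!r}")
    if sse == "aws:kms":
        if key is None:
            problems.append("aws:kms requires x-amz-server-side-encryption-aws-kms-key-id (HTTP 400 otherwise)")
        elif key.startswith("alias/") or key == "aws/s3":
            problems.append("key aliases and the AWS managed key aws/s3 are not supported; use a customer managed key ID or ARN")
        elif KEY_ARN_RE.match(key):
            pass  # full ARN: valid for same-account and cross-account keys
        elif KEY_ID_RE.match(key):
            if caller_account and key_owner_account and caller_account != key_owner_account:
                problems.append("the key is in another account; use the full key ARN, not the key ID")
        else:
            problems.append(f"unrecognized KMS key identifier {key!r}; use a key ID or key ARN")

    ctx = h.get("x-amz-server-side-encryption-context")
    if ctx is not None:
        try:
            decoded = json.loads(base64.b64decode(ctx, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError) as exc:
            problems.append(f"encryption context must be Base64 of UTF-8 JSON: {exc}")
        else:
            # Directory buckets accept only the default context: a single pair whose value is the bucket ARN.
            if not isinstance(decoded, dict) or list(decoded.values()) != [bucket_arn]:
                problems.append("encryption context must equal the default (bucket ARN); additional pairs are not supported")

    bucket_key = h.get("x-amz-server-side-encryption-bucket-key-enabled")
    if bucket_key is not None and bucket_key.lower() != "true":
        problems.append("S3 Bucket Keys are always enabled for directory buckets and cannot be disabled")

    return problems


# Constructed request that follows every rule on the page.
GOOD_HEADERS = {
    "x-amz-create-session-mode": "ReadOnly",
    "x-amz-server-side-encryption": "aws:kms",
    "x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN,
    # "aws:s3:arn" as the context key name is an assumption of this example.
    "x-amz-server-side-encryption-context": encode_context({"aws:s3:arn": BUCKET_ARN}),
    "x-amz-server-side-encryption-bucket-key-enabled": "true",
}

# Constructed request that breaks four of the rules at once.
BAD_HEADERS = {
    "x-amz-create-session-mode": "ReadWriteAll",
    "x-amz-server-side-encryption": "aws:kms",
    "x-amz-server-side-encryption-aws-kms-key-id": "alias/app-key",
    "x-amz-server-side-encryption-context": encode_context({"aws:s3:arn": BUCKET_ARN, "team": "analytics"}),
    "x-amz-server-side-encryption-bucket-key-enabled": "false",
}


if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        print(label, validate_create_session_headers(hdrs, BUCKET_ARN) or "ok")
```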

Request Body

The request does not have a request body.

Response Syntax

HTTP/1.1 200
x-amz-server-side-encryption: ServerSideEncryption
x-amz-server-side-encryption-aws-kms-key-id: SSEKMSKeyId
x-amz-server-side-encryption-context: SSEKMSEncryptionContext
x-amz-server-side-encryption-bucket-key-enabled: BucketKeyEnabled
<?xml version="1.0" encoding="UTF-8"?>
<CreateSessionResult>
   <Credentials>
      <AccessKeyId>string</AccessKeyId>
      <Expiration>timestamp</Expiration>
      <SecretAccessKey>string</SecretAccessKey>
      <SessionToken>string</SessionToken>
   </Credentials>
</CreateSessionResult>

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The response returns the following HTTP headers.

x-amz-server-side-encryption

The server-side encryption algorithm used when you store objects in the directory bucket.

Valid Values: AES256 | aws:fsx | aws:kms | aws:kms:dsse

x-amz-server-side-encryption-aws-kms-key-id

If you specify x-amz-server-side-encryption with aws:kms, this header indicates the ID of the AWS KMS symmetric encryption customer managed key that was used for object encryption.

x-amz-server-side-encryption-bucket-key-enabled

Indicates whether to use an S3 Bucket Key for server-side encryption with AWS KMS keys (SSE-KMS).

x-amz-server-side-encryption-context

If present, indicates the AWS KMS Encryption Context to use for object encryption. The value of this header is a Base64 encoded string of a UTF-8 encoded JSON, which contains the encryption context as key-value pairs. This value is stored as object metadata and automatically gets passed on to AWS KMS for future GetObject operations on this object.

The following data is returned in XML format by the service.

CreateSessionResult

Root level tag for the CreateSessionResult parameters.

Required: Yes

Credentials

The established temporary security credentials for the created session.

Type: SessionCredentials data type
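The Response Syntax and Response Elements above give the XML shape of CreateSessionResult, and the introduction states that the credentials expire 5 minutes after issue, cannot be extended, and that the SDKs refresh them automatically. The following added example (written for this page, not SDK code) parses that XML into a credential dict and wraps it in a small cache that re-issues CreateSession shortly before expiry, the behaviour a client without an SDK must implement itself. The response body is a constructed sample with placeholder credentials; the HTTP call is replaced by a stub, and the namespace-stripping is a defensive assumption in case the service returns a namespaced document.

```python
import datetime
import xml.etree.ElementTree as ET

UTC = datetime.timezone.utc

# Constructed sample response in the page's Response Syntax shape.
# The credential values are placeholders, not real AWS credentials.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<CreateSessionResult>
  <Credentials>
    <AccessKeyId>ASIAEXAMPLECREATESESS</AccessKeyId>
    <Expiration>2025-01-01T12:05:00Z</Expiration>
    <SecretAccessKey>constructed/example/secret/not/real</SecretAccessKey>
    <SessionToken>constructed-session-token</SessionToken>
  </Credentials>
</CreateSessionResult>
"""

REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")


def _local(tag):
    """Drop an XML namespace prefix ('{uri}Name' -> 'Name') if one is present."""
    return tag.rsplit("}", 1)[-1]


def parse_expiration(text):
    """Parse the Expiration timestamp (UTC, with or without fractional seconds)."""
    text = text.strip().rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in text else "%Y-%m-%dT%H:%M:%S"
    return datetime.datetime.strptime(text, fmt).replace(tzinfo=UTC)


def parse_create_session(body):
    """Turn a CreateSessionResult document into a dict of the four credential fields."""
    root = ET.fromstring(body)
    if _local(root.tag) != "CreateSessionResult":
        raise ValueError(f"unexpected root element {root.tag!r}")
    creds = {}
    for element in root.iter():
        name = _local(element.tag)
        if name in REQUIRED:
            creds[name] = (element.text or "").strip()
    missing = [name for name in REQUIRED if not creds.get(name)]
    if missing:
        raise ValueError(f"response is missing {missing}")
    creds["Expiration"] = parse_expiration(creds["Expiration"])
    return creds


def expiration_iso(creds):
    return creds["Expiration"].isoformat()


class SessionCache:
    """Hold session credentials and call CreateSession again before they expire.

    `fetch` performs the CreateSession request with IAM credentials and returns
    the raw XML body. Credentials are replaced `refresh_margin` before the
    Expiration the service reported, since an expired session cannot be renewed.
    """

    def __init__(self, fetch, refresh_margin=datetime.timedelta(seconds=30)):
        self._fetch = fetch
        self._margin = refresh_margin
        self._creds = None

    def credentials(self, now=None):
        now = now or datetime.datetime.now(UTC)
        if self._creds is None or now >= self._creds["Expiration"] - self._margin:
            self._creds = parse_create_session(self._fetch())
        return self._creds


def demo():
    """Drive the cache with a stubbed fetch and a fixed clock; returns (key id, fetch count)."""
    calls = []

    def stub_fetch():  # stands in for the signed HTTP CreateSession call
        calls.append(1)
        return SAMPLE_RESPONSE

    cache = SessionCache(stub_fetch)
    t0 = datetime.datetime(2025, 1, 1, 12, 0, 0, tzinfo=UTC)
    first = cache.credentials(now=t0)                                      # issues session 1
    cache.credentials(now=t0 + datetime.timedelta(minutes=4))              # still fresh: cached
    cache.credentials(now=t0 + datetime.timedelta(minutes=4, seconds=31))  # inside 30 s margin: re-issued
    return first["AccessKeyId"], len(calls)


if __name__ == "__main__":
    key_id, fetches = demo()
    print(f"session {key_id} expires {expiration_iso(parse_create_session(SAMPLE_RESPONSE))}; fetches={fetches}")
```

The secret access key and session token are treated as in-memory values only; they are never written to the log line, which is the habit to keep for any short-lived credential.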

Errors

NoSuchBucket

The specified bucket does not exist.

HTTP Status Code: 404

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

