Directory buckets - The HTTP Host header syntax isBucket-name.s3express-zone-id.region-code.amazonaws.com.

The bucket name to which the PUT action was initiated.

Directory buckets - When you use this operation with a directory bucket, you must use virtual-hosted-style requests in the formatBucket-name.s3express-zone-id.region-code.amazonaws.com. Path-style requests are not supported. Directory bucket names must be unique in the chosen Zone (Availability Zone or Local Zone). Bucket names must follow the formatbucket-base-name--zone-id--x-s3 (for example,amzn-s3-demo-bucket--usw2-az1--x-s3). For information about bucket naming restrictions, seeDirectory bucket naming rules in theAmazon S3 User Guide.

Access points - When you use this action with an access point for general purpose buckets, you must provide the alias of the access point in place of the bucket name or specify the access point ARN. When you use this action with an access point for directory buckets, you must provide the access point name in place of the bucket name. When using the access point ARN, you must direct requests to the access point hostname. The access point hostname takes the formAccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the AWS SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, seeUsing access points in theAmazon S3 User Guide.

S3 on Outposts - When you use this action with S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the formAccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts, the destination bucket must be the Outposts access point ARN or the access point alias. For more information about S3 on Outposts, seeWhat is S3 on Outposts? in theAmazon S3 User Guide.

Required: Yes

Can be used to specify caching behavior along the request/reply chain. For more information, seehttp://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.

Specifies presentational information for the object. For more information, seehttps://www.rfc-editor.org/rfc/rfc6266#section-4.

Specifies what content encodings have been applied to the object and thus what decoding mechanisms must be applied to obtain the media-type referenced by the Content-Type header field. For more information, seehttps://www.rfc-editor.org/rfc/rfc9110.html#field.content-encoding.

The language the content is in.

Size of the body in bytes. This parameter is useful when the size of the body cannot be determined automatically. For more information, seehttps://www.rfc-editor.org/rfc/rfc9110.html#name-content-length.

The Base64 encoded 128-bitMD5 digest of the message (without the headers) according to RFC 1864. This header can be used as a message integrity check to verify that the data is the same data that was originally sent. Although it is optional, we recommend using the Content-MD5 mechanism as an end-to-end integrity check. For more information about REST request authentication, seeREST Authentication.

A standard MIME type describing the format of the contents. For more information, seehttps://www.rfc-editor.org/rfc/rfc9110.html#name-content-type.

The date and time at which the object is no longer cacheable. For more information, seehttps://www.rfc-editor.org/rfc/rfc7234#section-5.3.

Uploads the object only if the ETag (entity tag) value provided during the WRITE operation matches the ETag of the object in S3. If the ETag values do not match, the operation returns a412 Precondition Failed error.

If a conflicting operation occurs during the upload S3 returns a409 ConditionalRequestConflict response. On a 409 failure you should fetch the object's ETag and retry the upload.

Expects the ETag value as a string.

For more information about conditional requests, seeRFC 7232, orConditional requests in theAmazon S3 User Guide.

Uploads the object only if the object key name does not already exist in the bucket specified. Otherwise, Amazon S3 returns a412 Precondition Failed error.

If a conflicting operation occurs during the upload S3 returns a409 ConditionalRequestConflict response. On a 409 failure you should retry the upload.

Expects the '*' (asterisk) character.

For more information about conditional requests, seeRFC 7232, orConditional requests in theAmazon S3 User Guide.

Object key for which the PUT action was initiated.

Length Constraints: Minimum length of 1.

Required: Yes

The canned ACL to apply to the object. For more information, seeCanned ACL in theAmazon S3 User Guide.

When adding a new object, you can use headers to grant ACL-based permissions to individual AWS accounts or to predefined groups defined by Amazon S3. These permissions are then added to the ACL on the object. By default, all objects are private. Only the owner has full access control. For more information, seeAccess Control List (ACL) Overview andManaging ACLs Using the REST API in theAmazon S3 User Guide.

If the bucket that you're uploading objects to uses the bucket owner enforced setting for S3 Object Ownership, ACLs are disabled and no longer affect permissions. Buckets that use this setting only accept PUT requests that don't specify an ACL or PUT requests that specify bucket owner full control ACLs, such as thebucket-owner-full-control canned ACL or an equivalent form of this ACL expressed in the XML format. PUT requests that contain other ACLs (for example, custom grants to certain AWS accounts) fail and return a400 error with the error codeAccessControlListNotSupported. For more information, see Controlling ownership of objects and disabling ACLs in theAmazon S3 User Guide.

Valid Values:private | public-read | public-read-write | authenticated-read | aws-exec-read | bucket-owner-read | bucket-owner-full-control

This header can be used as a data integrity check to verify that the data received is the same data that was originally sent. This header specifies the Base64 encoded, 32-bitCRC32 checksum of the object. For more information, seeChecking object integrity in theAmazon S3 User Guide.

This header can be used as a data integrity check to verify that the data received is the same data that was originally sent. This header specifies the Base64 encoded, 32-bitCRC32C checksum of the object. For more information, seeChecking object integrity in theAmazon S3 User Guide.

This header can be used as a data integrity check to verify that the data received is the same data that was originally sent. This header specifies the Base64 encoded, 64-bitCRC64NVME checksum of the object. TheCRC64NVME checksum is always a full object checksum. For more information, seeChecking object integrity in the Amazon S3 User Guide.

This header can be used as a data integrity check to verify that the data received is the same data that was originally sent. This header specifies the Base64 encoded, 160-bitSHA1 digest of the object. For more information, seeChecking object integrity in theAmazon S3 User Guide.

This header can be used as a data integrity check to verify that the data received is the same data that was originally sent. This header specifies the Base64 encoded, 256-bitSHA256 digest of the object. For more information, seeChecking object integrity in theAmazon S3 User Guide.

The account ID of the expected bucket owner. If the account ID that you provide does not match the actual owner of the bucket, the request fails with the HTTP status code403 Forbidden (access denied).

Gives the grantee READ, READ_ACP, and WRITE_ACP permissions on the object.

Allows grantee to read the object data and its metadata.

Allows grantee to read the object ACL.

Allows grantee to write the ACL for the applicable object.

Specifies whether a legal hold will be applied to this object. For more information about S3 Object Lock, seeObject Lock in theAmazon S3 User Guide.

Valid Values:ON | OFF

The Object Lock mode that you want to apply to this object.

Valid Values:GOVERNANCE | COMPLIANCE

The date and time when you want this object's Object Lock to expire. Must be formatted as a timestamp parameter.

Confirms that the requester knows that they will be charged for the request. Bucket owners need not specify this parameter in their requests. If either the source or destination S3 bucket has Requester Pays enabled, the requester will pay for corresponding charges to copy the object. For information about downloading objects from Requester Pays buckets, seeDownloading Objects in Requester Pays Buckets in theAmazon S3 User Guide.

Valid Values:requester

Indicates the algorithm used to create the checksum for the object when you use the SDK. This header will not provide any additional functionality if you don't use the SDK. When you send this header, there must be a correspondingx-amz-checksum-algorithm orx-amz-trailer header sent. Otherwise, Amazon S3 fails the request with the HTTP status code400 Bad Request.

For thex-amz-checksum-algorithm header, replacealgorithm with the supported algorithm from the following list:

For more information, seeChecking object integrity in theAmazon S3 User Guide.

If the individual checksum value you provide throughx-amz-checksum-algorithm doesn't match the checksum algorithm you set throughx-amz-sdk-checksum-algorithm, Amazon S3 fails the request with aBadDigest error.

For directory buckets, when you use AWS SDKs,CRC32 is the default checksum algorithm that's used for performance.

Valid Values:CRC32 | CRC32C | SHA1 | SHA256 | CRC64NVME

The server-side encryption algorithm that was used when you store this object in Amazon S3 or Amazon FSx.

Valid Values:AES256 | aws:fsx | aws:kms | aws:kms:dsse

Specifies the AWS KMS key ID (Key ID, Key ARN, or Key Alias) to use for object encryption. If the KMS key doesn't exist in the same account that's issuing the command, you must use the full Key ARN not the Key ID.

General purpose buckets - If you specifyx-amz-server-side-encryption withaws:kms oraws:kms:dsse, this header specifies the ID (Key ID, Key ARN, or Key Alias) of the AWS KMS key to use. If you specifyx-amz-server-side-encryption:aws:kms orx-amz-server-side-encryption:aws:kms:dsse, but do not providex-amz-server-side-encryption-aws-kms-key-id, Amazon S3 uses the AWS managed key (aws/s3) to protect the data.

Directory buckets - To encrypt data using SSE-KMS, it's recommended to specify thex-amz-server-side-encryption header toaws:kms. Then, thex-amz-server-side-encryption-aws-kms-key-id header implicitly uses the bucket's default KMS customer managed key ID. If you want to explicitly set the x-amz-server-side-encryption-aws-kms-key-id header, it must match the bucket's default customer managed key (using key ID or ARN, not alias). Your SSE-KMS configuration can only support 1customer managed key per directory bucket's lifetime. TheAWS managed key (aws/s3) isn't supported. Incorrect key specification results in an HTTP400 Bad Request error.

Specifies whether Amazon S3 should use an S3 Bucket Key for object encryption with server-side encryption using AWS Key Management Service (AWS KMS) keys (SSE-KMS).

General purpose buckets - Setting this header totrue causes Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS. Also, specifying this header with a PUT action doesn't affect bucket-level settings for S3 Bucket Key.

Directory buckets - S3 Bucket Keys are always enabled forGET andPUT operations in a directory bucket and can’t be disabled. S3 Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects from general purpose buckets to directory buckets, from directory buckets to general purpose buckets, or between directory buckets, throughCopyObject,UploadPartCopy,the Copy operation in Batch Operations, orthe import jobs. In this case, Amazon S3 makes a call to AWS KMS every time a copy request is made for a KMS-encrypted object.

Specifies the AWS KMS Encryption Context as an additional encryption context to use for object encryption. The value of this header is a Base64 encoded string of a UTF-8 encoded JSON, which contains the encryption context as key-value pairs. This value is stored as object metadata and automatically gets passed on to AWS KMS for futureGetObject operations on this object.

General purpose buckets - This value must be explicitly added duringCopyObject operations if you want an additional encryption context for your object. For more information, seeEncryption context in theAmazon S3 User Guide.

Directory buckets - You can optionally provide an explicit encryption context value. The value must match the default encryption context - the bucket Amazon Resource Name (ARN). An additional encryption context value is not supported.

Specifies the algorithm to use when encrypting the object (for example,AES256).

Specifies the customer-provided encryption key for Amazon S3 to use in encrypting data. This value is used to store the object and then it is discarded; Amazon S3 does not store the encryption key. The key must be appropriate for use with the algorithm specified in thex-amz-server-side-encryption-customer-algorithm header.

Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure that the encryption key was transmitted without error.

By default, Amazon S3 uses the STANDARD Storage Class to store newly created objects. The STANDARD storage class provides high durability and high availability. Depending on performance needs, you can specify a different Storage Class. For more information, seeStorage Classes in theAmazon S3 User Guide.

Valid Values:STANDARD | REDUCED_REDUNDANCY | STANDARD_IA | ONEZONE_IA | INTELLIGENT_TIERING | GLACIER | DEEP_ARCHIVE | OUTPOSTS | GLACIER_IR | SNOW | EXPRESS_ONEZONE | FSX_OPENZFS

The tag-set for the object. The tag-set must be encoded as URL Query parameters. (For example, "Key1=Value1")

If the bucket is configured as a website, redirects requests for this object to another object in the same bucket or to an external URL. Amazon S3 stores the value of this header in the object metadata. For information about object metadata, seeObject Key and Metadata in theAmazon S3 User Guide.

In the following example, the request header sets the redirect to an object (anotherPage.html) in the same bucket:

x-amz-website-redirect-location: /anotherPage.html

In the following example, the request header sets the object redirect to another website:

x-amz-website-redirect-location: http://www.example.com/

For more information about website hosting in Amazon S3, seeHosting Websites on Amazon S3 andHow to Configure Website Page Redirects in theAmazon S3 User Guide.

Specifies the offset for appending data to existing objects in bytes. The offset must be equal to the size of the existing object being appended to. If no object exists, setting this header to 0 will create a new object.

Entity tag for the uploaded object.

General purpose buckets - To ensure that data is not corrupted traversing the network, for objects where the ETag is the MD5 digest of the object, you can calculate the MD5 while putting an object to Amazon S3 and compare the returned ETag to the calculated MD5 value.

Directory buckets - The ETag for the object in a directory bucket isn't the MD5 digest of the object.

The Base64 encoded, 32-bitCRC32 checksum of the object. This checksum is only be present if the checksum was uploaded with the object. When you use an API operation on an object that was uploaded using multipart uploads, this value may not be a direct checksum value of the full object. Instead, it's a calculation based on the checksum values of each individual part. For more information about how checksums are calculated with multipart uploads, see Checking object integrity in theAmazon S3 User Guide.

The Base64 encoded, 32-bitCRC32C checksum of the object. This checksum is only present if the checksum was uploaded with the object. When you use an API operation on an object that was uploaded using multipart uploads, this value may not be a direct checksum value of the full object. Instead, it's a calculation based on the checksum values of each individual part. For more information about how checksums are calculated with multipart uploads, see Checking object integrity in theAmazon S3 User Guide.

The Base64 encoded, 64-bitCRC64NVME checksum of the object. This header is present if the object was uploaded with theCRC64NVME checksum algorithm, or if it was uploaded without a checksum (and Amazon S3 added the default checksum,CRC64NVME, to the uploaded object). For more information about how checksums are calculated with multipart uploads, seeChecking object integrity in the Amazon S3 User Guide.

The Base64 encoded, 160-bitSHA1 digest of the object. This will only be present if the object was uploaded with the object. When you use the API operation on an object that was uploaded using multipart uploads, this value may not be a direct checksum value of the full object. Instead, it's a calculation based on the checksum values of each individual part. For more information about how checksums are calculated with multipart uploads, see Checking object integrity in theAmazon S3 User Guide.

The Base64 encoded, 256-bitSHA256 digest of the object. This will only be present if the object was uploaded with the object. When you use an API operation on an object that was uploaded using multipart uploads, this value may not be a direct checksum value of the full object. Instead, it's a calculation based on the checksum values of each individual part. For more information about how checksums are calculated with multipart uploads, see Checking object integrity in theAmazon S3 User Guide.

This header specifies the checksum type of the object, which determines how part-level checksums are combined to create an object-level checksum for multipart objects. ForPutObject uploads, the checksum type is alwaysFULL_OBJECT. You can use this header as a data integrity check to verify that the checksum type that is received is the same checksum that was specified. For more information, seeChecking object integrity in theAmazon S3 User Guide.

Valid Values:COMPOSITE | FULL_OBJECT

If the expiration is configured for the object (seePutBucketLifecycleConfiguration) in theAmazon S3 User Guide, the response includes this header. It includes theexpiry-date andrule-id key-value pairs that provide information about object expiration. The value of therule-id is URL-encoded.

The size of the object in bytes. This value is only be present if you append to an object.

If present, indicates that the requester was successfully charged for the request. For more information, seeUsing Requester Pays buckets for storage transfers and usage in theAmazon Simple Storage Service user guide.

Valid Values:requester

The server-side encryption algorithm used when you store this object in Amazon S3 or Amazon FSx.

Valid Values:AES256 | aws:fsx | aws:kms | aws:kms:dsse

If present, indicates the ID of the KMS key that was used for object encryption.

Indicates whether the uploaded object uses an S3 Bucket Key for server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS).

If present, indicates the AWS KMS Encryption Context to use for object encryption. The value of this header is a Base64 encoded string of a UTF-8 encoded JSON, which contains the encryption context as key-value pairs. This value is stored as object metadata and automatically gets passed on to AWS KMS for futureGetObject operations on this object.

If server-side encryption with a customer-provided encryption key was requested, the response will include this header to confirm the encryption algorithm that's used.

If server-side encryption with a customer-provided encryption key was requested, the response will include this header to provide the round-trip message integrity verification of the customer-provided encryption key.

Version ID of the object.

If you enable versioning for a bucket, Amazon S3 automatically generates a unique version ID for the object being stored. Amazon S3 returns this ID in the response. When you enable versioning for a bucket, if Amazon S3 receives multiple write requests for the same object simultaneously, it stores all of the objects. For more information about versioning, seeAdding Objects to Versioning-Enabled Buckets in theAmazon S3 User Guide. For information about returning the versioning state of a bucket, seeGetBucketVersioning.

The existing object was created with a different encryption type. Subsequent write requests must include the appropriate encryption parameters in the request or while creating the session.

HTTP Status Code: 400

You may receive this error in multiple cases. Depending on the reason for the error, you may receive one of the messages below:

HTTP Status Code: 400

The write offset value that you specified does not match the current object size.

HTTP Status Code: 400

You have attempted to add more parts than the maximum of 10000 that are allowed for this object. You can use the CopyObject operation to copy this object to another and then add more data to the newly copied object.

HTTP Status Code: 400