packages feed

amazonka-s3-2.0: gen/Amazonka/S3/Types/ServerSideEncryptionByDefault.hs

{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE DuplicateRecordFields #-}
{-# LANGUAGE NamedFieldPuns #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Amazonka.S3.Types.ServerSideEncryptionByDefault
-- Copyright   : (c) 2013-2023 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
module Amazonka.S3.Types.ServerSideEncryptionByDefault where

import qualified Amazonka.Core as Core
import qualified Amazonka.Core.Lens.Internal as Lens
import qualified Amazonka.Data as Data
import qualified Amazonka.Prelude as Prelude
import Amazonka.S3.Internal
import Amazonka.S3.Types.ServerSideEncryption

-- | Describes the default server-side encryption to apply to new objects in
-- the bucket. If a PUT Object request doesn\'t specify any server-side
-- encryption, this default encryption will be applied. If you don\'t
-- specify a customer managed key at configuration, Amazon S3 automatically
-- creates an Amazon Web Services KMS key in your Amazon Web Services
-- account the first time that you add an object encrypted with SSE-KMS to
-- a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS. For more
-- information, see
-- <https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html PUT Bucket encryption>
-- in the /Amazon S3 API Reference/.
--
-- /See:/ 'newServerSideEncryptionByDefault' smart constructor.
data ServerSideEncryptionByDefault = ServerSideEncryptionByDefault'
  { -- | Amazon Web Services Key Management Service (KMS) customer Amazon Web
    -- Services KMS key ID to use for the default encryption. This parameter is
    -- allowed if and only if @SSEAlgorithm@ is set to @aws:kms@.
    --
    -- You can specify the key ID or the Amazon Resource Name (ARN) of the KMS
    -- key. However, if you are using encryption with cross-account or Amazon
    -- Web Services service operations you must use a fully qualified KMS key
    -- ARN. For more information, see
    -- <https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy Using encryption for cross-account operations>.
    --
    -- __For example:__
    --
    -- -   Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@
    --
    -- -   Key ARN:
    --     @arn:aws:kms:us-east-2:111122223333:key\/1234abcd-12ab-34cd-56ef-1234567890ab@
    --
    -- Amazon S3 only supports symmetric KMS keys and not asymmetric KMS keys.
    -- For more information, see
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html Using symmetric and asymmetric keys>
    -- in the /Amazon Web Services Key Management Service Developer Guide/.
    kmsMasterKeyID :: Prelude.Maybe (Data.Sensitive Prelude.Text),
    -- | Server-side encryption algorithm to use for the default encryption.
    sSEAlgorithm :: ServerSideEncryption
  }
  deriving (Prelude.Eq, Prelude.Show, Prelude.Generic)

-- |
-- Create a value of 'ServerSideEncryptionByDefault' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'kmsMasterKeyID', 'serverSideEncryptionByDefault_kmsMasterKeyID' - Amazon Web Services Key Management Service (KMS) customer Amazon Web
-- Services KMS key ID to use for the default encryption. This parameter is
-- allowed if and only if @SSEAlgorithm@ is set to @aws:kms@.
--
-- You can specify the key ID or the Amazon Resource Name (ARN) of the KMS
-- key. However, if you are using encryption with cross-account or Amazon
-- Web Services service operations you must use a fully qualified KMS key
-- ARN. For more information, see
-- <https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy Using encryption for cross-account operations>.
--
-- __For example:__
--
-- -   Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- -   Key ARN:
--     @arn:aws:kms:us-east-2:111122223333:key\/1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- Amazon S3 only supports symmetric KMS keys and not asymmetric KMS keys.
-- For more information, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html Using symmetric and asymmetric keys>
-- in the /Amazon Web Services Key Management Service Developer Guide/.
--
-- 'sSEAlgorithm', 'serverSideEncryptionByDefault_sSEAlgorithm' - Server-side encryption algorithm to use for the default encryption.
newServerSideEncryptionByDefault ::
  -- | 'sSEAlgorithm'
  ServerSideEncryption ->
  ServerSideEncryptionByDefault
newServerSideEncryptionByDefault pSSEAlgorithm_ =
  ServerSideEncryptionByDefault'
    { kmsMasterKeyID =
        Prelude.Nothing,
      sSEAlgorithm = pSSEAlgorithm_
    }

-- | Amazon Web Services Key Management Service (KMS) customer Amazon Web
-- Services KMS key ID to use for the default encryption. This parameter is
-- allowed if and only if @SSEAlgorithm@ is set to @aws:kms@.
--
-- You can specify the key ID or the Amazon Resource Name (ARN) of the KMS
-- key. However, if you are using encryption with cross-account or Amazon
-- Web Services service operations you must use a fully qualified KMS key
-- ARN. For more information, see
-- <https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy Using encryption for cross-account operations>.
--
-- __For example:__
--
-- -   Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- -   Key ARN:
--     @arn:aws:kms:us-east-2:111122223333:key\/1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- Amazon S3 only supports symmetric KMS keys and not asymmetric KMS keys.
-- For more information, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html Using symmetric and asymmetric keys>
-- in the /Amazon Web Services Key Management Service Developer Guide/.
serverSideEncryptionByDefault_kmsMasterKeyID :: Lens.Lens' ServerSideEncryptionByDefault (Prelude.Maybe Prelude.Text)
serverSideEncryptionByDefault_kmsMasterKeyID = Lens.lens (\ServerSideEncryptionByDefault' {kmsMasterKeyID} -> kmsMasterKeyID) (\s@ServerSideEncryptionByDefault' {} a -> s {kmsMasterKeyID = a} :: ServerSideEncryptionByDefault) Prelude.. Lens.mapping Data._Sensitive

-- | Server-side encryption algorithm to use for the default encryption.
serverSideEncryptionByDefault_sSEAlgorithm :: Lens.Lens' ServerSideEncryptionByDefault ServerSideEncryption
serverSideEncryptionByDefault_sSEAlgorithm = Lens.lens (\ServerSideEncryptionByDefault' {sSEAlgorithm} -> sSEAlgorithm) (\s@ServerSideEncryptionByDefault' {} a -> s {sSEAlgorithm = a} :: ServerSideEncryptionByDefault)

instance Data.FromXML ServerSideEncryptionByDefault where
  parseXML x =
    ServerSideEncryptionByDefault'
      Prelude.<$> (x Data..@? "KMSMasterKeyID")
      Prelude.<*> (x Data..@ "SSEAlgorithm")

instance
  Prelude.Hashable
    ServerSideEncryptionByDefault
  where
  hashWithSalt _salt ServerSideEncryptionByDefault' {..} =
    _salt
      `Prelude.hashWithSalt` kmsMasterKeyID
      `Prelude.hashWithSalt` sSEAlgorithm

instance Prelude.NFData ServerSideEncryptionByDefault where
  rnf ServerSideEncryptionByDefault' {..} =
    Prelude.rnf kmsMasterKeyID
      `Prelude.seq` Prelude.rnf sSEAlgorithm

instance Data.ToXML ServerSideEncryptionByDefault where
  toXML ServerSideEncryptionByDefault' {..} =
    Prelude.mconcat
      [ "KMSMasterKeyID" Data.@= kmsMasterKeyID,
        "SSEAlgorithm" Data.@= sSEAlgorithm
      ]