{
   "Version":"2012-10-17",
   "Id":"PutObjectPolicy",
   "Statement":[{
         "Sid":"DenyObjectsThatAreNotSSEKMS",
         "Effect":"Deny",
         "Principal":"*",
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::multi-key-poc/*",
         "Condition":{
            "Null":{
               "s3:x-amz-server-side-encryption-aws-kms-key-id":"true"
            }
         }
      }
   ]

			[in] uint32_t access_mask,
			[in] uint32_t rid,
			[out] policy_handle *alias_handle);

	[op(0x21)]
	int SamrGetMembersInAlias([in] policy_handle *alias_handle,
			[out] LsarSidArray *sids);

	typedef [v1_enum] enum {
		SE_GROUP_MANDATORY          = 0x00000001,
		SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002,
		SE_GROUP_ENABLED            = 0x00000004,
		SE_GROUP_OWNER              = 0x00000008,

	return
}

// EncryptSinglePart encrypts an io.Reader which must be the
// body of a single-part PUT request.
func EncryptSinglePart(r io.Reader, key ObjectKey) io.Reader {
	r, err := sio.EncryptReader(r, sio.Config{MinVersion: sio.Version20, Key: key[:], CipherSuites: fips.DARECiphers()})
	if err != nil {
		logger.CriticalIf(context.Background(), errors.New("Unable to encrypt io.Reader using object key"))
	}
	return r
}

//
//	For example: ceb8853ddc5086cc4ab9e149f8f09c88-5
//
// However, this scheme is only used for multipart objects that are
// not encrypted.
//
// # Server-side Encryption
//
// S3 specifies three types of server-side-encryption - SSE-C, SSE-S3
// and SSE-KMS - with different semantics w.r.t. ETags.
// In case of SSE-S3, the ETag of an object is computed the same as

Poorna <******@****.***> 1716056341 -0700

	objectEncryptionKey, err := newEncryptMetadata(ctx, kind, keyID, key, bucket, object, metadata, cryptoCtx)
	if err != nil {
		return nil, crypto.ObjectKey{}, err
	}

	reader, err := sio.EncryptReader(content, sio.Config{Key: objectEncryptionKey[:], MinVersion: sio.Version20, CipherSuites: fips.DARECiphers()})
	if err != nil {
		return nil, crypto.ObjectKey{}, crypto.ErrInvalidCustomerKey
	}

	return reader, objectEncryptionKey, nil
}

- To be able to easily get the temporary credentials to upload to a prefix. Make it possible for a client to upload a whole folder using the session. The server side applications need not create a presigned URL and serve to the client for each file. Since, the client would have the session it can do it by itself.

			[in] uint32_t access_mask,
			[in] uint32_t rid,
			[out] policy_handle *alias_handle);

	[op(0x21)]
	int SamrGetMembersInAlias([in] policy_handle *alias_handle,
			[out] LsarSidArray *sids);

	typedef [v1_enum] enum {
		SE_GROUP_MANDATORY          = 0x00000001,
		SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002,
		SE_GROUP_ENABLED            = 0x00000004,
		SE_GROUP_OWNER              = 0x00000008,

test-iam-import-with-openid: install-race
	@echo "Test IAM import configurations with openid"
	@env bash $(PWD)/docs/distributed/iam-import-with-openid.sh

test-sio-error:
	@(env bash $(PWD)/docs/bucket/replication/sio-error.sh)

test-replication-2site:
	@(env bash $(PWD)/docs/bucket/replication/setup_2site_existing_replication.sh)

test-replication-3site:

bject-retention.html) enabled. Similarly objects encrypted on the server side, will be replicated if destination also supports encryption.

Replication status can be seen in the metadata on the source and destination objects. On the source side, the `X-Amz-Replication-Status` changes from `PENDING` to `COMPLETED` or `FAILED` after replication attempt either succeeded or failed respectively. On the destination side, a `X-Amz-Replication-Status` status of `REPLICA` indicates that the object...