Module Encryption.Kms

type t

KMS options for ordinary and dual-layer KMS object encryption.

bucket_key_enabled applies to ordinary SSE-KMS destinations. DSSE-KMS request builders reject bucket-key settings because S3 does not support S3 bucket keys for dual-layer KMS encryption.

val create : ?key_id:string -> ?bucket_key_enabled:bool -> unit -> (t, Awskit.Error.t) Stdlib.result

Build KMS encryption options. key_id, when present, must be a valid HTTP header value.

val create_exn : ?key_id:string -> ?bucket_key_enabled:bool -> unit -> t

Like create, but raises Awskit.Error.Awskit_error carrying the structured validation error on validation failure.

val key_id : t -> string option

Return the optional KMS key id.

val bucket_key_enabled : t -> bool option

Return the optional S3 bucket-key setting.