AbortMultipartUpload

enum_RequestPayer := [ "requester" ]

valid {
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.uploadId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CompleteMultipartUpload

enum_RequestPayer := [ "requester" ]

valid {
    input.Body.CompleteMultipartUpload.Part[_].ETag == STRING
    input.Body.CompleteMultipartUpload.Part[_].ChecksumCRC32 == STRING
    input.Body.CompleteMultipartUpload.Part[_].ChecksumCRC32C == STRING
    input.Body.CompleteMultipartUpload.Part[_].ChecksumSHA1 == STRING
    input.Body.CompleteMultipartUpload.Part[_].ChecksumSHA256 == STRING
    input.Body.CompleteMultipartUpload.Part[_].PartNumber == INTEGER
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.uploadId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CopyObject

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_MetadataDirective := [ "COPY", "REPLACE" ]
enum_ObjectCannedACL := [ "private", "public-read", "public-read-write", "authenticated-read", "aws-exec-read", "bucket-owner-read", "bucket-owner-full-control" ]
enum_ObjectLockLegalHoldStatus := [ "ON", "OFF" ]
enum_ObjectLockMode := [ "GOVERNANCE", "COMPLIANCE" ]
enum_RequestPayer := [ "requester" ]
enum_ServerSideEncryption := [ "AES256", "aws:kms", "aws:kms:dsse" ]
enum_StorageClass := [ "STANDARD", "REDUCED_REDUNDANCY", "STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING", "GLACIER", "DEEP_ARCHIVE", "OUTPOSTS", "GLACIER_IR", "SNOW", "EXPRESS_ONEZONE" ]
enum_TaggingDirective := [ "COPY", "REPLACE" ]

valid {
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateBucket

enum_BucketCannedACL := [ "private", "public-read", "public-read-write", "authenticated-read" ]
enum_BucketLocationConstraint := [ "af-south-1", "ap-east-1", "ap-northeast-1", "ap-northeast-2", "ap-northeast-3", "ap-south-1", "ap-south-2", "ap-southeast-1", "ap-southeast-2", "ap-southeast-3", "ca-central-1", "cn-north-1", "cn-northwest-1", "EU", "eu-central-1", "eu-north-1", "eu-south-1", "eu-south-2", "eu-west-1", "eu-west-2", "eu-west-3", "me-south-1", "sa-east-1", "us-east-2", "us-gov-east-1", "us-gov-west-1", "us-west-1", "us-west-2" ]
enum_BucketType := [ "Directory" ]
enum_DataRedundancy := [ "SingleAvailabilityZone", "SingleLocalZone" ]
enum_LocationType := [ "AvailabilityZone", "LocalZone" ]
enum_ObjectOwnership := [ "BucketOwnerPreferred", "ObjectWriter", "BucketOwnerEnforced" ]

valid {
    input.Body.CreateBucketConfiguration.LocationConstraint == enum_BucketLocationConstraint[_]
    input.Body.CreateBucketConfiguration.Location.Type == enum_LocationType[_]
    input.Body.CreateBucketConfiguration.Location.Name == STRING
    input.Body.CreateBucketConfiguration.Bucket.DataRedundancy == enum_DataRedundancy[_]
    input.Body.CreateBucketConfiguration.Bucket.Type == enum_BucketType[_]
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateBucketMetadataTableConfiguration

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]

valid {
    input.Body.MetadataTableConfiguration.S3TablesDestination.TableBucketArn == STRING
    input.Body.MetadataTableConfiguration.S3TablesDestination.TableName == STRING
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateMultipartUpload

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_ObjectCannedACL := [ "private", "public-read", "public-read-write", "authenticated-read", "aws-exec-read", "bucket-owner-read", "bucket-owner-full-control" ]
enum_ObjectLockLegalHoldStatus := [ "ON", "OFF" ]
enum_ObjectLockMode := [ "GOVERNANCE", "COMPLIANCE" ]
enum_RequestPayer := [ "requester" ]
enum_ServerSideEncryption := [ "AES256", "aws:kms", "aws:kms:dsse" ]
enum_StorageClass := [ "STANDARD", "REDUCED_REDUNDANCY", "STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING", "GLACIER", "DEEP_ARCHIVE", "OUTPOSTS", "GLACIER_IR", "SNOW", "EXPRESS_ONEZONE" ]

valid {
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateSession

enum_ServerSideEncryption := [ "AES256", "aws:kms", "aws:kms:dsse" ]
enum_SessionMode := [ "ReadOnly", "ReadWrite" ]

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteBucket

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteBucketAnalyticsConfiguration

valid {
    input.ReqMap.Bucket == STRING
    input.Qs.id == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteBucketCors

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteBucketEncryption

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteBucketIntelligentTieringConfiguration

valid {
    input.ReqMap.Bucket == STRING
    input.Qs.id == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteBucketInventoryConfiguration

valid {
    input.ReqMap.Bucket == STRING
    input.Qs.id == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteBucketLifecycle

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteBucketMetadataTableConfiguration

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteBucketMetricsConfiguration

valid {
    input.ReqMap.Bucket == STRING
    input.Qs.id == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteBucketOwnershipControls

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteBucketPolicy

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteBucketReplication

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteBucketTagging

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteBucketWebsite

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteObject

enum_RequestPayer := [ "requester" ]

valid {
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.versionId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteObjectTagging

valid {
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.versionId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteObjects

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_RequestPayer := [ "requester" ]

valid {
    input.Body.Delete.Object[_].Key == STRING
    input.Body.Delete.Object[_].VersionId == STRING
    input.Body.Delete.Object[_].ETag == STRING
    input.Body.Delete.Object[_].LastModifiedTime == TIMESTAMP
    input.Body.Delete.Object[_].Size == LONG
    input.Body.Delete.Quiet == BOOLEAN
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeletePublicAccessBlock

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketAccelerateConfiguration

enum_RequestPayer := [ "requester" ]

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketAcl

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketAnalyticsConfiguration

valid {
    input.ReqMap.Bucket == STRING
    input.Qs.id == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketCors

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketEncryption

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketIntelligentTieringConfiguration

valid {
    input.ReqMap.Bucket == STRING
    input.Qs.id == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketInventoryConfiguration

valid {
    input.ReqMap.Bucket == STRING
    input.Qs.id == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketLifecycleConfiguration

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketLocation

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketLogging

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketMetadataTableConfiguration

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketMetricsConfiguration

valid {
    input.ReqMap.Bucket == STRING
    input.Qs.id == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketNotificationConfiguration

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketOwnershipControls

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketPolicy

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketPolicyStatus

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketReplication

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketRequestPayment

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketTagging

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketVersioning

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetBucketWebsite

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetObject

enum_ChecksumMode := [ "ENABLED" ]
enum_RequestPayer := [ "requester" ]

valid {
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.response-cache-control == STRING
    input.Qs.response-content-disposition == STRING
    input.Qs.response-content-encoding == STRING
    input.Qs.response-content-language == STRING
    input.Qs.response-content-type == STRING
    input.Qs.response-expires == TIMESTAMP
    input.Qs.versionId == STRING
    input.Qs.partNumber == INTEGER
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetObjectAcl

enum_RequestPayer := [ "requester" ]

valid {
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.versionId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetObjectAttributes

enum_ObjectAttributes := [ "ETag", "Checksum", "ObjectParts", "StorageClass", "ObjectSize" ]
enum_RequestPayer := [ "requester" ]

valid {
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.versionId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetObjectLegalHold

enum_RequestPayer := [ "requester" ]

valid {
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.versionId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetObjectLockConfiguration

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetObjectRetention

enum_RequestPayer := [ "requester" ]

valid {
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.versionId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetObjectTagging

enum_RequestPayer := [ "requester" ]

valid {
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.versionId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetObjectTorrent

enum_RequestPayer := [ "requester" ]

valid {
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetPublicAccessBlock

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

HeadBucket

valid {
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

HeadObject

enum_ChecksumMode := [ "ENABLED" ]
enum_RequestPayer := [ "requester" ]

valid {
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.response-cache-control == STRING
    input.Qs.response-content-disposition == STRING
    input.Qs.response-content-encoding == STRING
    input.Qs.response-content-language == STRING
    input.Qs.response-content-type == STRING
    input.Qs.response-expires == TIMESTAMP
    input.Qs.versionId == STRING
    input.Qs.partNumber == INTEGER
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListBucketAnalyticsConfigurations

valid {
    input.ReqMap.Bucket == STRING
    input.Qs.continuation-token == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListBucketIntelligentTieringConfigurations

valid {
    input.ReqMap.Bucket == STRING
    input.Qs.continuation-token == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListBucketInventoryConfigurations

valid {
    input.ReqMap.Bucket == STRING
    input.Qs.continuation-token == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListBucketMetricsConfigurations

valid {
    input.ReqMap.Bucket == STRING
    input.Qs.continuation-token == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListBuckets

valid {
    input.Qs.max-buckets == INTEGER
    input.Qs.continuation-token == STRING
    input.Qs.prefix == STRING
    input.Qs.bucket-region == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListMultipartUploads

enum_EncodingType := [ "url" ]
enum_RequestPayer := [ "requester" ]

valid {
    input.ReqMap.Bucket == STRING
    input.Qs.delimiter == STRING
    input.Qs.encoding-type == enum_EncodingType[_]
    input.Qs.key-marker == STRING
    input.Qs.max-uploads == INTEGER
    input.Qs.prefix == STRING
    input.Qs.upload-id-marker == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListObjectVersions

enum_EncodingType := [ "url" ]
enum_OptionalObjectAttributes := [ "RestoreStatus" ]
enum_RequestPayer := [ "requester" ]

valid {
    input.ReqMap.Bucket == STRING
    input.Qs.delimiter == STRING
    input.Qs.encoding-type == enum_EncodingType[_]
    input.Qs.key-marker == STRING
    input.Qs.max-keys == INTEGER
    input.Qs.prefix == STRING
    input.Qs.version-id-marker == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListObjects

enum_EncodingType := [ "url" ]
enum_OptionalObjectAttributes := [ "RestoreStatus" ]
enum_RequestPayer := [ "requester" ]

valid {
    input.ReqMap.Bucket == STRING
    input.Qs.delimiter == STRING
    input.Qs.encoding-type == enum_EncodingType[_]
    input.Qs.marker == STRING
    input.Qs.max-keys == INTEGER
    input.Qs.prefix == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListObjectsV2

enum_EncodingType := [ "url" ]
enum_OptionalObjectAttributes := [ "RestoreStatus" ]
enum_RequestPayer := [ "requester" ]

valid {
    input.ReqMap.Bucket == STRING
    input.Qs.delimiter == STRING
    input.Qs.encoding-type == enum_EncodingType[_]
    input.Qs.max-keys == INTEGER
    input.Qs.prefix == STRING
    input.Qs.continuation-token == STRING
    input.Qs.fetch-owner == BOOLEAN
    input.Qs.start-after == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListParts

enum_RequestPayer := [ "requester" ]

valid {
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.max-parts == INTEGER
    input.Qs.part-number-marker == INTEGER
    input.Qs.uploadId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketAccelerateConfiguration

enum_BucketAccelerateStatus := [ "Enabled", "Suspended" ]
enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]

valid {
    input.Body.AccelerateConfiguration.Status == enum_BucketAccelerateStatus[_]
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketAcl

enum_BucketCannedACL := [ "private", "public-read", "public-read-write", "authenticated-read" ]
enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_Permission := [ "FULL_CONTROL", "WRITE", "WRITE_ACP", "READ", "READ_ACP" ]
enum_Type := [ "CanonicalUser", "AmazonCustomerByEmail", "Group" ]

valid {
    input.Body.AccessControlPolicy.AccessControlList[_].Grantee.DisplayName == STRING
    input.Body.AccessControlPolicy.AccessControlList[_].Grantee.EmailAddress == STRING
    input.Body.AccessControlPolicy.AccessControlList[_].Grantee.ID == STRING
    input.Body.AccessControlPolicy.AccessControlList[_].Grantee.xsi:type == enum_Type[_]
    input.Body.AccessControlPolicy.AccessControlList[_].Grantee.URI == STRING
    input.Body.AccessControlPolicy.AccessControlList[_].Permission == enum_Permission[_]
    input.Body.AccessControlPolicy.Owner.DisplayName == STRING
    input.Body.AccessControlPolicy.Owner.ID == STRING
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketAnalyticsConfiguration

enum_AnalyticsS3ExportFileFormat := [ "CSV" ]
enum_StorageClassAnalysisSchemaVersion := [ "V_1" ]

valid {
    input.Body.AnalyticsConfiguration.Id == STRING
    input.Body.AnalyticsConfiguration.Filter.Prefix == STRING
    input.Body.AnalyticsConfiguration.Filter.Tag.Key == STRING
    input.Body.AnalyticsConfiguration.Filter.Tag.Value == STRING
    input.Body.AnalyticsConfiguration.Filter.And.Prefix == STRING
    input.Body.AnalyticsConfiguration.Filter.And.Tag[_].Key == STRING
    input.Body.AnalyticsConfiguration.Filter.And.Tag[_].Value == STRING
    input.Body.AnalyticsConfiguration.StorageClassAnalysis.DataExport.OutputSchemaVersion == enum_StorageClassAnalysisSchemaVersion[_]
    input.Body.AnalyticsConfiguration.StorageClassAnalysis.DataExport.Destination.S3BucketDestination.Format == enum_AnalyticsS3ExportFileFormat[_]
    input.Body.AnalyticsConfiguration.StorageClassAnalysis.DataExport.Destination.S3BucketDestination.BucketAccountId == STRING
    input.Body.AnalyticsConfiguration.StorageClassAnalysis.DataExport.Destination.S3BucketDestination.Bucket == STRING
    input.Body.AnalyticsConfiguration.StorageClassAnalysis.DataExport.Destination.S3BucketDestination.Prefix == STRING
    input.ReqMap.Bucket == STRING
    input.Qs.id == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketCors

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]

valid {
    input.Body.CORSConfiguration.CORSRule[_].ID == STRING
    input.Body.CORSConfiguration.CORSRule[_].AllowedHeader[_] == STRING
    input.Body.CORSConfiguration.CORSRule[_].AllowedMethod[_] == STRING
    input.Body.CORSConfiguration.CORSRule[_].AllowedOrigin[_] == STRING
    input.Body.CORSConfiguration.CORSRule[_].ExposeHeader[_] == STRING
    input.Body.CORSConfiguration.CORSRule[_].MaxAgeSeconds == INTEGER
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketEncryption

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_ServerSideEncryption := [ "AES256", "aws:kms", "aws:kms:dsse" ]

valid {
    input.Body.ServerSideEncryptionConfiguration.Rule[_].ApplyServerSideEncryptionByDefault.SSEAlgorithm == enum_ServerSideEncryption[_]
    input.Body.ServerSideEncryptionConfiguration.Rule[_].ApplyServerSideEncryptionByDefault.KMSMasterKeyID == STRING
    input.Body.ServerSideEncryptionConfiguration.Rule[_].BucketKeyEnabled == BOOLEAN
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketIntelligentTieringConfiguration

enum_IntelligentTieringAccessTier := [ "ARCHIVE_ACCESS", "DEEP_ARCHIVE_ACCESS" ]
enum_IntelligentTieringStatus := [ "Enabled", "Disabled" ]

valid {
    input.Body.IntelligentTieringConfiguration.Id == STRING
    input.Body.IntelligentTieringConfiguration.Filter.Prefix == STRING
    input.Body.IntelligentTieringConfiguration.Filter.Tag.Key == STRING
    input.Body.IntelligentTieringConfiguration.Filter.Tag.Value == STRING
    input.Body.IntelligentTieringConfiguration.Filter.And.Prefix == STRING
    input.Body.IntelligentTieringConfiguration.Filter.And.Tag[_].Key == STRING
    input.Body.IntelligentTieringConfiguration.Filter.And.Tag[_].Value == STRING
    input.Body.IntelligentTieringConfiguration.Status == enum_IntelligentTieringStatus[_]
    input.Body.IntelligentTieringConfiguration.Tiering[_].Days == INTEGER
    input.Body.IntelligentTieringConfiguration.Tiering[_].AccessTier == enum_IntelligentTieringAccessTier[_]
    input.ReqMap.Bucket == STRING
    input.Qs.id == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketInventoryConfiguration

enum_InventoryFormat := [ "CSV", "ORC", "Parquet" ]
enum_InventoryFrequency := [ "Daily", "Weekly" ]
enum_InventoryIncludedObjectVersions := [ "All", "Current" ]
enum_InventoryOptionalField := [ "Size", "LastModifiedDate", "StorageClass", "ETag", "IsMultipartUploaded", "ReplicationStatus", "EncryptionStatus", "ObjectLockRetainUntilDate", "ObjectLockMode", "ObjectLockLegalHoldStatus", "IntelligentTieringAccessTier", "BucketKeyStatus", "ChecksumAlgorithm", "ObjectAccessControlList", "ObjectOwner" ]

valid {
    input.Body.InventoryConfiguration.Destination.S3BucketDestination.AccountId == STRING
    input.Body.InventoryConfiguration.Destination.S3BucketDestination.Bucket == STRING
    input.Body.InventoryConfiguration.Destination.S3BucketDestination.Format == enum_InventoryFormat[_]
    input.Body.InventoryConfiguration.Destination.S3BucketDestination.Prefix == STRING
    input.Body.InventoryConfiguration.Destination.S3BucketDestination.Encryption.SSE-S3 == {}
    input.Body.InventoryConfiguration.Destination.S3BucketDestination.Encryption.SSE-KMS.KeyId == STRING
    input.Body.InventoryConfiguration.IsEnabled == BOOLEAN
    input.Body.InventoryConfiguration.Filter.Prefix == STRING
    input.Body.InventoryConfiguration.Id == STRING
    input.Body.InventoryConfiguration.IncludedObjectVersions == enum_InventoryIncludedObjectVersions[_]
    input.Body.InventoryConfiguration.OptionalFields[_] == enum_InventoryOptionalField[_]
    input.Body.InventoryConfiguration.Schedule.Frequency == enum_InventoryFrequency[_]
    input.ReqMap.Bucket == STRING
    input.Qs.id == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketLifecycleConfiguration

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_ExpirationStatus := [ "Enabled", "Disabled" ]
enum_TransitionDefaultMinimumObjectSize := [ "varies_by_storage_class", "all_storage_classes_128K" ]
enum_TransitionStorageClass := [ "GLACIER", "STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING", "DEEP_ARCHIVE", "GLACIER_IR" ]

valid {
    input.Body.LifecycleConfiguration.Rule[_].Expiration.Date == TIMESTAMP
    input.Body.LifecycleConfiguration.Rule[_].Expiration.Days == INTEGER
    input.Body.LifecycleConfiguration.Rule[_].Expiration.ExpiredObjectDeleteMarker == BOOLEAN
    input.Body.LifecycleConfiguration.Rule[_].ID == STRING
    input.Body.LifecycleConfiguration.Rule[_].Prefix == STRING
    input.Body.LifecycleConfiguration.Rule[_].Filter.Prefix == STRING
    input.Body.LifecycleConfiguration.Rule[_].Filter.Tag.Key == STRING
    input.Body.LifecycleConfiguration.Rule[_].Filter.Tag.Value == STRING
    input.Body.LifecycleConfiguration.Rule[_].Filter.ObjectSizeGreaterThan == LONG
    input.Body.LifecycleConfiguration.Rule[_].Filter.ObjectSizeLessThan == LONG
    input.Body.LifecycleConfiguration.Rule[_].Filter.And.Prefix == STRING
    input.Body.LifecycleConfiguration.Rule[_].Filter.And.Tag[_].Key == STRING
    input.Body.LifecycleConfiguration.Rule[_].Filter.And.Tag[_].Value == STRING
    input.Body.LifecycleConfiguration.Rule[_].Filter.And.ObjectSizeGreaterThan == LONG
    input.Body.LifecycleConfiguration.Rule[_].Filter.And.ObjectSizeLessThan == LONG
    input.Body.LifecycleConfiguration.Rule[_].Status == enum_ExpirationStatus[_]
    input.Body.LifecycleConfiguration.Rule[_].Transition[_].Date == TIMESTAMP
    input.Body.LifecycleConfiguration.Rule[_].Transition[_].Days == INTEGER
    input.Body.LifecycleConfiguration.Rule[_].Transition[_].StorageClass == enum_TransitionStorageClass[_]
    input.Body.LifecycleConfiguration.Rule[_].NoncurrentVersionTransition[_].NoncurrentDays == INTEGER
    input.Body.LifecycleConfiguration.Rule[_].NoncurrentVersionTransition[_].StorageClass == enum_TransitionStorageClass[_]
    input.Body.LifecycleConfiguration.Rule[_].NoncurrentVersionTransition[_].NewerNoncurrentVersions == INTEGER
    input.Body.LifecycleConfiguration.Rule[_].NoncurrentVersionExpiration.NoncurrentDays == INTEGER
    input.Body.LifecycleConfiguration.Rule[_].NoncurrentVersionExpiration.NewerNoncurrentVersions == INTEGER
    input.Body.LifecycleConfiguration.Rule[_].AbortIncompleteMultipartUpload.DaysAfterInitiation == INTEGER
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketLogging

enum_BucketLogsPermission := [ "FULL_CONTROL", "READ", "WRITE" ]
enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_PartitionDateSource := [ "EventTime", "DeliveryTime" ]
enum_Type := [ "CanonicalUser", "AmazonCustomerByEmail", "Group" ]

valid {
    input.Body.BucketLoggingStatus.LoggingEnabled.TargetBucket == STRING
    input.Body.BucketLoggingStatus.LoggingEnabled.TargetGrants[_].Grantee.DisplayName == STRING
    input.Body.BucketLoggingStatus.LoggingEnabled.TargetGrants[_].Grantee.EmailAddress == STRING
    input.Body.BucketLoggingStatus.LoggingEnabled.TargetGrants[_].Grantee.ID == STRING
    input.Body.BucketLoggingStatus.LoggingEnabled.TargetGrants[_].Grantee.xsi:type == enum_Type[_]
    input.Body.BucketLoggingStatus.LoggingEnabled.TargetGrants[_].Grantee.URI == STRING
    input.Body.BucketLoggingStatus.LoggingEnabled.TargetGrants[_].Permission == enum_BucketLogsPermission[_]
    input.Body.BucketLoggingStatus.LoggingEnabled.TargetPrefix == STRING
    input.Body.BucketLoggingStatus.LoggingEnabled.TargetObjectKeyFormat.SimplePrefix == {}
    input.Body.BucketLoggingStatus.LoggingEnabled.TargetObjectKeyFormat.PartitionedPrefix.PartitionDateSource == enum_PartitionDateSource[_]
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketMetricsConfiguration

valid {
    input.Body.MetricsConfiguration.Id == STRING
    input.Body.MetricsConfiguration.Filter.Prefix == STRING
    input.Body.MetricsConfiguration.Filter.Tag.Key == STRING
    input.Body.MetricsConfiguration.Filter.Tag.Value == STRING
    input.Body.MetricsConfiguration.Filter.AccessPointArn == STRING
    input.Body.MetricsConfiguration.Filter.And.Prefix == STRING
    input.Body.MetricsConfiguration.Filter.And.Tag[_].Key == STRING
    input.Body.MetricsConfiguration.Filter.And.Tag[_].Value == STRING
    input.Body.MetricsConfiguration.Filter.And.AccessPointArn == STRING
    input.ReqMap.Bucket == STRING
    input.Qs.id == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketNotificationConfiguration

enum_Event := [ "s3:ReducedRedundancyLostObject", "s3:ObjectCreated:*", "s3:ObjectCreated:Put", "s3:ObjectCreated:Post", "s3:ObjectCreated:Copy", "s3:ObjectCreated:CompleteMultipartUpload", "s3:ObjectRemoved:*", "s3:ObjectRemoved:Delete", "s3:ObjectRemoved:DeleteMarkerCreated", "s3:ObjectRestore:*", "s3:ObjectRestore:Post", "s3:ObjectRestore:Completed", "s3:Replication:*", "s3:Replication:OperationFailedReplication", "s3:Replication:OperationNotTracked", "s3:Replication:OperationMissedThreshold", "s3:Replication:OperationReplicatedAfterThreshold", "s3:ObjectRestore:Delete", "s3:LifecycleTransition", "s3:IntelligentTiering", "s3:ObjectAcl:Put", "s3:LifecycleExpiration:*", "s3:LifecycleExpiration:Delete", "s3:LifecycleExpiration:DeleteMarkerCreated", "s3:ObjectTagging:*", "s3:ObjectTagging:Put", "s3:ObjectTagging:Delete" ]
enum_FilterRuleName := [ "prefix", "suffix" ]

valid {
    input.Body.NotificationConfiguration.TopicConfiguration[_].Id == STRING
    input.Body.NotificationConfiguration.TopicConfiguration[_].Topic == STRING
    input.Body.NotificationConfiguration.TopicConfiguration[_].Event[_] == enum_Event[_]
    input.Body.NotificationConfiguration.TopicConfiguration[_].Filter.S3Key.FilterRule[_].Name == enum_FilterRuleName[_]
    input.Body.NotificationConfiguration.TopicConfiguration[_].Filter.S3Key.FilterRule[_].Value == STRING
    input.Body.NotificationConfiguration.QueueConfiguration[_].Id == STRING
    input.Body.NotificationConfiguration.QueueConfiguration[_].Queue == STRING
    input.Body.NotificationConfiguration.QueueConfiguration[_].Event[_] == enum_Event[_]
    input.Body.NotificationConfiguration.QueueConfiguration[_].Filter.S3Key.FilterRule[_].Name == enum_FilterRuleName[_]
    input.Body.NotificationConfiguration.QueueConfiguration[_].Filter.S3Key.FilterRule[_].Value == STRING
    input.Body.NotificationConfiguration.CloudFunctionConfiguration[_].Id == STRING
    input.Body.NotificationConfiguration.CloudFunctionConfiguration[_].CloudFunction == STRING
    input.Body.NotificationConfiguration.CloudFunctionConfiguration[_].Event[_] == enum_Event[_]
    input.Body.NotificationConfiguration.CloudFunctionConfiguration[_].Filter.S3Key.FilterRule[_].Name == enum_FilterRuleName[_]
    input.Body.NotificationConfiguration.CloudFunctionConfiguration[_].Filter.S3Key.FilterRule[_].Value == STRING
    input.Body.NotificationConfiguration.EventBridgeConfiguration == {}
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketOwnershipControls

enum_ObjectOwnership := [ "BucketOwnerPreferred", "ObjectWriter", "BucketOwnerEnforced" ]

valid {
    input.Body.OwnershipControls.Rule[_].ObjectOwnership == enum_ObjectOwnership[_]
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketPolicy

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]

valid {
    input.Body.Policy == STRING
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketReplication

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_DeleteMarkerReplicationStatus := [ "Enabled", "Disabled" ]
enum_ExistingObjectReplicationStatus := [ "Enabled", "Disabled" ]
enum_MetricsStatus := [ "Enabled", "Disabled" ]
enum_OwnerOverride := [ "Destination" ]
enum_ReplicaModificationsStatus := [ "Enabled", "Disabled" ]
enum_ReplicationRuleStatus := [ "Enabled", "Disabled" ]
enum_ReplicationTimeStatus := [ "Enabled", "Disabled" ]
enum_SseKmsEncryptedObjectsStatus := [ "Enabled", "Disabled" ]
enum_StorageClass := [ "STANDARD", "REDUCED_REDUNDANCY", "STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING", "GLACIER", "DEEP_ARCHIVE", "OUTPOSTS", "GLACIER_IR", "SNOW", "EXPRESS_ONEZONE" ]

valid {
    input.Body.ReplicationConfiguration.Role == STRING
    input.Body.ReplicationConfiguration.Rule[_].ID == STRING
    input.Body.ReplicationConfiguration.Rule[_].Priority == INTEGER
    input.Body.ReplicationConfiguration.Rule[_].Prefix == STRING
    input.Body.ReplicationConfiguration.Rule[_].Filter.Prefix == STRING
    input.Body.ReplicationConfiguration.Rule[_].Filter.Tag.Key == STRING
    input.Body.ReplicationConfiguration.Rule[_].Filter.Tag.Value == STRING
    input.Body.ReplicationConfiguration.Rule[_].Filter.And.Prefix == STRING
    input.Body.ReplicationConfiguration.Rule[_].Filter.And.Tag[_].Key == STRING
    input.Body.ReplicationConfiguration.Rule[_].Filter.And.Tag[_].Value == STRING
    input.Body.ReplicationConfiguration.Rule[_].Status == enum_ReplicationRuleStatus[_]
    input.Body.ReplicationConfiguration.Rule[_].SourceSelectionCriteria.SseKmsEncryptedObjects.Status == enum_SseKmsEncryptedObjectsStatus[_]
    input.Body.ReplicationConfiguration.Rule[_].SourceSelectionCriteria.ReplicaModifications.Status == enum_ReplicaModificationsStatus[_]
    input.Body.ReplicationConfiguration.Rule[_].ExistingObjectReplication.Status == enum_ExistingObjectReplicationStatus[_]
    input.Body.ReplicationConfiguration.Rule[_].Destination.Bucket == STRING
    input.Body.ReplicationConfiguration.Rule[_].Destination.Account == STRING
    input.Body.ReplicationConfiguration.Rule[_].Destination.StorageClass == enum_StorageClass[_]
    input.Body.ReplicationConfiguration.Rule[_].Destination.AccessControlTranslation.Owner == enum_OwnerOverride[_]
    input.Body.ReplicationConfiguration.Rule[_].Destination.EncryptionConfiguration.ReplicaKmsKeyID == STRING
    input.Body.ReplicationConfiguration.Rule[_].Destination.ReplicationTime.Status == enum_ReplicationTimeStatus[_]
    input.Body.ReplicationConfiguration.Rule[_].Destination.ReplicationTime.Time.Minutes == INTEGER
    input.Body.ReplicationConfiguration.Rule[_].Destination.Metrics.Status == enum_MetricsStatus[_]
    input.Body.ReplicationConfiguration.Rule[_].Destination.Metrics.EventThreshold.Minutes == INTEGER
    input.Body.ReplicationConfiguration.Rule[_].DeleteMarkerReplication.Status == enum_DeleteMarkerReplicationStatus[_]
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketRequestPayment

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_Payer := [ "Requester", "BucketOwner" ]

valid {
    input.Body.RequestPaymentConfiguration.Payer == enum_Payer[_]
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketTagging

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]

valid {
    input.Body.Tagging.TagSet[_].Key == STRING
    input.Body.Tagging.TagSet[_].Value == STRING
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketVersioning

enum_BucketVersioningStatus := [ "Enabled", "Suspended" ]
enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_MFADelete := [ "Enabled", "Disabled" ]

valid {
    input.Body.VersioningConfiguration.MfaDelete == enum_MFADelete[_]
    input.Body.VersioningConfiguration.Status == enum_BucketVersioningStatus[_]
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutBucketWebsite

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_Protocol := [ "http", "https" ]

valid {
    input.Body.WebsiteConfiguration.ErrorDocument.Key == STRING
    input.Body.WebsiteConfiguration.IndexDocument.Suffix == STRING
    input.Body.WebsiteConfiguration.RedirectAllRequestsTo.HostName == STRING
    input.Body.WebsiteConfiguration.RedirectAllRequestsTo.Protocol == enum_Protocol[_]
    input.Body.WebsiteConfiguration.RoutingRules[_].Condition.HttpErrorCodeReturnedEquals == STRING
    input.Body.WebsiteConfiguration.RoutingRules[_].Condition.KeyPrefixEquals == STRING
    input.Body.WebsiteConfiguration.RoutingRules[_].Redirect.HostName == STRING
    input.Body.WebsiteConfiguration.RoutingRules[_].Redirect.HttpRedirectCode == STRING
    input.Body.WebsiteConfiguration.RoutingRules[_].Redirect.Protocol == enum_Protocol[_]
    input.Body.WebsiteConfiguration.RoutingRules[_].Redirect.ReplaceKeyPrefixWith == STRING
    input.Body.WebsiteConfiguration.RoutingRules[_].Redirect.ReplaceKeyWith == STRING
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutObject

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_ObjectCannedACL := [ "private", "public-read", "public-read-write", "authenticated-read", "aws-exec-read", "bucket-owner-read", "bucket-owner-full-control" ]
enum_ObjectLockLegalHoldStatus := [ "ON", "OFF" ]
enum_ObjectLockMode := [ "GOVERNANCE", "COMPLIANCE" ]
enum_RequestPayer := [ "requester" ]
enum_ServerSideEncryption := [ "AES256", "aws:kms", "aws:kms:dsse" ]
enum_StorageClass := [ "STANDARD", "REDUCED_REDUNDANCY", "STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING", "GLACIER", "DEEP_ARCHIVE", "OUTPOSTS", "GLACIER_IR", "SNOW", "EXPRESS_ONEZONE" ]

valid {
    input.Body.Body == BLOB
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutObjectAcl

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_ObjectCannedACL := [ "private", "public-read", "public-read-write", "authenticated-read", "aws-exec-read", "bucket-owner-read", "bucket-owner-full-control" ]
enum_Permission := [ "FULL_CONTROL", "WRITE", "WRITE_ACP", "READ", "READ_ACP" ]
enum_RequestPayer := [ "requester" ]
enum_Type := [ "CanonicalUser", "AmazonCustomerByEmail", "Group" ]

valid {
    input.Body.AccessControlPolicy.AccessControlList[_].Grantee.DisplayName == STRING
    input.Body.AccessControlPolicy.AccessControlList[_].Grantee.EmailAddress == STRING
    input.Body.AccessControlPolicy.AccessControlList[_].Grantee.ID == STRING
    input.Body.AccessControlPolicy.AccessControlList[_].Grantee.xsi:type == enum_Type[_]
    input.Body.AccessControlPolicy.AccessControlList[_].Grantee.URI == STRING
    input.Body.AccessControlPolicy.AccessControlList[_].Permission == enum_Permission[_]
    input.Body.AccessControlPolicy.Owner.DisplayName == STRING
    input.Body.AccessControlPolicy.Owner.ID == STRING
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.versionId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutObjectLegalHold

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_ObjectLockLegalHoldStatus := [ "ON", "OFF" ]
enum_RequestPayer := [ "requester" ]

valid {
    input.Body.LegalHold.Status == enum_ObjectLockLegalHoldStatus[_]
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.versionId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutObjectLockConfiguration

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_ObjectLockEnabled := [ "Enabled" ]
enum_ObjectLockRetentionMode := [ "GOVERNANCE", "COMPLIANCE" ]
enum_RequestPayer := [ "requester" ]

valid {
    input.Body.ObjectLockConfiguration.ObjectLockEnabled == enum_ObjectLockEnabled[_]
    input.Body.ObjectLockConfiguration.Rule.DefaultRetention.Mode == enum_ObjectLockRetentionMode[_]
    input.Body.ObjectLockConfiguration.Rule.DefaultRetention.Days == INTEGER
    input.Body.ObjectLockConfiguration.Rule.DefaultRetention.Years == INTEGER
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutObjectRetention

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_ObjectLockRetentionMode := [ "GOVERNANCE", "COMPLIANCE" ]
enum_RequestPayer := [ "requester" ]

valid {
    input.Body.Retention.Mode == enum_ObjectLockRetentionMode[_]
    input.Body.Retention.RetainUntilDate == TIMESTAMP
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.versionId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutObjectTagging

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_RequestPayer := [ "requester" ]

valid {
    input.Body.Tagging.TagSet[_].Key == STRING
    input.Body.Tagging.TagSet[_].Value == STRING
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.versionId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutPublicAccessBlock

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]

valid {
    input.Body.PublicAccessBlockConfiguration.BlockPublicAcls == BOOLEAN
    input.Body.PublicAccessBlockConfiguration.IgnorePublicAcls == BOOLEAN
    input.Body.PublicAccessBlockConfiguration.BlockPublicPolicy == BOOLEAN
    input.Body.PublicAccessBlockConfiguration.RestrictPublicBuckets == BOOLEAN
    input.ReqMap.Bucket == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

RestoreObject

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_CompressionType := [ "NONE", "GZIP", "BZIP2" ]
enum_ExpressionType := [ "SQL" ]
enum_FileHeaderInfo := [ "USE", "IGNORE", "NONE" ]
enum_JSONType := [ "DOCUMENT", "LINES" ]
enum_ObjectCannedACL := [ "private", "public-read", "public-read-write", "authenticated-read", "aws-exec-read", "bucket-owner-read", "bucket-owner-full-control" ]
enum_Permission := [ "FULL_CONTROL", "WRITE", "WRITE_ACP", "READ", "READ_ACP" ]
enum_QuoteFields := [ "ALWAYS", "ASNEEDED" ]
enum_RequestPayer := [ "requester" ]
enum_RestoreRequestType := [ "SELECT" ]
enum_ServerSideEncryption := [ "AES256", "aws:kms", "aws:kms:dsse" ]
enum_StorageClass := [ "STANDARD", "REDUCED_REDUNDANCY", "STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING", "GLACIER", "DEEP_ARCHIVE", "OUTPOSTS", "GLACIER_IR", "SNOW", "EXPRESS_ONEZONE" ]
enum_Tier := [ "Standard", "Bulk", "Expedited" ]
enum_Type := [ "CanonicalUser", "AmazonCustomerByEmail", "Group" ]

valid {
    input.Body.RestoreRequest.Days == INTEGER
    input.Body.RestoreRequest.GlacierJobParameters.Tier == enum_Tier[_]
    input.Body.RestoreRequest.Type == enum_RestoreRequestType[_]
    input.Body.RestoreRequest.Tier == enum_Tier[_]
    input.Body.RestoreRequest.Description == STRING
    input.Body.RestoreRequest.SelectParameters.InputSerialization.CSV.FileHeaderInfo == enum_FileHeaderInfo[_]
    input.Body.RestoreRequest.SelectParameters.InputSerialization.CSV.Comments == STRING
    input.Body.RestoreRequest.SelectParameters.InputSerialization.CSV.QuoteEscapeCharacter == STRING
    input.Body.RestoreRequest.SelectParameters.InputSerialization.CSV.RecordDelimiter == STRING
    input.Body.RestoreRequest.SelectParameters.InputSerialization.CSV.FieldDelimiter == STRING
    input.Body.RestoreRequest.SelectParameters.InputSerialization.CSV.QuoteCharacter == STRING
    input.Body.RestoreRequest.SelectParameters.InputSerialization.CSV.AllowQuotedRecordDelimiter == BOOLEAN
    input.Body.RestoreRequest.SelectParameters.InputSerialization.CompressionType == enum_CompressionType[_]
    input.Body.RestoreRequest.SelectParameters.InputSerialization.JSON.Type == enum_JSONType[_]
    input.Body.RestoreRequest.SelectParameters.InputSerialization.Parquet == {}
    input.Body.RestoreRequest.SelectParameters.ExpressionType == enum_ExpressionType[_]
    input.Body.RestoreRequest.SelectParameters.Expression == STRING
    input.Body.RestoreRequest.SelectParameters.OutputSerialization.CSV.QuoteFields == enum_QuoteFields[_]
    input.Body.RestoreRequest.SelectParameters.OutputSerialization.CSV.QuoteEscapeCharacter == STRING
    input.Body.RestoreRequest.SelectParameters.OutputSerialization.CSV.RecordDelimiter == STRING
    input.Body.RestoreRequest.SelectParameters.OutputSerialization.CSV.FieldDelimiter == STRING
    input.Body.RestoreRequest.SelectParameters.OutputSerialization.CSV.QuoteCharacter == STRING
    input.Body.RestoreRequest.SelectParameters.OutputSerialization.JSON.RecordDelimiter == STRING
    input.Body.RestoreRequest.OutputLocation.S3.BucketName == STRING
    input.Body.RestoreRequest.OutputLocation.S3.Prefix == STRING
    input.Body.RestoreRequest.OutputLocation.S3.Encryption.EncryptionType == enum_ServerSideEncryption[_]
    input.Body.RestoreRequest.OutputLocation.S3.Encryption.KMSKeyId == STRING
    input.Body.RestoreRequest.OutputLocation.S3.Encryption.KMSContext == STRING
    input.Body.RestoreRequest.OutputLocation.S3.CannedACL == enum_ObjectCannedACL[_]
    input.Body.RestoreRequest.OutputLocation.S3.AccessControlList[_].Grantee.DisplayName == STRING
    input.Body.RestoreRequest.OutputLocation.S3.AccessControlList[_].Grantee.EmailAddress == STRING
    input.Body.RestoreRequest.OutputLocation.S3.AccessControlList[_].Grantee.ID == STRING
    input.Body.RestoreRequest.OutputLocation.S3.AccessControlList[_].Grantee.xsi:type == enum_Type[_]
    input.Body.RestoreRequest.OutputLocation.S3.AccessControlList[_].Grantee.URI == STRING
    input.Body.RestoreRequest.OutputLocation.S3.AccessControlList[_].Permission == enum_Permission[_]
    input.Body.RestoreRequest.OutputLocation.S3.Tagging.TagSet[_].Key == STRING
    input.Body.RestoreRequest.OutputLocation.S3.Tagging.TagSet[_].Value == STRING
    input.Body.RestoreRequest.OutputLocation.S3.UserMetadata[_].Name == STRING
    input.Body.RestoreRequest.OutputLocation.S3.UserMetadata[_].Value == STRING
    input.Body.RestoreRequest.OutputLocation.S3.StorageClass == enum_StorageClass[_]
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.versionId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

SelectObjectContent

enum_CompressionType := [ "NONE", "GZIP", "BZIP2" ]
enum_ExpressionType := [ "SQL" ]
enum_FileHeaderInfo := [ "USE", "IGNORE", "NONE" ]
enum_JSONType := [ "DOCUMENT", "LINES" ]
enum_QuoteFields := [ "ALWAYS", "ASNEEDED" ]

valid {
    input.Body.Expression == STRING
    input.Body.ExpressionType == enum_ExpressionType[_]
    input.Body.RequestProgress.Enabled == BOOLEAN
    input.Body.InputSerialization.CSV.FileHeaderInfo == enum_FileHeaderInfo[_]
    input.Body.InputSerialization.CSV.Comments == STRING
    input.Body.InputSerialization.CSV.QuoteEscapeCharacter == STRING
    input.Body.InputSerialization.CSV.RecordDelimiter == STRING
    input.Body.InputSerialization.CSV.FieldDelimiter == STRING
    input.Body.InputSerialization.CSV.QuoteCharacter == STRING
    input.Body.InputSerialization.CSV.AllowQuotedRecordDelimiter == BOOLEAN
    input.Body.InputSerialization.CompressionType == enum_CompressionType[_]
    input.Body.InputSerialization.JSON.Type == enum_JSONType[_]
    input.Body.InputSerialization.Parquet == {}
    input.Body.OutputSerialization.CSV.QuoteFields == enum_QuoteFields[_]
    input.Body.OutputSerialization.CSV.QuoteEscapeCharacter == STRING
    input.Body.OutputSerialization.CSV.RecordDelimiter == STRING
    input.Body.OutputSerialization.CSV.FieldDelimiter == STRING
    input.Body.OutputSerialization.CSV.QuoteCharacter == STRING
    input.Body.OutputSerialization.JSON.RecordDelimiter == STRING
    input.Body.ScanRange.Start == LONG
    input.Body.ScanRange.End == LONG
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UploadPart

enum_ChecksumAlgorithm := [ "CRC32", "CRC32C", "SHA1", "SHA256" ]
enum_RequestPayer := [ "requester" ]

valid {
    input.Body.Body == BLOB
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.partNumber == INTEGER
    input.Qs.uploadId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UploadPartCopy

enum_RequestPayer := [ "requester" ]

valid {
    input.ReqMap.Bucket == STRING
    input.ReqMap.Key == STRING
    input.Qs.partNumber == INTEGER
    input.Qs.uploadId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

WriteGetObjectResponse

enum_ObjectLockLegalHoldStatus := [ "ON", "OFF" ]
enum_ObjectLockMode := [ "GOVERNANCE", "COMPLIANCE" ]
enum_ReplicationStatus := [ "COMPLETE", "PENDING", "FAILED", "REPLICA", "COMPLETED" ]
enum_RequestCharged := [ "requester" ]
enum_ServerSideEncryption := [ "AES256", "aws:kms", "aws:kms:dsse" ]
enum_StorageClass := [ "STANDARD", "REDUCED_REDUNDANCY", "STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING", "GLACIER", "DEEP_ARCHIVE", "OUTPOSTS", "GLACIER_IR", "SNOW", "EXPRESS_ONEZONE" ]

valid {
    input.Body.Body == BLOB
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}