Amazon S3 (service prefix: s3) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:

- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The Actions Table.
Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
---|---|---|---|---|---|
AbortMultipartUpload | Aborts a multipart upload. | Write | |||
BypassGovernanceRetention | Allows circumvention of governance-mode object retention settings | Permissions management | | s3:x-amz-server-side-encryption s3:x-amz-server-side-encryption-aws-kms-key-id s3:x-amz-website-redirect-location s3:object-lock-retain-until-date | |
CreateAccessPoint | Creates a new access point. | Write | |||
CreateBucket | Creates a new bucket. | Write | |||
CreateJob | Creates a new Amazon S3 Batch Operations job. | Write | |||
DeleteAccessPoint | Deletes the access point named in the URI | Write | |||
DeleteAccessPointPolicy | Delete the policy on a specified access point | Permissions management | |||
DeleteBucket | Deletes the bucket named in the URI | Write | |||
DeleteBucketPolicy | Delete the policy on a specified bucket | Permissions management | |||
DeleteBucketWebsite | Removes the website configuration for a bucket. | Write | |||
DeleteObject | Removes the null version (if there is one) of an object and inserts a delete marker, which becomes the current version of the object. | Write | |||
DeleteObjectTagging | This implementation of the DELETE operation uses the tagging subresource to remove the entire tag set from the specified object. | Tagging | |||
DeleteObjectVersion | To remove a specific version of an object, you must be the bucket owner and you must use the versionId subresource. | Write | |||
DeleteObjectVersionTagging | DELETE Object tagging (for a Specific Version of the Object) | Tagging | |||
DescribeJob | Retrieves the configuration parameters and status for an Amazon S3 batch operations job. | Read | |||
GetAccelerateConfiguration | This implementation of the GET operation uses the accelerate subresource to return the Transfer Acceleration state of a bucket, which is either Enabled or Suspended. | Read | |||
GetAccessPoint | Retrieve access point metadata | Read | |||
GetAccessPointPolicy | Return the policy of a specified access point. | Read | |||
GetAccessPointPolicyStatus | Retrieve the policy status for a specific access point's policy | Read | |||
GetAccountPublicAccessBlock | Retrieve the PublicAccessBlock configuration for an AWS account | Read | |||
GetAnalyticsConfiguration | This implementation of the GET operation returns an analytics configuration (identified by the analytics configuration ID) from the bucket. | Read | |||
GetBucketAcl | Return the access control list (ACL) of a bucket. | Read | |||
GetBucketCORS | Returns the CORS configuration information set for the bucket. | Read | |||
GetBucketLocation | Return a bucket's region. | Read | |||
GetBucketLogging | Return the logging status of a bucket and the permissions users have to view and modify that status. | Read | |||
GetBucketNotification | Return the notification configuration of a bucket. | Read | |||
GetBucketObjectLockConfiguration | GET Object Lock configuration for a specific bucket | Read | |||
GetBucketPolicy | Return the policy of a specified bucket. | Read | |||
GetBucketPolicyStatus | Retrieve the policy status for a specific S3 bucket, indicating whether the bucket is public. | Read | |||
GetBucketPublicAccessBlock | Retrieve the PublicAccessBlock configuration for a specific S3 bucket. | Read | |||
GetBucketRequestPayment | Return the request payment configuration of a bucket. | Read | |||
GetBucketTagging | Return the tag set associated with the bucket. | Read | |||
GetBucketVersioning | Return the versioning state of a bucket. | Read | |||
GetBucketWebsite | Returns the website configuration associated with a bucket. | Read | |||
GetEncryptionConfiguration | Returns the encryption configuration information set on the bucket. | Read | |||
GetInventoryConfiguration | This implementation of the GET operation returns an inventory configuration (identified by the inventory configuration ID) from the bucket. | Read | |||
GetLifecycleConfiguration | Returns the lifecycle configuration information set on the bucket. | Read | |||
GetMetricsConfiguration | Gets a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from the bucket. Note that this doesn't include the daily storage metrics. | Read | |||
GetObject | Retrieves objects from Amazon S3. | Read | |||
GetObjectAcl | Return the access control list (ACL) of an object. | Read | |||
GetObjectLegalHold | GET Object Legal Hold for a specific object | Read | |||
GetObjectRetention | GET Object Retention for a specific object | Read | |||
GetObjectTagging | This implementation of the GET operation returns the tags associated with an object. You send the GET request against the tagging subresource associated with the object. | Read | |||
GetObjectTorrent | Return torrent files from a bucket. | Read | |||
GetObjectVersion | To return a different version, use the versionId subresource. | Read | |||
GetObjectVersionAcl | To return ACL information about a different version, use the versionId subresource. | Read | |||
GetObjectVersionForReplication | Permission exercised by S3 replication | Read | |||
GetObjectVersionTagging | GET Object tagging (for a Specific Version of the Object) | Read | |||
GetObjectVersionTorrent | To return Torrent files about a different version, use the versionId subresource. | Read | |||
GetReplicationConfiguration | Returns the replication configuration information set on the bucket. | Read | |||
ListAccessPoints | Lists access points. | Read | |||
ListAllMyBuckets | Returns a list of all buckets owned by the authenticated sender of the request. | List | |||
ListBucket | Returns some or all (up to 1000) of the objects in a bucket. | List | |||
ListBucketMultipartUploads | Lists in-progress multipart uploads. | Read | |||
ListBucketVersions | Use the versions subresource to list metadata about all of the versions of objects in a bucket. | Read | |||
ListJobs | Lists current jobs and jobs that have ended recently. | Read | |||
ListMultipartUploadParts | Lists the parts that have been uploaded for a specific multipart upload. | Read | |||
ObjectOwnerOverrideToBucketOwner | Permission exercised by S3 replication | Permissions management | |||
PutAccelerateConfiguration | This implementation of the PUT operation uses the accelerate subresource to set the Transfer Acceleration state of an existing bucket. | Write | |||
PutAccessPointPolicy | Add to or replace a data policy on an access point. | Permissions management | |||
PutAccountPublicAccessBlock | Create or modify the PublicAccessBlock configuration for an AWS account. | Permissions management | |||
PutAnalyticsConfiguration | This implementation of the PUT operation adds an analytics configuration (identified by the analytics ID) to the bucket. You can have up to 1,000 analytics configurations per bucket. | Write | |||
PutBucketAcl | Set the permissions on an existing bucket using access control lists (ACL). | Permissions management | |||
PutBucketCORS | Sets the CORS configuration for your bucket. | Write | |||
PutBucketLogging | Set the logging parameters for a bucket. | Write | |||
PutBucketNotification | Enables you to receive notifications when certain events happen in your bucket. | Write | |||
PutBucketObjectLockConfiguration | PUT Object Lock configuration on a specific bucket | Write | |||
PutBucketPolicy | Add to or replace a policy on a bucket. | Permissions management | |||
PutBucketPublicAccessBlock | Create or modify the PublicAccessBlock configuration for a specific S3 bucket. | Permissions management | |||
PutBucketRequestPayment | Set the request payment configuration of a bucket. | Write | |||
PutBucketTagging | Add a set of tags to an existing bucket. | Tagging | |||
PutBucketVersioning | Set the versioning state of an existing bucket. | Write | |||
PutBucketWebsite | Sets the configuration of the website that is specified in the website subresource. | Write | |||
PutEncryptionConfiguration | Sets the encryption configuration for the bucket. | Write | |||
PutInventoryConfiguration | This implementation of the PUT operation adds an inventory configuration (identified by the inventory ID) to the bucket. You can have up to 1,000 inventory configurations per bucket. | Write | |||
PutLifecycleConfiguration | Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration. | Write | |||
PutMetricsConfiguration | Sets or updates a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from the bucket. | Write | |||
PutObject | Adds an object to a bucket. | Write | | s3:x-amz-server-side-encryption s3:x-amz-server-side-encryption-aws-kms-key-id s3:x-amz-website-redirect-location s3:object-lock-retain-until-date | |
PutObjectAcl | Set the access control list (ACL) permissions for an object that already exists in a bucket. | Permissions management | |||
PutObjectLegalHold | PUT Object Legal Hold on a specific object | Write | |||
PutObjectRetention | PUT Object Retention on a specific object | Write | |||
PutObjectTagging | This implementation of the PUT operation uses the tagging subresource to add a set of tags to an existing object. | Tagging | |||
PutObjectVersionAcl | The ACL of an object is set at the object version level. | Permissions management | |||
PutObjectVersionTagging | PUT Object tagging (for a Specific Version of the Object) | Tagging | |||
PutReplicationConfiguration | In a versioning-enabled bucket, this operation creates a new replication configuration (or replaces an existing one, if present). | Write | |||
ReplicateDelete | Permission exercised by S3 replication | Write | |||
ReplicateObject | Permission exercised by S3 replication | Write | |||
ReplicateTags | Permission exercised by S3 replication | Tagging | |||
RestoreObject | Restores a temporary copy of an archived object. | Write | |||
UpdateJobPriority | Updates an existing job's priority. | Write | |||
UpdateJobStatus | Updates the status for the specified job. | Write | |||
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.
Resource Types | ARN | Condition Keys |
---|---|---|
accesspoint | arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName} | |
bucket | arn:${Partition}:s3:::${BucketName} | |
object | arn:${Partition}:s3:::${BucketName}/${ObjectName} | |
job | arn:${Partition}:s3:${Region}:${Account}:job/${JobId} | |
Amazon S3 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.
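The three tables on this page (actions, resource ARNs, condition keys) only make sense together: a statement names an action, the ARN type that action accepts, and optionally a condition key the action supports. The following is an added example, not AWS code and not the IAM engine: a deliberately simplified evaluator that applies a constructed bucket policy to sample requests, using the page's own ARN formats and the s3:prefix and s3:x-amz-server-side-encryption condition keys. The policy, the bucket name "example-bucket", the 12-digit account pattern, and the function names are assumptions made for the example. The model implements wildcard matching on Action and Resource, explicit-deny-wins, and the StringEquals, StringNotEquals, StringLike and Null operators; it treats an absent context key as non-matching for the String operators, which is a simplification of IAM's real rules rather than a statement of them.

```python
"""Added example (not AWS code): a simplified model of how an IAM policy
combines the S3 actions, resource ARNs and condition keys on this page.

Simplifications: only Action/Resource/Condition/Effect are honoured (no
NotAction, NotResource or Principal), and an absent context key never
satisfies a String* operator; only the Null operator reasons about absence.
"""
import fnmatch
import json
import re

# ARN shapes taken from the page's resource types table. The 12-digit
# account id is an assumption of this model, not a statement from the page.
RESOURCE_TYPES = {
    "accesspoint": re.compile(r"^arn:[^:]+:s3:[^:]+:\d{12}:accesspoint/.+$"),
    "job":         re.compile(r"^arn:[^:]+:s3:[^:]+:\d{12}:job/.+$"),
    "object":      re.compile(r"^arn:[^:]+:s3:::[^/]+/.+$"),
    "bucket":      re.compile(r"^arn:[^:]+:s3:::[^/]+$"),
}


def resource_type(arn):
    """Classify an ARN as one of the page's four S3 resource types, or None."""
    for name, pattern in RESOURCE_TYPES.items():
        if pattern.match(arn):
            return name
    return None


# Constructed policy for the example; "example-bucket" is a placeholder.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListBuckets", "Effect": "Allow",
     "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Sid": "ListOnlyReportsPrefix", "Effect": "Allow",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringLike": {"s3:prefix": "reports/*"}}},
    {"Sid": "ReadWriteReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/reports/*"},
    {"Sid": "DenyNonKmsUploads", "Effect": "Deny",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyUploadsWithoutEncryptionHeader", "Effect": "Deny",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM-style wildcards: '*' matches any sequence, '?' a single character.
    return fnmatch.fnmatchcase(value, pattern)


# operator -> (per-value test, how to combine results over a list of policy values)
OPERATORS = {
    "StringEquals":    (lambda want, got: got == want, any),
    "StringNotEquals": (lambda want, got: got != want, all),  # must differ from every value
    "StringLike":      (lambda want, got: _glob(want, got), any),
}


def condition_matches(condition, context):
    """True when every operator block of a Condition element is satisfied."""
    for operator, pairs in condition.items():
        if operator == "Null":
            for key, want in pairs.items():
                if (key not in context) != (str(want).lower() == "true"):
                    return False
            continue
        test, combine = OPERATORS[operator]
        for key, wanted in pairs.items():
            if key not in context:
                return False  # simplification, see module docstring
            if not combine(test(w, context[key]) for w in _as_list(wanted)):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides every allow
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    key = "arn:aws:s3:::example-bucket/reports/q1.csv"
    print(resource_type(key), evaluate(POLICY, "s3:PutObject", key,
                                       {"s3:x-amz-server-side-encryption": "aws:kms"}))
```

The two Deny statements show why a single StringNotEquals is not enough to enforce encryption on PutObject in this model: a request that omits the s3:x-amz-server-side-encryption header never satisfies StringNotEquals here, so the Null operator is what catches the missing header. ListAllMyBuckets has no resource type on the page and therefore needs Resource "*", while ListBucket and GetObject take the bucket and object ARN shapes from the resource types table.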
Condition Keys | Description | Type |
---|---|---|
s3:AccessPointNetworkOrigin | The network type from which traffic may be received by the access point involved in the request | String |
s3:DataAccessPointAccount | The AWS Account ID of the account that owns the data operations access point involved in the request | String |
s3:DataAccessPointArn | The ARN of the data operations access point involved in the request | String |
s3:ExistingJobOperation | | String |
s3:ExistingJobPriority | | Numeric |
s3:ExistingObjectTag/<key> | Enables you to verify that an existing object tag has the specific tag key and value. | String |
s3:JobSuspendedCause | | String |
s3:LocationConstraint | Enables you to restrict users to creating buckets in only a specific region. | String |
s3:RequestJobOperation | | String |
s3:RequestJobPriority | | Numeric |
s3:RequestObjectTag/<key> | Restrict the tag keys and values that you want to allow on objects. | String |
s3:RequestObjectTagKeys | Restrict the tag keys that you want to allow on objects. | String |
s3:VersionId | Enables you to limit the permission for the s3:PutObjectVersionTagging action to a specific object version. | String |
s3:authtype | | String |
s3:delimiter | Enables you to require the user to specify the delimiter parameter in the GET Bucket Object versions request. | String |
s3:locationconstraint | Enables you to restrict the user to creating a bucket in only a specific region. | String |
s3:max-keys | Enables you to limit the number of keys Amazon S3 returns in response to ListBucket requests by requiring the user to specify the max-keys parameter. | Numeric |
s3:object-lock-legal-hold | Enables enforcement of the specified object legal hold status | String |
s3:object-lock-mode | Enables enforcement of the specified object retention mode | String |
s3:object-lock-remaining-retention-days | Enables enforcement of an object relative to the remaining retention days | String |
s3:object-lock-retain-until-date | Enables enforcement of a specific retain-until-date | String |
s3:prefix | Enables you to limit the response of the ListBucket API to key names with a specific prefix. | String |
s3:signatureage | | Numeric |
s3:signatureversion | | String |
s3:versionid | | String |
s3:x-amz-acl | Enables you to require specific access permissions when uploading an object. | String |
s3:x-amz-content-sha256 | | String |
s3:x-amz-copy-source | Enables you to restrict the copy source to a specific bucket, a specific folder in the bucket, or a specific object in a bucket. | String |
s3:x-amz-grant-full-control | | String |
s3:x-amz-grant-read | | String |
s3:x-amz-grant-read-acp | | String |
s3:x-amz-grant-write | | String |
s3:x-amz-grant-write-acp | | String |
s3:x-amz-metadata-directive | Enables you to enforce certain behavior (COPY vs. REPLACE) when objects are uploaded. | String |
s3:x-amz-server-side-encryption | Enables you to require the user to specify this header in the request to ensure that objects the user uploads are encrypted when they are saved. | String |
s3:x-amz-server-side-encryption-aws-kms-key-id | | String |
s3:x-amz-storage-class | | String |
s3:x-amz-website-redirect-location | | String |