Actions, resources, and condition keys for Amazon S3 - Amazon Simple Storage Service
Amazon S3 (service prefix: s3) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon S3

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases a single action controls access to more than one operation, and some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If the column has no value, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, you can specify an ARN of that type in a statement that uses that action. Required resources are marked with an asterisk (*). If you specify a resource-level permission ARN in a statement that uses the action, it must be of this type. Some actions support multiple resource types; if a resource type is optional (not marked as required), you can choose to use one type and not the other.

Actions table. Each entry lists the action, its description, its access level, the resource types it accepts (* marks a required resource), and the condition keys it supports. The Dependent actions column of the original table is empty for every action on this page, so it is omitted from the entries below.

AbortMultipartUpload
    Description: Grants permission to abort a multipart upload
    Access level: Write
    Resource types: object*
    Condition keys: s3:DataAccessPointArn, s3:DataAccessPointAccount, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

BypassGovernanceRetention
    Description: Grants permission to allow circumvention of governance-mode object retention settings
    Access level: Permissions management
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:RequestObjectTag/<key>, s3:RequestObjectTagKeys, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-copy-source, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-metadata-directive, s3:x-amz-server-side-encryption, s3:x-amz-server-side-encryption-aws-kms-key-id, s3:x-amz-storage-class, s3:x-amz-website-redirect-location, s3:object-lock-mode, s3:object-lock-retain-until-date, s3:object-lock-remaining-retention-days, s3:object-lock-legal-hold

CreateAccessPoint
    Description: Grants permission to create a new access point
    Access level: Write
    Resource types: accesspoint*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:locationconstraint, s3:signatureAge, s3:signatureversion, s3:x-amz-acl, s3:x-amz-content-sha256

CreateBucket
    Description: Grants permission to create a new bucket
    Access level: Write
    Resource types: bucket*
    Condition keys: s3:authType, s3:locationconstraint, s3:signatureAge, s3:signatureversion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp

CreateJob
    Description: Grants permission to create a new Amazon S3 Batch Operations job
    Access level: Write
    Resource types: (none)
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256, s3:RequestJobPriority, s3:RequestJobOperation, aws:TagKeys, aws:RequestTag/${TagKey}

DeleteAccessPoint
    Description: Grants permission to delete the access point named in the URI
    Access level: Write
    Resource types: accesspoint*
    Condition keys: s3:DataAccessPointArn, s3:DataAccessPointAccount, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

DeleteAccessPointPolicy
    Description: Grants permission to delete the policy on a specified access point
    Access level: Permissions management
    Resource types: accesspoint*
    Condition keys: s3:DataAccessPointArn, s3:DataAccessPointAccount, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

DeleteBucket
    Description: Grants permission to delete the bucket named in the URI
    Access level: Write
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

DeleteBucketPolicy
    Description: Grants permission to delete the policy on a specified bucket
    Access level: Permissions management
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

DeleteBucketWebsite
    Description: Grants permission to remove the website configuration for a bucket
    Access level: Write
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

DeleteJobTagging
    Description: Grants permission to remove tags from an existing Amazon S3 Batch Operations job
    Access level: Tagging
    Resource types: job*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256, s3:ExistingJobPriority, s3:ExistingJobOperation

DeleteObject
    Description: Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object
    Access level: Write
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

DeleteObjectTagging
    Description: Grants permission to use the tagging subresource to remove the entire tag set from the specified object
    Access level: Tagging
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

DeleteObjectVersion
    Description: Grants permission to remove a specific version of an object
    Access level: Write
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256

DeleteObjectVersionTagging
    Description: Grants permission to remove the entire tag set for a specific version of an object
    Access level: Tagging
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256

DescribeJob
    Description: Grants permission to retrieve the configuration parameters and status of a Batch Operations job
    Access level: Read
    Resource types: job*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetAccelerateConfiguration
    Description: Grants permission to use the accelerate subresource to return the Transfer Acceleration state of a bucket, which is either Enabled or Suspended
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetAccessPoint
    Description: Grants permission to return configuration information about the specified access point
    Access level: Read
    Resource types: (none)
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetAccessPointPolicy
    Description: Grants permission to return the access point policy associated with the specified access point
    Access level: Read
    Resource types: accesspoint*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetAccessPointPolicyStatus
    Description: Grants permission to return the policy status for a specific access point policy
    Access level: Read
    Resource types: accesspoint*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetAccountPublicAccessBlock
    Description: Grants permission to retrieve the PublicAccessBlock configuration for an AWS account
    Access level: Read
    Resource types: (none)
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetAnalyticsConfiguration
    Description: Grants permission to get an analytics configuration from an Amazon S3 bucket, identified by the analytics configuration ID
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketAcl
    Description: Grants permission to use the acl subresource to return the access control list (ACL) of an Amazon S3 bucket
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketCORS
    Description: Grants permission to return the CORS configuration information set for an Amazon S3 bucket
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketLocation
    Description: Grants permission to return the Region that an Amazon S3 bucket resides in
    Access level: Read
    Resource types: bucket*
    Condition keys: (none)

GetBucketLogging
    Description: Grants permission to return the logging status of an Amazon S3 bucket and the permissions users have to view or modify that status
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketNotification
    Description: Grants permission to get the notification configuration of an Amazon S3 bucket
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketObjectLockConfiguration
    Description: Grants permission to get the Object Lock configuration of an Amazon S3 bucket
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion

GetBucketPolicy
    Description: Grants permission to return the policy of the specified bucket
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketPolicyStatus
    Description: Grants permission to retrieve the policy status for a specific Amazon S3 bucket, which indicates whether the bucket is public
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketPublicAccessBlock
    Description: Grants permission to retrieve the PublicAccessBlock configuration for an Amazon S3 bucket
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketRequestPayment
    Description: Grants permission to return the Request Payment configuration for an Amazon S3 bucket
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketTagging
    Description: Grants permission to return the tag set associated with an Amazon S3 bucket
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketVersioning
    Description: Grants permission to return the versioning state of an Amazon S3 bucket
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketWebsite
    Description: Grants permission to return the website configuration for an Amazon S3 bucket
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetEncryptionConfiguration
    Description: Grants permission to return the default encryption configuration of an Amazon S3 bucket
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetInventoryConfiguration
    Description: Grants permission to return an inventory configuration from an Amazon S3 bucket, identified by the inventory configuration ID
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetJobTagging
    Description: Grants permission to return the tag set of an existing Amazon S3 Batch Operations job
    Access level: Read
    Resource types: job*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetLifecycleConfiguration
    Description: Grants permission to return the lifecycle configuration information set on an Amazon S3 bucket
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetMetricsConfiguration
    Description: Grants permission to get a metrics configuration from an Amazon S3 bucket
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetObject
    Description: Grants permission to retrieve objects from Amazon S3
    Access level: Read
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetObjectAcl
    Description: Grants permission to return the access control list (ACL) of an object
    Access level: Read
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetObjectLegalHold
    Description: Grants permission to get an object's current Legal Hold status
    Access level: Read
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetObjectRetention
    Description: Grants permission to retrieve the retention settings of an object
    Access level: Read
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetObjectTagging
    Description: Grants permission to return the tag set of an object
    Access level: Read
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetObjectTorrent
    Description: Grants permission to return torrent files from an Amazon S3 bucket
    Access level: Read
    Resource types: object*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetObjectVersion
    Description: Grants permission to retrieve a specific version of an object
    Access level: Read
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256

GetObjectVersionAcl
    Description: Grants permission to return the access control list (ACL) of a specific object version
    Access level: Read
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256

GetObjectVersionForReplication
    Description: Grants permission to replicate both unencrypted objects and objects encrypted with SSE-S3 or SSE-KMS
    Access level: Read
    Resource types: object*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetObjectVersionTagging
    Description: Grants permission to return the tag set of a specific version of an object
    Access level: Read
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256

GetObjectVersionTorrent
    Description: Grants permission to get torrent files for a different version using the versionId subresource
    Access level: Read
    Resource types: object*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256

GetReplicationConfiguration
    Description: Grants permission to return the replication configuration information set on an Amazon S3 bucket
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ListAccessPoints
    Description: Grants permission to list access points
    Access level: Read
    Resource types: (none)
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ListAllMyBuckets
    Description: Grants permission to list all buckets owned by the authenticated sender of the request
    Access level: List
    Resource types: (none)
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ListBucket
    Description: Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000)
    Access level: List
    Resource types: bucket*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:delimiter, s3:max-keys, s3:prefix, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ListBucketMultipartUploads
    Description: Grants permission to list in-progress multipart uploads
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ListBucketVersions
    Description: Grants permission to list metadata about all the versions of objects in an Amazon S3 bucket
    Access level: Read
    Resource types: bucket*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:delimiter, s3:max-keys, s3:prefix, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ListJobs
    Description: Grants permission to list current jobs and jobs that have ended recently
    Access level: Read
    Resource types: (none)
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ListMultipartUploadParts
    Description: Grants permission to list the parts that have been uploaded for a specific multipart upload
    Access level: Read
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ObjectOwnerOverrideToBucketOwner
    Description: Grants permission to change replica ownership
    Access level: Permissions management
    Resource types: object*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutAccelerateConfiguration
    Description: Grants permission to use the accelerate subresource to set the Transfer Acceleration state of an existing S3 bucket
    Access level: Write
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutAccessPointPolicy
    Description: Grants permission to associate an access policy with a specified access point
    Access level: Permissions management
    Resource types: accesspoint*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutAccountPublicAccessBlock
    Description: Grants permission to create or modify the PublicAccessBlock configuration for an AWS account
    Access level: Permissions management
    Resource types: (none)
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutAnalyticsConfiguration
    Description: Grants permission to set an analytics configuration for the bucket, specified by the analytics configuration ID
    Access level: Write
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketAcl
    Description: Grants permission to set the permissions on an existing bucket using access control lists (ACLs)
    Access level: Permissions management
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp

PutBucketCORS
    Description: Grants permission to set the CORS configuration for an Amazon S3 bucket
    Access level: Write
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketLogging
    Description: Grants permission to set the logging parameters for an Amazon S3 bucket
    Access level: Write
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketNotification
    Description: Grants permission to receive notifications when certain events happen in an Amazon S3 bucket
    Access level: Write
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketObjectLockConfiguration
    Description: Grants permission to put an Object Lock configuration on a specific bucket
    Access level: Write
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion

PutBucketPolicy
    Description: Grants permission to add or replace a bucket policy on a bucket
    Access level: Permissions management
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketPublicAccessBlock
    Description: Grants permission to create or modify the PublicAccessBlock configuration for a specific Amazon S3 bucket
    Access level: Permissions management
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketRequestPayment
    Description: Grants permission to set the request payment configuration of a bucket
    Access level: Write
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketTagging
    Description: Grants permission to add a set of tags to an existing Amazon S3 bucket
    Access level: Tagging
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketVersioning
    Description: Grants permission to set the versioning state of an existing Amazon S3 bucket
    Access level: Write
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketWebsite
    Description: Grants permission to set the configuration of the website that is specified in the website subresource
    Access level: Write
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutEncryptionConfiguration
    Description: Grants permission to set the encryption configuration for an Amazon S3 bucket
    Access level: Write
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutInventoryConfiguration
    Description: Grants permission to add an inventory configuration to the bucket, identified by the inventory ID
    Access level: Write
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutJobTagging
    Description: Grants permission to replace the tags on an existing Amazon S3 Batch Operations job
    Access level: Tagging
    Resource types: job*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256, s3:ExistingJobPriority, s3:ExistingJobOperation, aws:TagKeys, aws:RequestTag/${TagKey}

PutLifecycleConfiguration
    Description: Grants permission to create a new lifecycle configuration for the bucket or replace an existing lifecycle configuration
    Access level: Write
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutMetricsConfiguration
    Description: Grants permission to set or update a metrics configuration for the CloudWatch request metrics from an Amazon S3 bucket
    Access level: Write
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutObject
    Description: Grants permission to add an object to a bucket
    Access level: Write
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:RequestObjectTag/<key>, s3:RequestObjectTagKeys, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-copy-source, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-metadata-directive, s3:x-amz-server-side-encryption, s3:x-amz-server-side-encryption-aws-kms-key-id, s3:x-amz-storage-class, s3:x-amz-website-redirect-location, s3:object-lock-mode, s3:object-lock-retain-until-date, s3:object-lock-remaining-retention-days, s3:object-lock-legal-hold

PutObjectAcl
    Description: Grants permission to set the access control list (ACL) permissions for an object that already exists in a bucket
    Access level: Permissions management
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-storage-class

PutObjectLegalHold
    Description: Grants permission to apply a Legal Hold configuration to the specified object
    Access level: Write
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256, s3:object-lock-legal-hold

PutObjectRetention
    Description: Grants permission to place an Object Retention configuration on an object
    Access level: Write
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256, s3:object-lock-mode, s3:object-lock-retain-until-date, s3:object-lock-remaining-retention-days

PutObjectTagging
    Description: Grants permission to set the supplied tag set on an object that already exists in a bucket
    Access level: Tagging
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:RequestObjectTag/<key>, s3:RequestObjectTagKeys, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutObjectVersionAcl
    Description: Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket
    Access level: Permissions management
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:versionid, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-storage-class

PutObjectVersionTagging
    Description: Grants permission to set the supplied tag set for a specific version of an object
    Access level: Tagging
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:RequestObjectTag/<key>, s3:RequestObjectTagKeys, s3:authType, s3:signatureAge, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256

PutReplicationConfiguration
    Description: Grants permission to create a new replication configuration or replace an existing one
    Access level: Write
    Resource types: bucket*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ReplicateDelete
    Description: Grants permission to replicate delete markers to the destination bucket
    Access level: Write
    Resource types: object*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ReplicateObject
    Description: Grants permission to replicate objects and object tags to the destination bucket
    Access level: Write
    Resource types: object*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256, s3:x-amz-server-side-encryption, s3:x-amz-server-side-encryption-aws-kms-key-id

ReplicateTags
    Description: Grants permission to replicate object tags to the destination bucket
    Access level: Tagging
    Resource types: object*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

RestoreObject
    Description: Grants permission to restore an archived copy of an object back into Amazon S3
    Access level: Write
    Resource types: object*
    Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

UpdateJobPriority
    Description: Grants permission to update the priority of an existing job
    Access level: Write
    Resource types: job*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256, s3:RequestJobPriority, s3:ExistingJobPriority, s3:ExistingJobOperation

UpdateJobStatus
    Description: Grants permission to update the status of the specified job
    Access level: Write
    Resource types: job*
    Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256, s3:ExistingJobPriority, s3:ExistingJobOperation, s3:JobSuspendedCause

Resource types defined by Amazon S3

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy; those keys appear in the last column of the table. No resource type on this page lists any condition keys.

accesspoint
    ARN: arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}
bucket
    ARN: arn:${Partition}:s3:::${BucketName}
object
    ARN: arn:${Partition}:s3:::${BucketName}/${ObjectName}
job
    ARN: arn:${Partition}:s3:${Region}:${Account}:job/${JobId}

Condition keys for Amazon S3

Amazon S3 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies.

To view the global condition keys that are available to all services, see Available global condition keys in the IAM Policy Reference: https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys

Each entry below gives the condition key, its type in parentheses, and its description.

aws:RequestTag/${TagKey} (String): Filters actions based on the tags that are passed in the request
aws:ResourceTag/${TagKey} (String): Filters actions based on the tags associated with the resource
aws:TagKeys (String): Filters actions based on the tag keys that are passed in the request
s3:AccessPointNetworkOrigin (String): Filters access by the network origin (Internet or VPC)
s3:DataAccessPointAccount (String): Filters access by the AWS account ID that owns the access point
s3:DataAccessPointArn (String): Filters access by the access point Amazon Resource Name (ARN)
s3:ExistingJobOperation (String): Filters access to updating the job priority by operation
s3:ExistingJobPriority (Numeric): Filters access to cancelling existing jobs by priority range
s3:ExistingObjectTag/<key> (String): Requires that an existing object tag has a specific tag key and value
s3:JobSuspendedCause (String): Filters access to cancelling suspended jobs by a specific job suspended cause (for example, AWAITING_CONFIRMATION)
s3:LocationConstraint (String): Filters access by a specific Region
s3:RequestJobOperation (String): Filters access to creating jobs by operation
s3:RequestJobPriority (Numeric): Filters access to creating new jobs by priority range
s3:RequestObjectTag/<key> (String): Restricts the tag keys and values allowed on objects
s3:RequestObjectTagKeys (String): Restricts the tag keys allowed on objects
s3:VersionId (String): Filters access by a specific object version
s3:authType (String): Restricts incoming requests to a specific authentication method
s3:delimiter (String): Requires the delimiter parameter
s3:locationconstraint (String): Filters access by a specific Region
s3:max-keys (Numeric): Limits the maximum number of keys returned in a ListBucket request
s3:object-lock-legal-hold (String): Enables enforcement of the specified object legal hold status
s3:object-lock-mode (String): Enables enforcement of the specified object retention mode (COMPLIANCE or GOVERNANCE)
s3:object-lock-remaining-retention-days (String): Enables enforcement of an object relative to the remaining retention days
s3:object-lock-retain-until-date (String): Enables enforcement of a specific retain-until date
s3:prefix (String): Filters access by key name prefix
s3:signatureAge (Numeric): Identifies the length of time, in milliseconds, that a signature is valid in an authenticated request
s3:signatureversion (String): Identifies the version of AWS Signature that is supported for authenticated requests
s3:versionid (String): Filters access by a specific object version
s3:x-amz-acl (String): Requires the x-amz-acl header with a specific canned ACL in a request
s3:x-amz-content-sha256 (String): Disallows unsigned content in your bucket
s3:x-amz-copy-source (String): Restricts the copy source to a specific bucket, prefix, or object
s3:x-amz-grant-full-control (String): Requires the x-amz-grant-full-control (full control) header in a request
s3:x-amz-grant-read (String): Requires the x-amz-grant-read (read access) header in a request
s3:x-amz-grant-read-acp (String): Requires the x-amz-grant-read-acp (read permissions for the ACL) header in a request
s3:x-amz-grant-write (String): Requires the x-amz-grant-write (write access) header in a request
s3:x-amz-grant-write-acp (String): Requires the x-amz-grant-write-acp (write permissions for the ACL) header in a request
s3:x-amz-metadata-directive (String): Enables enforcement of object metadata behavior (COPY or REPLACE) when objects are copied
s3:x-amz-server-side-encryption (String): Requires server-side encryption
s3:x-amz-server-side-encryption-aws-kms-key-id (String): Requires a specific AWS KMS customer managed CMK for server-side encryption
s3:x-amz-storage-class (String): Filters access by storage class
s3:x-amz-website-redirect-location (String): Filters access by a specific website redirect location for buckets that are configured as static websites
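As an added example (not code from the AWS reference or from any AWS SDK), the following Python model shows how the three tables above combine: it evaluates one identity-based policy that uses the s3:ListBucket and s3:PutObject actions, the bucket and object ARN formats from the resource-types table, and the s3:prefix, s3:x-amz-server-side-encryption, s3:x-amz-server-side-encryption-aws-kms-key-id and s3:x-amz-acl condition keys. The bucket name, prefix, account ID and KMS key ARN are constructed placeholders, and the evaluator is a deliberately simplified model of IAM (explicit Deny beats Allow, StringEquals and StringLike only), not the real policy engine.

```python
"""Simplified IAM evaluation of an S3 identity policy (added example, not AWS code).
Rules modelled: an explicit Deny beats any Allow; a request matching no statement
is implicitly denied; a Condition matches only if every key it names is present in
the request context with a matching value. Bucket name, prefix, account ID and KMS
key ARN are constructed placeholders, not values from the AWS reference.
"""
import fnmatch

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # ListBucket targets the bucket ARN; s3:prefix limits what can be listed
            "Effect": "Allow", "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-data-bucket",
            "Condition": {"StringLike": {"s3:prefix": ["team-a/*"]}}},
        {   # PutObject targets the object ARN; require SSE-KMS under one specific key
            "Effect": "Allow", "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-data-bucket/team-a/*",
            "Condition": {"StringEquals": {
                "s3:x-amz-server-side-encryption": "aws:kms",
                "s3:x-amz-server-side-encryption-aws-kms-key-id":
                    "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}},
        {   # Explicit Deny: no public canned ACL on any object in the bucket
            "Effect": "Deny", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": "arn:aws:s3:::example-data-bucket/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": [
                "public-read", "public-read-write", "authenticated-read"]}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, context):
    """Every key under every operator must match; a key absent from the request fails."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringLike":
                hit = any(fnmatch.fnmatchcase(actual, w) for w in _as_list(wanted))
            else:  # StringEquals is the only other operator this model supports
                hit = actual in _as_list(wanted)
            if not hit:
                return False
    return True

def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation
        decision = "Allow"
    return decision
```

A PutObject request carrying the two SSE-KMS headers returns Allow, the same request with x-amz-acl set to public-read returns Deny, and a request that omits the encryption headers falls through to ImplicitDeny.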