Actions, resources, and condition keys for Amazon S3 - Amazon Simple Storage Service
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China.

Amazon S3 (service prefix: s3) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon S3

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases a single action controls access to more than one operation, and some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, it must be of this type. Some actions support multiple resource types. If a resource type is optional (not indicated as required), you can choose to use one type but not the other.

| Action | Description | Access level | Resource types (* required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AbortMultipartUpload | Grants permission to abort a multipart upload | Write | object* | s3:DataAccessPointArn, s3:DataAccessPointAccount, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| BypassGovernanceRetention | Grants permission to allow circumvention of governance-mode object retention settings | Permissions management | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:RequestObjectTag/<key>, s3:RequestObjectTagKeys, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-copy-source, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-metadata-directive, s3:x-amz-server-side-encryption, s3:x-amz-server-side-encryption-aws-kms-key-id, s3:x-amz-storage-class, s3:x-amz-website-redirect-location, s3:object-lock-mode, s3:object-lock-retain-until-date, s3:object-lock-remaining-retention-days, s3:object-lock-legal-hold | |
| CreateAccessPoint | Grants permission to create a new access point | Write | accesspoint* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:locationconstraint, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-acl, s3:x-amz-content-sha256 | |
| CreateAccessPointForObjectLambda | Grants permission to create an object lambda access point | Write | objectlambdaaccesspoint* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| CreateBucket | Grants permission to create a new bucket | Write | bucket* | s3:authType, s3:locationconstraint, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp | |
| CreateJob | Grants permission to create a new Amazon S3 Batch Operations job | Write | | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, s3:RequestJobPriority, s3:RequestJobOperation, aws:TagKeys, aws:RequestTag/${TagKey} | iam:PassRole |
| DeleteAccessPoint | Grants permission to delete the access point named in the URI | Write | accesspoint* | s3:DataAccessPointArn, s3:DataAccessPointAccount, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| DeleteAccessPointForObjectLambda | Grants permission to delete the object lambda access point named in the URI | Write | objectlambdaaccesspoint* | s3:DataAccessPointArn, s3:DataAccessPointAccount, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| DeleteAccessPointPolicy | Grants permission to delete the policy on a specified access point | Permissions management | accesspoint* | s3:DataAccessPointArn, s3:DataAccessPointAccount, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| DeleteAccessPointPolicyForObjectLambda | Grants permission to delete the policy on a specified object lambda access point | Permissions management | objectlambdaaccesspoint* | s3:DataAccessPointArn, s3:DataAccessPointAccount, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| DeleteBucket | Grants permission to delete the bucket named in the URI | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| DeleteBucketOwnershipControls | Grants permission to delete ownership controls on a bucket | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| DeleteBucketPolicy | Grants permission to delete the policy on a specified bucket | Permissions management | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| DeleteBucketWebsite | Grants permission to remove the website configuration for a bucket | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| DeleteJobTagging | Grants permission to remove tags from an existing Amazon S3 Batch Operations job | Tagging | job* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, s3:ExistingJobPriority, s3:ExistingJobOperation | |
| DeleteObject | Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object | Write | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| DeleteObjectTagging | Grants permission to use the tagging subresource to remove the entire tag set from the specified object | Tagging | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| DeleteObjectVersion | Grants permission to remove a specific version of an object | Write | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:versionid, s3:x-amz-content-sha256 | |
| DeleteObjectVersionTagging | Grants permission to remove the entire tag set for a specific version of the object | Tagging | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:versionid, s3:x-amz-content-sha256 | |
| DeleteStorageLensConfiguration | Grants permission to delete an existing Amazon S3 Storage Lens configuration | Write | storagelensconfiguration* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| DeleteStorageLensConfigurationTagging | Grants permission to remove tags from an existing Amazon S3 Storage Lens configuration | Tagging | storagelensconfiguration* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| DescribeJob | Grants permission to retrieve the configuration parameters and status for a batch operations job | Read | job* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetAccelerateConfiguration | Grants permission to use the accelerate subresource to return the Transfer Acceleration state of a bucket, which is either Enabled or Suspended | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetAccessPoint | Grants permission to return configuration information about the specified access point | Read | | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetAccessPointConfigurationForObjectLambda | Grants permission to retrieve the configuration of the object lambda access point | Read | objectlambdaaccesspoint* | s3:DataAccessPointArn, s3:DataAccessPointAccount, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetAccessPointForObjectLambda | Grants permission to create an object lambda access point | Read | objectlambdaaccesspoint* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetAccessPointPolicy | Grants permission to return the access point policy associated with the specified access point | Read | accesspoint* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetAccessPointPolicyForObjectLambda | Grants permission to return the access point policy associated with the specified object lambda access point | Read | objectlambdaaccesspoint* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetAccessPointPolicyStatus | Grants permission to return the policy status for a specific access point policy | Read | accesspoint* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetAccessPointPolicyStatusForObjectLambda | Grants permission to return the policy status for a specific object lambda access point policy | Read | objectlambdaaccesspoint* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetAccountPublicAccessBlock | Grants permission to retrieve the PublicAccessBlock configuration for an Amazon Web Services account | Read | | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetAnalyticsConfiguration | Grants permission to get an analytics configuration from an Amazon S3 bucket, identified by the analytics configuration ID | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetBucketAcl | Grants permission to use the acl subresource to return the access control list (ACL) of an Amazon S3 bucket | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetBucketCORS | Grants permission to return the CORS configuration information set for an Amazon S3 bucket | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetBucketLocation | Grants permission to return the Region that an Amazon S3 bucket resides in | Read | bucket* | | |
| GetBucketLogging | Grants permission to return the logging status of an Amazon S3 bucket and the permissions users have to view or modify that status | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetBucketNotification | Grants permission to get the notification configuration of an Amazon S3 bucket | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetBucketObjectLockConfiguration | Grants permission to get the Object Lock configuration of an Amazon S3 bucket | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion | |
| GetBucketOwnershipControls | Grants permission to retrieve ownership controls on a bucket | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetBucketPolicy | Grants permission to return the policy of the specified bucket | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetBucketPolicyStatus | Grants permission to retrieve the policy status for a specific Amazon S3 bucket, which indicates whether the bucket is public | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetBucketPublicAccessBlock | Grants permission to retrieve the PublicAccessBlock configuration for an Amazon S3 bucket | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetBucketRequestPayment | Grants permission to return the request payment configuration for an Amazon S3 bucket | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetBucketTagging | Grants permission to return the tag set associated with an Amazon S3 bucket | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetBucketVersioning | Grants permission to return the versioning state of an Amazon S3 bucket | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetBucketWebsite | Grants permission to return the website configuration for an Amazon S3 bucket | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetEncryptionConfiguration | Grants permission to return the default encryption configuration of an Amazon S3 bucket | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetIntelligentTieringConfiguration | Grants permission to get or list all Amazon S3 Intelligent Tiering configurations in an S3 bucket | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetInventoryConfiguration | Grants permission to return an inventory configuration from an Amazon S3 bucket, identified by the inventory configuration ID | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetJobTagging | Grants permission to return the tag set of an existing Amazon S3 Batch Operations job | Read | job* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetLifecycleConfiguration | Grants permission to return the lifecycle configuration information set on an Amazon S3 bucket | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetMetricsConfiguration | Grants permission to get a metrics configuration from an Amazon S3 bucket | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetObject | Grants permission to retrieve objects from Amazon S3 | Read | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetObjectAcl | Grants permission to return the access control list (ACL) of an object | Read | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetObjectLegalHold | Grants permission to get an object's current legal hold status | Read | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetObjectRetention | Grants permission to retrieve the retention settings for an object | Read | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetObjectTagging | Grants permission to return the tag set of an object | Read | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetObjectVersion | Grants permission to retrieve a specific version of an object | Read | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:versionid, s3:x-amz-content-sha256 | |
| GetObjectVersionAcl | Grants permission to return the access control list (ACL) of a specific object version | Read | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:versionid, s3:x-amz-content-sha256 | |
| GetObjectVersionForReplication | Grants permission to replicate both unencrypted objects and objects encrypted with SSE-S3 or SSE-KMS | Read | object* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetObjectVersionTagging | Grants permission to return the tag set for a specific version of the object | Read | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:versionid, s3:x-amz-content-sha256 | |
| GetReplicationConfiguration | Grants permission to get the replication configuration information set on an Amazon S3 bucket | Read | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetStorageLensConfiguration | Grants permission to get an Amazon S3 Storage Lens configuration | Read | storagelensconfiguration* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetStorageLensConfigurationTagging | Grants permission to get the tag set of an existing Amazon S3 Storage Lens configuration | Read | storagelensconfiguration* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| GetStorageLensDashboard | Grants permission to get an Amazon S3 Storage Lens dashboard | Read | storagelensconfiguration* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| ListAccessPoints | Grants permission to list access points | Read | | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| ListAccessPointsForObjectLambda | Grants permission to list object lambda access points | Read | | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| ListAllMyBuckets | Grants permission to list all buckets owned by the authenticated sender of the request | List | | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| ListBucket | Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000) | List | bucket* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:delimiter, s3:max-keys, s3:prefix, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| ListBucketMultipartUploads | Grants permission to list in-progress multipart uploads | List | bucket* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| ListBucketVersions | Grants permission to list metadata about all the versions of objects in an Amazon S3 bucket | List | bucket* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:delimiter, s3:max-keys, s3:prefix, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| ListJobs | Grants permission to list current jobs and jobs that have ended recently | List | | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| ListMultipartUploadParts | Grants permission to list the parts that have been uploaded for a specific multipart upload | List | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| ListStorageLensConfigurations | Grants permission to list Amazon S3 Storage Lens configurations | List | | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| ObjectOwnerOverrideToBucketOwner | Grants permission to change replica ownership | Permissions management | object* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutAccelerateConfiguration | Grants permission to use the accelerate subresource to set the Transfer Acceleration state of an existing S3 bucket | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutAccessPointConfigurationForObjectLambda | Grants permission to set the configuration of the object lambda access point | Write | objectlambdaaccesspoint* | s3:DataAccessPointArn, s3:DataAccessPointAccount, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutAccessPointPolicy | Grants permission to associate an access policy with a specified access point | Permissions management | accesspoint* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutAccessPointPolicyForObjectLambda | Grants permission to associate an access policy with a specified object lambda access point | Permissions management | objectlambdaaccesspoint* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutAccountPublicAccessBlock | Grants permission to create or modify the PublicAccessBlock configuration for an Amazon Web Services account | Permissions management | | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutAnalyticsConfiguration | Grants permission to set an analytics configuration for the bucket, specified by the analytics configuration ID | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutBucketAcl | Grants permission to set the permissions on an existing bucket using access control lists (ACLs) | Permissions management | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp | |
| PutBucketCORS | Grants permission to set the CORS configuration for an Amazon S3 bucket | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutBucketLogging | Grants permission to set the logging parameters for an Amazon S3 bucket | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutBucketNotification | Grants permission to receive notifications when certain events happen in an Amazon S3 bucket | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutBucketObjectLockConfiguration | Grants permission to put Object Lock configuration on a specific bucket | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:TlsVersion, s3:signatureversion | |
| PutBucketOwnershipControls | Grants permission to add or replace ownership controls on a bucket | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutBucketPolicy | Grants permission to add or replace a bucket policy on a bucket | Permissions management | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutBucketPublicAccessBlock | Grants permission to create or modify the PublicAccessBlock configuration for a specific Amazon S3 bucket | Permissions management | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutBucketRequestPayment | Grants permission to set the request payment configuration of a bucket | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutBucketTagging | Grants permission to add a set of tags to an existing Amazon S3 bucket | Tagging | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutBucketVersioning | Grants permission to set the versioning state of an existing Amazon S3 bucket | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutBucketWebsite | Grants permission to set the configuration of the website that is specified in the website subresource | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutEncryptionConfiguration | Grants permission to set the encryption configuration for an Amazon S3 bucket | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutIntelligentTieringConfiguration | Grants permission to create a new Amazon S3 Intelligent Tiering configuration, or to update or remove an existing one | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutInventoryConfiguration | Grants permission to add an inventory configuration to the bucket, identified by the inventory ID | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutJobTagging | Grants permission to replace tags on an existing Amazon S3 Batch Operations job | Tagging | job* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, s3:ExistingJobPriority, s3:ExistingJobOperation, aws:TagKeys, aws:RequestTag/${TagKey} | |
| PutLifecycleConfiguration | Grants permission to create a new lifecycle configuration for the bucket or replace an existing one | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutMetricsConfiguration | Grants permission to set or update a metrics configuration for the CloudWatch request metrics from an Amazon S3 bucket | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutObject | Grants permission to add an object to a bucket | Write | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:RequestObjectTag/<key>, s3:RequestObjectTagKeys, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-copy-source, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-metadata-directive, s3:x-amz-server-side-encryption, s3:x-amz-server-side-encryption-aws-kms-key-id, s3:x-amz-storage-class, s3:x-amz-website-redirect-location, s3:object-lock-mode, s3:object-lock-retain-until-date, s3:object-lock-remaining-retention-days, s3:object-lock-legal-hold | |
| PutObjectAcl | Grants permission to set the access control list (ACL) permissions for new or existing objects in an S3 bucket | Permissions management | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-storage-class | |
| PutObjectLegalHold | Grants permission to apply a legal hold configuration to the specified object | Write | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, s3:object-lock-legal-hold | |
| PutObjectRetention | Grants permission to place an object retention configuration on an object | Write | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, s3:object-lock-mode, s3:object-lock-retain-until-date, s3:object-lock-remaining-retention-days | |
| PutObjectTagging | Grants permission to set the supplied tag set on an object that already exists in a bucket | Tagging | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:RequestObjectTag/<key>, s3:RequestObjectTagKeys, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| PutObjectVersionAcl | Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket | Permissions management | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:versionid, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-storage-class | |
| PutObjectVersionTagging | Grants permission to set the supplied tag set for a specific version of an object | Tagging | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:RequestObjectTag/<key>, s3:RequestObjectTagKeys, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:versionid, s3:x-amz-content-sha256 | |
| PutReplicationConfiguration | Grants permission to create a new replication configuration or replace an existing one | Write | bucket* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | iam:PassRole |
| PutStorageLensConfiguration | Grants permission to create or update an Amazon S3 Storage Lens configuration | Write | | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:TagKeys, aws:RequestTag/${TagKey} | |
| PutStorageLensConfigurationTagging | Grants permission to put or replace tags on an existing Amazon S3 Storage Lens configuration | Tagging | storagelensconfiguration* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:TagKeys, aws:RequestTag/${TagKey} | |
| ReplicateDelete | Grants permission to replicate delete markers to the destination bucket | Write | object* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| ReplicateObject | Grants permission to replicate objects and object tags to the destination bucket | Write | object* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, s3:x-amz-server-side-encryption, s3:x-amz-server-side-encryption-aws-kms-key-id | |
| ReplicateTags | Grants permission to replicate object tags to the destination bucket | Tagging | object* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| RestoreObject | Grants permission to restore an archived copy of an object back into Amazon S3 | Write | object* | s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256 | |
| UpdateJobPriority | Grants permission to update the priority of an existing job | Write | job* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, s3:RequestJobPriority, s3:ExistingJobPriority, s3:ExistingJobOperation | |
| UpdateJobStatus | Grants permission to update the status for the specified job | Write | job* | s3:authType, s3:ResourceAccount, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, s3:ExistingJobPriority, s3:ExistingJobOperation, s3:JobSuspendedCause | |

Resource types defined by Amazon S3

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table.

| Resource type | ARN | Condition keys |
|---|---|---|
| accesspoint | arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName} | |
| bucket | arn:${Partition}:s3:::${BucketName} | |
| object | arn:${Partition}:s3:::${BucketName}/${ObjectName} | |
| job | arn:${Partition}:s3:${Region}:${Account}:job/${JobId} | |
| storagelensconfiguration | arn:${Partition}:s3:${Region}:${Account}:storage-lens/${ConfigId} | aws:ResourceTag/${TagKey} |
| objectlambdaaccesspoint | arn:${Partition}:s3-object-lambda:${Region}:${Account}:accesspoint/${AccessPointName} | |
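The two rules above (an action with an empty Resource types column must be granted with Resource "*"; an action with a required type must be granted on an ARN of that type, otherwise the statement never matches) can be checked mechanically. The following Python linter is an added example, not AWS tooling or code from this page: its action table is a hand-copied subset of the Actions table, its ARN classifier follows the ARN formats in the resource types table, and the function names and the sample policy are constructed for this example.

```python
"""Lint the S3 statements of an IAM policy against the resource-type rule
from the actions table above (added example, not AWS tooling)."""
import fnmatch

# Hand-copied subset of the actions table: action -> required resource type,
# or None when the Resource types column is empty (Resource must then be "*").
ACTION_RESOURCE = {
    "ListAllMyBuckets": None,
    "CreateJob": None,
    "GetAccountPublicAccessBlock": None,
    "ListBucket": "bucket",
    "GetBucketPolicy": "bucket",
    "GetObject": "object",
    "GetObjectVersion": "object",
    "PutObject": "object",
    "GetAccessPointPolicy": "accesspoint",
    "DescribeJob": "job",
    "GetStorageLensConfiguration": "storagelensconfiguration",
    "GetAccessPointPolicyForObjectLambda": "objectlambdaaccesspoint",
}
# Resource-part prefixes of the ARN formats that carry Region and Account.
PREFIX_TYPE = {"accesspoint": "accesspoint", "job": "job",
               "storage-lens": "storagelensconfiguration"}


def resource_types(arn):
    """Resource types (per the resource types table) that a Resource entry can
    match.  An IAM '*' also spans '/', so arn:aws:s3:::name* covers objects
    as well as the bucket, which matters for least privilege."""
    if arn == "*":
        return set(ACTION_RESOURCE.values()) - {None}
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return set()
    _, _, service, region, account, res = parts
    if service == "s3-object-lambda":   # arn:${Partition}:s3-object-lambda:...:accesspoint/...
        return {"objectlambdaaccesspoint"} if res == "*" or res.startswith("accesspoint/") else set()
    if service != "s3":
        return set()
    if region == "" and account == "":  # arn:${Partition}:s3:::${BucketName}[/${ObjectName}]
        if "/" in res:
            return {"object"}
        return {"bucket", "object"} if res.endswith("*") else {"bucket"}
    prefix = res.split("/", 1)[0]       # arn:${Partition}:s3:${Region}:${Account}:<prefix>/...
    if prefix == "*":
        return set(PREFIX_TYPE.values())
    return {PREFIX_TYPE[prefix]} if prefix in PREFIX_TYPE else set()


def expand_actions(action_field):
    """Expand an Action element (string or list, IAM wildcards allowed) to the
    S3 action names in ACTION_RESOURCE; other services are ignored."""
    actions = [action_field] if isinstance(action_field, str) else list(action_field)
    names = set()
    for entry in actions:
        service, _, pattern = entry.partition(":")
        if service.lower() == "s3":
            names.update(n for n in ACTION_RESOURCE
                         if fnmatch.fnmatchcase(n.lower(), pattern.lower()))
    return sorted(names)


def lint_statement(stmt):
    """One finding per action that the statement's Resource list can never
    satisfy: such a grant silently does nothing."""
    findings = []
    sid = stmt.get("Sid", "<no Sid>")
    res_field = stmt.get("Resource", [])
    resources = [res_field] if isinstance(res_field, str) else list(res_field)
    for name in expand_actions(stmt.get("Action", [])):
        needed = ACTION_RESOURCE[name]
        if needed is None:
            if resources != ["*"]:
                findings.append(f'{sid}: s3:{name} has no resource type; Resource must be "*"')
        elif not any(needed in resource_types(r) for r in resources):
            findings.append(f"{sid}: s3:{name} requires a {needed} ARN but none of {resources} is one")
    return findings


def lint_policy(policy):
    stmts = policy["Statement"]
    return [f for s in ([stmts] if isinstance(stmts, dict) else stmts) for f in lint_statement(s)]


# Constructed sample: two classic mistakes, then the corrected statement.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadObjects", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-data/*"},                    # ListBucket needs the bucket ARN
    {"Sid": "Jobs", "Effect": "Allow", "Action": ["s3:CreateJob", "s3:DescribeJob"],
     "Resource": "arn:aws:s3:us-east-1:111122223333:job/*"},        # CreateJob takes no resource type
    {"Sid": "ReadObjectsFixed", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"]},
]}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Running it reports the ListBucket grant that only names an object ARN and the CreateJob grant scoped to a job ARN, while the corrected statement with both the bucket and the object ARN passes.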

Condition keys for Amazon S3

Amazon S3 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition key | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the tags that are passed in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String |
| aws:TagKeys | Filters actions based on the tag keys that are passed in the request | String |
| s3:AccessPointNetworkOrigin | Filters access by the network origin (Internet or VPC) | String |
| s3:DataAccessPointAccount | Filters access by the Amazon Web Services account ID that owns the access point | String |
| s3:DataAccessPointArn | Filters access by an access point Amazon Resource Name (ARN) | String |
| s3:ExistingJobOperation | Filters access to updating the job priority by operation | String |
| s3:ExistingJobPriority | Filters access to cancelling existing jobs by priority range | Numeric |
| s3:ExistingObjectTag/<key> | Filters access by existing object tag key and value | String |
| s3:JobSuspendedCause | Filters access to cancelling suspended jobs by a specific job suspended cause (for example, AWAITING_CONFIRMATION) | String |
| s3:LocationConstraint | Filters access by a specific Region | String |
| s3:RequestJobOperation | Filters access to creating jobs by operation | String |
| s3:RequestJobPriority | Filters access to creating new jobs by priority range | Numeric |
| s3:RequestObjectTag/<key> | Filters access by the tag keys and values to be added to objects | String |
| s3:RequestObjectTagKeys | Filters access by the tag keys to be added to objects | String |
| s3:ResourceAccount | Filters access by the resource owner Amazon Web Services account ID | String |
| s3:TlsVersion | Filters access by the TLS version used by the client | Numeric |
| s3:VersionId | Filters access by a specific object version | String |
| s3:authType | Filters access by authentication method | String |
| s3:delimiter | Filters access by the delimiter parameter | String |
| s3:locationconstraint | Filters access by a specific Region | String |
| s3:max-keys | Filters access by the maximum number of keys returned in a ListBucket request | Numeric |
| s3:object-lock-legal-hold | Filters access by object legal hold status | String |
| s3:object-lock-mode | Filters access by object retention mode (COMPLIANCE or GOVERNANCE) | String |
| s3:object-lock-remaining-retention-days | Filters access by remaining object retention days | String |
| s3:object-lock-retain-until-date | Filters access by object retain-until date | String |
| s3:prefix | Filters access by key name prefix | String |
| s3:signatureAge | Filters access by the age of the request signature, in milliseconds | Numeric |
| s3:signatureversion | Filters access by the version of Amazon Signature used on the request | String |
| s3:versionid | Filters access by a specific object version | String |
| s3:x-amz-acl | Filters access by the canned ACL in the request's x-amz-acl header | String |
| s3:x-amz-content-sha256 | Filters access to unsigned content in your bucket | String |
| s3:x-amz-copy-source | Filters access to requests with a specific bucket, prefix, or object as the copy source | String |
| s3:x-amz-grant-full-control | Filters access to requests with the x-amz-grant-full-control (full control) header | String |
| s3:x-amz-grant-read | Filters access to requests with the x-amz-grant-read (read access) header | String |
| s3:x-amz-grant-read-acp | Filters access to requests with the x-amz-grant-read-acp (read permissions for the ACL) header | String |
| s3:x-amz-grant-write | Filters access to requests with the x-amz-grant-write (write access) header | String |
| s3:x-amz-grant-write-acp | Filters access to requests with the x-amz-grant-write-acp (write permissions for the ACL) header | String |
| s3:x-amz-metadata-directive | Filters access by object metadata behavior (COPY or REPLACE) when objects are copied | String |
| s3:x-amz-server-side-encryption | Filters access by server-side encryption | String |
| s3:x-amz-server-side-encryption-aws-kms-key-id | Filters access by the Amazon KMS customer managed CMK used for server-side encryption | String |
| s3:x-amz-storage-class | Filters access by storage class | String |
| s3:x-amz-website-redirect-location | Filters access by a specific website redirect location for buckets that are configured as static websites | String |