Example directory bucket policies for S3 Express One Zone - Amazon Simple Storage Service

Example directory bucket policies for S3 Express One Zone

This section provides example directory bucket policies for use with the Amazon S3 Express One Zone storage class. To use these policies, replace the user input placeholders with your own information.

Example – Bucket policy to allow CreateSession calls with the default ReadWrite session

The following example bucket policy allows Amazon Web Services account ID 111122223333 to use the CreateSession API operation with the default ReadWrite session for the specified directory bucket. This policy grants access to the Zonal endpoint (object level) API operations.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteAccess",
            "Effect": "Allow",
            "Resource": "arn:aws-cn:s3express:us-west-2:account-id:bucket/bucket-base-name--azid--x-s3",
            "Principal": {
                "AWS": [
                    "111122223333"
                ]
            },
            "Action": [
                "s3express:CreateSession"
            ]
        }
    ]
}

Example – Bucket policy to allow CreateSession calls with a ReadOnly session

The following example bucket policy allows Amazon Web Services account ID 111122223333 to use the CreateSession API operation. This policy uses the s3express:SessionMode condition key with the ReadOnly value to set a read-only session.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "111122223333"
            },
            "Action": "s3express:CreateSession",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "s3express:SessionMode": "ReadOnly"
                }
            }
        }
    ]
}

Example – Bucket policy to allow cross-account access for CreateSession calls

The following example bucket policy allows Amazon Web Services account ID 111122223333 to use the CreateSession API operation for the specified directory bucket that's owned by Amazon Web Services account ID 444455556666.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CrossAccount",
            "Effect": "Allow",
            "Principal": {
                "AWS": "111122223333"
            },
            "Action": [
                "s3express:CreateSession"
            ],
            "Resource": "arn:aws-cn:s3express:us-west-2:444455556666:bucket/bucket-base-name--azid--x-s3"
        }
    ]
}
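
The following Python audit is an added example, not part of the AWS documentation. For each Allow statement that grants s3express:CreateSession, it reports the broadest session mode permitted, any principals outside the bucket owner's account, and whether the resource is a wildcard. The function name, the finding fields, and the choice of 111122223333 as bucket owner for the ReadOnly policy are assumptions made for illustration.

```python
import json
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_create_session(policy_text, bucket_owner):
    """Summarise each Allow statement that grants s3express:CreateSession.

    bucket_owner is the 12-digit account ID that owns the directory bucket.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_text)["Statement"]):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"s3express:createsession", "s3express:*", "*"}:
            continue
        # Unless a StringEquals condition pins s3express:SessionMode to ReadOnly,
        # the statement permits the default ReadWrite session.
        cond = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        modes = _as_list(cond.get("s3express:sessionmode", []))
        read_only = bool(modes) and all(m == "ReadOnly" for m in modes)
        # Principals may be bare account IDs or IAM ARNs; extract the account IDs.
        principal = stmt.get("Principal", {})
        raw = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        accounts = sorted({m for p in raw for m in (re.findall(r"\d{12}", p) or [p])})
        findings.append({
            "sid": stmt.get("Sid", ""),
            "session": "ReadOnly" if read_only else "ReadWrite",
            "external_accounts": [a for a in accounts if a != bucket_owner],
            "wildcard_resource": "*" in _as_list(stmt.get("Resource", [])),
        })
    return findings

# Sample input: the page's ReadOnly and cross-account policies, compacted.
READ_ONLY = '{"Version":"2012-10-17","Statement":[{"Sid":"ReadOnlyAccess","Effect":"Allow","Principal":{"AWS":"111122223333"},"Action":"s3express:CreateSession","Resource":"*","Condition":{"StringEquals":{"s3express:SessionMode":"ReadOnly"}}}]}'
CROSS_ACCOUNT = '{"Version":"2012-10-17","Statement":[{"Sid":"CrossAccount","Effect":"Allow","Principal":{"AWS":"111122223333"},"Action":["s3express:CreateSession"],"Resource":"arn:aws-cn:s3express:us-west-2:444455556666:bucket/bucket-base-name--azid--x-s3"}]}'

if __name__ == "__main__":
    # Owner of the ReadOnly policy's bucket is assumed; the page does not state it.
    for text, owner in ((READ_ONLY, "111122223333"), (CROSS_ACCOUNT, "444455556666")):
        print(audit_create_session(text, owner))
```

The cross-account policy is reported with a ReadWrite session because it carries no s3express:SessionMode condition, so review whether the external account needs write access.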