Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Identity and Access Management (IAM) for S3 Express One Zone

Amazon Identity and Access Management (IAM) is an Amazon Web Service that helps administrators securely control access to Amazon resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use Amazon S3 resources in S3 Express One Zone. You can use IAM for no additional charge.

By default, users don't have permissions for directory buckets and S3 Express One Zone operations. To grant access permissions for directory buckets, you can use IAM to create users, groups, or roles and attach permissions to those identities. For more information about IAM, see Security best practices in IAM in the IAM User Guide.

To provide access, you can add permissions to your users, groups, or roles through the following means:

By default, directory buckets are private and can be accessed only by users who are explicitly granted access. The access control boundary for directory buckets is set only at the bucket level. In contrast, the access control boundary for general purpose buckets can be set at the bucket, prefix, or object tag level. This difference means that directory buckets are the only resource that you can include in bucket policies or IAM identity policies for S3 Express One Zone access.

With S3 Express One Zone, in addition to IAM authorization, you authenticate and authorize requests through a new session-based mechanism that's handled by the CreateSession API operation. You can use CreateSession to request temporary credentials that provide low-latency access to your bucket. These temporary credentials are scoped to a specific directory bucket.

To work with CreateSession, we recommend using the latest version of the Amazon SDKs or using the Amazon Command Line Interface (Amazon CLI). The supported Amazon SDKs and the Amazon CLI handle session establishment, refreshment, and termination on your behalf.

You use session tokens with only Zonal (object-level) operations (except for CopyObject and HeadBucket) to distribute the latency that’s associated with authorization over a number of requests in a session. For Regional endpoint API operations (bucket-level operations), you use IAM authorization, which doesn’t involve managing a session. For more information, see Amazon Identity and Access Management (IAM) for S3 Express One Zone and CreateSession authorization.

For more information about IAM for S3 Express One Zone, see the following topics.

Principals

When you create a resource-based policy to grant access to your buckets, you must use the Principal element to specify the person or application that can make a request for an action or operation on that resource. For directory bucket policies, you can use the following principals:

For more information, see Principal in the IAM User Guide.

Resources

Amazon Resource Names (ARNs) for directory buckets contain the s3express namespace, the Amazon Web Services Region, the Amazon account ID, and the directory bucket name, which includes the Availability Zone ID. To access and perform actions on your directory bucket, you must use the following ARN format:

arn:aws-cn:s3express:region:account-id:bucket/base-bucket-name--azid--x-s3

For more information about ARNs, see Amazon Resource Names (ARNs) in the IAM User Guide. For more information about resources, see IAM JSON Policy Elements: Resource in the IAM User Guide.

Actions for S3 Express One Zone

In an IAM identity-based policy or resource-based policy, you define which S3 actions are allowed or denied. S3 Express One Zone actions correspond to specific API operations. S3 Express One Zone has a unique IAM namespace that is distinct from the standard namespace for Amazon S3. This namespace is s3express.

When you allow the s3express:CreateSession permission, this enables the CreateSession API operation to retrieve session tokens when accessing Zonal endpoint API (or object level) operations . These session tokens return credentials that are used to grant access to all of the other Zonal endpoint API operations. As a result, you don't have to grant access permissions to Zonal API operations by using IAM policies. Instead, the session token enables access.

For more information about Zonal and Regional endpoint API operations, see Networking for S3 Express One Zone. To learn more about the CreateSession API operation, see CreateSession in the Amazon Simple Storage Service API Reference.

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation with the same name. However, in some cases, a single action controls access to more than one API operation. Access to bucket-level actions can be granted in only IAM identity-based policies (user or role) and not bucket policies.

Condition keys for S3 Express One Zone

S3 Express One Zone defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies.

How API operations are authorized and authenticated

The following table lists authorization and authentication information for S3 Express One Zone API operations. For each API operation, the table shows the API operation name, IAM action, endpoint type (Regional or Zonal), and authorization mechanism (IAM or session-based). This table also indicates where cross-account access is supported. Access to bucket-level actions can be granted only in IAM identity-based policies (user or role), not bucket policies.