Amazon Identity and Access Management (IAM) for S3 Express One Zone
Amazon Identity and Access Management (IAM) is an Amazon Web Service that helps administrators securely control access to Amazon resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use Amazon S3 resources in S3 Express One Zone. You can use IAM for no additional charge.
By default, users don't have permissions for directory buckets and S3 Express One Zone operations. To grant access permissions for directory buckets, you can use IAM to create users, groups, or roles and attach permissions to those identities. For more information about IAM, see Security best practices in IAM in the IAM User Guide.
To provide access, you can add permissions to your users, groups, or roles through the following means:
- Users and groups in Amazon IAM Identity Center – Create a permission set. Follow the instructions in Create a permission set in the Amazon IAM Identity Center User Guide.
- Users managed in IAM through an identity provider – Create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.
- IAM roles and users – Create a role that your user can assume. Follow the instructions in Creating a role to delegate permissions to an IAM user in the IAM User Guide.
By default, directory buckets are private and can be accessed only by users who are explicitly granted access. The access control boundary for directory buckets is set only at the bucket level. In contrast, the access control boundary for general purpose buckets can be set at the bucket, prefix, or object tag level. This difference means that directory buckets are the only resource that you can include in bucket policies or IAM identity policies for S3 Express One Zone access.
With S3 Express One Zone, in addition to IAM authorization, you authenticate and authorize requests through a new session-based mechanism that's handled by the CreateSession API operation. You can use CreateSession to request temporary credentials that provide low-latency access to your bucket. These temporary credentials are scoped to a specific directory bucket: a session obtained for one bucket cannot be used against another.
To work with CreateSession, we recommend using the latest version of the Amazon SDKs or the Amazon Command Line Interface (Amazon CLI). The supported Amazon SDKs and the Amazon CLI handle session establishment, refreshment, and termination on your behalf.
You use session tokens only with Zonal (object-level) operations. This spreads the latency of authorization across the many requests in a session instead of paying it on every request. CopyObject and HeadBucket are the exceptions: they are Zonal operations, but they are authorized with your IAM credentials directly rather than with a session token (they still require the s3express:CreateSession permission). For Regional endpoint API operations (bucket-level operations), you use IAM authorization, which doesn't involve managing a session. For more information, see CreateSession authorization.
For more information about IAM for S3 Express One Zone, see the following topics.
Principals
When you create a resource-based policy to grant access to your buckets, you must use the Principal element to specify the person or application that can make a request for an action or operation on that resource. For directory bucket policies, you can use the following principals:
- An Amazon account
- An IAM user
- An IAM role
- A federated user
For more information, see Principal in the IAM User Guide.
Resources
Amazon Resource Names (ARNs) for directory buckets contain the s3express namespace, the Amazon Web Services Region, the Amazon account ID, and the directory bucket name, which includes the Availability Zone ID. To access and perform actions on your directory bucket, you must use the following ARN format:
arn:aws-cn:s3express:region:account-id:bucket/base-bucket-name--azid--x-s3
A policy statement whose Resource element names a general purpose bucket ARN (arn:aws-cn:s3:::bucket-name) never matches a directory bucket, so a misspelled or wrong-namespace ARN fails closed rather than granting access.
For more information about ARNs, see Amazon Resource Names (ARNs).
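As an added example that is not part of the original page, the following Python builds and validates ARNs of the shape shown above, so that a Resource element can be generated from its components and checked before it goes into a policy. The exact character classes in the regular expression, the cn-north-1 Region, the 123456789012 account ID, the bucket name and the cnn1-az1 Availability Zone ID are this example's assumptions.

```python
import re

# Directory-bucket ARN shape given on this page:
#   arn:<partition>:s3express:<region>:<account-id>:bucket/<base-name>--<az-id>--x-s3
# The exact character classes below are this example's assumption; the page only
# gives the overall shape. Account IDs are 12 digits; AZ IDs look like cnn1-az1.
_DIRECTORY_BUCKET_ARN = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)?):s3express:"
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):"
    r"(?P<account>\d{12}):"
    r"bucket/(?P<bucket>(?P<base>[a-z0-9][a-z0-9-]+)--(?P<azid>[a-z0-9]+-az\d+)--x-s3)$"
)


def parse_directory_bucket_arn(arn: str) -> dict:
    """Split a directory-bucket ARN into its parts, or raise ValueError.

    A general purpose bucket ARN (arn:aws-cn:s3:::name) is rejected: a statement
    written against it never matches a directory bucket.
    """
    match = _DIRECTORY_BUCKET_ARN.match(arn)
    if match is None:
        raise ValueError(f"not a directory-bucket ARN: {arn!r}")
    return match.groupdict()


def is_directory_bucket_arn(arn: str) -> bool:
    """True when the ARN has the s3express directory-bucket shape."""
    try:
        parse_directory_bucket_arn(arn)
    except ValueError:
        return False
    return True


def build_directory_bucket_arn(partition: str, region: str, account: str,
                               base_name: str, az_id: str) -> str:
    """Assemble the ARN for a policy Resource element and validate it round-trip."""
    arn = f"arn:{partition}:s3express:{region}:{account}:bucket/{base_name}--{az_id}--x-s3"
    parse_directory_bucket_arn(arn)  # raises if any component is malformed
    return arn


if __name__ == "__main__":
    # Placeholder Region, account ID and bucket name (constructed for this example).
    arn = build_directory_bucket_arn("aws-cn", "cn-north-1", "123456789012",
                                     "amzn-s3-demo-bucket", "cnn1-az1")
    parts = parse_directory_bucket_arn(arn)
    print(arn)
    print("Availability Zone ID:", parts["azid"])
    print("general purpose ARN accepted?",
          is_directory_bucket_arn("arn:aws-cn:s3:::amzn-s3-demo-bucket"))
```

The round-trip check in build_directory_bucket_arn is deliberate: the ARN is the only resource you can name in a directory-bucket policy, so generating it from components and immediately re-parsing it catches a missing --x-s3 suffix or an AZ ID typo before the policy is deployed.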
Actions for S3 Express One Zone
In an IAM identity-based policy or resource-based policy, you define which S3 actions are allowed or denied. S3 Express One Zone actions correspond to specific API operations. S3 Express One Zone has a unique IAM namespace, s3express, that is distinct from the standard s3 namespace for Amazon S3. Statements written against s3:* actions therefore don't apply to directory buckets, and a policy that grants only s3express actions grants nothing on general purpose buckets.
When you allow the s3express:CreateSession permission, the CreateSession API operation can retrieve session tokens for Zonal endpoint (object-level) API operations. The credentials returned with these session tokens grant access to all of the other Zonal endpoint API operations. As a result, you don't grant Zonal API operations individually in IAM policies; the session token enables access. Because this single action gates every object-level operation on the bucket, scope it deliberately: name only the buckets the principal needs in the Resource element, and use the s3express:SessionMode condition key to limit a principal to ReadOnly sessions when it doesn't need to write.
For more information about Zonal and Regional endpoint API operations, see Networking for S3 Express One Zone. To learn more about the CreateSession API operation, see CreateSession.
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation with the same name. However, in some cases, a single action controls access to more than one API operation; s3express:CreateSession is the prominent case, because it covers every Zonal operation. Access to bucket-level actions can be granted only in IAM identity-based policies (user or role), not in bucket policies.
Actions and condition keys for S3 Express One Zone

Action | API | Description | Access level
---|---|---|---
s3express:CreateBucket | CreateBucket | Grants permission to create a new bucket. | Write
s3express:CreateSession | CreateSession | Grants permission to create a session token, which is used for granting access to all Zonal (object-level) API operations, such as PutObject and ListObjectsV2. | Write
s3express:DeleteBucket | DeleteBucket | Grants permission to delete the bucket named in the URI. | Write
s3express:DeleteBucketPolicy | DeleteBucketPolicy | Grants permission to delete the policy on a specified bucket. | Permissions management
s3express:GetBucketPolicy | GetBucketPolicy | Grants permission to return the policy of the specified bucket. | Read
s3express:ListAllMyDirectoryBuckets | ListDirectoryBuckets | Grants permission to list all directory buckets owned by the authenticated sender of the request. | List
s3express:PutBucketPolicy | PutBucketPolicy | Grants permission to add or replace a bucket policy on a bucket. | Permissions management
Condition keys for S3 Express One Zone
S3 Express One Zone defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies.

Condition key | Description | Type
---|---|---
s3express:authType | Filters access by authentication method. To restrict incoming requests to use a specific authentication method, you can use this optional condition key. For example, you can use this condition key to allow only the HTTP Authorization header to be used for request authentication. Valid values: REST-HEADER, REST-QUERY-STRING. | String
s3express:LocationName | Filters access by the Availability Zone ID (the location) of the directory bucket. Example value: an Availability Zone ID such as cnn1-az1. | String
s3express:ResourceAccount | Filters access by the resource owner's Amazon Web Services account ID. To restrict user, role, or application access to the directory buckets that are owned by a specific Amazon Web Services account ID, you can use either the s3express:ResourceAccount or the aws:ResourceAccount condition key. Example value: 123456789012 (placeholder account ID). | String
s3express:SessionMode | Filters access by the permission requested by the CreateSession API operation (the session mode). Valid values: ReadOnly, ReadWrite. | String
s3express:signatureAge | Filters access by the age in milliseconds of the request signature. This condition works only for presigned URLs. In Amazon Signature Version 4, the signing key is valid for up to seven days. Therefore, the signatures are also valid for up to seven days. For more information, see Introduction to signing requests in the Amazon Simple Storage Service API Reference. You can use this condition to further limit the signature age. | Numeric
s3express:signatureversion | Identifies the version of Amazon Signature that you want to support for authenticated requests. For authenticated requests, S3 Express One Zone supports Signature Version 4. Valid value: AWS4-HMAC-SHA256. | String
s3express:TlsVersion | Filters access by the TLS version that's used by the client. You can use the s3express:TlsVersion condition key with a numeric condition operator (for example, NumericLessThan) to deny requests that use a TLS version lower than the one you require. Example value: 1.2. | Numeric
s3express:x-amz-content-sha256 | Filters access by unsigned content in your bucket. You can use this condition key to disallow unsigned content in your bucket. When you use Signature Version 4 for requests that use the UNSIGNED-PAYLOAD value for the x-amz-content-sha256 header, the request payload is not signed. You can use this condition key in your bucket policy to deny any uploads where the payloads aren't signed. Valid value: UNSIGNED-PAYLOAD. | String
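The following Python is an added example, not code from the original page or from Amazon. It assembles an identity policy that uses three of the keys above (s3express:SessionMode to allow only ReadOnly sessions, s3express:TlsVersion to deny old TLS, and s3express:x-amz-content-sha256 to deny unsigned payloads) and runs a small, deliberately simplified local evaluator over constructed request contexts to show how the conditions combine under IAM's explicit-deny-wins rule. The bucket ARN, account ID and Region are placeholders; the evaluator supports only the two condition operators the policy uses, ignores Principal, policy variables, NotAction and IfExists operators, and is not a substitute for the IAM policy simulator.

```python
import fnmatch

# Placeholder directory-bucket ARN (Region, account and bucket name are constructed).
BUCKET_ARN = "arn:aws-cn:s3express:cn-north-1:123456789012:bucket/amzn-s3-demo-bucket--cnn1-az1--x-s3"

# Identity policy constructed for this example. CreateSession is the single gate to
# every object-level operation, so the Allow is narrowed to ReadOnly sessions and two
# explicit Deny statements enforce transport and payload-signing requirements.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadOnlySessions",
            "Effect": "Allow",
            "Action": "s3express:CreateSession",
            "Resource": BUCKET_ARN,
            "Condition": {"StringEquals": {"s3express:SessionMode": "ReadOnly"}},
        },
        {
            "Sid": "DenyOldTls",
            "Effect": "Deny",
            "Action": "s3express:*",
            "Resource": BUCKET_ARN,
            "Condition": {"NumericLessThan": {"s3express:TlsVersion": "1.2"}},
        },
        {
            "Sid": "DenyUnsignedPayloads",
            "Effect": "Deny",
            "Action": "s3express:CreateSession",
            "Resource": BUCKET_ARN,
            "Condition": {"StringEquals": {"s3express:x-amz-content-sha256": "UNSIGNED-PAYLOAD"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """All operator blocks and all keys in them must hold (IAM ANDs them).

    A key that is absent from the request context makes a plain (non-IfExists)
    condition evaluate to false, which is the IAM behaviour this mirrors.
    """
    for operator, keys in condition.items():
        for key, expected in keys.items():
            if key not in ctx:
                return False
            actual, allowed = ctx[key], _as_list(expected)
            if operator == "StringEquals":
                if str(actual) not in [str(a) for a in allowed]:
                    return False
            elif operator == "NumericLessThan":
                if not any(float(actual) < float(a) for a in allowed):
                    return False
            else:  # only the operators used by POLICY are modelled here
                raise NotImplementedError(operator)
    return True


def _statement_matches(stmt: dict, action: str, resource: str, ctx: dict) -> bool:
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), ctx)


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request against one policy."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed request contexts: what a CreateSession call would present to IAM.
    good = {"s3express:SessionMode": "ReadOnly", "s3express:TlsVersion": 1.3}
    write = {"s3express:SessionMode": "ReadWrite", "s3express:TlsVersion": 1.3}
    old_tls = {"s3express:SessionMode": "ReadOnly", "s3express:TlsVersion": 1.1}
    for name, ctx in [("read-only", good), ("read-write", write), ("tls1.1", old_tls)]:
        print(name, "->", evaluate(POLICY, "s3express:CreateSession", BUCKET_ARN, ctx))
```

Note the asymmetry the example makes visible: a ReadWrite session request is not explicitly denied, it simply fails to match the Allow and is implicitly denied, whereas the TLS and unsigned-payload cases hit explicit Deny statements that would override any broader Allow attached elsewhere to the same principal.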
How API operations are authorized and authenticated
The following table lists authorization and authentication information for S3 Express One Zone API operations. For each API operation, the table shows the API operation name, the endpoint type (Regional or Zonal, which determines whether the request is authorized directly with IAM or through a session), the IAM action that must be granted, and whether cross-account access is supported. Access to bucket-level actions can be granted only in IAM identity-based policies (user or role), not bucket policies.

API | Endpoint type | IAM action | Cross-account access
---|---|---|---
CreateBucket | Regional | s3express:CreateBucket | No
DeleteBucket | Regional | s3express:DeleteBucket | No
ListDirectoryBuckets | Regional | s3express:ListAllMyDirectoryBuckets | No
PutBucketPolicy | Regional | s3express:PutBucketPolicy | No
GetBucketPolicy | Regional | s3express:GetBucketPolicy | No
DeleteBucketPolicy | Regional | s3express:DeleteBucketPolicy | No
CreateSession | Zonal | s3express:CreateSession | Yes
CopyObject | Zonal | s3express:CreateSession | Yes
DeleteObject | Zonal | s3express:CreateSession | Yes
DeleteObjects | Zonal | s3express:CreateSession | Yes
HeadObject | Zonal | s3express:CreateSession | Yes
PutObject | Zonal | s3express:CreateSession | Yes
GetObjectAttributes | Zonal | s3express:CreateSession | Yes
ListObjectsV2 | Zonal | s3express:CreateSession | Yes
HeadBucket | Zonal | s3express:CreateSession | Yes
CreateMultipartUpload | Zonal | s3express:CreateSession | Yes
UploadPart | Zonal | s3express:CreateSession | Yes
UploadPartCopy | Zonal | s3express:CreateSession | Yes
CompleteMultipartUpload | Zonal | s3express:CreateSession | Yes
AbortMultipartUpload | Zonal | s3express:CreateSession | Yes
ListParts | Zonal | s3express:CreateSession | Yes
ListMultipartUploads | Zonal | s3express:CreateSession | Yes