Amazon S3 policy actions
Note
This page is about Amazon S3 policy actions for general purpose buckets. To learn more about Amazon S3 policy actions for directory buckets, see Actions for S3 Express One Zone.
Amazon S3 defines a set of permissions that you can specify in a policy. To grant permissions to perform an S3 API operation, you must compose a valid policy (such as an S3 bucket policy or IAM identity-based policy), and specify corresponding actions in the Action element of the policy. These actions are called policy actions. The following shows the different types of mapping relationship between S3 API operations and the required policy actions.
One-to-one mapping with the same name. For example, to use the PutBucketPolicy API operation, the s3:PutBucketPolicy policy action is required.
One-to-one mapping with different names. For example, to use the ListObjectsV2 API operation, the s3:ListBucket policy action is required.
One-to-many mapping. For example, to use the HeadObject API operation, the s3:GetObject policy action is required. Also, when you use S3 Object Lock and want to get an object's Legal Hold status or retention settings, the corresponding s3:GetObjectLegalHold or s3:GetObjectRetention policy actions are also required before you can use the HeadObject API operation.
Many-to-one mapping. For example, to use the ListObjectsV2 or HeadBucket API operations, the s3:ListBucket policy action is required.
To compose a valid S3 bucket policy, apart from the Action element, you must also specify the Effect, Principal, and Resource elements. In addition, to have more granular control of S3 API operations, you can specify the Condition element.
To compose a valid IAM identity-based policy, apart from the Action element, you must also specify the Effect and Resource elements. A valid IAM identity-based policy doesn't include the Principal element.
For a full list of Amazon S3 policy actions, resources, and condition keys for use in policies, see Actions, resources, and condition keys for Amazon S3 in the Service Authorization Reference.
When you compose policies, you must specify the Resource element based on the correct resource type required by the corresponding Amazon S3 policy actions. This page categorizes permissions to S3 API operations by resource type.
For more information about the resource types, see Resource types defined by Amazon S3 in the Service Authorization Reference. For a complete list of Amazon S3 API operations, see Amazon S3 API Actions in the Amazon Simple Storage Service API Reference.
Bucket operations
Bucket operations are S3 API operations that operate on the bucket resource type. For example, CreateBucket, ListObjectsV2, and PutBucketPolicy. S3 policy actions for bucket operations require the Resource element in bucket policies or IAM identity-based policies to be the S3 bucket type Amazon Resource Name (ARN) identifier in the following example format.
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
The following bucket policy grants the user Akua with account 12345678901 the s3:ListBucket permission to perform the ListObjectsV2 API operation and list objects in an S3 bucket.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow Akua to list objects in the bucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-cn:iam::12345678901:user/Akua"
      },
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET"
    }
  ]
}
Bucket operations in access point policies
Permissions granted in an access point policy are effective only if the underlying bucket allows the same permissions. When you use S3 Access Points, you must delegate access control from the bucket to the access point or add the same permissions in the access point policies to the underlying bucket's policy. For more information, see Configuring IAM policies for using access points. In access point policies, S3 policy actions for bucket operations require you to use the accesspoint ARN for the Resource element in the following format.
"Resource": "arn:aws:s3:us-west-2:123456789012:accesspoint/DOC-EXAMPLE-ACCESS-POINT"
The following access point policy grants the user Akua with account 12345678901 the s3:ListBucket permission to perform the ListObjectsV2 API operation through the S3 access point DOC-EXAMPLE-ACCESS-POINT to list objects in the access point's associated bucket.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow Akua to list objects in the bucket through access point",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-cn:iam::12345678901:user/Akua"
      },
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws-cn:s3:us-west-2:123456789012:accesspoint/DOC-EXAMPLE-ACCESS-POINT"
    }
  ]
}
Note
Not all bucket operations are supported by S3 Access Point. For more information, see Access point compatibility with S3 operations.
Object operations
Object operations are S3 API operations that act upon the object resource type. For example, GetObject, PutObject, and DeleteObject. S3 policy actions for object operations require the Resource element in policies to be the S3 object ARN in the following example formats.
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/prefix/*"
Note
The object ARN must contain a forward slash after the bucket name, as seen in the previous examples.
The following bucket policy grants the user Akua with account 12345678901 the s3:PutObject permission to perform the PutObject API operation to upload objects to an S3 bucket.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow Akua to upload objects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-cn:iam::12345678901:user/Akua"
      },
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET/*"
    }
  ]
}
Object operations in access point policies
When you use S3 Access Points to control access to object operations, you can use access point policies. When you use access point policies, S3 policy actions for object operations require you to use the accesspoint ARN for the Resource element in the following format: arn:aws:s3:region:account-id:accesspoint/access-point-name/object/resource.
For object operations that use an access point, you must include the /object/ value after the whole access point ARN in the Resource element. Here are some examples.
"Resource": "arn:aws:s3:us-west-2:123456789012:accesspoint/DOC-EXAMPLE-ACCESS-POINT/object/*"
"Resource": "arn:aws:s3:us-west-2:123456789012:accesspoint/DOC-EXAMPLE-ACCESS-POINT/object/prefix/*"
The following access point policy grants the user Akua with account 12345678901 the s3:GetObject permission to perform the GetObject API operation through the access point DOC-EXAMPLE-ACCESS-POINT on all objects in the access point's associated bucket.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow Akua to get objects through access point",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-cn:iam::12345678901:user/Akua"
      },
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws-cn:s3:us-west-2:123456789012:accesspoint/DOC-EXAMPLE-ACCESS-POINT/object/*"
    }
  ]
}
Note
Not all object operations are supported by S3 Access Point. For more information, see Access point compatibility with S3 operations.
Access point operations
Access point operations are S3 API operations that operate on the accesspoint resource type. For example, CreateAccessPoint, DeleteAccessPoint, and GetAccessPointPolicy. S3 policy actions for access point operations can only be used in IAM identity-based policies, not in bucket policies or access point policies. Access point operations require the Resource element to be the accesspoint ARN in the following example format.
"Resource": "arn:aws-cn:s3:us-west-2:123456789012:accesspoint/DOC-EXAMPLE-ACCESS-POINT"
The following IAM identity-based policy grants the s3:GetAccessPointPolicy permission to perform the GetAccessPointPolicy API operation on S3 access point DOC-EXAMPLE-ACCESS-POINT.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Grant permission to retrieve the access point policy of access point DOC-EXAMPLE-ACCESS-POINT",
      "Effect": "Allow",
      "Action": [
        "s3:GetAccessPointPolicy"
      ],
      "Resource": "arn:aws-cn:s3:*:123456789012:accesspoint/DOC-EXAMPLE-ACCESS-POINT"
    }
  ]
}
When you use Access Points, to control access to bucket operations, see Bucket operations in access point policies; to control access to object operations, see Object operations in access point policies. For more information about how to configure access point policies, see Configuring IAM policies for using access points.
Object Lambda Access Point operations
For more information about how to configure policies for Object Lambda Access Point operations, see Configuring IAM policies for Object Lambda Access Points.
Multi-Region Access Point operations
For more information about how to configure policies for Multi-Region Access Point operations, see Multi-Region Access Point policy examples.
Batch job operations
S3 Batch Operations job operations are S3 API operations that operate on the job resource type. For example, DescribeJob and CreateJob. S3 policy actions for job operations can only be used in IAM identity-based policies, not in bucket policies. Also, job operations require the Resource element in IAM identity-based policies to be the job ARN in the following example format.
"Resource": "arn:aws:s3:*:123456789012:job/*"
The following IAM identity-based policy grants the s3:DescribeJob permission to perform the DescribeJob API operation on the S3 Batch Operations job DOC-EXAMPLE-JOB.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow describing the Batch operation job DOC-EXAMPLE-JOB",
      "Effect": "Allow",
      "Action": [
        "s3:DescribeJob"
      ],
      "Resource": "arn:aws-cn:s3:*:123456789012:job/DOC-EXAMPLE-JOB"
    }
  ]
}
S3 Storage Lens configuration operations
For more information about how to configure S3 Storage Lens configuration operations, see Amazon S3 Storage Lens permissions.
Account operations
Account operations are S3 API operations that operate on the account level. For example, GetPublicAccessBlock (for account). Account isn't a resource type defined by Amazon S3.
S3 policy actions for account operations can only be used in IAM identity-based policies, not in bucket policies. Also, account operations require the Resource element in IAM identity-based policies to be "*".
The following IAM identity-based policy grants the s3:GetAccountPublicAccessBlock permission to perform the account-level GetPublicAccessBlock API operation and retrieve the account-level Public Access Block settings.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow retrieving the account-level Public Access Block settings",
      "Effect": "Allow",
      "Action": [
        "s3:GetAccountPublicAccessBlock"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
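As an added example (not AWS code and not part of this page), the following Python checker applies the resource-type rules described above to a policy document before it is deployed: an action is looked up in a table of the resource type it requires, and each Resource entry is compared against the ARN shape for that type. The action table and ARN patterns cover only the actions and formats shown on this page, and BAD_POLICY is a constructed sample with the two mix-ups the page warns about.

```python
import json
import re

# Resource type each policy action requires, taken from the mappings on this page.
ACTION_RESOURCE_TYPE = {
    "s3:ListBucket": "bucket", "s3:PutBucketPolicy": "bucket",
    "s3:GetObject": "object", "s3:PutObject": "object", "s3:DeleteObject": "object",
    "s3:GetObjectLegalHold": "object", "s3:GetObjectRetention": "object",
    "s3:GetAccessPointPolicy": "accesspoint",
    "s3:DescribeJob": "job", "s3:CreateJob": "job",
    "s3:GetAccountPublicAccessBlock": "account",
}

# Accepted ARN shapes per resource type; in access point policies, bucket and object
# actions instead take the access point ARN (object actions need the /object/ segment).
_AP = r"^arn:aws[\w-]*:s3:[\w*-]+:\d{12}:accesspoint/[^/]+"
ARN_PATTERNS = {
    "bucket": [r"^arn:aws[\w-]*:s3:::[^/]+$", _AP + r"$"],
    "object": [r"^arn:aws[\w-]*:s3:::[^/]+/.+$", _AP + r"/object/.+$"],
    "accesspoint": [_AP + r"$"],
    "job": [r"^arn:aws[\w-]*:s3:[\w*-]+:\d{12}:job/.+$"],
    "account": [r"^\*$"],  # account-level actions take Resource "*" only
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def check_statement(statement):
    """Return (action, resource, problem) for each Resource entry whose ARN shape
    does not match the resource type that the action requires."""
    problems = []
    for action in _as_list(statement.get("Action", [])):
        rtype = ACTION_RESOURCE_TYPE.get(action)
        if rtype is None:
            problems.append((action, None, "action not in this page's table"))
            continue
        for res in _as_list(statement.get("Resource", [])):
            if not any(re.match(p, res) for p in ARN_PATTERNS[rtype]):
                problems.append((action, res, f"Resource must be of type {rtype}"))
    return problems

def check_policy(policy_json):
    """Check every statement of a policy document given as a JSON string."""
    return [p for s in json.loads(policy_json)["Statement"] for p in check_statement(s)]

# Constructed sample: a bucket action on an object ARN, and an object action on a
# bucket ARN that lacks the forward slash after the bucket name.
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"},
]})
```

Running check_policy over the page's own policies returns an empty list, while the two statements in BAD_POLICY are each reported with the resource type their action requires.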