Granting permissions for Batch Operations - Amazon Simple Storage Service

Granting permissions for Batch Operations

Before creating and running S3 Batch Operations jobs, you must grant required permissions. To create an Amazon S3 Batch Operations job, the s3:CreateJob user permission is required. The same entity that creates the job must also have the iam:PassRole permission to pass the Amazon Identity and Access Management (IAM) role that's specified for the job to Batch Operations.

The following sections provide information about creating an IAM role and attaching policies. For general information about specifying IAM resources, see IAM JSON policy elements: Resource in the IAM User Guide.

Creating an S3 Batch Operations IAM role

Amazon S3 must have permissions to perform S3 Batch Operations on your behalf. You grant these permissions through an Amazon Identity and Access Management (IAM) role. When you create an S3 Batch Operations job, you specify the IAM role that you want the job to use. This can be an existing IAM role. Or, if you use the Amazon S3 console to create the job, it can be an IAM role that Amazon S3 creates for you.

If you choose to let Amazon S3 create the IAM role for you, it automatically creates and attaches trust and permissions policies to the role. The trust policy allows the S3 Batch Operations service principal (batchoperations.s3.amazonaws.com) to assume the role. The permissions policy is an Amazon managed policy that includes all the requisite actions for running the job, based on the settings that you specify for the job. For example, if you configure a job to copy objects from one bucket to another bucket in your Amazon Web Services account, the permissions policy allows actions such as s3:GetObject and s3:PutObject. You can review the trust and permissions policies for the role before you submit the job. This option is available only if you use the Amazon S3 console to create a job. After you submit the job, the IAM role persists in your account. You can then use it again for subsequent jobs that perform the same operation, or delete it when the job finishes running.

Note

You can choose to let Amazon S3 create the IAM role for you for jobs that use an S3 generated object list with filters, or jobs that use an object list based on a replication configuration.

If you prefer to create the IAM role manually, the policy examples in this section can help you create the role. For more information about creating and configuring roles, see IAM roles in the IAM User Guide. For additional examples, see Controlling permissions for Batch Operations using job tags and Copying objects using S3 Batch Operations.

In your IAM policies, you can also use condition keys to filter access permissions for S3 Batch Operations jobs. For more information and a complete list of condition keys that are specific to Amazon S3, see Actions, resources, and condition keys for Amazon S3 in the Service Authorization Reference.

For more information about permissions for S3 API operations by S3 resource type, see Required permissions for Amazon S3 API operations.

Trust policy

To allow the S3 Batch Operations service principal to assume the IAM role, attach the following trust policy to the role.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "batchoperations.s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Attaching permissions policies

Depending on the type of operation, attach one of the following policies to the role.

Before you configure permissions, note the following:

  • Regardless of the operation, Amazon S3 needs permissions to read your manifest object from your S3 bucket and optionally write a report to your bucket. Therefore, all of the following policies include these permissions.

  • For Amazon S3 Inventory report manifests, S3 Batch Operations requires permission to read the manifest.json object and all associated CSV data files.

  • Version-specific permissions such as s3:GetObjectVersion are only required when you are specifying the version ID of the objects.

  • If you are running S3 Batch Operations on encrypted objects, the IAM role must also have access to the Amazon KMS keys used to encrypt them.

  • If you submit an inventory report manifest that's encrypted with Amazon KMS, your IAM policy must include the permissions "kms:Decrypt" and "kms:GenerateDataKey" for the manifest.json object and all associated CSV data files.

  • If the Batch Operations job generates a manifest in a bucket that has access control lists (ACLs) enabled and is in a different Amazon Web Services account, you must grant the s3:PutObjectAcl permission in the IAM policy of the IAM role configured for the batch job. If you don't include this permission, the batch job fails with the error Error occurred when preparing manifest: Failed to write manifest.

Copy objects: PutObject

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging"],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
    },
    {
      "Action": ["s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:ListBucket"],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-source-bucket",
        "arn:aws:s3:::amzn-s3-demo-source-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Replace object tagging: PutObjectTagging

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObjectTagging", "s3:PutObjectVersionTagging"],
      "Resource": "arn:aws-cn:s3:::amzn-s3-demo-destination-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws-cn:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws-cn:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Delete object tagging: DeleteObjectTagging

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:DeleteObjectTagging", "s3:DeleteObjectVersionTagging"],
      "Resource": ["arn:aws-cn:s3:::amzn-s3-demo-destination-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws-cn:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws-cn:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Replace access control list: PutObjectAcl

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObjectAcl", "s3:PutObjectVersionAcl"],
      "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Restore objects: RestoreObject

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:RestoreObject"],
      "Resource": "arn:aws-cn:s3:::amzn-s3-demo-destination-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws-cn:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws-cn:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Apply Object Lock retention: PutObjectRetention

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetBucketObjectLockConfiguration",
      "Resource": ["arn:aws-cn:s3:::amzn-s3-demo-destination-bucket"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObjectRetention", "s3:BypassGovernanceRetention"],
      "Resource": ["arn:aws-cn:s3:::amzn-s3-demo-destination-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws-cn:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws-cn:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Apply Object Lock legal hold: PutObjectLegalHold

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetBucketObjectLockConfiguration",
      "Resource": ["arn:aws:s3:::amzn-s3-demo-destination-bucket"]
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObjectLegalHold",
      "Resource": ["arn:aws:s3:::amzn-s3-demo-destination-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Replicate existing objects: InitiateReplication with an S3 generated manifest

Use this policy if you're using an S3 generated manifest and storing it in a bucket of your own. For more information about using Batch Operations to replicate existing objects, see Replicating existing objects with Batch Replication.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:InitiateReplication"],
      "Effect": "Allow",
      "Resource": ["arn:aws-cn:s3:::amzn-s3-demo-source-bucket/*"]
    },
    {
      "Action": ["s3:GetReplicationConfiguration", "s3:PutInventoryConfiguration"],
      "Effect": "Allow",
      "Resource": ["arn:aws-cn:s3:::amzn-s3-demo-source-bucket"]
    },
    {
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Effect": "Allow",
      "Resource": ["arn:aws-cn:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": [
        "arn:aws-cn:s3:::amzn-s3-demo-completion-report-bucket/*",
        "arn:aws-cn:s3:::amzn-s3-demo-manifest-bucket/*"
      ]
    }
  ]
}

Replicate existing objects: InitiateReplication with a user manifest

Use this policy if you're using a user-supplied manifest. For more information about using Batch Operations to replicate existing objects, see Replicating existing objects with Batch Replication.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:InitiateReplication"],
      "Effect": "Allow",
      "Resource": ["arn:aws-cn:s3:::amzn-s3-demo-source-bucket/*"]
    },
    {
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Effect": "Allow",
      "Resource": ["arn:aws-cn:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws-cn:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Compute checksum: Allow GetObject, GetObjectVersion, RestoreObject, and PutObject

Use this policy if you're using the Compute checksum operation with S3 Batch Operations. Permissions for GetObject, GetObjectVersion, and RestoreObject are required to obtain and read the bytes of the stored data. Replace the user input placeholders with your own information. For more information about Compute checksum, see Checking object integrity for data at rest in Amazon S3.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:RestoreObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket1/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket2/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket3/*"]
    }
  ]
}