IAM identity-based policies for S3 Express One Zone - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM identity-based policies for S3 Express One Zone

Before you can create directory buckets or use Amazon S3 Express One Zone storage class, you must grant the necessary permissions to your Amazon Identity and Access Management (IAM) role or users. This example policy allows access to the CreateSession API operation (for use with Zonal endpoint [object level] API operations) and all of the Regional endpoint (bucket-level) API operations. This policy allows the CreateSession API operation for use with all directory buckets, but the Regional endpoint API operations are allowed only for use with the specified directory bucket. To use this example policy, replace the user input placeholders with your own information.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowAccessRegionalEndpointAPIs", "Effect": "Allow", "Action": [ "s3express:DeleteBucket", "s3express:DeleteBucketPolicy", "s3express:CreateBucket", "s3express:PutBucketPolicy", "s3express:GetBucketPolicy", "s3express:ListAllMyDirectoryBuckets" ], "Resource": "arn:aws-cn:s3express:region:account_id:bucket/bucket-base-name--azid--x-s3/*" }, { "Sid": "AllowCreateSession", "Effect": "Allow", "Action": "s3express:CreateSession", "Resource": "*" } ] }