IAM identity-based policies for S3 Express One Zone
Before you can create directory buckets or use the Amazon S3 Express One Zone storage class, you must grant the necessary permissions to your Amazon Identity and Access Management (IAM) role or users. The following example policy allows the CreateSession API operation (which is used with the Zonal endpoint, object-level, API operations) and all of the Regional endpoint (bucket-level) API operations. The policy allows CreateSession for use with all directory buckets, but it allows the Regional endpoint API operations only for the specified directory bucket, because that statement's Resource is the ARN of a single directory bucket rather than a wildcard. To use this example policy, replace the user input placeholders (region, account_id, bucket-base-name, and azid) with your own information.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccessRegionalEndpointAPIs",
            "Effect": "Allow",
            "Action": [
                "s3express:DeleteBucket",
                "s3express:DeleteBucketPolicy",
                "s3express:CreateBucket",
                "s3express:PutBucketPolicy",
                "s3express:GetBucketPolicy",
                "s3express:ListAllMyDirectoryBuckets"
            ],
            "Resource": "arn:aws-cn:s3express:region:account_id:bucket/bucket-base-name--azid--x-s3/*"
        },
        {
            "Sid": "AllowCreateSession",
            "Effect": "Allow",
            "Action": "s3express:CreateSession",
            "Resource": "*"
        }
    ]
}
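To confirm that the two statements scope the way the text describes, the following is an added Python example; it is not code from the Amazon S3 documentation. It builds the same two-statement policy from the four placeholder values, assembling the directory bucket name as bucket-base-name--azid--x-s3 and the bucket ARN as arn:aws-cn:s3express:region:account_id:bucket/that-name, and then evaluates sample requests against it with a deliberately simplified matcher (Allow statements only; real IAM evaluation also applies Deny statements, Condition blocks and resource-based policies). The region, account ID, AZ ID and bucket base name are constructed sample values, and the base-name character check is the example's own. The example scopes the Regional endpoint statement to the bucket ARN itself, which is the resource that bucket-level actions are evaluated against; under IAM wildcard rules a pattern ending in /* requires that literal slash, and the matcher shows that such a pattern does not match the bare bucket ARN.

```python
"""Build and sanity-check an S3 Express One Zone identity-based policy.

Added example, not code from the AWS documentation. It mirrors the
two-statement policy above and evaluates sample requests against it with a
deliberately simplified matcher: Allow statements only, no Deny, Condition
or resource-policy logic.
"""
import json
import re

PARTITION = "aws-cn"  # the partition used in the ARNs on this page

# Constructed sample values standing in for the placeholders (not real IDs).
SAMPLE_REGION = "cn-north-1"
SAMPLE_ACCOUNT_ID = "111122223333"
SAMPLE_BASE_NAME = "app-data"
SAMPLE_AZ_ID = "cnn1-az1"

# Example's own check: lowercase letters, digits and hyphens only.
_BASE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]*[a-z0-9]$")

REGIONAL_ENDPOINT_ACTIONS = [
    "s3express:DeleteBucket",
    "s3express:DeleteBucketPolicy",
    "s3express:CreateBucket",
    "s3express:PutBucketPolicy",
    "s3express:GetBucketPolicy",
    "s3express:ListAllMyDirectoryBuckets",
]


def directory_bucket_name(base_name: str, az_id: str) -> str:
    """Directory bucket names are <base>--<azid>--x-s3; the suffix is mandatory."""
    if not _BASE_NAME_RE.match(base_name):
        raise ValueError(f"base name must be lowercase letters, digits, hyphens: {base_name!r}")
    return f"{base_name}--{az_id}--x-s3"


def bucket_arn(region: str, account_id: str, bucket_name: str) -> str:
    """ARN of a directory bucket; bucket-level actions are evaluated against this."""
    return f"arn:{PARTITION}:s3express:{region}:{account_id}:bucket/{bucket_name}"


def build_policy(region: str, account_id: str, base_name: str, az_id: str) -> dict:
    """The two-statement policy: bucket-scoped Regional actions, unscoped CreateSession."""
    name = directory_bucket_name(base_name, az_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAccessRegionalEndpointAPIs",
                "Effect": "Allow",
                "Action": list(REGIONAL_ENDPOINT_ACTIONS),
                "Resource": bucket_arn(region, account_id, name),
            },
            {
                "Sid": "AllowCreateSession",
                "Effect": "Allow",
                "Action": "s3express:CreateSession",
                "Resource": "*",
            },
        ],
    }


def iam_glob_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style matching: '*' is any run of characters (possibly empty), '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation: True if any Allow statement matches action and resource."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
        if any(iam_glob_match(a, action, ignore_case=True) for a in actions) and any(
            iam_glob_match(r, resource) for r in resources
        ):
            return True
    return False


if __name__ == "__main__":
    policy = build_policy(SAMPLE_REGION, SAMPLE_ACCOUNT_ID, SAMPLE_BASE_NAME, SAMPLE_AZ_ID)
    print(json.dumps(policy, indent=4))
    own = bucket_arn(SAMPLE_REGION, SAMPLE_ACCOUNT_ID, "app-data--cnn1-az1--x-s3")
    other = bucket_arn(SAMPLE_REGION, SAMPLE_ACCOUNT_ID, "other-data--cnn1-az1--x-s3")
    print("CreateSession on another bucket:", is_allowed(policy, "s3express:CreateSession", other))
    print("DeleteBucket on another bucket: ", is_allowed(policy, "s3express:DeleteBucket", other))
    print("DeleteBucket on own bucket:     ", is_allowed(policy, "s3express:DeleteBucket", own))
```

Running the script prints the generated policy and then the three checks: CreateSession is allowed on a bucket the policy never names, while DeleteBucket is allowed only on the specified bucket. Swap the sample constants for your own values and paste the printed JSON into the IAM role or user policy.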