Principals Resources Actions for directory buckets Condition keys for directory buckets

Authorizing Regional endpoint API operations with IAM

Amazon Identity and Access Management (IAM) is an Amazon Web Services service that helps administrators securely control access to Amazon resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use Amazon S3 resources in S3 Express One Zone. You can use IAM for no additional charge.

By default, users don't have permissions for directory buckets and S3 Express One Zone operations. To grant access permissions for directory buckets, you can use IAM to create users, groups, or roles and attach permissions to those identities. For more information about IAM, see Security best practices in IAM in the IAM User Guide.

To provide access, you can add permissions to your users, groups, or roles through the following means:

Users and groups in Amazon IAM Identity Center – Create a permission set. Follow the instructions in Create a permission set in the Amazon IAM Identity Center User Guide.
Users managed in IAM through an identity provider – Create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.
IAM roles and users – Create a role that your user can assume. Follow the instructions in Creating a role to delegate permissions to an IAM user in the IAM User Guide.

For more information about IAM for S3 Express One Zone, see the following topics.

Topics

Principals

When you create a resource-based policy to grant access to your buckets, you must use the Principal element to specify the person or application that can make a request for an action or operation on that resource. For directory bucket policies, you can use the following principals:

An Amazon account
An IAM user
An IAM role
A federated user

For more information, see Principal in the IAM User Guide.

Resources

Amazon Resource Names (ARNs) for directory buckets contain the s3express namespace, the Amazon Web Services Region, the Amazon account ID, and the directory bucket name, which includes the Availability Zone ID. To access and perform actions on your directory bucket, you must use the following ARN format:


arn:aws-cn:s3express:region:account-id:bucket/base-bucket-name--zone-id--x-s3

For more information about ARNs, see Amazon Resource Names (ARNs) in the IAM User Guide. For more information about resources, see IAM JSON Policy Elements: Resource in the IAM User Guide.

Actions for directory buckets

In an IAM identity-based policy or resource-based policy, you define which S3 actions are allowed or denied. Actions correspond to specific API operations. When using directory buckets, you can use the S3 Express One Zone namespace to grant permissions. This namespace is s3express.

When you allow the s3express:CreateSession permission, this enables the CreateSession API operation to retrieve session tokens when accessing Zonal endpoint API (or object level) operations. These session tokens return credentials that are used to grant access to all of the other Zonal endpoint API operations. As a result, you don't have to grant access permissions to Zonal API operations by using IAM policies. Instead, the session token enables access. For the list of Zonal endpoint API operations and permissions, see Authenticating and authorizing requests.

For more information about Zonal and Regional endpoint API operations, see Networking for directory buckets. To learn more about the CreateSession API operation, see CreateSession in the Amazon Simple Storage Service API Reference.

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation with the same name. However, in some cases, a single action controls access to more than one API operation. Access to bucket-level actions can be granted in only IAM identity-based policies (user or role) and not bucket policies.

Note

If you want to use access points for directory buckets to control access to bucket or object operations, note the following:

For using access points to control access to bucket operations, see Bucket operations in policies for access points for directory buckets.
For using access points to control access to object operations, see Object operations in policies for access points for directory buckets.
For more information about how to configure access point policies, see Configuring IAM policies for using access points for directory buckets.

The following table shows actions and condition keys.

Action	API	Description	Access level	Condition keys
`s3express:CreateBucket`	`CreateBucket`	Grants permission to create a new bucket.	Write	`s3express:authType` `s3express:LocationName` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256`
`s3express:CreateSession`	Zonal endpoint API operations	Grants permission to create a session token, which is used for granting access to all Zonal (object-level) API operations, such as `CopyObject`,`PutObject`, `GetObject`, `HeadBucket` and so on.	Write	`s3express:authType` `s3express:SessionMode` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:signatureAge` `s3express:TlsVersion` `s3express:x-amz-content-sha256` `s3express:x-amz-server-side-encryption` `s3express:x-amz-server-side-encryption-aws-kms-key-id`
`s3express:DeleteBucket`	`DeleteBucket`	Grants permission to delete the bucket named in the URI.	Write	`s3express:authType` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256`
`s3express:DeleteBucketPolicy`	`DeleteBucketPolicy`	Grants permission to delete the policy on a specified bucket.	Permissions management	`s3express:authType` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256`
`s3express:GetBucketPolicy`	`GetBucketPolicy`	Grants permission to return the policy of the specified bucket.	Read	`s3express:authType` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256`
`s3express:GetEncryptionConfiguration`	`GetBucketEncryption`	Grants permission to return the default encryption configuration of a directory bucket.	Read	`s3express:authType` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256`
`s3express:ListAllMyDirectoryBuckets`	`ListDirectoryBuckets`	Grants permission to list all directory buckets owned by the authenticated sender of the request.	List	`s3express:authType` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256`
`s3express:PutBucketPolicy`	`PutBucketPolicy`	Grants permission to add or replace a bucket policy on a bucket.	Permissions management	`s3express:authType` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256`
`s3express:PutBucketPolicy`	`PutBucketPolicy`	Grants permission to add or replace a bucket policy on a bucket.	Permissions management	`s3express:authType` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256`
`s3express:PutEncryptionConfiguration`	`PutBucketEncryption` or `DeleteBucketEncryption`	Grants permission to set the encryption configuration for a directory bucket	Write	`s3express:authType` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256`
`s3express:CreateAccessPoint`	`CreateAccessPoint`	Grants permission to create an access point associated with an directory bucket.	Write	s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:LocationName s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256
`s3express:ListAccessPointsForDirectoryBuckets`	`ListAccessPointsForDirectoryBuckets`	Grants permission to list access points.	List	s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256
`s3express:GetAccessPoint`	`GetAccessPoint`	Grants permission to return configuration information about the specified access point.	Read	s3express:DataAccessPointAccount s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256
`s3express:DeleteAccessPoint`	`DeleteAccessPoint`	Grants permission to delete the access point named in the URI.	Write	s3express:DataAccessPointAccount s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256
`s3express:DeleteAccessPointPolicy`	`DeleteAccessPointPolicy`	Grants access to delete the policy on a specified access point.	Permissions management	s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256
`s3express:GetAccessPointPolicy`	`GetAccessPointPolicy`	Grants permission to return the access point policy associated with the specified access point.	Read	s3express:DataAccessPointAccount s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256
`s3express:PutAccessPointPolicy`	`PutAccessPointPolicy`	Grants permission to associate an access point policy with a specified access point.	Permissions management	s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256
`s3express:DeleteAccessPointScope`	`DeleteAccessPointScope`	Grants permission to delete the scope configuration on a specified access point.	Permissions management	s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256
`s3express:GetAccessPointScope`	`GetAccessPointScope`	Grants permission to return the scope configuration associated with the specified access point.	Read	s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256
`s3express:PutAccessPointScope`	`PutAccessPointScope`	Grants permission to associate an access point with a specified access point scope configuration.	Permissions management	s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256

Condition keys for directory buckets

The following are condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies.

Condition key	Description	Typs
`s3express:authType`	Filters access by authentication method. To restrict incoming requests to use a specific authentication method, you can use this optional condition key. For example, you can use this condition key to allow only the HTTP `Authorization` header to be used in request authentication. Valid values: `REST-HEADER`, `REST-QUERY-STRING`	String
`s3express:LocationName`	Filters access to the `CreateBucket` API operation by a specific Availability Zone ID (AZ ID), for example, `usw2-az1`. Example value: `usw2-az1`	String
`s3express:ResourceAccount`	Filters access by the resource owner's Amazon Web Services account ID. To restrict user, role, or application access to the directory buckets that are owned by a specific Amazon Web Services account ID, you can use either the `aws:ResourceAccount` or `s3express:ResourceAccount` condition key. You can use this condition key in either Amazon Identity and Access Management (IAM) identity policies or virtual private cloud (VPC) endpoint policies. For example, you can use this condition key to restrict clients within your VPC from accessing buckets that you don't own. Example value: `111122223333`	String
`s3express:SessionMode`	Filters access by the permission requested by the `CreateSession` API operation. By default, the session is `ReadWrite`. You can use this condition key to limit access to `ReadOnly` or to explicitly deny `ReadWrite` access. For more information, see Example bucket policies for directory buckets and CreateSession in the Amazon Simple Storage Service API Reference. Valid values: `ReadWrite`, `ReadOnly`	String
`s3express:signatureAge`	Filters access by the age in milliseconds of the request signature. This condition works only for presigned URLs. In Amazon Signature Version 4, the signing key is valid for up to seven days. Therefore, the signatures are also valid for up to seven days. For more information, see Introduction to signing requests in the Amazon Simple Storage Service API Reference. You can use this condition to further limit the signature age. Example value: `600000`	Numeric
`s3express:signatureversion`	Identifies the version of Amazon Signature that you want to support for authenticated requests. For authenticated requests, Signature Version 4 is supported. Valid value: `"AWS4-HMAC-SHA256"` (identifies Signature Version 4)	String
`s3express:TlsVersion`	Filters access by the TLS version that's used by the client. You can use the `s3:TlsVersion` condition key to write IAM, virtual private cloud endpoint (VPCE), or bucket policies that restrict user or application access to directory buckets based on the TLS version that's used by the client. You can also use this condition key to write policies that require a minimum TLS version. Example value: `1.3`	Numeric
`s3express:x-amz-content-sha256`	Filters access by unsigned content in your bucket. You can use this condition key to disallow unsigned content in your bucket. When you use Signature Version 4 for requests that use the `Authorization` header, you add the `x-amz-content-sha256` header in the signature calculation and then set its value to the hash payload. You can use this condition key in your bucket policy to deny any uploads where the payloads aren't signed. For example: Deny uploads that use the `Authorization` header to authenticate requests but don't sign the payload. For more information, see Transferring payload in a single chunk in the Amazon Simple Storage Service API Reference. Deny uploads that use presigned URLs. Presigned URLs always have an `UNSIGNED_PAYLOAD`. For more information, see Authenticating requests and Authentication methods in the Amazon Simple Storage Service API Reference. Valid value: `UNSIGNED-PAYLOAD`	String
`s3express:x-amz-server-side-encryption`	Filters access by server-side encryption Valid values: `"AES256"`, `aws:kms`	String
`s3express:x-amz-server-side-encryption-aws-kms-key-id`	Filters access by Amazon KMS customer managed key for server-side encryption Example value: `"arn:aws:kms:region:acct-id:key/key-id"`	ARN

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Authenticating and authorizing requests

Identity-based policies