Authorizing Regional endpoint API operations with IAM
Amazon Identity and Access Management (IAM) is an Amazon Web Services service that helps administrators securely control access to Amazon resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use Amazon S3 resources in directory buckets and S3 Express One Zone operations. You can use IAM for no additional charge.
By default, users don't have permissions for directory buckets. To grant access permissions for directory buckets, you can use IAM to create users, groups, or roles and attach permissions to those identities. For more information about IAM, see Security best practices in IAM in the IAM User Guide.
To provide access, you can add permissions to your users, groups, or roles through the following means:
- Users and groups in Amazon IAM Identity Center – Create a permission set. Follow the instructions in Create a permission set in the Amazon IAM Identity Center User Guide.
- Users managed in IAM through an identity provider – Create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.
- IAM roles and users – Create a role that your user can assume. Follow the instructions in Creating a role to delegate permissions to an IAM user in the IAM User Guide.
For more information about IAM for S3 Express One Zone, see the following topics.
Principals
When you create a resource-based policy to grant access to your buckets, you must use the Principal element to specify the person or application that can make a request for an action or operation on that resource. For directory bucket policies, you can use the following principals:
- An Amazon account
- An IAM user
- An IAM role
- A federated user
For more information, see Principal.
Resources
Amazon Resource Names (ARNs) for directory buckets contain the s3express namespace, the Amazon Web Services Region, the Amazon account ID, and the directory bucket name, which includes the Amazon Zone ID (an Availability Zone or Local Zone ID).
To access and perform actions on your directory bucket, you must use the following ARN format:
arn:aws-cn:s3express:region:account-id:bucket/base-bucket-name--zone-id--x-s3
To access and perform actions on your access point for a directory bucket, you must use the following ARN format:
arn:aws-cn:s3express:region:account-id:accesspoint/accesspoint-basename--zone-id--xa-s3
For more information about ARNs, see Amazon Resource Names (ARNs).
Actions for directory buckets
In an IAM identity-based policy or resource-based policy, you define which S3 actions are allowed or denied. Actions correspond to specific API operations. With directory buckets, you must use the S3 Express One Zone namespace, called s3express, to grant permissions.
When you allow the s3express:CreateSession permission, the CreateSession API operation retrieves a temporary session token for all Zonal endpoint API (object level) operations. The session token returns credentials that are used for all other Zonal endpoint API operations. As a result, you don't grant access permissions to Zonal API operations with IAM policies. Instead, CreateSession enables access for all object level operations.
For the list of Zonal API operations and permissions, see Authenticating and authorizing requests. To learn more about the CreateSession API operation, see CreateSession.
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation with the same name. However, in some cases, a single action controls access to more than one API operation. Access to bucket-level actions can be granted only in IAM identity-based policies (user or role) and not in bucket policies.
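The following identity-based policy is an added example, not taken from this page or from Amazon's documentation: it grants a user or role s3express:CreateSession on a single directory bucket using the ARN format described above, so that only object-level operations on that one bucket become reachable through the session credentials. The Region (cn-north-1), account ID (111122223333), base bucket name and Zone ID (cnn1-az1) are placeholder values, and the s3express:SessionMode condition key is assumed to be available to restrict the session to read-only use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlySessionOnOneDirectoryBucket",
      "Effect": "Allow",
      "Action": "s3express:CreateSession",
      "Resource": "arn:aws-cn:s3express:cn-north-1:111122223333:bucket/example-base-name--cnn1-az1--x-s3",
      "Condition": {
        "StringEquals": {
          "s3express:SessionMode": "ReadOnly"
        }
      }
    }
  ]
}
```

Because the page notes that bucket-level actions can be granted only in identity-based policies, a principal that also needs to create or delete directory buckets would receive those s3express bucket-level actions in a separate statement of this same identity policy, not in a bucket policy.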
For more information about how to configure access point policies, see Configuring IAM policies for using access points for directory buckets.
For more information, see Actions, resources, and condition keys for Amazon S3 Express.