Permissions to work with Amazon managed table buckets and to query tables Querying tables in Amazon managed table buckets Encryption for Amazon managed table buckets

Working with Amazon managed table buckets

Amazon managed table buckets are specialized Amazon S3 table buckets designed to store Amazon managed tables, such as S3 Metadata journal and live inventory tables. Unlike customer-managed table buckets that you create and manage directly, Amazon managed table buckets are automatically provisioned by Amazon when you configure features that require Amazon managed tables. When managed tables are created, they belong to a predefined namespace that's based on the name of the source bucket. This predefined namespace can't be modified.

Each Amazon Web Services account has one Amazon managed table bucket per Region, following the naming convention aws-s3. This bucket serves as a centralized location for all managed tables associated with your account's resources in that Region.

The following table compares Amazon managed table buckets with customer-managed table buckets.

Feature	Amazon managed table buckets	Customer-managed table buckets
Creation	Automatically created by Amazon Web Services services	You create these manually
Naming	Use a standard naming convention (`aws-s3`)	You define your own names
Table creation	Only Amazon Web Services services can create tables	You can create tables
Namespace control	You can't create or delete namespaces (all tables belong to a fixed namespace)	You can create and delete namespaces
Access	Read-only access	Full access
Encryption	You can change the default encryption (SSE-S3) settings only if you encrypted the initial table with a customer managed Amazon Key Management Service (Amazon KMS) key	You can set bucket-level default encryption and modify it anytime
Maintenance	Managed by Amazon Web Services services	You can customize automated maintenance at the bucket level

Permissions to work with Amazon managed table buckets and to query tables

To work with Amazon managed table buckets, you need permissions to create Amazon managed table buckets and tables and to specify encryption settings for Amazon managed tables. You also need permissions to query the tables in your Amazon managed table buckets.

The following example policy allows you to create an Amazon managed table bucket through an S3 Metadata configuration:


{
   "Version":"2012-10-17",		 	 	 
   "Statement":[
      {
         "Sid":"PermissionsToWorkWithMetadataTables",
         "Effect":"Allow",
         "Action":[
             "s3:CreateBucketMetadataTableConfiguration",
             "s3tables:CreateTableBucket",
             "s3tables:CreateNamespace",
             "s3tables:CreateTable",
             "s3tables:GetTable",
             "s3tables:PutTablePolicy"
             "s3tables:PutTableEncryption",
             "kms:DescribeKey"
         ],
         "Resource":[
            "arn:aws-cn:s3:::bucket/amzn-s3-demo-source-bucket",
            "arn:aws-cn:s3tables:us-east-1:111122223333:bucket/aws-s3",
            "arn:aws-cn:s3tables:us-east-1:111122223333:bucket/aws-s3/table/*",
            "arn:aws-cn:kms:us-east-1:111122223333:key/01234567-89ab-cdef-0123-456789abcdef"
         ]
       }
    ]
}

The following example policy allows you to query tables in Amazon managed table buckets:


{
   "Version":"2012-10-17",		 	 	 
   "Statement":[
      {
         "Sid":"PermissionsToQueryMetadataTables",
         "Effect":"Allow",
         "Action":[
             "s3tables:GetTable",
             "s3tables:GetTableData",
             "s3tables:GetTableMetadataLocation",
             "kms:Decrypt"
         ],
         "Resource":[
            "arn:aws-cn:s3tables:us-east-1:111122223333:bucket/aws-s3",
            "arn:aws-cn:s3tables:us-east-1:111122223333:bucket/aws-s3/table/*",
            "arn:aws-cn:kms:us-east-1:111122223333:key/01234567-89ab-cdef-0123-456789abcdef"
         ]
       }
    ]
}

Querying tables in Amazon managed table buckets

You can query Amazon managed tables in Amazon managed table buckets using access methods and engines supported by S3 Tables. The following are some example queries.

Encryption for Amazon managed table buckets

By default, Amazon managed table buckets are encrypted with server-side encryption using Amazon S3 managed keys (SSE-S3). After your Amazon managed table bucket is created, you can use PutTableBucketEncryption to set the bucket's default encryption setting to use server-side encryption with Amazon Key Management Service (Amazon KMS) keys (SSE-KMS).

During creation of your Amazon managed tables, you can choose to encrypt them with SSE-KMS. If you choose to use SSE-KMS, you must provide a customer managed KMS key in the same Region as your Amazon managed table bucket. You can set the encryption type for your Amazon managed tables only during table creation. After an Amazon managed table is created, you can't change its encryption setting.

If you want the Amazon managed table bucket and the tables stored in it to use the same KMS key, make sure to use the same KMS key that you used to encrypt your tables to encrypt your table bucket after it's been created. After you've changed the default encryption settings for your table bucket to use SSE-KMS, those encryption settings are used for any future tables that are created in the bucket.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Managing policies

Tagging table buckets