Amazon S3 Storage Lens permissions - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon S3 Storage Lens permissions

Amazon S3 Storage Lens requires new permissions in Amazon Identity and Access Management (IAM) to authorize access to S3 Storage Lens actions. To grant these permissions, you can use an identity-based IAM policy. You can attach this policy to IAM users, groups, or roles to grant them permissions. Such permissions can include the ability to enable or disable S3 Storage Lens, or to access any S3 Storage Lens dashboard or configuration.

The IAM user or role must belong to the account that created or owns the dashboard or configuration, unless both of the following conditions are true:

  • Your account is a member of Amazon Organizations.

  • You were given access to create organization-level dashboards by your management account as a delegated administrator.

Note
  • You can't use your account's root user credentials to view Amazon S3 Storage Lens dashboards. To access S3 Storage Lens dashboards, you must grant the required IAM permissions to a new or existing IAM user. Then, sign in with those user credentials to access S3 Storage Lens dashboards. For more information, see Security best practices in IAM in the IAM User Guide.

  • Using S3 Storage Lens on the Amazon S3 console can require multiple permissions. For example, to edit a dashboard on the console, you need the following permissions:

    • s3:ListStorageLensConfigurations

    • s3:GetStorageLensConfiguration

    • s3:PutStorageLensConfiguration

Setting account permissions to use S3 Storage Lens

To create and manage S3 Storage Lens dashboards and Storage Lens dashboard configurations, you must have the following permissions, depending on which actions you want to perform:

Amazon S3 Storage Lens related IAM permissions

Action: Create or update an S3 Storage Lens dashboard in the Amazon S3 console.
IAM permissions:

  • s3:ListStorageLensConfigurations

  • s3:GetStorageLensConfiguration

  • s3:GetStorageLensConfigurationTagging

  • s3:PutStorageLensConfiguration

  • s3:PutStorageLensConfigurationTagging

Action: Get the tags of an S3 Storage Lens dashboard in the Amazon S3 console.
IAM permissions:

  • s3:ListStorageLensConfigurations

  • s3:GetStorageLensConfigurationTagging

Action: View an S3 Storage Lens dashboard in the Amazon S3 console.
IAM permissions:

  • s3:ListStorageLensConfigurations

  • s3:GetStorageLensConfiguration

  • s3:GetStorageLensDashboard

Action: Delete an S3 Storage Lens dashboard in the Amazon S3 console.
IAM permissions:

  • s3:ListStorageLensConfigurations

  • s3:GetStorageLensConfiguration

  • s3:DeleteStorageLensConfiguration

Action: Create or update an S3 Storage Lens configuration by using the Amazon CLI or an Amazon SDK.
IAM permissions:

  • s3:PutStorageLensConfiguration

  • s3:PutStorageLensConfigurationTagging

Action: Get the tags of an S3 Storage Lens configuration by using the Amazon CLI or an Amazon SDK.
IAM permissions:

  • s3:GetStorageLensConfigurationTagging

Action: View an S3 Storage Lens configuration by using the Amazon CLI or an Amazon SDK.
IAM permissions:

  • s3:GetStorageLensConfiguration

Action: Delete an S3 Storage Lens configuration by using the Amazon CLI or an Amazon SDK.
IAM permissions:

  • s3:DeleteStorageLensConfiguration

Note
  • S3 Storage Lens dashboard views are logged in CloudTrail with the event name GetStorageLensDashboardDataInternal.

  • You can use resource tags in an IAM policy to manage permissions.

  • An IAM user or role with these permissions can see metrics for buckets and prefixes that they don't have direct permission to read or list objects from. Granting Storage Lens permissions therefore discloses bucket names, prefix paths, and aggregate storage metrics independently of any object-level restrictions in the same policy, so treat them as a disclosure of bucket and prefix inventory, not only of numbers, and scope them accordingly.

  • For S3 Storage Lens dashboards with prefix-level metrics enabled, if a selected prefix path matches with an object key, the dashboard might display the object key as another prefix.

  • For metrics exports, which are stored in a bucket in your account, permissions are granted by using the existing s3:GetObject permission in the IAM policy. Similarly, for an Amazon Organizations entity, the organization's management account or delegated administrator accounts can use IAM policies to manage access permissions for organization-level dashboard and configurations.

Setting account permissions to use S3 Storage Lens groups

You can use S3 Storage Lens groups to understand the distribution of your storage within buckets based on prefix, suffix, object tag, object size, or object age. You can attach Storage Lens groups to your dashboards to view their aggregated metrics.

To work with Storage Lens groups, you need certain permissions. For more information, see Storage Lens groups permissions.

Setting permissions to use S3 Storage Lens with Amazon Organizations

You can use Amazon S3 Storage Lens to collect storage metrics and usage data for all accounts that are part of your Amazon Organizations hierarchy. The following are the actions and permissions related to using S3 Storage Lens with Organizations.

Amazon Organizations related IAM permissions for using S3 Storage Lens

Action: Enable trusted access for S3 Storage Lens for your organization.
IAM permissions:

  • organizations:EnableAWSServiceAccess

Action: Disable trusted access for S3 Storage Lens for your organization.
IAM permissions:

  • organizations:DisableAWSServiceAccess

Action: Register a delegated administrator to create S3 Storage Lens dashboards or configurations for your organization.
IAM permissions:

  • organizations:RegisterDelegatedAdministrator

Action: Deregister a delegated administrator so that they can no longer create S3 Storage Lens dashboards or configurations for your organization.
IAM permissions:

  • organizations:DeregisterDelegatedAdministrator

Action: Create S3 Storage Lens organization-wide configurations (additional permissions).
IAM permissions:

  • organizations:DescribeOrganization

  • organizations:ListAccounts

  • organizations:ListAWSServiceAccessForOrganization

  • organizations:ListDelegatedAdministrators

  • iam:CreateServiceLinkedRole
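The following is an added example, not code from the Amazon S3 documentation or the Amazon SDKs. It puts the permissions above into two concrete identity-based policies and checks them offline: a read-only dashboard viewer built from the three console "view" permissions in the S3 Storage Lens table, narrowed with a resource tag as the note on resource tags allows, and a management-account policy for the Organizations setup that pins EnableAWSServiceAccess and RegisterDelegatedAdministrator to one service principal and omits the Disable/Deregister actions. The small evaluator is a deliberate simplification of IAM (explicit Deny over Allow over implicit deny, wildcards in Action and Resource, StringEquals only), not the real service logic. The account ID, Region, partition, tag key, the `storage-lens.s3.amazonaws.com` service principal, and the assumption that `aws:ResourceTag` is honored for the Get actions are all assumptions to verify against the Service Authorization Reference before use.

```python
"""Offline sanity check of least-privilege IAM policies for S3 Storage Lens.

Added example (not AWS code). The evaluator is a reduced subset of IAM:
  - an explicit Deny beats any Allow; with no matching Allow, the request is denied
  - '*' / '?' wildcards in Action (case-insensitive) and Resource
  - only the StringEquals condition operator; anything else fails closed
Real IAM also applies SCPs, permission boundaries, resource and session policies
and many more operators, so treat this as a pre-flight check only.
"""
import fnmatch

# Assumed values: account ID, Region, partition, tag and principal are made up.
ACCOUNT = "111122223333"
LENS_ARN = f"arn:aws-cn:s3:cn-north-1:{ACCOUNT}:storage-lens/*"
SERVICE_PRINCIPAL = "storage-lens.s3.amazonaws.com"  # assumed Storage Lens principal

# Read-only dashboard viewer: exactly the three console "view" permissions.
# List takes no resource, so it is granted on "*"; the Get actions are limited to
# dashboards tagged team=storage (assumes aws:ResourceTag applies to them).
VIEWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListStorageLensConfigurations",
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:GetStorageLensConfiguration", "s3:GetStorageLensDashboard"],
         "Resource": LENS_ARN,
         "Condition": {"StringEquals": {"aws:ResourceTag/team": "storage"}}},
    ],
}

# Management-account policy for organization-level dashboards. Enable/Register are
# pinned to the Storage Lens principal; Disable/Deregister are deliberately absent
# so that tearing trusted access down needs a separate, more privileged role.
ORG_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["organizations:EnableAWSServiceAccess",
                    "organizations:RegisterDelegatedAdministrator"],
         "Resource": "*",
         "Condition": {"StringEquals": {"organizations:ServicePrincipal": SERVICE_PRINCIPAL}}},
        {"Effect": "Allow",
         "Action": ["organizations:DescribeOrganization", "organizations:ListAccounts",
                    "organizations:ListAWSServiceAccessForOrganization",
                    "organizations:ListDelegatedAdministrators",
                    "iam:CreateServiceLinkedRole"],
         "Resource": "*"},
    ],
}

# Console operations from the permissions table, as the actions each one needs.
CONSOLE_OPERATIONS = {
    "view dashboard": ["s3:ListStorageLensConfigurations",
                       "s3:GetStorageLensConfiguration", "s3:GetStorageLensDashboard"],
    "get dashboard tags": ["s3:ListStorageLensConfigurations",
                           "s3:GetStorageLensConfigurationTagging"],
    "delete dashboard": ["s3:ListStorageLensConfigurations",
                         "s3:GetStorageLensConfiguration",
                         "s3:DeleteStorageLensConfiguration"],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _condition_ok(condition, context):
    """True when every StringEquals key in the condition matches the request context."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False  # unsupported operator: fail closed
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Evaluate one request against one identity-based policy."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny wins regardless of other statements
        allowed = True
    return allowed


def allowed_operations(policy, resource, context=None):
    """Map each console operation to whether the policy grants every action it needs."""
    return {name: all(is_allowed(policy, a, resource, context) for a in actions)
            for name, actions in CONSOLE_OPERATIONS.items()}


if __name__ == "__main__":
    dashboard = f"arn:aws-cn:s3:cn-north-1:{ACCOUNT}:storage-lens/prod-dashboard"
    for label, ctx in (("tagged team=storage", {"aws:ResourceTag/team": "storage"}),
                       ("untagged", {})):
        print(label, allowed_operations(VIEWER_POLICY, dashboard, ctx))
```

Running the block shows the viewer can view only the tagged dashboard and can never delete one; the same `allowed_operations` call is a quick way to confirm that a policy copied from the table really covers every action a console page needs, since the console fails when any one of them is missing.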