Amazon S3 actions
Amazon S3 defines a set of permissions that you can specify in a policy. These are keywords, each of which maps to a specific Amazon S3 operation. For more information about Amazon S3 operations, see Actions in the Amazon Simple Storage Service API Reference.
To see how to specify permissions in an Amazon S3 policy, review the following example policies. For a list of Amazon S3 actions, resources, and condition keys for use in policies, see Actions, resources, and condition keys for Amazon S3. For a complete list of Amazon S3 actions, see Actions.
Example — Object operations
The following example bucket policy grants the s3:PutObject and the s3:PutObjectAcl permissions to a user (Dave). If you remove the Principal element, you can attach the policy to a user. These are object operations. Accordingly, the relative-id portion of the Resource ARN identifies objects (awsexamplebucket1/*). For more information, see Amazon S3 resources.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws-cn:iam::12345678901:user/Dave"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws-cn:s3:::awsexamplebucket1/*"
        }
    ]
}
Permissions for All Amazon S3 Actions
You can use a wildcard to grant permission for all Amazon S3 actions.
"Action": "*"
Example — Bucket operations
The following example user policy grants the s3:CreateBucket, s3:ListAllMyBuckets, and the s3:GetBucketLocation permissions to a user. For all these permissions, you set the relative-id part of the Resource ARN to "*". For all other bucket actions, you must specify a bucket name. For more information, see Amazon S3 resources.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws-cn:s3:::*"
            ]
        }
    ]
}
Policy for console access
If a user wants to use the Amazon Web Services Management Console to view buckets and the contents of any of those buckets, the user must have the s3:ListAllMyBuckets and s3:GetBucketLocation permissions. For an example, see Policy for Console Access in the blog post Writing IAM Policies: How to Grant Access to an S3 Bucket.
Example — Bucket subresource operations
The following user policy grants the s3:GetBucketAcl permission on the DOC-EXAMPLE-BUCKET1 bucket to user Dave.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws-cn:iam::123456789012:user/Dave"
            },
            "Action": [
                "s3:GetBucketAcl"
            ],
            "Resource": [
                "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET1"
            ]
        }
    ]
}
DELETE Object permissions
You can delete objects either by explicitly calling the DELETE Object API or by configuring its lifecycle (see Managing your storage lifecycle) so that Amazon S3 can remove the objects when their lifetime expires. To explicitly block users or accounts from deleting objects, you must explicitly deny them s3:DeleteObject, s3:DeleteObjectVersion, and s3:PutLifecycleConfiguration permissions.
Explicit deny
By default, users have no permissions. But as you create users, add users to groups, and grant them permissions, they might get certain permissions that you didn't intend to grant. To avoid such permission loopholes, you can write a stricter access policy by adding explicit deny.
The preceding bucket policy grants the s3:GetBucketAcl permission on the DOC-EXAMPLE-BUCKET1 bucket to user Dave. In this example, you explicitly deny the user Dave DELETE Object permissions. Explicit deny always supersedes any other permission granted. The following is the revised access policy example with explicit deny added.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws-cn:iam::123456789012:user/Dave"
            },
            "Action": [
                "s3:GetObjectVersion",
                "s3:GetBucketAcl"
            ],
            "Resource": [
                "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET1",
                "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET1/*"
            ]
        },
        {
            "Sid": "statement2",
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws-cn:iam::123456789012:user/Dave"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:PutLifecycleConfiguration"
            ],
            "Resource": [
                "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET1",
                "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET1/*"
            ]
        }
    ]
}
Example — Account operations
The following example user policy grants the s3:GetAccountPublicAccessBlock permission to a user. For these permissions, you set the Resource value to "*". For more information, see Amazon S3 resources.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Action": [
                "s3:GetAccountPublicAccessBlock"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
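The examples on this page rely on three rules: a statement applies only when its Action and Resource patterns match the request (with "*" as the wildcard in the relative-id or as the whole Resource), an explicit Deny always supersedes an Allow, and a bare "Action": "*" grant is much broader than the named-action grants shown here. The following is an added worked example, not AWS code and not the real IAM evaluation engine; it is a deliberately small evaluator that models only those three rules (no condition keys, no NotAction/NotResource) and replays the page's bucket-operations and explicit-deny policies against sample requests. The bucket, user and object names are the page's placeholders or constructed for illustration.

```python
"""Minimal evaluator for the S3 policy patterns shown on this page.

Added example: not AWS code and not the documented IAM evaluation logic.
It models only Action/Resource wildcard matching, the optional Principal
element, and the rule that an explicit Deny beats any Allow.
"""
import re


def _match(pattern, value):
    """IAM-style glob: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(statement, principal_arn):
    """No Principal element (identity policy): applies to whoever it is attached to."""
    if "Principal" not in statement:
        return True
    aws = statement["Principal"].get("AWS", [])
    return any(p == "*" or p == principal_arn for p in _as_list(aws))


def evaluate(policies, principal_arn, action, resource_arn):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single request."""
    explicit_deny = False
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not _principal_matches(st, principal_arn):
                continue
            if not any(_match(a, action) for a in _as_list(st["Action"])):
                continue
            if not any(_match(r, resource_arn) for r in _as_list(st["Resource"])):
                continue
            if st["Effect"] == "Deny":
                explicit_deny = True
            elif st["Effect"] == "Allow":
                allowed = True
    if explicit_deny:          # explicit deny supersedes every allow
        return "Deny"
    return "Allow" if allowed else "ImplicitDeny"


def find_wildcard_grants(policy):
    """Sids of Allow statements whose Action is '*' or 's3:*' (review candidates)."""
    return [st.get("Sid", "<no Sid>") for st in policy["Statement"]
            if st["Effect"] == "Allow"
            and any(a in ("*", "s3:*") for a in _as_list(st["Action"]))]


DAVE = "arn:aws-cn:iam::123456789012:user/Dave"       # page placeholder
BUCKET = "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET1"         # page placeholder

# Bucket policy from the "Explicit deny" section of this page.
EXPLICIT_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "statement1", "Effect": "Allow", "Principal": {"AWS": DAVE},
         "Action": ["s3:GetObjectVersion", "s3:GetBucketAcl"],
         "Resource": [BUCKET, BUCKET + "/*"]},
        {"Sid": "statement2", "Effect": "Deny", "Principal": {"AWS": DAVE},
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion",
                    "s3:PutLifecycleConfiguration"],
         "Resource": [BUCKET, BUCKET + "/*"]},
    ],
}

# Identity policy from "Example - Bucket operations": relative-id set to "*".
BUCKET_OPS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "statement1", "Effect": "Allow",
                   "Action": ["s3:CreateBucket", "s3:ListAllMyBuckets",
                              "s3:GetBucketLocation"],
                   "Resource": ["arn:aws-cn:s3:::*"]}],
}

# Constructed for illustration: the wildcard grant the page warns is all-encompassing.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "everything", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}


def demo():
    """Sample requests against the page's policies; returns the decisions."""
    obj = BUCKET + "/report.csv"                       # constructed object key
    alice = "arn:aws-cn:iam::123456789012:user/Alice"  # constructed principal
    return {
        "read_acl": evaluate([EXPLICIT_DENY_POLICY], DAVE, "s3:GetBucketAcl", BUCKET),
        "delete_object": evaluate([EXPLICIT_DENY_POLICY], DAVE, "s3:DeleteObject", obj),
        "put_object": evaluate([EXPLICIT_DENY_POLICY], DAVE, "s3:PutObject", obj),
        "delete_with_broad_allow": evaluate([EXPLICIT_DENY_POLICY, OVERBROAD_POLICY],
                                            DAVE, "s3:DeleteObject", obj),
        "create_bucket": evaluate([BUCKET_OPS_POLICY], DAVE, "s3:CreateBucket",
                                  "arn:aws-cn:s3:::any-new-bucket"),
        "other_principal": evaluate([EXPLICIT_DENY_POLICY], alice, "s3:GetBucketAcl", BUCKET),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
    print("wildcard grants to review:", find_wildcard_grants(OVERBROAD_POLICY))
```

The "delete_with_broad_allow" case is the one to study: even when a second policy grants "Action": "*" on every resource, the explicit Deny of s3:DeleteObject still produces Deny, which is exactly the loophole-closing behaviour the Explicit deny section describes. The find_wildcard_grants helper is the kind of check a reviewer runs over policy files to find grants that should be narrowed to named actions like those in the examples above.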