Amazon S3 的操作、资源和条件键 - 服务授权参考
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

Amazon S3 的操作、资源和条件键

Amazon S3(服务前缀:s3)提供以下特定于服务的资源、操作和条件上下文密钥,供在IAM权限策略中使用。

参考:

Amazon S3 定义的操作

您可以在IAM策略声明的Action元素中指定以下操作。可以使用策略授予在 Amazon中执行操作的权限。当您在策略中使用操作时,通常会允许或拒绝访问具有相同名称的API操作或CLI命令。但在某些情况下,单一动作可控制对多项操作的访问。还有某些操作需要多种不同的动作。

操作表的资源类型列指示每项操作是否支持资源级权限。如果该列没有任何值,您必须在策略语句的 Resource 元素中指定策略应用的所有资源(“*”)。如果该列包含资源类型,则可以在带有该操作ARN的语句中指定该类型的资源类型。如果操作具有一个或多个必需资源,则调用方必须具有使用这些资源来使用该操作的权限。必需资源在表中以星号 (*) 表示。如果您使用IAM策略中的Resource元素限制资源访问权限,则必须为每种必需的资源类型包含ARN或模式。某些操作支持多种资源类型。如果资源类型是可选的(未指示为必需),则可以选择使用一种可选资源类型。

操作表的条件键列包括可以在策略语句的 Condition 元素中指定的键。有关与服务资源关联的条件键的更多信息,请参阅资源类型表的条件键列。

注意

资源条件键在资源类型表中列出。您可以在操作表的资源类型(* 为必需)列中找到应用于某项操作的资源类型的链接。资源类型表中的资源类型包括条件密钥列,这是应用于操作表中操作的资源条件键。

有关下表中各列的详细信息,请参阅操作表

操作 描述 访问级别 资源类型(* 为必需) 条件键 相关操作
AbortMultipartUpload 授予权限以中止分段上传 写入

object*

s3:DataAccessPointArn

s3:AccessGrantsInstanceArn

s3:DataAccessPointAccount

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

AssociateAccessGrantsIdentityCenter 授予关联 Access Grants 身份中心的权限 写入

accessgrantsinstance*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

BypassGovernanceRetention 授予权限以允许绕过监管模式对象保留设置 权限管理

object*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:RequestObjectTag/<key>

s3:RequestObjectTagKeys

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-acl

s3:x-amz-content-sha256

s3:x-amz-copy-source

s3:x-amz-grant-full-control

s3:x-amz-grant-read

s3:x-amz-grant-read-acp

s3:x-amz-grant-write

s3:x-amz-grant-write-acp

s3:x-amz-metadata-directive

s3:x-amz-server-side-encryption

s3:x-amz-server-side-encryption-aws-kms-key-id

s3:x-amz-server-side-encryption-customer-algorithm

s3:x-amz-storage-class

s3:x-amz-website-redirect-location

s3:object-lock-mode

s3:object-lock-retain-until-date

s3:object-lock-remaining-retention-days

s3:object-lock-legal-hold

CreateAccessGrant 授予创建访问授权的权限 写入

accessgrantslocation*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

CreateAccessGrantsInstance 授予创建 Access Grants 实例的权限 写入

accessgrantsinstance*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

CreateAccessGrantsLocation 授予创建 Access Grants 位置的权限 写入

accessgrantsinstance*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

CreateAccessPoint 授予权限以创建新的访问点 写入

accesspoint*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:locationconstraint

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-acl

s3:x-amz-content-sha256

CreateAccessPointForObjectLambda 授予权限以创建对象 lambda 接入点 写入

objectlambdaaccesspoint*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

CreateBucket 授予权限以创建新的存储桶 写入

bucket*

s3:authType

s3:locationconstraint

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-acl

s3:x-amz-content-sha256

s3:x-amz-grant-full-control

s3:x-amz-grant-read

s3:x-amz-grant-read-acp

s3:x-amz-grant-write

s3:x-amz-grant-write-acp

s3:x-amz-object-ownership

CreateJob 授予权限以创建新的 Amazon S3 批量操作作业 写入

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

s3:RequestJobPriority

s3:RequestJobOperation

aws:TagKeys

aws:RequestTag/${TagKey}

iam:PassRole

CreateMultiRegionAccessPoint 授予权限以创建新的多区域访问点 写入

multiregionaccesspoint*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureversion

s3:signatureAge

s3:TlsVersion

CreateStorageLensGroup 授予创建 Amazon S3 Storage Lens 存储统计管理工具组的权限 写入

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteAccessGrant 授予删除访问授权的权限 写入

accessgrant*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

DeleteAccessGrantsInstance 授予删除 Access Grants 实例的权限 写入

accessgrantsinstance*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

DeleteAccessGrantsInstanceResourcePolicy 授予读取 Access Grants 实例资源策略的权限 写入

accessgrantsinstance*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

DeleteAccessGrantsLocation 授予删除 Access Grants 位置的权限 写入

accessgrantslocation*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

DeleteAccessPoint 授予删除中命名的接入点的权限 URI 写入

accesspoint*

s3:DataAccessPointArn

s3:DataAccessPointAccount

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

DeleteAccessPointForObjectLambda 授予删除对象中名为 lambda 的已启用 lambda 的接入点的权限 URI 写入

objectlambdaaccesspoint*

s3:DataAccessPointArn

s3:DataAccessPointAccount

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

DeleteAccessPointPolicy 授予权限以删除指定接入点上的策略 权限管理

accesspoint*

s3:DataAccessPointArn

s3:DataAccessPointAccount

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

DeleteAccessPointPolicyForObjectLambda 授予权限以删除指定对象 lambda 接入点上的策略 权限管理

objectlambdaaccesspoint*

s3:DataAccessPointArn

s3:DataAccessPointAccount

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

DeleteBucket 授予删除中名为的存储桶的权限 URI 写入

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

DeleteBucketPolicy 授予权限以删除指定存储桶上的策略 权限管理

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

DeleteBucketWebsite 授予权限以删除存储桶的网站配置 写入

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

DeleteJobTagging 授予权限以从现有 Amazon S3 批量操作作业中删除标签 Tagging

job*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

s3:ExistingJobPriority

s3:ExistingJobOperation

DeleteMultiRegionAccessPoint 授予删除中命名的多区域接入点的权限 URI 写入

multiregionaccesspoint*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureversion

s3:signatureAge

s3:TlsVersion

DeleteObject 授予权限以删除对象的空版本并插入删除标记,此版本成为对象的当前版本 写入

object*

s3:AccessGrantsInstanceArn

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

DeleteObjectTagging 授予权限以使用标记子资源从指定的对象中删除整个标记集 标记

object*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:ExistingObjectTag/<key>

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

DeleteObjectVersion 授予权限以删除特定版本的对象 写入

object*

s3:AccessGrantsInstanceArn

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:versionid

s3:x-amz-content-sha256

DeleteObjectVersionTagging 授予权限以删除特定版本对象的整个标记集 标记

object*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:ExistingObjectTag/<key>

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:versionid

s3:x-amz-content-sha256

DeleteStorageLensConfiguration 授予删除现有 Amazon S3 Storage Lens 存储统计管理工具配置的权限 写入

storagelensconfiguration*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

DeleteStorageLensConfigurationTagging 授予从现有 Amazon S3 Storage Lens 存储统计管理工具配置中删除标签的权限 标记

storagelensconfiguration*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

DeleteStorageLensGroup 授予删除现有 S3 Storage Lens 存储统计管理工具组的权限 写入

storagelensgroup*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

DescribeJob 授予权限以检索批量操作作业的配置参数和状态 读取

job*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

DescribeMultiRegionAccessPointOperation 授予权限以检索多区域接入点的配置 读取

multiregionaccesspointrequestarn*

s3:authType

s3:ResourceAccount

s3:signatureversion

s3:signatureAge

s3:TlsVersion

DissociateAccessGrantsIdentityCenter 授予取消关联 Access Grants 身份中心的权限 写入

accessgrantsinstance*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

GetAccelerateConfiguration 授予权限以使用加速子资源返回存储桶的 Transfer Acceleration(传输加速)状态(已启用或已暂停) 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetAccessGrant 授予读取访问授权的权限 读取

accessgrant*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

GetAccessGrantsInstance 授予读取 Access Grants 实例的权限 读取

accessgrantsinstance*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

GetAccessGrantsInstanceForPrefix 授予按前缀读取 Access Grants 实例的权限 读取

accessgrantsinstance*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

GetAccessGrantsInstanceResourcePolicy 授予读取 Access Grants 实例资源策略的权限 读取

accessgrantsinstance*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

GetAccessGrantsLocation 授予读取 Access Grants 位置的权限 读取

accessgrantslocation*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

GetAccessPoint 授予权限以返回有关指定接入点的配置信息 读取

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetAccessPointConfigurationForObjectLambda 授予权限以检索对象 lambda 接入点的配置 读取

objectlambdaaccesspoint*

s3:DataAccessPointArn

s3:DataAccessPointAccount

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetAccessPointForObjectLambda 授予权限以创建对象 lambda 接入点 读取

objectlambdaaccesspoint*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetAccessPointPolicy 授予权限以返回与指定接入点关联的接入点策略 读取

accesspoint*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetAccessPointPolicyForObjectLambda 授予权限以返回与指定对象 lambda 接入点关联的接入点策略 读取

objectlambdaaccesspoint*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetAccessPointPolicyStatus 授予权限以返回特定接入点策略的策略状态 读取

accesspoint*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetAccessPointPolicyStatusForObjectLambda 授予权限以返回对象 lambda 接入点策略的策略状态 读取

objectlambdaaccesspoint*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetAccountPublicAccessBlock 授予检索 PublicAccessBlock 配置的权限 Amazon Web Services 账户 读取

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetAnalyticsConfiguration 授予权限以从 Amazon S3 存储桶获取分析配置,该存储桶由分析配置 ID 标识 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetBucketAcl 授予使用 acl 子资源返回 Amazon S3 存储桶的访问控制列表 (ACL) 的权限 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetBucketCORS 授予返回为 Amazon S3 存储桶设置的CORS配置信息的权限 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetBucketLocation 授予权限以返回 Amazon S3 存储桶所在的区域 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetBucketLogging 授予权限以返回 Amazon S3 存储桶的日志记录状态以及用户拥有的查看或修改该状态的权限 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetBucketNotification 授予权限以获取 Amazon S3 存储桶的通知配置 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetBucketObjectLockConfiguration 授予权限以获取 Amazon S3 存储桶的对象锁定配置 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:signatureversion

GetBucketOwnershipControls 授予权限以检索存储桶上的所有权控制 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetBucketPolicy 授予权限以返回指定存储桶的策略 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetBucketPolicyStatus 授予权限以检索特定 Amazon S3 存储桶的策略状态,该状态指示存储桶是否为公有的 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetBucketPublicAccessBlock 授予检索 Amazon S3 存储桶 PublicAccessBlock 配置的权限 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetBucketRequestPayment 授予权限以返回 Amazon S3 存储桶的请求付款配置 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetBucketTagging 授予权限以返回与 Amazon S3 存储桶关联的标签集 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetBucketVersioning 授予权限以返回 Amazon S3 存储桶的版本控制状态 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetBucketWebsite 授予权限以返回 Amazon S3 存储桶的网站配置 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetDataAccess 授予获取访问的权限 读取

accessgrantsinstance*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

GetEncryptionConfiguration 授予权限以返回 Amazon S3 存储桶的默认加密配置 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetIntelligentTieringConfiguration 授予获取或列出 S3 存储桶中所有 Amazon S3 Intelligent Tiering 配置的权限 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetInventoryConfiguration 授予权限以从 Amazon S3 存储桶返回清单配置(由清单配置 ID 标识) 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetJobTagging 授予权限以返回现有 Amazon S3 批量操作作业的标签集 读取

job*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetLifecycleConfiguration 授予权限以返回 Amazon S3 存储桶上的生命周期配置信息集 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetMetricsConfiguration 授予权限以从 Amazon S3 存储桶获取指标配置 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetMultiRegionAccessPoint 授予权限以返回有关指定多区域访问点的配置信息 读取

multiregionaccesspoint*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureversion

s3:signatureAge

s3:TlsVersion

GetMultiRegionAccessPointPolicy 授予权限以返回与指定多区域访问点关联的访问点策略 读取

multiregionaccesspoint*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureversion

s3:signatureAge

s3:TlsVersion

GetMultiRegionAccessPointPolicyStatus 授予权限以返回特定多区域访问点策略的策略状态 读取

multiregionaccesspoint*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureversion

s3:signatureAge

s3:TlsVersion

GetMultiRegionAccessPointRoutes 授予权限以返回多区域访问点的路由配置 读取

multiregionaccesspoint*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureversion

s3:signatureAge

s3:TlsVersion

GetObject 授予权限以从 Amazon S3 检索对象 读取

object*

s3:AccessGrantsInstanceArn

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:ExistingObjectTag/<key>

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetObjectAcl 授予返回对象访问控制列表 (ACL) 的权限 读取

object*

s3:AccessGrantsInstanceArn

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:ExistingObjectTag/<key>

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetObjectAttributes 授予权限以检索与特定对象相关的属性 读取

accesspoint*

object*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:ExistingObjectTag/<key>

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetObjectLegalHold 授予权限以获取对象的当前依法保留状态 读取

object*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetObjectRetention 授予权限以检索对象的保留设置 读取

object*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetObjectTagging 授予权限以返回对象的标签集 读取

object*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:ExistingObjectTag/<key>

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetObjectTorrent 授予权限以从 Amazon S3 存储桶返回 Torrent 文件 读取

object*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetObjectVersion 授予权限以检索对象的特定版本 读取

object*

s3:AccessGrantsInstanceArn

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:ExistingObjectTag/<key>

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:versionid

s3:x-amz-content-sha256

GetObjectVersionAcl 授予返回特定对象版本的访问控制列表 (ACL) 的权限 读取

object*

s3:AccessGrantsInstanceArn

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:ExistingObjectTag/<key>

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:versionid

s3:x-amz-content-sha256

GetObjectVersionAttributes 授予权限以检索与对象特定版本相关的属性 读取

object*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:ExistingObjectTag/<key>

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:versionid

s3:x-amz-content-sha256

GetObjectVersionForReplication 授予复制未加密对象和使用 SSE-S3 或-加密的对象的权限 SSE KMS 读取

object*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetObjectVersionTagging 授予权限以返回特定版本对象的标签集 读取

object*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:ExistingObjectTag/<key>

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:versionid

s3:x-amz-content-sha256

GetObjectVersionTorrent 授予使用子资源获取有关不同版本的 Torrent 文件的权限 versionId 读取

object*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:versionid

s3:x-amz-content-sha256

GetReplicationConfiguration 授予权限以获取 Amazon S3 存储桶上的复制配置信息集 读取

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetStorageLensConfiguration 授予获取 Amazon S3 Storage Lens 存储统计管理工具配置的权限 读取

storagelensconfiguration*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetStorageLensConfigurationTagging 授予获取现有 Amazon S3 Storage Lens 存储统计管理工具配置的标签集的权限 读取

storagelensconfiguration*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetStorageLensDashboard 授予获取 Amazon S3 Storage Lens 存储统计管理工具控制面板的权限 读取

storagelensconfiguration*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

GetStorageLensGroup 授予获取 Amazon S3 Storage Lens 存储统计管理工具组的权限 读取

storagelensgroup*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

InitiateReplication[仅权限] 授予通过将对象的复制状态设置为待处理来启动复制进程的权限 写入

object*

s3:ResourceAccount

ListAccessGrants 授予列出访问授权的权限 列出

accessgrantsinstance*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

ListAccessGrantsInstances 授予列出 Access Grants 实例的权限 列出

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

ListAccessGrantsLocations 授予列出 Access Grants 位置的权限 列出

accessgrantsinstance*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

ListAccessPoints 授予权限以列出接入点 列出

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

ListAccessPointsForObjectLambda 授予权限以列出对象 lambda 接入点 列出

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

ListAllMyBuckets 授予权限以列出该请求的经身份验证的发件人拥有的所有存储桶 列出

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

ListBucket 授予权限以列出 Amazon S3 存储桶中的部分或全部对象(最多 1000 个) 列出

bucket*

s3:AccessGrantsInstanceArn

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:delimiter

s3:max-keys

s3:prefix

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

ListBucketMultipartUploads 授予权限以列出正在进行的分段上传 列出

bucket*

s3:AccessGrantsInstanceArn

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

ListBucketVersions 授予权限以列出有关 Amazon S3 存储桶中所有对象版本的元数据 列出

bucket*

s3:AccessGrantsInstanceArn

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:delimiter

s3:max-keys

s3:prefix

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

ListCallerAccessGrants 授予列出来电者访问权限的权限 列出

accessgrantsinstance*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

ListJobs 授予权限以列出当前作业和最近结束的作业 列出

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

ListMultiRegionAccessPoints 授予权限以列出多区域访问点 列出

s3:authType

s3:ResourceAccount

s3:signatureversion

s3:signatureAge

s3:TlsVersion

ListMultipartUploadParts 授予权限以列出为特定分段上传而上传的部分 列出

object*

s3:AccessGrantsInstanceArn

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

ListStorageLensConfigurations 授予列出 Amazon S3 Storage Lens 存储统计管理工具配置的权限 列出

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

ListStorageLensGroups 授予列出 S3 Storage Lens 组的权限 列出

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

ListTagsForResource 授予列出附加到指定资源的标签的权限 列出

accessgrant

accessgrantsinstance

accessgrantslocation

storagelensgroup

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

ObjectOwnerOverrideToBucketOwner 授予权限以更改副本所有权 权限管理

object*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PauseReplication[仅权限] 授予暂停从目标源存储桶到目标存储桶的 S3 复制的权限 写入

bucket*

S3:GetReplicationConfiguration

S3:PutReplicationConfiguration

s3:destinationRegion

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutAccelerateConfiguration 授予权限以使用加速子资源设置现有 S3 存储桶的 Transfer Acceleration(传输加速)状态 写入

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutAccessGrantsInstanceResourcePolicy 授予放置 Access Grants 实例资源策略的权限 写入

accessgrantsinstance*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

PutAccessPointConfigurationForObjectLambda 授予权限以配置对象 lambda 接入点 写入

objectlambdaaccesspoint*

s3:DataAccessPointArn

s3:DataAccessPointAccount

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutAccessPointPolicy 授予权限以将访问策略与指定接入点关联 权限管理

accesspoint*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutAccessPointPolicyForObjectLambda 授予权限以将访问策略与指定对象 lambda 接入点关联 Permissions management

objectlambdaaccesspoint*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutAccessPointPublicAccessBlock 授予权限以在创建接入点时将公有访问块配置与指定接入点关联 权限管理
PutAccountPublicAccessBlock 授予创建或修改 PublicAccessBlock 配置的权限 Amazon Web Services 账户 权限管理

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutAnalyticsConfiguration 授予权限以便为存储桶设置分析配置(由分析配置 ID 指定) 写入

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutBucketAcl 授予使用访问控制列表对现有存储桶设置权限的权限 (ACLs) 权限管理

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-acl

s3:x-amz-content-sha256

s3:x-amz-grant-full-control

s3:x-amz-grant-read

s3:x-amz-grant-read-acp

s3:x-amz-grant-write

s3:x-amz-grant-write-acp

PutBucketCORS 授予为 Amazon S3 存储桶设置CORS配置的权限 写入

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutBucketLogging 授予权限以设置 Amazon S3 存储桶的日志记录参数 写入

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutBucketNotification 授予权限以在 Amazon S3 存储桶中发生某些事件时接收通知 写入

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutBucketObjectLockConfiguration 授予权限以在特定存储桶上放置对象锁定配置 写入

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:TlsVersion

s3:signatureversion

PutBucketOwnershipControls 授予权限以添加、替换或删除存储桶上的所有权控制 写入

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutBucketPolicy 授予权限以在存储桶上添加或替换存储桶策略 权限管理

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutBucketPublicAccessBlock 授予创建或修改特定 Amazon S3 存储桶 PublicAccessBlock 配置的权限 权限管理

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutBucketRequestPayment 授予权限以设置存储桶的请求付款配置 写入

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutBucketTagging 授予权限以向现有 Amazon S3 存储桶添加一组标签 标记

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutBucketVersioning 授予权限以设置现有 Amazon S3 存储桶的版本控制状态 写入

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutBucketWebsite 授予权限以设置在网站子资源中指定的网站的配置 写入

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutEncryptionConfiguration 授予权限以设置 Amazon S3 存储桶的加密配置 写入

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutIntelligentTieringConfiguration 授予创建新的 Amazon S3 Intelligent Tiering 配置、更新或删除现有 Amazon S3 Intelligent Tiering 配置的权限 写入

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutInventoryConfiguration 授予权限以向存储桶添加清单配置(由清单 ID 标识) 写入

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

s3:InventoryAccessibleOptionalFields

PutJobTagging 授予权限以替换现有 Amazon S3 批量操作作业上的标签 标记

job*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

s3:ExistingJobPriority

s3:ExistingJobOperation

aws:TagKeys

aws:RequestTag/${TagKey}

PutLifecycleConfiguration 授予权限以便为存储桶创建新的生命周期配置或替换现有生命周期配置 写入

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutMetricsConfiguration 授予权限以设置或更新来自 Amazon S3 存储桶的 CloudWatch 请求指标的指标配置 写入

bucket*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutMultiRegionAccessPointPolicy 授予权限以将访问策略与指定多区域访问点关联 权限管理

multiregionaccesspoint*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureversion

s3:signatureAge

s3:TlsVersion

PutObject 授予权限以将对象添加到存储桶 写入

object*

s3:AccessGrantsInstanceArn

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:RequestObjectTag/<key>

s3:RequestObjectTagKeys

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-acl

s3:x-amz-content-sha256

s3:x-amz-copy-source

s3:x-amz-grant-full-control

s3:x-amz-grant-read

s3:x-amz-grant-read-acp

s3:x-amz-grant-write

s3:x-amz-grant-write-acp

s3:x-amz-metadata-directive

s3:x-amz-server-side-encryption

s3:x-amz-server-side-encryption-aws-kms-key-id

s3:x-amz-server-side-encryption-customer-algorithm

s3:x-amz-storage-class

s3:x-amz-website-redirect-location

s3:object-lock-mode

s3:object-lock-retain-until-date

s3:object-lock-remaining-retention-days

s3:object-lock-legal-hold

PutObjectAcl 授予对 S3 存储桶中的新对象或现有对象设置访问控制列表 (ACL) 权限的权限 权限管理

object*

s3:AccessGrantsInstanceArn

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:ExistingObjectTag/<key>

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-acl

s3:x-amz-content-sha256

s3:x-amz-grant-full-control

s3:x-amz-grant-read

s3:x-amz-grant-read-acp

s3:x-amz-grant-write

s3:x-amz-grant-write-acp

s3:x-amz-storage-class

PutObjectLegalHold 授予权限以将依法保留配置应用于指定的对象 写入

object*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

s3:object-lock-legal-hold

PutObjectRetention 授予权限以在对象上放置对象保留配置 写入

object*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

s3:object-lock-mode

s3:object-lock-retain-until-date

s3:object-lock-remaining-retention-days

PutObjectTagging 授予权限以将提供的标签集设置为存储桶中已存在的对象 标记

object*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:ExistingObjectTag/<key>

s3:RequestObjectTag/<key>

s3:RequestObjectTagKeys

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

PutObjectVersionAcl 授予使用 acl 子资源为存储桶中已存在的对象设置访问控制列表 (ACL) 权限的权限 权限管理

object*

s3:AccessGrantsInstanceArn

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:ExistingObjectTag/<key>

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:versionid

s3:x-amz-acl

s3:x-amz-content-sha256

s3:x-amz-grant-full-control

s3:x-amz-grant-read

s3:x-amz-grant-read-acp

s3:x-amz-grant-write

s3:x-amz-grant-write-acp

s3:x-amz-storage-class

PutObjectVersionTagging 授予权限以便为对象的特定版本设置提供的标签集 标记

object*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:ExistingObjectTag/<key>

s3:RequestObjectTag/<key>

s3:RequestObjectTagKeys

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:versionid

s3:x-amz-content-sha256

PutReplicationConfiguration 授予权限以创建新的复制配置或替换现有复制配置 写入

bucket*

iam:PassRole

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

s3:isReplicationPauseRequest

PutStorageLensConfiguration 授予创建或更新 Amazon S3 Storage Lens 存储统计管理工具配置的权限 写入

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:TagKeys

aws:RequestTag/${TagKey}

PutStorageLensConfigurationTagging 授予在现有 Amazon S3 Storage Lens 存储统计管理工具配置上放置或替换标签的权限 标记

storagelensconfiguration*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:TagKeys

aws:RequestTag/${TagKey}

ReplicateDelete 授予权限以将删除标记复制到目标存储桶 写入

object*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

ReplicateObject 授予权限以将对象和对象标签复制到目标存储桶 写入

object*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

s3:x-amz-server-side-encryption

s3:x-amz-server-side-encryption-aws-kms-key-id

s3:x-amz-server-side-encryption-customer-algorithm

ReplicateTags 授予权限以将对象标签复制到目标存储桶 标记

object*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

RestoreObject 授予权限以将对象的归档副本恢复到 Amazon S3 写入

object*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

SubmitMultiRegionAccessPointRoutes 授予权限以提交多区域访问点的路由配置更新 写入

multiregionaccesspoint*

s3:DataAccessPointAccount

s3:DataAccessPointArn

s3:AccessPointNetworkOrigin

s3:authType

s3:ResourceAccount

s3:signatureversion

s3:signatureAge

s3:TlsVersion

TagResource 授予为指定资源添加标签的权限 标记

accessgrant

accessgrantsinstance

accessgrantslocation

storagelensgroup

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:TagKeys

aws:RequestTag/${TagKey}

UntagResource 授予从指定的资源中删除标签的权限 标记

accessgrant

accessgrantsinstance

accessgrantslocation

storagelensgroup

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:TagKeys

UpdateAccessGrantsLocation 授予更新 Access Grants 位置的权限 写入

accessgrantslocation*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

aws:ResourceTag/${TagKey}

UpdateJobPriority 授予权限以更新现有作业的优先级 写入

job*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

s3:RequestJobPriority

s3:ExistingJobPriority

s3:ExistingJobOperation

UpdateJobStatus 授予权限以更新指定作业的状态 写入

job*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

s3:ExistingJobPriority

s3:ExistingJobOperation

s3:JobSuspendedCause

UpdateStorageLensGroup 授予更新现有 S3 Storage Lens 存储统计管理工具组的权限 写入

storagelensgroup*

s3:authType

s3:ResourceAccount

s3:signatureAge

s3:signatureversion

s3:TlsVersion

s3:x-amz-content-sha256

Amazon S3 定义的资源类型

以下资源类型由此服务定义,可以在IAM权限策略语句的Resource元素中使用。操作表中的每个操作指定了可以使用该操作指定的资源类型。您也可以在策略中包含条件键,从而定义资源类型。这些键显示在资源类型表的最后一列。有关下表中各列的详细信息,请参阅资源类型表

资源类型 ARN 条件键
accesspoint arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}
bucket arn:${Partition}:s3:::${BucketName}
object arn:${Partition}:s3:::${BucketName}/${ObjectName}
job arn:${Partition}:s3:${Region}:${Account}:job/${JobId}

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

storagelensconfiguration arn:${Partition}:s3:${Region}:${Account}:storage-lens/${ConfigId}

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

storagelensgroup arn:${Partition}:s3:${Region}:${Account}:storage-lens-group/${Name}

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

objectlambdaaccesspoint arn:${Partition}:s3-object-lambda:${Region}:${Account}:accesspoint/${AccessPointName}
multiregionaccesspoint arn:${Partition}:s3::${Account}:accesspoint/${AccessPointAlias}
multiregionaccesspointrequestarn arn:${Partition}:s3:us-west-2:${Account}:async-request/mrap/${Operation}/${Token}
accessgrantsinstance arn:${Partition}:s3:${Region}:${Account}:access-grants/default

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

accessgrantslocation arn:${Partition}:s3:${Region}:${Account}:access-grants/default/location/${Token}

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

accessgrant arn:${Partition}:s3:${Region}:${Account}:access-grants/default/grant/${Token}

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Amazon S3 的条件键

Amazon S3 定义了可在IAM策略Condition元素中使用的以下条件键。您可以使用这些键进一步细化应用策略语句的条件。有关下表中各列的详细信息,请参阅条件键表

要查看适用于所有服务的全局条件键,请参阅可用的全局条件键

条件键 描述 类型
aws:RequestTag/${TagKey} 按请求中传递的标签筛选访问权限 字符串
aws:ResourceTag/${TagKey} 按与资源关联的标签筛选访问权限 字符串
aws:TagKeys 按请求中传递的标签键筛选访问权限 ArrayOfString
s3:AccessGrantsInstanceArn 按访问权限授予实例筛选访问权限 ARN ARN
s3:AccessPointNetworkOrigin 按网络来源(互联网或VPC)过滤访问权限 String
s3:DataAccessPointAccount 按拥有接入点的 Amazon 账户 ID 筛选访问权限 String
s3:DataAccessPointArn 按接入点筛选访问权限 Amazon 资源名称 (ARN) ARN
s3:ExistingJobOperation 按操作筛选访问权限以更新任务优先级 String
s3:ExistingJobPriority 按优先级范围筛选访问权限以取消现有任务 数值
s3:ExistingObjectTag/<key> 按现有对象标签键和值筛选访问 String
s3:InventoryAccessibleOptionalFields 通过限制用户在配置 S3 清单报告时可以添加哪些可选元数据字段来筛选访问权限 ArrayOfString
s3:JobSuspendedCause 按特定任务暂停原因(例如 AWAITING _CONFIRMATION)筛选访问权限,以取消已暂停的作业 String
s3:RequestJobOperation 按操作筛选访问权限以创建任务 String
s3:RequestJobPriority 按优先级范围筛选访问权限以创建新任务 数值
s3:RequestObjectTag/<key> 按要添加到对象的标签键和值筛选访问 字符串
s3:RequestObjectTagKeys 按要添加到对象的标签键筛选访问 ArrayOfString
s3:ResourceAccount 按资源所有者 Amazon Web Services 账户 ID 筛选访问权限 String
s3:TlsVersion 按客户端使用的TLS版本筛选访问权限 数值
s3:authType 按身份验证方法筛选访问 字符串
s3:delimiter 按分隔符参数筛选访问 String
s3:destinationRegion 按特定复制目标区域筛选 Amazon FIS操作目标存储桶的访问权限 aws: s3: bucket-pause-replication String
s3:isReplicationPauseRequest 根据通过 Amazon FIS操作发出的请求筛选访问权限 aws: s3: bucket-pause-replication 布尔型
s3:locationconstraint 按特定区域筛选访问 String
s3:max-keys 按 ListBucket 请求中返回的最大密钥数筛选访问权限 数值
按对象合法保留状态筛选访问 String
s3:object-lock-mode 按对象保留模式(COMPLIANCE或GOVERNANCE)筛选访问权限 String
s3:object-lock-remaining-retention-days 按剩余对象保留天数筛选访问 数值
s3:object-lock-retain-until-date 按对象保留截止日期筛选访问 Date
s3:prefix 按键名称前缀筛选访问 字符串
s3:signatureAge 按请求签名的生存期(以毫秒为单位)筛选访问 数值
s3:signatureversion 根据请求中使用的 Amazon 签名版本筛选访问权限 String
s3:versionid 按特定对象版本筛选访问权限 String
s3:x-amz-acl 按请求 x-amz-acl标头ACL中的封装过滤访问权限 String
s3:x-amz-content-sha256 按存储桶中未签名内容筛选访问权限 String
s3:x-amz-copy-source 按复制对象请求中的复制源存储桶、前缀或对象筛选访问权限 String
s3:x-amz-grant-full-control 按 x-amz-grant-full-control(完全控制)标头筛选访问权限 String
s3:x-amz-grant-read 按 x-amz-grant-read(读取访问权限)标头筛选访问权限 String
s3:x-amz-grant-read-acp 按 x-amz-grant-read-acp(的读取权限)标头筛选访问权限 ACL String
s3:x-amz-grant-write 按 x-amz-grant-write(写入权限)标头筛选访问权限 String
s3:x-amz-grant-write-acp 按 x-amz-grant-write-acp(的写入权限)标头筛选访问权限 ACL String
s3:x-amz-metadata-directive 复制对象时按对象元数据行为(COPY或REPLACE)筛选访问权限 String
s3:x-amz-object-ownership 按对象所有权筛选访问权限 String
s3:x-amz-server-side-encryption 通过服务器端加密来筛选访问 String
s3:x-amz-server-side-encryption-aws-kms-key-id 筛选按 Amazon KMS客户管理的访问权限CMK进行服务器端加密 ARN
s3:x-amz-server-side-encryption-customer-algorithm 按客户指定的服务器端加密算法筛选访问权限 String
s3:x-amz-storage-class 按存储类筛选访问权限 字符串
s3:x-amz-website-redirect-location 针对配置为静态网站的存储桶,按特定网站重定向位置筛选访问 String