Actions, resources, and condition keys for Amazon S3 Express
Amazon S3 Express (service prefix: s3express) provides the following
service-specific operations, resources, actions, and condition keys for use in IAM permission
policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
-
View the programmatic service authorization reference
for this service.
Topics
Actions defined by Amazon S3 Express
You can specify the following actions in the Action element of an IAM
policy statement. Use policies to grant permissions to perform an operation in Amazon. When
you use an action in a policy, you usually allow or deny access to the API operation or CLI
command with the same name. However, in some cases, a single action controls access to more
than one operation. Alternatively, some operations require several different actions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to create a new access point |
s3express:AccessPointNetworkOrigin s3express:AccessPointTag/${TagKey} |
Write |
||
Grants permission to create a new bucket |
Write |
|||
Grants permission to Create Session token which is used for object APIs such as PutObject, GetObject, etc |
s3express:AccessPointTag/${TagKey} s3express:AllAccessRestrictedToLocalZoneGroup s3express:x-amz-content-sha256 |
Write |
||
|
s3express:AllAccessRestrictedToLocalZoneGroup s3express:x-amz-content-sha256 |
||||
Grants permission to delete the access point named in the URI |
s3express:AccessPointNetworkOrigin s3express:AccessPointTag/${TagKey} |
Write |
||
Grants permission to delete the policy on a specified access point |
s3express:AccessPointNetworkOrigin s3express:AccessPointTag/${TagKey} |
Permissions management, Write |
||
Grants permission to delete the scope configuration on a specified access point |
s3express:AccessPointNetworkOrigin s3express:AccessPointTag/${TagKey} |
Permissions management, Write |
||
Grants permission to delete the bucket named in the URI |
Write |
|||
Grants permission to delete the policy on a specified bucket |
Permissions management, Write |
|||
Grants permission to return configuration information about the specified access point |
s3express:AccessPointNetworkOrigin s3express:AccessPointTag/${TagKey} |
Read |
||
Grants permission to return the access point policy associated with the specified access point |
s3express:AccessPointNetworkOrigin s3express:AccessPointTag/${TagKey} |
Read |
||
Grants permission to return the scope configuration associated with the specified access point |
s3express:AccessPointNetworkOrigin s3express:AccessPointTag/${TagKey} |
Read |
||
Grants permission to return the policy of the specified bucket |
Read |
|||
Grants permission to return the default encryption configuration for a directory bucket |
Read |
|||
Grants permission to return an inventory configuration identified by the inventory configuration ID for a S3 directory bucket |
Read |
|||
Grants permission to return the lifecycle configuration information set on a directory bucket |
Read |
|||
Grants permission to get a metrics configuration of a directory bucket |
Read |
|||
Grants permission to list access points |
List |
|||
Grants permission to list all directory buckets owned by the authenticated sender of the request |
List |
|||
Grants permission to lists all of the tags for a specified resource |
List |
|||
Grants permission to associate an access policy with a specified access point |
s3express:AccessPointNetworkOrigin s3express:AccessPointTag/${TagKey} |
Permissions management, Write |
||
Grants permission to associate an access point with a specified access point scope configuration |
s3express:AccessPointNetworkOrigin s3express:AccessPointTag/${TagKey} |
Permissions management, Write |
||
Grants permission to add or replace a bucket policy on a bucket |
Permissions management, Write |
|||
Grants permission to set the encryption configuration for a directory bucket |
Write |
|||
Grants permission to add an inventory configuration to the bucket, identified by the inventory ID |
Write |
|||
Grants permission to create a new lifecycle configuration for the directory bucket or replace an existing lifecycle configuration |
Write |
|||
Grants permission to set or update a metrics configuration for the CloudWatch request metrics of a directory bucket |
Write |
|||
Grants permission to create a new user-defined tag or update an existing tag |
Tagging, Write |
|||
Grants permission to remove the specified user-defined tags from an S3 resource |
Tagging, Write |
|||
Resource types defined by Amazon S3 Express
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements.
| Resource types | ARN | Condition keys |
|---|---|---|
arn:${Partition}:s3express:${Region}:${Account}:accesspoint/${AccessPointName} |
||
arn:${Partition}:s3express:${Region}:${Account}:bucket/${BucketName} |
Condition keys for Amazon S3 Express
Amazon S3 Express defines the following condition keys that can be used in the
Condition element of an IAM policy.
| Condition keys | Description | Type |
|---|---|---|
Filters access by the tags that are passed in the request |
String |
|
Filters access by the tags associated with the resource |
String |
|
Filters access by the tag keys that are passed in the request |
ArrayOfString |
|
Filters access by the network origin (Internet or VPC) |
String |
|
Filters access by tag key-value pairs attached to the access point |
String |
|
Filters access by Amazon Local Zone network border group(s) provided in this condition key |
String |
|
Filters access by tag key-value pairs attached to the bucket |
String |
|
Filters access by the Amazon Account ID that owns the access point |
String |
|
Filters access by an access point Amazon Resource Name (ARN) |
ARN |
|
Filters access by restricting which optional metadata fields a user can add when configuring S3 Inventory reports |
ArrayOfString |
|
Filters access by a specific Availability Zone or Local Zone ID |
String |
|
Filters access by the permission requested by Access Point Scope configuration, such as GetObject, PutObject |
ArrayOfString |
|
Filters access by the resource owner Amazon Web Services account ID |
String |
|
Filters access by the permission requested by CreateSession API, such as ReadOnly and ReadWrite |
String |
|
Filters access by the TLS version used by the client |
Numeric |
|
Filters access by authentication method |
String |
|
Filters access by the age in milliseconds of the request signature |
Numeric |
|
Filters access by the Amazon Signature Version used on the request |
String |
|
Filters access by unsigned content in your bucket |
String |
|
Filters access by server-side encryption |
String |
|
Filters access by Amazon KMS customer managed key for server-side encryption |
ARN |