Amazon S3 policy actions - Amazon Simple Storage Service

Amazon S3 policy actions

Note

This page is about Amazon S3 policy actions for general purpose buckets. To learn more about Amazon S3 policy actions for directory buckets, see Actions for S3 Express One Zone.

Amazon S3 defines a set of permissions that you can specify in a policy. To grant permission to perform an S3 API operation, you must compose a valid policy (such as an S3 bucket policy or an IAM identity-based policy) and specify the corresponding actions in the policy's Action element. These actions are called policy actions. The following list shows the different types of mapping relationships between S3 API operations and the policy actions they require.

  • One-to-one mapping with the same name. For example, to use the PutBucketPolicy API operation, the s3:PutBucketPolicy policy action is required.

  • One-to-one mapping with different names. For example, to use the ListObjectsV2 API operation, the s3:ListBucket policy action is required.

  • One-to-many mapping. For example, to use the HeadObject API operation, the s3:GetObject policy action is required. Also, when you use S3 Object Lock and want to get an object's Legal Hold status or retention settings, the corresponding s3:GetObjectLegalHold or s3:GetObjectRetention policy action is also required before you can use the HeadObject API operation.

  • Many-to-one mapping. For example, to use the ListObjectsV2 or HeadBucket API operations, the s3:ListBucket policy action is required.
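The four mapping types above can be encoded as a small lookup table, which is handy when reviewing what a policy actually unlocks (for example, that granting s3:ListBucket permits HeadBucket as well as ListObjectsV2). The following Python is an added example and not code from the AWS documentation; the table rows are only the operations named on this page, and the feature names "legal_hold" and "retention" are labels chosen for this example.

```python
from typing import FrozenSet, List

# API operation -> policy actions always required (rows taken from the page's examples).
REQUIRED_ACTIONS = {
    "PutBucketPolicy": frozenset({"s3:PutBucketPolicy"}),  # one-to-one, same name
    "ListObjectsV2": frozenset({"s3:ListBucket"}),         # one-to-one, different name
    "HeadBucket": frozenset({"s3:ListBucket"}),            # many-to-one (shares s3:ListBucket)
    "HeadObject": frozenset({"s3:GetObject"}),             # one-to-many: base action only
}

# Extra actions an operation needs only when an optional feature is exercised,
# as with HeadObject on an object protected by S3 Object Lock. The feature
# names are labels chosen for this example (assumption, not AWS terminology).
CONDITIONAL_ACTIONS = {
    "HeadObject": {
        "legal_hold": "s3:GetObjectLegalHold",
        "retention": "s3:GetObjectRetention",
    },
}


def required_actions(operation: str, *features: str) -> FrozenSet[str]:
    """Return every policy action a caller must be allowed for `operation`.

    `features` names optional behaviours (e.g. "legal_hold") that pull in
    additional actions. Raises KeyError for unknown operations or features.
    """
    actions = set(REQUIRED_ACTIONS[operation])
    extra = CONDITIONAL_ACTIONS.get(operation, {})
    for feature in features:
        actions.add(extra[feature])  # KeyError if the feature is not valid here
    return frozenset(actions)


def operations_sharing_action(action: str) -> List[str]:
    """Inverse lookup: which API operations a single policy action enables.

    Useful in policy review, because a many-to-one action such as
    s3:ListBucket grants more operations than its name suggests.
    """
    return sorted(op for op, acts in REQUIRED_ACTIONS.items() if action in acts)


def missing_actions(operation: str, granted, *features: str) -> FrozenSet[str]:
    """Actions still needed for `operation` given the actions already `granted`."""
    return required_actions(operation, *features) - frozenset(granted)


if __name__ == "__main__":
    print(sorted(required_actions("HeadObject", "legal_hold", "retention")))
    print(operations_sharing_action("s3:ListBucket"))
```

Because the table is data rather than code, extending it to further operations from the Service Authorization Reference is a matter of adding rows; the lookups do not change.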

To compose a valid S3 bucket policy, apart from the Action element, you must also specify Effect, Principal, and Resource elements. In addition, to have more granular control of S3 API operations, you can specify the Condition element.

To compose a valid IAM identity-based policy, apart from the Action element, you must also specify Effect and Resource elements. A valid IAM identity-based policy doesn't include the Principal element.

For a full list of Amazon S3 policy actions, resources, and condition keys for use in policies, see Actions, resources, and condition keys for Amazon S3 in the Service Authorization Reference.

When you compose policies, you must specify the Resource element based on the correct resource type required by the corresponding Amazon S3 policy actions. This page categorizes permissions to S3 API operations by the resource types. For more information about the resource types, see Resource types defined by Amazon S3 in the Service Authorization Reference. For a complete list of Amazon S3 API operations, see Amazon S3 API Actions in the Amazon Simple Storage Service API Reference.

Bucket operations

Bucket operations are S3 API operations that operate on the bucket resource type, for example CreateBucket, ListObjectsV2, and PutBucketPolicy. S3 policy actions for bucket operations require the Resource element in bucket policies or IAM identity-based policies to be the Amazon Resource Name (ARN) of the S3 bucket, in the following example format.

"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"

The following bucket policy grants the user Akua in account 12345678901 the s3:ListBucket permission to perform the ListObjectsV2 API operation and list objects in an S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow Akua to list objects in the bucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::12345678901:user/Akua"
      },
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
    }
  ]
}

Bucket operations in access point policies

Permissions granted in an access point policy are effective only if the underlying bucket allows the same permissions. When you use S3 Access Points, you must delegate access control from the bucket to the access point or add the same permissions in the access point policies to the underlying bucket's policy. For more information, see Configuring IAM policies for using access points. In access point policies, S3 policy actions for bucket operations require you to use the accesspoint ARN for the Resource element in the following format.

"Resource": "arn:aws:s3:us-west-2:123456789012:accesspoint/DOC-EXAMPLE-ACCESS-POINT"

The following access point policy grants the user Akua in account 12345678901 the s3:ListBucket permission to perform the ListObjectsV2 API operation through the S3 access point DOC-EXAMPLE-ACCESS-POINT and list objects in the access point's associated bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow Akua to list objects in the bucket through access point",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::12345678901:user/Akua"
      },
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:us-west-2:123456789012:accesspoint/DOC-EXAMPLE-ACCESS-POINT"
    }
  ]
}

Note

Not all bucket operations are supported by S3 Access Points. For more information, see Access point compatibility with S3 operations.

Object operations

Object operations are S3 API operations that act upon the object resource type, for example GetObject, PutObject, and DeleteObject. S3 policy actions for object operations require the Resource element in policies to be the S3 object ARN, in the following example formats.

"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/prefix/*"

Note

The object ARN must contain a forward slash after the bucket name, as seen in the previous examples.

The following bucket policy grants the user Akua in account 12345678901 the s3:PutObject permission to perform the PutObject API operation and upload objects to an S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow Akua to upload objects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::12345678901:user/Akua"
      },
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
    }
  ]
}

Object operations in access point policies

When you use S3 Access Points to control access to object operations, you can use access point policies. In access point policies, S3 policy actions for object operations require you to use the accesspoint ARN for the Resource element in the following format: arn:aws:s3:region:account-id:accesspoint/access-point-name/object/resource. For object operations that go through an access point, you must include the /object/ value after the whole access point ARN in the Resource element. Here are some examples.

"Resource": "arn:aws:s3:us-west-2:123456789012:accesspoint/DOC-EXAMPLE-ACCESS-POINT/object/*"
"Resource": "arn:aws:s3:us-west-2:123456789012:accesspoint/DOC-EXAMPLE-ACCESS-POINT/object/prefix/*"

The following access point policy grants the user Akua in account 12345678901 the s3:GetObject permission to perform the GetObject API operation through the access point DOC-EXAMPLE-ACCESS-POINT on all objects in the access point's associated bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow Akua to get objects through access point",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::12345678901:user/Akua"
      },
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:us-west-2:123456789012:accesspoint/DOC-EXAMPLE-ACCESS-POINT/object/*"
    }
  ]
}

Note

Not all object operations are supported by S3 Access Points. For more information, see Access point compatibility with S3 operations.

Access point operations

Access point operations are S3 API operations that operate on the accesspoint resource type, for example CreateAccessPoint, DeleteAccessPoint, and GetAccessPointPolicy. S3 policy actions for access point operations can only be used in IAM identity-based policies, not in bucket policies or access point policies. Access point operations require the Resource element to be the accesspoint ARN, in the following example format.

"Resource": "arn:aws:s3:us-west-2:123456789012:accesspoint/DOC-EXAMPLE-ACCESS-POINT"

The following IAM identity-based policy grants the s3:GetAccessPointPolicy permission to perform the GetAccessPointPolicy API operation on S3 access point DOC-EXAMPLE-ACCESS-POINT.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Grant permission to retrieve the access point policy of access point DOC-EXAMPLE-ACCESS-POINT",
      "Effect": "Allow",
      "Action": [
        "s3:GetAccessPointPolicy"
      ],
      "Resource": "arn:aws:s3:*:123456789012:accesspoint/DOC-EXAMPLE-ACCESS-POINT"
    }
  ]
}

When you use Access Points, to control access to bucket operations, see Bucket operations in access point policies; to control access to object operations, see Object operations in access point policies. For more information about how to configure access point policies, see Configuring IAM policies for using access points.

For more information about how to configure policies for Object Lambda Access Point operations, see Configuring IAM policies for Object Lambda Access Points.

For more information about how to configure policies for Multi-Region Access Point operations, see Multi-Region Access Point policy examples.

Job operations

(Batch Operations) job operations are S3 API operations that operate on the job resource type, for example DescribeJob and CreateJob. S3 policy actions for job operations can only be used in IAM identity-based policies, not in bucket policies. Also, job operations require the Resource element in IAM identity-based policies to be the job ARN, in the following example format.

"Resource": "arn:aws:s3:*:123456789012:job/*"

The following IAM identity-based policy grants the s3:DescribeJob permission to perform the DescribeJob API operation on S3 Batch Operations Job DOC-EXAMPLE-JOB.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow describing the Batch operation job DOC-EXAMPLE-JOB",
      "Effect": "Allow",
      "Action": [
        "s3:DescribeJob"
      ],
      "Resource": "arn:aws:s3:*:123456789012:job/DOC-EXAMPLE-JOB"
    }
  ]
}

For more information about how to configure S3 Storage Lens configuration operations, see Amazon S3 Storage Lens permissions.

Account operations

Account operations are S3 API operations that operate at the account level, for example GetPublicAccessBlock (for the account). Account isn't a resource type defined by Amazon S3. S3 policy actions for account operations can only be used in IAM identity-based policies, not in bucket policies. Also, account operations require the Resource element in IAM identity-based policies to be "*".

The following IAM identity-based policy grants the s3:GetAccountPublicAccessBlock permission to perform the account-level GetPublicAccessBlock API operation and retrieve the account-level Public Access Block settings.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow retrieving the account-level Public Access Block settings",
      "Effect": "Allow",
      "Action": [
        "s3:GetAccountPublicAccessBlock"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
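The resource-type rules from the bucket, object, access point, job, and account operation sections above (plus the rule that bucket and access point policies carry a Principal while identity-based policies do not) can be checked mechanically before a policy is deployed, which catches the common mistake of granting an object action on a bucket ARN that lacks the slash after the bucket name. The following Python linter is an added example, not code from the AWS documentation; its action-to-resource-type table contains only the actions named on this page, the ARN regular expressions are an assumption that accepts the example formats shown above (including the "*" region used in the job example), and the sample policy is constructed for the example.

```python
import re
from typing import Dict, List

# Policy action -> resource type it operates on, using the actions named on this page.
ACTION_RESOURCE_TYPE: Dict[str, str] = {
    "s3:CreateBucket": "bucket", "s3:ListBucket": "bucket", "s3:PutBucketPolicy": "bucket",
    "s3:GetObject": "object", "s3:PutObject": "object", "s3:DeleteObject": "object",
    "s3:GetObjectLegalHold": "object", "s3:GetObjectRetention": "object",
    "s3:CreateAccessPoint": "accesspoint", "s3:DeleteAccessPoint": "accesspoint",
    "s3:GetAccessPointPolicy": "accesspoint",
    "s3:CreateJob": "job", "s3:DescribeJob": "job",
    "s3:GetAccountPublicAccessBlock": "account",
}

# ARN shapes (assumed regexes that accept the page's example formats). The bucket
# shape forbids a slash after the bucket name while the object shape requires one,
# and access point object ARNs must carry "/object/" after the access point ARN.
AP_ARN = r"arn:aws:s3:[a-z0-9*-]*:\d{12}:accesspoint/[A-Za-z0-9*-]+"
ARN_SHAPE = {
    "bucket": re.compile(r"^arn:aws:s3:::[^/]+$"),
    "object": re.compile(r"^arn:aws:s3:::[^/]+/.+$"),
    "accesspoint": re.compile("^" + AP_ARN + "$"),
    "accesspoint_object": re.compile("^" + AP_ARN + "/object/.+$"),
    "job": re.compile(r"^arn:aws:s3:[a-z0-9*-]*:\d{12}:job/.+$"),
    "account": re.compile(r"^\*$"),
}

# (resource type, policy kind) -> required ARN shape. Pairs that are absent are not
# allowed at all, e.g. access point, job and account actions outside identity policies.
EXPECTED_SHAPE = {
    ("bucket", "bucket"): "bucket",
    ("bucket", "identity"): "bucket",
    ("bucket", "accesspoint"): "accesspoint",
    ("object", "bucket"): "object",
    ("object", "identity"): "object",
    ("object", "accesspoint"): "accesspoint_object",
    ("accesspoint", "identity"): "accesspoint",
    ("job", "identity"): "job",
    ("account", "identity"): "account",
}


def _as_list(value) -> List[str]:
    """Action and Resource may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict, kind: str) -> List[str]:
    """Return human-readable findings for a policy document.

    kind is "bucket", "accesspoint" or "identity" (IAM identity-based policy).
    An empty list means every statement passed the checks encoded above.
    """
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        has_principal = "Principal" in stmt
        if kind == "identity" and has_principal:
            findings.append(f"{sid}: an identity-based policy must not contain Principal")
        elif kind != "identity" and not has_principal:
            findings.append(f"{sid}: a {kind} policy requires a Principal element")
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            rtype = ACTION_RESOURCE_TYPE.get(action)
            if rtype is None:
                findings.append(f"{sid}: {action} is not in the table, skipped")
                continue
            shape = EXPECTED_SHAPE.get((rtype, kind))
            if shape is None:
                findings.append(f"{sid}: {action} ({rtype} operation) cannot be used in a {kind} policy")
                continue
            for res in resources:
                if not ARN_SHAPE[shape].match(res):
                    findings.append(f"{sid}: {action} requires resource shape {shape!r}, got {res!r}")
    return findings


# Constructed sample: a bucket policy whose second statement makes the classic
# mistake of granting an object action on a bucket ARN without the trailing "/".
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListOk", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/Akua"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"},
        {"Sid": "PutWrongArn", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/Akua"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_BUCKET_POLICY, "bucket"):
        print(finding)
```

The linter is deliberately strict about shape rather than about specific names: an object action paired with a bare bucket ARN, a bucket action paired with an access point object ARN, or a job action in a bucket policy are all reported, which is the class of mistake that produces a silently ineffective grant rather than a deployment error.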