You can refer to buckets and objects in bucket policies. Amazon S3 policies use the Amazon Resource Name (ARN) format for specifying them, as follows:
arn:aws:s3:::[resourcename]
The resource name is the fully qualified name of the bucket or object that the user is requesting access to. For buckets, the resource name is bucketname, where bucketname is the name of the bucket. For objects, the resource name is bucketname/keyname, where keyname is the full key of the object. For example, if you have a bucket called "Ooyala" and an object with the key shared/developer/settings.conf, the resource name for the bucket is Ooyala (ARN arn:aws:s3:::Ooyala); for the object it is Ooyala/shared/developer/settings.conf (ARN arn:aws:s3:::Ooyala/shared/developer/settings.conf).
The Resource element must name the kind of resource the action operates on. Bucket actions such as s3:ListBucket match only the bucket ARN, and object actions such as s3:GetObject match only object ARNs, so a statement that grants s3:GetObject on arn:aws:s3:::Ooyala alone grants nothing. Use arn:aws:s3:::Ooyala/* to cover every object in the bucket, or a narrower pattern such as arn:aws:s3:::Ooyala/shared/* to cover one prefix.
The Principal is the account, user, or other identity that is granted or denied permission by the policy. You specify the principal by using the principal's AWS account ID (for example, 1234-5678-9012, with or without the hyphens). The AWS account ID can belong to either an AWS Account or an IAM User. You can specify multiple principals, or a wildcard (*) to indicate all possible requesters. A wildcard principal includes anonymous, unauthenticated requests, so an Allow statement with Principal * and no Condition makes the named resources public; use it only for content that is meant to be world-readable, and never with write or ACL actions. You can view your account ID by logging in to your AWS account at http://aws.amazon.com and clicking Account Activity in the Accounts tab.
Instead of specifying an AWS account ID, you can specify a Canonical User ID when granting permission to an AWS Account. You can view your Canonical User ID by logging in to your AWS account at http://aws.amazon.com and clicking Security Credentials in the Accounts tab. You can also grant access to a CloudFront Origin Access Identity by using the Canonical User ID associated with that identity. To learn more about CloudFront's support for serving private content, go to the Serving Private Content topic in the Amazon CloudFront Developer Guide. You must specify the Canonical User ID of your CloudFront distribution's origin access identity, not that of your AWS Account.
In JSON, you use "AWS": as a prefix for the principal's AWS account ID and
the "CanonicalUser": prefix for the principal’s AWS Canonical User
ID.
Note
When you grant other AWS accounts access to your AWS resources, be aware that the AWS accounts can delegate their permissions to users under their accounts. This is known as cross-account access. For information about using cross-account access, go to Enabling Cross-Account Access in Using Identity and Access Management.
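As an added example (not from the original page and not AWS code), the following Python builds a bucket policy that uses the three principal forms described above and then checks which statements a given action and ARN would match. The bucket name, the 12-digit account ID and the canonical user ID are constructed placeholders; the matcher implements only the `*` and `?` wildcards that IAM supports in Action and Resource.

```python
import re

# Constructed placeholders (documentation-style values, not from the page):
# a bucket name, a 12-digit AWS account ID and a 64-hex canonical user ID.
BUCKET = "example-bucket"
ACCOUNT_ID = "123456789012"
CANONICAL_USER_ID = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"


def s3_arn(bucket, key=None):
    """ARN for a bucket (arn:aws:s3:::bucket) or an object (arn:aws:s3:::bucket/key)."""
    return f"arn:aws:s3:::{bucket}" if key is None else f"arn:aws:s3:::{bucket}/{key}"


def glob_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_policy(bucket, account_id, canonical_user_id):
    """A bucket policy using the account-ID, canonical-user and wildcard principal forms."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # An AWS account, named by account ID, may list the bucket.
                "Sid": "AccountCanList",
                "Effect": "Allow",
                "Principal": {"AWS": account_id},
                "Action": "s3:ListBucket",
                "Resource": s3_arn(bucket),              # bucket ARN, no key
            },
            {   # A canonical user (for example a CloudFront origin access
                # identity) may read objects under the shared/ prefix.
                "Sid": "CanonicalUserCanRead",
                "Effect": "Allow",
                "Principal": {"CanonicalUser": canonical_user_id},
                "Action": "s3:GetObject",
                "Resource": s3_arn(bucket, "shared/*"),  # object ARN pattern
            },
            {   # Wildcard principal: everyone, including anonymous requests.
                "Sid": "AnyoneCanReadPublicPrefix",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": s3_arn(bucket, "public/*"),
            },
        ],
    }


def matching_sids(policy, action, resource_arn):
    """Sids of statements whose Action and Resource both match the request.

    Action names match case-insensitively. Resource patterns are matched
    literally, so an object action against a bare bucket ARN never matches.
    """
    sids = []
    for st in policy["Statement"]:
        action_ok = any(glob_match(a, action, ignore_case=True)
                        for a in as_list(st["Action"]))
        resource_ok = any(glob_match(r, resource_arn)
                          for r in as_list(st["Resource"]))
        if action_ok and resource_ok:
            sids.append(st["Sid"])
    return sids


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}; both mean any requester."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))


def public_sids(policy):
    """Allow statements granted to everyone with no Condition narrowing them."""
    return [st["Sid"] for st in policy["Statement"]
            if st["Effect"] == "Allow"
            and is_wildcard_principal(st["Principal"])
            and "Condition" not in st]


if __name__ == "__main__":
    import json
    policy = build_policy(BUCKET, ACCOUNT_ID, CANONICAL_USER_ID)
    print(json.dumps(policy, indent=2))
    print("public statements:", public_sids(policy))
```

The `public_sids` check is the one to run before attaching any policy: a wildcard principal on an Allow statement is exactly the condition under which the bucket serves anonymous requests.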
The following list shows the format for the Amazon S3 actions that you can reference in a policy.
Actions Related to Objects
s3:GetObject (covers REST GET Object, REST HEAD Object, REST GET
Object torrent, SOAP GetObject, and SOAP
GetObjectExtended)
s3:GetObjectVersion (covers REST GET Object, REST HEAD Object, REST
GET Object torrent, SOAP GetObject, and SOAP
GetObjectExtended)
s3:PutObject (covers the REST PUT Object, REST POST Object, REST
Initiate Multipart Upload, REST Upload Part, REST Complete Multipart
Upload, SOAP PutObject, and SOAP
PutObjectInline)
s3:GetObjectAcl
s3:GetObjectVersionAcl
s3:PutObjectAcl
s3:PutObjectVersionAcl
s3:DeleteObject
s3:DeleteObjectVersion
s3:ListMultipartUploadParts
s3:AbortMultipartUpload
s3:GetObjectTorrent
s3:GetObjectVersionTorrent
s3:RestoreObject
Actions Related to Buckets
s3:CreateBucket
s3:DeleteBucket
s3:ListBucket
s3:ListBucketVersions
s3:ListAllMyBuckets (covers REST GET Service and
SOAP ListAllMyBuckets)
s3:ListBucketMultipartUploads
Actions Related to Bucket Sub-Resources
s3:GetBucketAcl
s3:PutBucketAcl
s3:GetBucketCORS
s3:PutBucketCORS
s3:GetBucketVersioning
s3:PutBucketVersioning
s3:GetBucketRequesterPays
s3:PutBucketRequesterPays
s3:GetBucketLocation
s3:PutBucketPolicy
s3:GetBucketPolicy
s3:PutBucketNotification
s3:GetBucketNotification
s3:GetBucketLogging
s3:PutBucketLogging
s3:GetLifecycleConfiguration
s3:PutLifecycleConfiguration
You can delete objects by explicitly calling the DELETE Object API or by configuring a lifecycle rule (see Object Expiration) so that Amazon S3 removes them for you. If you want to block users or accounts from removing objects from your bucket, you must deny all three paths: the s3:DeleteObject, s3:DeleteObjectVersion, and s3:PutLifecycleConfiguration actions. Denying s3:DeleteObject alone is not enough, because a lifecycle rule expires objects without any DELETE request, and in a versioning-enabled bucket a DELETE Object call without a version ID only adds a delete marker; permanent removal of a specific version is governed by s3:DeleteObjectVersion.
AWS provides a set of common keys. These keys are supported by all AWS products that adopt the access policy language. For a list of these keys, go to Available Keys in the AWS Identity and Access Management Using IAM guide.
Amazon S3 also has action-specific keys. In the following tables, these keys are grouped by resource type and applicable action. Some keys are applicable to more than one resource type or action.
Important
IAM cannot evaluate a policy for validity within Amazon S3. If you specify an invalid key/action combination, IAM doesn't throw an exception when you upload the policy to IAM. Also, you will not receive an error message from Amazon S3. Amazon S3 can determine only that the policy doesn't apply because it cannot fulfill the conditions. However, if you use a policy condition in an unexpected way (for example, you use a string field as a numeric comparison), Amazon S3 will throw an exception on the request and access will be denied.
Unless otherwise noted, each key is for use with the access policy language's string conditions. For more information, go to Condition in the AWS Identity and Access Management Using IAM guide.
The following table shows the keys related to buckets that can be in Amazon S3 policies.
| Action | Applicable Keys | Description |
|---|---|---|
| s3:CreateBucket | s3:x-amz-acl | The Amazon S3 canned ACL that is applied to the bucket. A canned ACL represents a predefined permission that can be applied to the bucket being created. Valid values: private, public-read, public-read-write, authenticated-read, log-delivery-write. |
| s3:CreateBucket | s3:LocationConstraint | Specifies the Region where the bucket will be created. Valid values are the Region constraint strings accepted by PUT Bucket. |
| s3:CreateBucket | s3:x-amz-grant-read, s3:x-amz-grant-write, s3:x-amz-grant-read-acp, s3:x-amz-grant-write-acp, s3:x-amz-grant-full-control | These conditions relate to the ACL-specific request headers the action supports. You can add a condition in your bucket policy to deny or grant the action based on the presence of these headers with specific values. For more information about the API and the request headers, go to PUT Bucket. For an example policy that uses these condition keys, see Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control. |
| s3:ListBucket | s3:prefix | Limits the response to objects that begin with the specified prefix. Use this to allow or deny access to objects that begin with the prefix. |
| s3:ListBucket | s3:delimiter | The character you use to group objects. |
| s3:ListBucket | s3:max-keys | The number of objects to return from the call. The maximum allowed value (and default) is 1000. For use with access policy language numeric conditions (for more information, see Numeric Conditions). |
| s3:ListBucketVersions | s3:prefix | Limits the response to keys that begin with the specified prefix. Use this to allow or deny access to object versions whose keys begin with the prefix. |
| s3:ListBucketVersions | s3:delimiter | The character you use to group objects. |
| s3:ListBucketVersions | s3:max-keys | The number of objects to return from the call. The maximum allowed value (and default) is 1000. For use with access policy language numeric conditions (for more information, see Numeric Conditions). |
| s3:PutBucketAcl | s3:x-amz-acl | The Amazon S3 canned ACL that is applied to the bucket. A canned ACL represents a predefined permission that can be applied to the bucket whose ACL is being set. Valid values: private, public-read, public-read-write, authenticated-read, log-delivery-write. |
| s3:PutBucketAcl | s3:x-amz-grant-read, s3:x-amz-grant-write, s3:x-amz-grant-read-acp, s3:x-amz-grant-write-acp, s3:x-amz-grant-full-control | These conditions relate to the ACL-specific request headers the action supports. You can add a condition in your bucket policy to deny or grant the action based on the presence of these headers with specific values. For more information about the API and the request headers, go to PUT Bucket acl. For an example policy that uses these condition keys, see Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control. |
The following table shows the keys related to objects that can be in Amazon S3 policies.
| Action | Applicable Keys | Description |
|---|---|---|
| s3:PutObject | s3:x-amz-acl | The Amazon S3 canned ACL that is applied to the object. A canned ACL represents a predefined permission that can be applied to the object being PUT to Amazon S3. Valid values: private, public-read, public-read-write, authenticated-read, bucket-owner-read, bucket-owner-full-control. |
| s3:PutObject | s3:x-amz-copy-source | The header that specifies the name of the source bucket and the key name of the source object, separated by a slash (/). Used when copying an object. |
| s3:PutObject | s3:x-amz-grant-read, s3:x-amz-grant-write, s3:x-amz-grant-read-acp, s3:x-amz-grant-write-acp, s3:x-amz-grant-full-control | These conditions relate to the ACL-specific request headers the action supports. You can add a condition in your bucket policy to deny or grant the action based on the presence of these headers with specific values. For more information about the API and the request headers, go to PUT Object. For an example policy that uses these condition keys, see Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control. |
| s3:PutObject | s3:x-amz-server-side-encryption | Allows the action only if the request carries the x-amz-server-side-encryption header with the specified value, that is, only if the object will be stored with server-side encryption. Valid values: AES256. |
| s3:PutObject | s3:x-amz-metadata-directive | The header that specifies whether the metadata is copied from the source object or replaced with metadata provided in the request. If copied, the metadata, except for the version ID, remains unchanged. Otherwise, all original metadata is replaced by the metadata you specify. Used when copying an object. Valid values: COPY, REPLACE. |
| s3:PutObjectAcl | s3:x-amz-acl | The Amazon S3 canned ACL that is applied to the object. A canned ACL represents a predefined permission that can be applied to the object whose ACL is being set. Valid values: private, public-read, public-read-write, authenticated-read, bucket-owner-read, bucket-owner-full-control. |
| s3:PutObjectAcl | s3:x-amz-grant-read, s3:x-amz-grant-write, s3:x-amz-grant-read-acp, s3:x-amz-grant-write-acp, s3:x-amz-grant-full-control | These conditions relate to the ACL-specific request headers the action supports. You can add a condition in your bucket policy to deny or grant the action based on the presence of these headers with specific values. For more information about the API and the request headers, go to PUT Object acl. For an example policy that uses these condition keys, see Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control. |
| s3:GetObjectVersion | s3:VersionId | The version ID of the object being retrieved. |
| s3:GetObjectVersionAcl | s3:VersionId | The version ID of the object whose ACL is being retrieved. |
| s3:PutObjectVersionAcl | s3:VersionId | The version ID of the object whose ACL is being PUT. |
| s3:PutObjectVersionAcl | s3:x-amz-acl | The Amazon S3 canned ACL that is applied to the object version. A canned ACL represents a predefined permission that can be applied to the object version whose ACL is being set. Valid values: private, public-read, public-read-write, authenticated-read, bucket-owner-read, bucket-owner-full-control. |
| s3:PutObjectVersionAcl | s3:x-amz-grant-read, s3:x-amz-grant-write, s3:x-amz-grant-read-acp, s3:x-amz-grant-write-acp, s3:x-amz-grant-full-control | These conditions relate to the ACL-specific request headers the action supports. You can add a condition in your bucket policy to deny or grant the action based on the presence of these headers with specific values. For more information about the API and the request headers, go to PUT Object acl. For an example policy that uses these condition keys, see Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control. |
| s3:DeleteObjectVersion | s3:VersionId | The version ID of the object version being deleted. |
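The guidance above on denying every path that removes objects, and the condition keys in the two tables, are exercised by this added Python example, which is not from the page and not AWS code. It applies a constructed guardrail policy to constructed request contexts. It deliberately ignores the Resource element (resource matching is a separate step) and implements only the condition operators the policy uses, following IAM's rule that a negated operator such as StringNotEquals matches when the key is absent from the request while other operators do not. The bucket name is a placeholder.

```python
# Constructed guardrail policy for an assumed bucket "example-bucket".
# Each Deny uses only action names and condition keys listed on the page.
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Close all three removal paths: explicit deletes and lifecycle expiry.
            "Sid": "DenyDeletes",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion",
                       "s3:PutLifecycleConfiguration"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
        },
        {   # Require server-side encryption on uploads. Because StringNotEquals
            # also matches when the header is missing, unencrypted PUTs are denied.
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringNotEquals":
                          {"s3:x-amz-server-side-encryption": "AES256"}},
        },
        {   # Refuse canned ACLs that expose objects beyond the owning account.
            "Sid": "DenyPublicCannedAcls",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl":
                ["public-read", "public-read-write", "authenticated-read"]}},
        },
        {   # Numeric condition on a listing parameter.
            "Sid": "DenyLargeListings",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-bucket",
            "Condition": {"NumericGreaterThan": {"s3:max-keys": "100"}},
        },
    ],
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def condition_holds(operator, key, expected, context):
    """Evaluate one condition key against the request context."""
    actual = context.get(key)
    expected = as_list(expected)
    if operator == "Null":
        # Null true: key must be absent; Null false: key must be present.
        want_absent = str(expected[0]).lower() == "true"
        return (actual is None) == want_absent
    if actual is None:
        # Negated operators match a missing key; all others do not.
        return operator.startswith("StringNot") or operator.startswith("NumericNot")
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringNotEquals":
        return actual not in expected
    if operator.startswith("Numeric"):
        try:
            a, e = int(actual), int(expected[0])
        except ValueError:
            # The page: a non-numeric value in a numeric comparison fails the request.
            raise ValueError(f"{key}: non-numeric value in {operator}")
        return {"NumericEquals": a == e, "NumericLessThan": a < e,
                "NumericGreaterThan": a > e}[operator]
    raise NotImplementedError(operator)


def statement_applies(statement, action, context):
    """True when the action is listed and every condition block is satisfied."""
    if action not in as_list(statement["Action"]):   # exact names only here
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not condition_holds(operator, key, expected, context):
                return False
    return True


def denying_sids(policy, action, context):
    """Sids of Deny statements that apply to this action and request context."""
    return [st["Sid"] for st in policy["Statement"]
            if st["Effect"] == "Deny" and statement_applies(st, action, context)]


if __name__ == "__main__":
    # Constructed request contexts: the condition keys S3 would derive from each request.
    print(denying_sids(GUARDRAIL_POLICY, "s3:PutObject", {}))
    print(denying_sids(GUARDRAIL_POLICY, "s3:ListBucket", {"s3:max-keys": "1000"}))
```

Two behaviours are worth noticing. A PUT with no x-amz-server-side-encryption header is denied because the negated operator matches a missing key; had the statement used StringEquals with the intent "deny if not AES256", a header-less upload would slip through, and a Null condition is the way to target the missing-header case explicitly. Conversely, a listing that sends no max-keys parameter presents no s3:max-keys key at all, so DenyLargeListings does not apply even though the service will return up to 1000 keys. Since the Deny statements name Principal *, they also bind the bucket owner's own users, which is the intent for a bucket whose contents must not be removed.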