This guide is no longer being updated. For current information and instructions, see the new Amazon S3 User Guide.
Granting permissions for Amazon S3 Batch Operations
This section describes how to grant the necessary permissions required for creating and performing S3 Batch Operations jobs.
Topics
Required permissions for creating an S3 Batch Operations job
To create an Amazon S3 Batch Operations job, the s3:CreateJob
permission is
required. The same entity creating the job must also have the
iam:PassRole
permission to pass the AWS Identity and Access Management (IAM) role
specified for the job to Amazon S3 Batch Operations. For information about creating
this IAM
role, see the next topic Creating an S3 Batch Operations IAM role.
Creating an S3 Batch Operations IAM role
Amazon S3 must have your permissions to perform S3 Batch Operations on your behalf. You grant these permissions through an AWS Identity and Access Management (IAM) role. This section provides examples of the trust and permissions policies you use when creating an IAM role. For more information, see IAM Roles. For examples, see Example: Using job tags to control permissions for S3 Batch Operations and Example: Copying objects across AWS accounts using S3 Batch Operations.
In your IAM policies, you can also use condition keys to filter access permissions for S3 Batch Operations jobs. For more information and a complete list of Amazon S3‐specific condition keys, see Actions, resources, and condition keys for Amazon S3.
The following video shows how to set up IAM permissions for Batch Operations jobs using the AWS Management Console.
Trust policy
To allow the S3 Batch Operations service principal to assume the IAM role, attach the following trust policy to the role.
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Principal":{ "Service":"batchoperations.s3.amazonaws.com" }, "Action":"sts:AssumeRole" } ] }
Permissions policies
Depending on the type of operations, you can attach one of the following policies.
-
Regardless of the operation, Amazon S3 needs permissions to read your manifest object from your S3 bucket and optionally write a report to your bucket. Therefore, all of the following policies include these permissions.
-
For Amazon S3 inventory report manifests, S3 Batch Operations require permission to read the manifest.json object and all associated CSV data files.
-
Version-specific permissions such as
s3:GetObjectVersion
are only required when you are specifying the version ID of the objects. -
If you are running S3 Batch Operations on encrypted objects, the IAM role must also have access to the AWS KMS keys used to encrypt them.
-
Put copy object
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging" ], "Effect": "Allow", "Resource": "arn:aws:s3:::{{
DestinationBucket
}}/*" }, { "Action": [ "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTagging" ], "Effect": "Allow", "Resource": "arn:aws:s3:::{{SourceBucket
}}/*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::{{ManifestBucket
}}/*" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::{{ReportBucket
}}/*" ] } ] } -
Put object tagging
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:PutObjectTagging", "s3:PutObjectVersionTagging" ], "Resource": "arn:aws:s3:::{{
TargetResource
}}/*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::{{ManifestBucket
}}/*" ] }, { "Effect":"Allow", "Action":[ "s3:PutObject", "s3:GetBucketLocation" ], "Resource":[ "arn:aws:s3:::{{ReportBucket
}}/*" ] } ] } -
Put object ACL
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:PutObjectAcl", "s3:PutObjectVersionAcl" ], "Resource": "arn:aws:s3:::{{
TargetResource
}}/*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::{{ManifestBucket
}}/*" ] }, { "Effect":"Allow", "Action":[ "s3:PutObject", "s3:GetBucketLocation" ], "Resource":[ "arn:aws:s3:::{{ReportBucket
}}/*" ] } ] } -
Initiate S3 Glacier restore
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:RestoreObject" ], "Resource": "arn:aws:s3:::{{
TargetResource
}}/*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::{{ManifestBucket
}}/*" ] }, { "Effect":"Allow", "Action":[ "s3:PutObject", "s3:GetBucketLocation" ], "Resource":[ "arn:aws:s3:::{{ReportBucket
}}/*" ] } ] } -
Put S3 Object Lock retention
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetBucketObjectLockConfiguration", "Resource": [ "arn:aws:s3:::{{
TargetResource
}}" ] }, { "Effect": "Allow", "Action": [ "s3:PutObjectRetention", "s3:BypassGovernanceRetention" ], "Resource": [ "arn:aws:s3:::{{TargetResource
}}/*" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::{{ManifestBucket
}}/*" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::{{ReportBucket
}}/*" ] } ] } -
Put S3 Object Lock legal hold
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetBucketObjectLockConfiguration", "Resource": [ "arn:aws:s3:::{{
TargetResource
}}" ] }, { "Effect": "Allow", "Action": "s3:PutObjectLegalHold", "Resource": [ "arn:aws:s3:::{{TargetResource
}}/*" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::{{ManifestBucket
}}/*" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::{{ReportBucket
}}/*" ] } ] }
For more information, see the Batch Ops basics, Operations, and Managing S3 Batch Operations jobs sections in this document.