AWS Signature Version 4 (SigV4) authentication-specific policy keys
The following table shows the condition keys related to AWS Signature Version 4 (SigV4) authentication that you can use with Amazon S3 on Outposts. In a bucket policy, you can add these conditions to enforce specific behavior when requests are authenticated by using Signature Version 4. For example policies, see Bucket policy examples that use Signature Version 4-related condition keys. For more information about authenticating requests using Signature Version 4, see Authenticating requests (AWS Signature Version 4) in the Amazon Simple Storage Service API Reference
| Applicable keys | Description |
|---|---|
|
|
S3 on Outposts supports various methods of authentication. To restrict
incoming requests to use a specific authentication method, you can use
this optional condition key. For example, you can use this condition key
to allow only the HTTP Valid values:
|
|
|
The length of time, in milliseconds, that a signature is valid in an authenticated request. This condition works only for presigned URLs. In Signature Version 4, the signing key is valid for up to seven days. Therefore, the signatures are also valid for up to seven days. For more information, see Introduction to signing requests in the Amazon Simple Storage Service API Reference. You can use this condition to further limit the signature age. Example value: |
|
|
You can use this condition key to disallow unsigned content in your bucket. When you use Signature Version 4, for requests that use the
You can use this condition key in your bucket policy to deny any uploads where the payloads are not signed. For example:
Valid value: |
Bucket policy examples that use Signature Version 4-related condition keys
To use the following examples, replace the user input
placeholders
Example : s3-outposts:signatureAge
The following bucket policy denies any S3 on Outposts presigned URL request on objects
in example-outpost-bucket if the signature is more than 10 minutes old.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Deny a presigned URL request if the signature is more than 10 minutes old", "Effect": "Deny", "Principal": {"AWS":"444455556666"}, "Action": "s3-outposts:*", "Resource": "arn:aws:s3-outposts:us-east-1:111122223333:outpost/op-01ac5d28a6a232904/bucket/example-outpost-bucket/object/*", "Condition": { "NumericGreaterThan": {"s3-outposts:signatureAge": 600000}, "StringEquals": {"s3-outposts:authType": "REST-QUERY-STRING"} } } ] }
Example : s3-outposts:authType
The following bucket policy allows only requests that use the
Authorization header for request authentication. Any presigned URL
requests will be denied since presigned URLs use query parameters to provide request
and authentication information. For more information, see Authentication
methods in the Amazon Simple Storage Service API Reference.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Allow only requests that use the Authorization header for request authentication. Deny presigned URL requests.", "Effect": "Deny", "Principal": {"AWS":"111122223333"}, "Action": "s3-outposts:*", "Resource": "arn:aws:s3-outposts:us-east-1:111122223333:outpost/op-01ac5d28a6a232904/bucket/example-outpost-bucket/object/*", "Condition": { "StringNotEquals": { "s3-outposts:authType": "REST-HEADER" } } } ] }
Example : s3-outposts:x-amz-content-sha256
The following bucket policy denies any uploads with unsigned payloads, such as uploads that are using presigned URLs. For more information, see Authenticating requests and Authentication methods in the Amazon Simple Storage Service API Reference.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Deny uploads with unsigned payloads.", "Effect": "Deny", "Principal": {"AWS":"111122223333"}, "Action": "s3-outposts:*", "Resource": "arn:aws:s3-outposts:us-east-1:111122223333:outpost/op-01ac5d28a6a232904/bucket/example-outpost-bucket/object/*", "Condition": { "StringEquals": { "s3-outposts:x-amz-content-sha256": "UNSIGNED-PAYLOAD" } } } ] }
