AWS Identity and Access Management (IAM) for S3 Express One Zone
AWS Identity and Access Management (IAM) is an AWS service that helps administrators securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use Amazon S3 resources in S3 Express One Zone. You can use IAM for no additional charge.
By default, users don't have permissions for directory buckets and S3 Express One Zone operations. To grant access permissions for directory buckets, you can use IAM to create users, groups, or roles and attach permissions to those identities. For more information about IAM, see Security best practices in IAM in the IAM User Guide.
To provide access, you can add permissions to your users, groups, or roles through the following means:
- Users and groups in AWS IAM Identity Center – Create a permission set. Follow the instructions in Create a permission set in the AWS IAM Identity Center User Guide.
- Users managed in IAM through an identity provider – Create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.
- IAM roles and users – Create a role that your user can assume. Follow the instructions in Creating a role to delegate permissions to an IAM user in the IAM User Guide.
By default, directory buckets are private and can be accessed only by users who are explicitly granted access. The access control boundary for directory buckets is set only at the bucket level. In contrast, the access control boundary for general purpose buckets can be set at the bucket, prefix, or object tag level. This difference means that directory buckets are the only resource that you can include in bucket policies or IAM identity policies for S3 Express One Zone access.
With S3 Express One Zone, in addition to IAM authorization, you authenticate and authorize requests through a new session-based mechanism that's handled by the CreateSession API operation. You can use CreateSession to request temporary credentials that provide low-latency access to your bucket. These temporary credentials are scoped to a specific directory bucket.
To work with CreateSession, we recommend using the latest version of the AWS SDKs or using the AWS Command Line Interface (AWS CLI). The supported AWS SDKs and the AWS CLI handle session establishment, refreshment, and termination on your behalf.
You use session tokens with only Zonal (object-level) operations (except for CopyObject and HeadBucket) to distribute the latency that's associated with authorization over a number of requests in a session. For Regional endpoint API operations (bucket-level operations), you use IAM authorization, which doesn't involve managing a session. For more information, see AWS Identity and Access Management (IAM) for S3 Express One Zone and CreateSession authorization.
For more information about IAM for S3 Express One Zone, see the following topics.
Principals
When you create a resource-based policy to grant access to your buckets, you must use the Principal element to specify the person or application that can make a request for an action or operation on that resource. For directory bucket policies, you can use the following principals:
- An AWS account
- An IAM user
- An IAM role
- A federated user
For more information, see Principal in the IAM User Guide.
Resources
Amazon Resource Names (ARNs) for directory buckets contain the s3express namespace, the AWS Region, the AWS account ID, and the directory bucket name, which includes the Availability Zone ID. To access and perform actions on your directory bucket, you must use the following ARN format:
arn:aws:s3express:region:account-id:bucket/base-bucket-name--azid--x-s3
For more information about ARNs, see Amazon Resource Names (ARNs) in the IAM User Guide. For more information about resources, see IAM JSON Policy Elements: Resource in the IAM User Guide.
Actions for S3 Express One Zone
In an IAM identity-based policy or resource-based policy, you define which S3 actions are allowed or denied. S3 Express One Zone actions correspond to specific API operations. S3 Express One Zone has a unique IAM namespace that is distinct from the standard namespace for Amazon S3. This namespace is s3express.
When you allow the s3express:CreateSession permission, the CreateSession API operation can retrieve session tokens for accessing Zonal endpoint API (object-level) operations. These session tokens return credentials that are used to grant access to all of the other Zonal endpoint API operations. As a result, you don't have to grant access permissions to Zonal API operations by using IAM policies. Instead, the session token enables access.
For more information about Zonal and Regional endpoint API operations, see Networking for S3 Express One Zone. To learn more about the CreateSession API operation, see CreateSession in the Amazon Simple Storage Service API Reference.
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation with the same name. However, in some cases, a single action controls access to more than one API operation. Access to bucket-level actions can be granted only in IAM identity-based policies (user or role), not in bucket policies.
Actions and condition keys for S3 Express One Zone
Action | API | Description | Access level | Condition keys
---|---|---|---|---
s3express:CreateBucket | CreateBucket | Grants permission to create a new bucket. | Write |
s3express:CreateSession | CreateSession | Grants permission to create a session token, which is used for granting access to all Zonal (object-level) API operations, such as | Write |
s3express:DeleteBucket | DeleteBucket | Grants permission to delete the bucket named in the URI. | Write |
s3express:DeleteBucketPolicy | DeleteBucketPolicy | Grants permission to delete the policy on a specified bucket. | Permissions management |
s3express:GetBucketPolicy | GetBucketPolicy | Grants permission to return the policy of the specified bucket. | Read |
s3express:ListAllMyDirectoryBuckets | ListDirectoryBuckets | Grants permission to list all directory buckets owned by the authenticated sender of the request. | List |
s3express:PutBucketPolicy | PutBucketPolicy | Grants permission to add or replace a bucket policy on a bucket. | Permissions management |
Condition keys for S3 Express One Zone
S3 Express One Zone defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies.
Condition key | Description | Type
---|---|---
s3express:authType | Filters access by authentication method. To restrict incoming requests to use a specific authentication method, you can use this optional condition key. For example, you can use this condition key to allow only the HTTP Valid values: | String
s3express:LocationName | Filters access to the Example value: | String
s3express:ResourceAccount | Filters access by the resource owner's AWS account ID. To restrict user, role, or application access to the directory buckets that are owned by a specific AWS account ID, you can use either the Example value: | String
s3express:SessionMode | Filters access by the permission requested by the Valid values: | String
s3express:signatureAge | Filters access by the age in milliseconds of the request signature. This condition works only for presigned URLs. In AWS Signature Version 4, the signing key is valid for up to seven days. Therefore, the signatures are also valid for up to seven days. For more information, see Introduction to signing requests in the Amazon Simple Storage Service API Reference. You can use this condition to further limit the signature age. Example value: | Numeric
s3express:signatureversion | Identifies the version of AWS Signature that you want to support for authenticated requests. For authenticated requests, S3 Express One Zone supports Signature Version 4. Valid value: | String
s3express:TlsVersion | Filters access by the TLS version that's used by the client. You can use the Example value: | Numeric
s3express:x-amz-content-sha256 | Filters access by unsigned content in your bucket. You can use this condition key to disallow unsigned content in your bucket. When you use Signature Version 4 for requests that use the You can use this condition key in your bucket policy to deny any uploads where the payloads aren't signed. For example: Valid value: | String
How API operations are authorized and authenticated
The following table lists authorization and authentication information for S3 Express One Zone API operations. For each API operation, the table shows the API operation name, IAM action, endpoint type (Regional or Zonal), and authorization mechanism (IAM or session-based). This table also indicates where cross-account access is supported. Access to bucket-level actions can be granted only in IAM identity-based policies (user or role), not bucket policies.
API | Endpoint type | IAM action | Cross-account access
---|---|---|---
CreateBucket | Regional | s3express:CreateBucket | No
DeleteBucket | Regional | s3express:DeleteBucket | No
ListDirectoryBuckets | Regional | s3express:ListAllMyDirectoryBuckets | No
PutBucketPolicy | Regional | s3express:PutBucketPolicy | No
GetBucketPolicy | Regional | s3express:GetBucketPolicy | No
DeleteBucketPolicy | Regional | s3express:DeleteBucketPolicy | No
CreateSession | Zonal | s3express:CreateSession | Yes
CopyObject | Zonal | s3express:CreateSession | Yes
DeleteObject | Zonal | s3express:CreateSession | Yes
DeleteObjects | Zonal | s3express:CreateSession | Yes
HeadObject | Zonal | s3express:CreateSession | Yes
PutObject | Zonal | s3express:CreateSession | Yes
GetObjectAttributes | Zonal | s3express:CreateSession | Yes
ListObjectsV2 | Zonal | s3express:CreateSession | Yes
HeadBucket | Zonal | s3express:CreateSession | Yes
CreateMultipartUpload | Zonal | s3express:CreateSession | Yes
UploadPart | Zonal | s3express:CreateSession | Yes
UploadPartCopy | Zonal | s3express:CreateSession | Yes
CompleteMultipartUpload | Zonal | s3express:CreateSession | Yes
AbortMultipartUpload | Zonal | s3express:CreateSession | Yes
ListParts | Zonal | s3express:CreateSession | Yes
ListMultipartUploads | Zonal | s3express:CreateSession | Yes
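As an added example (not AWS code or text from this documentation), the following Python script turns three facts stated on this page into checks a security engineer can run before deploying a policy: the directory bucket ARN format from the Resources section, the API-to-action mapping from the table above, and the rule that bucket-level actions can be granted only in identity-based policies. The API_TO_ACTION table is transcribed from this page; the sample policies, bucket name, Availability Zone ID, role name and account IDs are constructed placeholders, and the ARN regular expression is an assumption modelled on the documented ARN shape, not an AWS-published validator.

```python
"""Least-privilege helpers for S3 Express One Zone directory bucket policies.

Added example, not AWS code. Derives the minimal s3express actions a workload
needs from the API operations it calls, and lints a policy document against the
rules this page states. Sample policies and identifiers below are constructed.
"""
import re

# API operation -> (endpoint type, IAM action), transcribed from the page's table.
API_TO_ACTION = {
    "CreateBucket": ("Regional", "s3express:CreateBucket"),
    "DeleteBucket": ("Regional", "s3express:DeleteBucket"),
    "ListDirectoryBuckets": ("Regional", "s3express:ListAllMyDirectoryBuckets"),
    "PutBucketPolicy": ("Regional", "s3express:PutBucketPolicy"),
    "GetBucketPolicy": ("Regional", "s3express:GetBucketPolicy"),
    "DeleteBucketPolicy": ("Regional", "s3express:DeleteBucketPolicy"),
}
# Every Zonal (object-level) operation is authorized through s3express:CreateSession.
ZONAL_APIS = (
    "CreateSession", "CopyObject", "DeleteObject", "DeleteObjects", "HeadObject",
    "PutObject", "GetObjectAttributes", "ListObjectsV2", "HeadBucket",
    "CreateMultipartUpload", "UploadPart", "UploadPartCopy",
    "CompleteMultipartUpload", "AbortMultipartUpload", "ListParts",
    "ListMultipartUploads",
)
for _api in ZONAL_APIS:
    API_TO_ACTION[_api] = ("Zonal", "s3express:CreateSession")

# Bucket-level actions: grantable only in identity-based policies, never bucket policies.
BUCKET_LEVEL_ACTIONS = {action for endpoint, action in API_TO_ACTION.values() if endpoint == "Regional"}

# Assumed regex for arn:aws:s3express:region:account-id:bucket/base-bucket-name--azid--x-s3
# (wildcards are allowed in the bucket-name part so Resource patterns can be checked too).
DIRECTORY_BUCKET_ARN = re.compile(
    r"^arn:aws:s3express:[a-z0-9-]+:\d{12}:bucket/[a-z0-9.*-]+--[a-z0-9-]+--x-s3$"
)


def required_actions(api_operations):
    """Return the sorted, de-duplicated s3express actions needed for api_operations.

    Unknown operation names raise so that a typo cannot silently yield an
    empty, non-working policy.
    """
    actions = set()
    for op in api_operations:
        if op not in API_TO_ACTION:
            raise ValueError(f"not an S3 Express One Zone API operation: {op}")
        actions.add(API_TO_ACTION[op][1])
    return sorted(actions)


def lint_policy(policy, policy_type):
    """Return a list of findings for a policy document.

    policy_type is "identity" or "bucket". The checks cover only what the page
    states: the s3express namespace, the directory bucket ARN shape, and
    bucket-level actions appearing in an Allow statement of a bucket policy.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if not action.startswith("s3express:"):
                findings.append(f"statement {i}: action {action} is outside the s3express namespace")
            elif policy_type == "bucket" and stmt.get("Effect") == "Allow" and action in BUCKET_LEVEL_ACTIONS:
                findings.append(f"statement {i}: bucket-level action {action} cannot be granted in a bucket policy")
        for arn in resources:
            if arn != "*" and not DIRECTORY_BUCKET_ARN.match(arn):
                findings.append(f"statement {i}: resource {arn} is not a directory bucket ARN")
    return findings


# Constructed sample: identity policy for a workload that only reads and writes objects.
SAMPLE_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": required_actions(["PutObject", "HeadObject", "ListObjectsV2"]),
        "Resource": "arn:aws:s3express:us-west-2:111122223333:bucket/example-bucket--usw2-az1--x-s3",
    }],
}

# Constructed sample: a bucket policy with three mistakes the linter should catch.
SAMPLE_BAD_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::444455556666:role/ReaderRole"},
        "Action": ["s3express:CreateSession", "s3express:PutBucketPolicy", "s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket",
    }],
}

if __name__ == "__main__":
    print("identity policy findings:", lint_policy(SAMPLE_IDENTITY_POLICY, "identity"))
    for finding in lint_policy(SAMPLE_BAD_BUCKET_POLICY, "bucket"):
        print("bucket policy:", finding)
```

The point of `required_actions` is that object-level work collapses to a single action, `s3express:CreateSession`, so a policy that also lists bucket-level actions is usually over-privileged; the point of `lint_policy` is that a bucket policy naming a bucket-level action or a general purpose bucket ARN will not grant what its author intended, which is a silent failure rather than a visible error.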