Amazon S3 Storage Lens permissions
Amazon S3 Storage Lens requires new permissions in AWS Identity and Access Management (IAM) to authorize access to S3 Storage Lens actions. You can attach the policy to IAM users, groups, or roles to grant them permissions to enable or disable S3 Storage Lens, or to access any S3 Storage Lens dashboard or configuration.
The IAM user or role must belong to the account that created or owns the dashboard or configuration, unless your account is a member of AWS Organizations, and you were given access to create organization-level dashboards by your management account as a delegated administrator.
-
You can't use your account's root user credentials to view Amazon S3 Storage Lens dashboards. To access S3 Storage Lens dashboards, you must grant the required IAM permissions to a new or existing IAM user. Then, sign in with those user credentials to access S3 Storage Lens dashboards. For more information, see Security best practices in IAM in the IAM User Guide.
-
Using S3 Storage Lens on the Amazon S3 console can require multiple permissions. For example, to edit a dashboard on the console, you need the following permissions:
-
s3:ListStorageLensConfigurations -
s3:GetStorageLensConfiguration -
s3:PutStorageLensConfiguration
-
Topics
Setting account permissions to use S3 Storage Lens
Amazon S3 Storage Lens related IAM permissions | |
|---|---|
| Action | IAM permissions |
| Create or update an S3 Storage Lens dashboard in the Amazon S3 console. |
|
| Get the tags of an S3 Storage Lens dashboard on the Amazon S3 console. |
|
| View an S3 Storage Lens dashboard on the Amazon S3 console. |
|
| Delete an S3 Storage Lens dashboard on Amazon S3 console. |
|
| Create or update an S3 Storage Lens configuration by using the AWS CLI or an AWS SDK. |
|
| Get the tags of an S3 Storage Lens configuration by using the AWS CLI or an AWS SDK. |
|
| View an S3 Storage Lens configuration by using the AWS CLI or an AWS SDK. |
|
| Delete an S3 Storage Lens configuration by using the AWS CLI or AWS SDK. |
|
-
You can use resource tags in an IAM policy to manage permissions.
-
An IAM user or role with these permissions can see metrics from buckets and prefixes that they might not have direct permission to read or list objects from.
-
For S3 Storage Lens dashboard configurations with advanced metrics and recommendations aggregated at the prefix-level, if the selected prefix matches an object key, the dashboard might show the object key as your prefix up to the delimiter and maximum depth selected.
-
For metrics exports, which are stored in a bucket in your account, permissions are granted by using the existing
s3:GetObjectpermission in the IAM policy. Similarly, for an AWS Organizations entity, the organization's management account or delegated administrator accounts can use IAM policies to manage access permissions for organization-level dashboard and configurations.
Setting permissions to use S3 Storage Lens with AWS Organizations
You can use Amazon S3 Storage Lens to collect storage metrics and usage data for all accounts that are part of your AWS Organizations hierarchy. The following are the actions and permissions related to using S3 Storage Lens with Organizations.
AWS Organizations related IAM permissions for using S3 Storage Lens | |
|---|---|
| Action | IAM Permissions |
| Enable trusted access for S3 Storage Lens for your organization. |
|
| Disable trusted access for S3 Storage Lens for your organization. |
|
| Register a delegated administrator to create S3 Storage Lens dashboards or configurations for your organization. |
|
| Deregister a delegated administrator so that they can no longer create S3 Storage Lens dashboards or configurations for your organization. |
|
|
Additional permissions to create S3 Storage Lens organization-wide configurations. |
|
