Actions, resources, and condition keys for Amazon S3 - AWS Identity and Access Management

Tip: This page is moving to a new location on November 16, 2020. Please update your bookmark to use the new page at https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html.

Amazon S3 (service prefix: s3) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon S3

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value in this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If a resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

Columns: Actions, Description, Access level, Resource types (*required), Condition keys, Dependent actions. Each entry below gives the action with its access level in parentheses, then its description, followed by the resource types it supports (*required), the condition keys it supports, and any dependent actions.

AbortMultipartUpload (Write): Grants permission to abort a multipart upload
  Resource types: object*
  Condition keys: s3:DataAccessPointArn, s3:DataAccessPointAccount, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

BypassGovernanceRetention (Permissions management): Grants permission to allow circumvention of governance-mode object retention settings
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:RequestObjectTag/<key>, s3:RequestObjectTagKeys, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-copy-source, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-metadata-directive, s3:x-amz-server-side-encryption, s3:x-amz-server-side-encryption-aws-kms-key-id, s3:x-amz-storage-class, s3:x-amz-website-redirect-location, s3:object-lock-mode, s3:object-lock-retain-until-date, s3:object-lock-remaining-retention-days, s3:object-lock-legal-hold

CreateAccessPoint (Write): Grants permission to create a new access point
  Resource types: accesspoint*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:locationconstraint, s3:signatureAge, s3:signatureversion, s3:x-amz-acl, s3:x-amz-content-sha256

CreateBucket (Write): Grants permission to create a new bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:locationconstraint, s3:signatureAge, s3:signatureversion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp

CreateJob (Write): Grants permission to create a new Amazon S3 Batch Operations job
  Resource types: none (specify "*" in the Resource element)
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256, s3:RequestJobPriority, s3:RequestJobOperation, aws:TagKeys, aws:RequestTag/${TagKey}
  Dependent actions: iam:PassRole

DeleteAccessPoint (Write): Grants permission to delete the access point named in the URI
  Resource types: accesspoint*
  Condition keys: s3:DataAccessPointArn, s3:DataAccessPointAccount, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

DeleteAccessPointPolicy (Permissions management): Grants permission to delete the policy on a specified access point
  Resource types: accesspoint*
  Condition keys: s3:DataAccessPointArn, s3:DataAccessPointAccount, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

DeleteBucket (Write): Grants permission to delete the bucket named in the URI
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

DeleteBucketOwnershipControls (Write): Grants permission to delete ownership controls on a bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

DeleteBucketPolicy (Permissions management): Grants permission to delete the policy on a specified bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

DeleteBucketWebsite (Write): Grants permission to remove the website configuration for a bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

DeleteJobTagging (Tagging): Grants permission to remove tags from an existing Amazon S3 Batch Operations job
  Resource types: job*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256, s3:ExistingJobPriority, s3:ExistingJobOperation

DeleteObject (Write): Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

DeleteObjectTagging (Tagging): Grants permission to use the tagging subresource to remove the entire tag set from the specified object
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

DeleteObjectVersion (Write): Grants permission to remove a specific version of an object
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256

DeleteObjectVersionTagging (Tagging): Grants permission to remove the entire tag set for a specific version of the object
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256

DescribeJob (Read): Grants permission to retrieve the configuration parameters and status for a batch operations job
  Resource types: job*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetAccelerateConfiguration (Read): Grants permission to use the accelerate subresource to return the Transfer Acceleration state of a bucket, which is either Enabled or Suspended
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetAccessPoint (Read): Grants permission to return configuration information about the specified access point
  Resource types: none (specify "*" in the Resource element)
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetAccessPointPolicy (Read): Grants permission to return the access point policy associated with the specified access point
  Resource types: accesspoint*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetAccessPointPolicyStatus (Read): Grants permission to return the policy status for a specific access point policy
  Resource types: accesspoint*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetAccountPublicAccessBlock (Read): Grants permission to retrieve the PublicAccessBlock configuration for an AWS account
  Resource types: none (specify "*" in the Resource element)
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetAnalyticsConfiguration (Read): Grants permission to get an analytics configuration from an Amazon S3 bucket, identified by the analytics configuration ID
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketAcl (Read): Grants permission to use the acl subresource to return the access control list (ACL) of an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketCORS (Read): Grants permission to return the CORS configuration information set for an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketLocation (Read): Grants permission to return the Region that an Amazon S3 bucket resides in
  Resource types: bucket*
  Condition keys: none

GetBucketLogging (Read): Grants permission to return the logging status of an Amazon S3 bucket and the permissions users have to view or modify that status
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketNotification (Read): Grants permission to get the notification configuration of an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketObjectLockConfiguration (Read): Grants permission to get the Object Lock configuration of an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion

GetBucketOwnershipControls (Read): Grants permission to retrieve ownership controls on a bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketPolicy (Read): Grants permission to return the policy of the specified bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketPolicyStatus (Read): Grants permission to retrieve the policy status for a specific Amazon S3 bucket, which indicates whether the bucket is public
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketPublicAccessBlock (Read): Grants permission to retrieve the PublicAccessBlock configuration for an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketRequestPayment (Read): Grants permission to return the request payment configuration for an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketTagging (Read): Grants permission to return the tag set associated with an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketVersioning (Read): Grants permission to return the versioning state of an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetBucketWebsite (Read): Grants permission to return the website configuration for an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetEncryptionConfiguration (Read): Grants permission to return the default encryption configuration of an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetInventoryConfiguration (Read): Grants permission to return an inventory configuration from an Amazon S3 bucket, identified by the inventory configuration ID
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetJobTagging (Read): Grants permission to return the tag set of an existing Amazon S3 Batch Operations job
  Resource types: job*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetLifecycleConfiguration (Read): Grants permission to return the lifecycle configuration information set on an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetMetricsConfiguration (Read): Grants permission to get a metrics configuration from an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetObject (Read): Grants permission to retrieve objects from Amazon S3
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetObjectAcl (Read): Grants permission to return the access control list (ACL) of an object
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetObjectLegalHold (Read): Grants permission to get an object's current Legal Hold status
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetObjectRetention (Read): Grants permission to retrieve the retention settings for an object
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetObjectTagging (Read): Grants permission to return the tag set of an object
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetObjectTorrent (Read): Grants permission to return torrent files from an Amazon S3 bucket
  Resource types: object*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetObjectVersion (Read): Grants permission to retrieve a specific version of an object
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256

GetObjectVersionAcl (Read): Grants permission to return the access control list (ACL) of a specific object version
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256

GetObjectVersionForReplication (Read): Grants permission to replicate both unencrypted objects and objects encrypted with SSE-S3 or SSE-KMS
  Resource types: object*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

GetObjectVersionTagging (Read): Grants permission to return the tag set for a specific version of the object
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256

GetObjectVersionTorrent (Read): Grants permission to get Torrent files about a different version using the versionId subresource
  Resource types: object*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256

GetReplicationConfiguration (Read): Grants permission to get the replication configuration information set on an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ListAccessPoints (Read): Grants permission to list access points
  Resource types: none (specify "*" in the Resource element)
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ListAllMyBuckets (List): Grants permission to list all buckets owned by the authenticated sender of the request
  Resource types: none (specify "*" in the Resource element)
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ListBucket (List): Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000)
  Resource types: bucket*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:delimiter, s3:max-keys, s3:prefix, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ListBucketMultipartUploads (List): Grants permission to list in-progress multipart uploads
  Resource types: bucket*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ListBucketVersions (List): Grants permission to list metadata about all the versions of objects in an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:delimiter, s3:max-keys, s3:prefix, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ListJobs (List): Grants permission to list current jobs and jobs that have ended recently
  Resource types: none (specify "*" in the Resource element)
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ListMultipartUploadParts (List): Grants permission to list the parts that have been uploaded for a specific multipart upload
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ObjectOwnerOverrideToBucketOwner (Permissions management): Grants permission to change replica ownership
  Resource types: object*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutAccelerateConfiguration (Write): Grants permission to use the accelerate subresource to set the Transfer Acceleration state of an existing S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutAccessPointPolicy (Permissions management): Grants permission to associate an access policy with a specified access point
  Resource types: accesspoint*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutAccountPublicAccessBlock (Permissions management): Grants permission to create or modify the PublicAccessBlock configuration for an AWS account
  Resource types: none (specify "*" in the Resource element)
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutAnalyticsConfiguration (Write): Grants permission to set an analytics configuration for the bucket, specified by the analytics configuration ID
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketAcl (Permissions management): Grants permission to set the permissions on an existing bucket using access control lists (ACLs)
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp

PutBucketCORS (Write): Grants permission to set the CORS configuration for an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketLogging (Write): Grants permission to set the logging parameters for an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketNotification (Write): Grants permission to receive notifications when certain events happen in an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketObjectLockConfiguration (Write): Grants permission to put Object Lock configuration on a specific bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion

PutBucketOwnershipControls (Write): Grants permission to add or replace ownership controls on a bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketPolicy (Permissions management): Grants permission to add or replace a bucket policy on a bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketPublicAccessBlock (Permissions management): Grants permission to create or modify the PublicAccessBlock configuration for a specific Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketRequestPayment (Write): Grants permission to set the request payment configuration of a bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketTagging (Tagging): Grants permission to add a set of tags to an existing Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketVersioning (Write): Grants permission to set the versioning state of an existing Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutBucketWebsite (Write): Grants permission to set the configuration of the website that is specified in the website subresource
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutEncryptionConfiguration (Write): Grants permission to set the encryption configuration for an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutInventoryConfiguration (Write): Grants permission to add an inventory configuration to the bucket, identified by the inventory ID
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutJobTagging (Tagging): Grants permission to replace tags on an existing Amazon S3 Batch Operations job
  Resource types: job*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256, s3:ExistingJobPriority, s3:ExistingJobOperation, aws:TagKeys, aws:RequestTag/${TagKey}

PutLifecycleConfiguration (Write): Grants permission to create a new lifecycle configuration for the bucket or replace an existing lifecycle configuration
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutMetricsConfiguration (Write): Grants permission to set or update a metrics configuration for the CloudWatch request metrics from an Amazon S3 bucket
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutObject (Write): Grants permission to add an object to a bucket
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:RequestObjectTag/<key>, s3:RequestObjectTagKeys, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-copy-source, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-metadata-directive, s3:x-amz-server-side-encryption, s3:x-amz-server-side-encryption-aws-kms-key-id, s3:x-amz-storage-class, s3:x-amz-website-redirect-location, s3:object-lock-mode, s3:object-lock-retain-until-date, s3:object-lock-remaining-retention-days, s3:object-lock-legal-hold

PutObjectAcl (Permissions management): Grants permission to set the access control list (ACL) permissions for new or existing objects in an S3 bucket
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-storage-class

PutObjectLegalHold (Write): Grants permission to apply a Legal Hold configuration to the specified object
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256, s3:object-lock-legal-hold

PutObjectRetention (Write): Grants permission to place an Object Retention configuration on an object
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256, s3:object-lock-mode, s3:object-lock-retain-until-date, s3:object-lock-remaining-retention-days

PutObjectTagging (Tagging): Grants permission to set the supplied tag-set to an object that already exists in a bucket
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:RequestObjectTag/<key>, s3:RequestObjectTagKeys, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

PutObjectVersionAcl (Permissions management): Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:authType, s3:signatureAge, s3:signatureversion, s3:versionid, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-storage-class

PutObjectVersionTagging (Tagging): Grants permission to set the supplied tag-set for a specific version of an object
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:ExistingObjectTag/<key>, s3:RequestObjectTag/<key>, s3:RequestObjectTagKeys, s3:authType, s3:signatureAge, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256

PutReplicationConfiguration (Write): Grants permission to create a new replication configuration or replace an existing one
  Resource types: bucket*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256
  Dependent actions: iam:PassRole

ReplicateDelete (Write): Grants permission to replicate delete markers to the destination bucket
  Resource types: object*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

ReplicateObject (Write): Grants permission to replicate objects and object tags to the destination bucket
  Resource types: object*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256, s3:x-amz-server-side-encryption, s3:x-amz-server-side-encryption-aws-kms-key-id

ReplicateTags (Tagging): Grants permission to replicate object tags to the destination bucket
  Resource types: object*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

RestoreObject (Write): Grants permission to restore an archived copy of an object back into Amazon S3
  Resource types: object*
  Condition keys: s3:DataAccessPointAccount, s3:DataAccessPointArn, s3:AccessPointNetworkOrigin, s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256

UpdateJobPriority (Write): Grants permission to update the priority of an existing job
  Resource types: job*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256, s3:RequestJobPriority, s3:ExistingJobPriority, s3:ExistingJobOperation

UpdateJobStatus (Write): Grants permission to update the status for the specified job
  Resource types: job*
  Condition keys: s3:authType, s3:signatureAge, s3:signatureversion, s3:x-amz-content-sha256, s3:ExistingJobPriority, s3:ExistingJobOperation, s3:JobSuspendedCause

Resource types defined by Amazon S3

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

Columns: Resource types, ARN, Condition keys. None of the resource types below defines condition keys of its own.

accesspoint: arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}
bucket: arn:${Partition}:s3:::${BucketName}
object: arn:${Partition}:s3:::${BucketName}/${ObjectName}
job: arn:${Partition}:s3:${Region}:${Account}:job/${JobId}

Condition keys for Amazon S3

Amazon S3 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters actions based on the tags that are passed in the request String
aws:ResourceTag/${TagKey} Filters actions based on the tags associated with the resource String
aws:TagKeys Filters actions based on the tag keys that are passed in the request String
s3:AccessPointNetworkOrigin Filters access by the network origin (Internet or VPC) String
s3:DataAccessPointAccount Filters access by the AWS Account ID that owns the access point String
s3:DataAccessPointArn Filters access by an access point Amazon Resource Name (ARN) String
s3:ExistingJobOperation Filters access to updating the job priority by operation String
s3:ExistingJobPriority Filters access to cancelling existing jobs by priority range Numeric
s3:ExistingObjectTag/<key> Filters access by existing object tag key and value String
s3:JobSuspendedCause Filters access to cancelling suspended jobs by a specific job suspended cause (for example, AWAITING_CONFIRMATION) String
s3:LocationConstraint Filters access by a specific Region String
s3:RequestJobOperation Filters access to creating jobs by operation String
s3:RequestJobPriority Filters access to creating new jobs by priority range Numeric
s3:RequestObjectTag/<key> Filters access by the tag keys and values to be added to objects String
s3:RequestObjectTagKeys Filters access by the tag keys to be added to objects String
s3:VersionId Filters access by a specific object version String
s3:authType Filters access by authentication method String
s3:delimiter Filters access by delimiter parameter String
s3:locationconstraint Filters access by a specific Region String
s3:max-keys Filters access by maximum number of keys returned in a ListBucket request Numeric
s3:object-lock-legal-hold Filters access by object legal hold status String
s3:object-lock-mode Filters access by object retention mode (COMPLIANCE or GOVERNANCE) String
s3:object-lock-remaining-retention-days Filters access by remaining object retention days String
s3:object-lock-retain-until-date Filters access by object retain-until date String
s3:prefix Filters access by key name prefix String
s3:signatureAge Filters access by the age in milliseconds of the request signature Numeric
s3:signatureversion Filters access by the version of AWS Signature used on the request String
s3:versionid Filters access by a specific object version String
s3:x-amz-acl Filters access by canned ACL in the request's x-amz-acl header String
s3:x-amz-content-sha256 Filters access to unsigned content in your bucket String
s3:x-amz-copy-source Filters access to requests with a specific bucket, prefix, or object as the copy source String
s3:x-amz-grant-full-control Filters access to requests with the x-amz-grant-full-control (full control) header String
s3:x-amz-grant-read Filters access to requests with the x-amz-grant-read (read access) header String
s3:x-amz-grant-read-acp Filters access to requests with the x-amz-grant-read-acp (read permissions for the ACL) header String
s3:x-amz-grant-write Filters access to requests with the x-amz-grant-write (write access) header String
s3:x-amz-grant-write-acp Filters access to requests with the x-amz-grant-write-acp (write permissions for the ACL) header String
s3:x-amz-metadata-directive Filters access by object metadata behavior (COPY or REPLACE) when objects are copied String
s3:x-amz-server-side-encryption Filters access by server-side encryption String
s3:x-amz-server-side-encryption-aws-kms-key-id Filters access by AWS KMS customer managed CMK for server-side encryption String
s3:x-amz-storage-class Filters access by storage class String
s3:x-amz-website-redirect-location Filters access by a specific website redirect location for buckets that are configured as static websites String