AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon S3

Amazon S3 (service prefix: s3) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon S3

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions
AbortMultipartUpload | Aborts a multipart upload. | Write | object* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
CreateBucket | Creates a new bucket. | Write | bucket* | s3:authtype, s3:locationconstraint, s3:signatureage, s3:signatureversion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp |
DeleteBucket | Deletes the bucket named in the URI. | Write | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
DeleteBucketPolicy | Delete the policy on a specified bucket. | Permissions management | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
DeleteBucketWebsite | Removes the website configuration for a bucket. | Write | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
DeleteObject | Removes the null version (if there is one) of an object and inserts a delete marker, which becomes the current version of the object. | Write | object* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
DeleteObjectTagging | This implementation of the DELETE operation uses the tagging subresource to remove the entire tag set from the specified object. | Tagging | object* | s3:ExistingObjectTag/<key>, s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
DeleteObjectVersion | To remove a specific version of an object, you must be the bucket owner and you must use the versionId subresource. | Write | object* | s3:authtype, s3:signatureage, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256 |
DeleteObjectVersionTagging | DELETE Object tagging (for a specific version of the object). | Tagging | object* | s3:ExistingObjectTag/<key>, s3:authtype, s3:signatureage, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256 |
GetAccelerateConfiguration | This implementation of the GET operation uses the accelerate subresource to return the Transfer Acceleration state of a bucket, which is either Enabled or Suspended. | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetAnalyticsConfiguration | This implementation of the GET operation returns an analytics configuration (identified by the analytics configuration ID) from the bucket. | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetBucketAcl | Return the access control list (ACL) of a bucket. | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetBucketCORS | Returns the cors configuration information set for the bucket. | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetBucketLocation | Return a bucket's region. | Read | bucket* | |
GetBucketLogging | Return the logging status of a bucket and the permissions users have to view and modify that status. | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetBucketNotification | Return the notification configuration of a bucket. | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetBucketPolicy | Return the policy of a specified bucket. | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetBucketRequestPayment | Return the request payment configuration of a bucket. | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetBucketTagging | Return the tag set associated with the bucket. | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetBucketVersioning | Return the versioning state of a bucket. | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetBucketWebsite | Returns the website configuration associated with a bucket. | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetEncryptionConfiguration | Returns the encryption configuration information set on the bucket. | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetInventoryConfiguration | This implementation of the GET operation returns an inventory configuration (identified by the inventory configuration ID) from the bucket. | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetIpConfiguration | | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetLifecycleConfiguration | Returns the lifecycle configuration information set on the bucket. | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetMetricsConfiguration | Gets a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from the bucket. Note that this doesn't include the daily storage metrics. | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetObject | Retrieves objects from Amazon S3. | Read | object* | s3:ExistingObjectTag/<key>, s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetObjectAcl | Return the access control list (ACL) of an object. | Read | object* | s3:ExistingObjectTag/<key>, s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetObjectTagging | This implementation of the GET operation returns the tags associated with an object. You send the GET request against the tagging subresource associated with the object. | Read | object* | s3:ExistingObjectTag/<key>, s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetObjectTorrent | Returns torrent files from a bucket. | Read | object* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetObjectVersion | To return a different version, use the versionId subresource. | Read | object* | s3:ExistingObjectTag/<key>, s3:authtype, s3:signatureage, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256 |
GetObjectVersionAcl | To return ACL information about a different version, use the versionId subresource. | Read | object* | s3:ExistingObjectTag/<key>, s3:authtype, s3:signatureage, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256 |
GetObjectVersionForReplication | | Read | object* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
GetObjectVersionTagging | GET Object tagging (for a specific version of the object). | Read | object* | s3:ExistingObjectTag/<key>, s3:authtype, s3:signatureage, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256 |
GetObjectVersionTorrent | To return Torrent files about a different version, use the versionId subresource. | Read | object* | s3:authtype, s3:signatureage, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256 |
GetReplicationConfiguration | Returns the replication configuration information set on the bucket. | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
ListAllMyBuckets | Returns a list of all buckets owned by the authenticated sender of the request. | List | | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
ListBucket | Returns some or all (up to 1000) of the objects in a bucket. | List | bucket* | s3:authtype, s3:delimiter, s3:max-keys, s3:prefix, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
ListBucketByTags | | Read | bucket* | s3:authtype, s3:max-keys, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
ListBucketMultipartUploads | Lists in-progress multipart uploads. | Read | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
ListBucketVersions | Use the versions subresource to list metadata about all of the versions of objects in a bucket. | Read | bucket* | s3:authtype, s3:delimiter, s3:max-keys, s3:prefix, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
ListMultipartUploadParts | Lists the parts that have been uploaded for a specific multipart upload. | Read | object* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
ObjectOwnerOverrideToBucketOwner | | Permissions management | object* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
PutAccelerateConfiguration | This implementation of the PUT operation uses the accelerate subresource to set the Transfer Acceleration state of an existing bucket. | Write | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
PutAnalyticsConfiguration | This implementation of the PUT operation adds an analytics configuration (identified by the analytics ID) to the bucket. You can have up to 1,000 analytics configurations per bucket. | Write | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
PutBucketAcl | Set the permissions on an existing bucket using access control lists (ACL). | Permissions management | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp |
PutBucketCORS | Sets the cors configuration for your bucket. | Write | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
PutBucketLogging | Set the logging parameters for a bucket. | Write | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
PutBucketNotification | Enables you to receive notifications when certain events happen in your bucket. | Write | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
PutBucketPolicy | Add to or replace a policy on a bucket. | Permissions management | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
PutBucketRequestPayment | Set the request payment configuration of a bucket. | Write | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
PutBucketTagging | Add a set of tags to an existing bucket. | Tagging | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
PutBucketVersioning | Set the versioning state of an existing bucket. | Write | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
PutBucketWebsite | Sets the configuration of the website that is specified in the website subresource. | Write | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
PutEncryptionConfiguration | Sets the encryption configuration for the bucket. | Write | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
PutInventoryConfiguration | This implementation of the PUT operation adds an inventory configuration (identified by the inventory ID) to the bucket. You can have up to 1,000 inventory configurations per bucket. | Write | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
PutIpConfiguration | | Write | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
PutLifecycleConfiguration | Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration. | Write | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
PutMetricsConfiguration | Sets or updates a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from the bucket. | Write | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
PutObject | Adds an object to a bucket. | Write | object* | s3:RequestObjectTag/<key>, s3:RequestObjectTagKeys, s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-copy-source, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-metadata-directive, s3:x-amz-server-side-encryption, s3:x-amz-server-side-encryption-aws-kms-key-id, s3:x-amz-storage-class, s3:x-amz-website-redirect-location |
PutObjectAcl | Set the access control list (ACL) permissions for an object that already exists in a bucket. | Permissions management | object* | s3:ExistingObjectTag/<key>, s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-storage-class |
PutObjectTagging | This implementation of the PUT operation uses the tagging subresource to add a set of tags to an existing object. | Tagging | object* | s3:ExistingObjectTag/<key>, s3:RequestObjectTag/<key>, s3:RequestObjectTagKeys, s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
PutObjectVersionAcl | The ACL of an object is set at the object version level. | Permissions management | object* | s3:ExistingObjectTag/<key>, s3:authtype, s3:signatureage, s3:signatureversion, s3:versionid, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-storage-class |
PutObjectVersionTagging | PUT Object tagging (for a specific version of the object). | Tagging | object* | s3:ExistingObjectTag/<key>, s3:RequestObjectTag/<key>, s3:RequestObjectTagKeys, s3:authtype, s3:signatureage, s3:signatureversion, s3:versionid, s3:x-amz-content-sha256 |
PutReplicationConfiguration | In a versioning-enabled bucket, this operation creates a new replication configuration (or replaces an existing one, if present). | Write | bucket* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
ReplicateDelete | | Write | object* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
ReplicateObject | | Write | object* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256, s3:x-amz-server-side-encryption, s3:x-amz-server-side-encryption-aws-kms-key-id |
ReplicateTags | | Tagging | object* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |
RestoreObject | Restores a temporary copy of an archived object. | Write | object* | s3:authtype, s3:signatureage, s3:signatureversion, s3:x-amz-content-sha256 |

Resources Defined by S3

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types | ARN | Condition Keys
bucket | arn:${Partition}:s3:::${BucketName} |
object | arn:${Partition}:s3:::${BucketName}/${ObjectName} |

Condition Keys for Amazon S3

Amazon S3 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Keys | Description | Type
s3:ExistingObjectTag/<key> | Enables you to verify that an existing object tag has the specific tag key and value. | String
s3:LocationConstraint | Enables you to restrict users to creating buckets in only a specific region. | String
s3:RequestObjectTag/<key> | Restrict the tag keys and values that you want to allow on objects. | String
s3:RequestObjectTagKeys | Restrict the tag keys that you want to allow on objects. | String
s3:VersionId | Enables you to limit the permission for the s3:PutObjectVersionTagging action to a specific object version. | String
s3:authtype | | String
s3:delimiter | Enables you to require the user to specify the delimiter parameter in the GET Bucket Object versions request. | String
s3:locationconstraint | Enables you to restrict the user to creating a bucket in only a specific region. | String
s3:max-keys | Enables you to limit the number of keys Amazon S3 returns in response to ListBucket requests by requiring the user to specify the max-keys parameter. | Numeric
s3:prefix | Enables you to limit the response of the ListBucket API to key names with a specific prefix. | String
s3:signatureage | | Numeric
s3:signatureversion | | String
s3:versionid | | String
s3:x-amz-acl | Enables you to require specific access permissions when uploading an object. | String
s3:x-amz-content-sha256 | | String
s3:x-amz-copy-source | Enables you to restrict the copy source to a specific bucket, a specific folder in the bucket, or a specific object in a bucket. | String
s3:x-amz-grant-full-control | | String
s3:x-amz-grant-read | | String
s3:x-amz-grant-read-acp | | String
s3:x-amz-grant-write | | String
s3:x-amz-grant-write-acp | | String
s3:x-amz-metadata-directive | Enables you to enforce certain behavior (COPY vs. REPLACE) when objects are uploaded. | String
s3:x-amz-server-side-encryption | Enables you to require the user to specify this header in the request to ensure that objects the user uploads are encrypted when they are saved. | String
s3:x-amz-server-side-encryption-aws-kms-key-id | | String
s3:x-amz-storage-class | | String
s3:x-amz-website-redirect-location | | String
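The practical use of the two tables above is checking that every condition key in a statement is one the Actions table lists for that statement's actions: a key the action does not supply is absent from the request context, so a condition on it does not evaluate the way its author intended. The following Python linter is an added example, not part of the AWS documentation; SUPPORTED_KEYS is a hand-copied subset of the Actions table for three actions, and EXAMPLE_POLICY, with its bucket name and Sids, is constructed for the example.

```python
# Condition keys per action, hand-copied from the Actions table above (a subset).
COMMON = {"s3:authtype", "s3:signatureage", "s3:signatureversion",
          "s3:x-amz-content-sha256"}
SUPPORTED_KEYS = {
    "s3:ListBucket": COMMON | {"s3:delimiter", "s3:max-keys", "s3:prefix"},
    "s3:GetObject": COMMON | {"s3:ExistingObjectTag/<key>"},
    "s3:PutObject": COMMON | {
        "s3:RequestObjectTag/<key>", "s3:RequestObjectTagKeys", "s3:x-amz-acl",
        "s3:x-amz-copy-source", "s3:x-amz-grant-full-control", "s3:x-amz-grant-read",
        "s3:x-amz-grant-read-acp", "s3:x-amz-grant-write", "s3:x-amz-grant-write-acp",
        "s3:x-amz-metadata-directive", "s3:x-amz-server-side-encryption", "s3:x-amz-storage-class",
        "s3:x-amz-server-side-encryption-aws-kms-key-id", "s3:x-amz-website-redirect-location"},
}

def normalize(key):
    """Fold a concrete tag key (s3:ExistingObjectTag/env) onto the table's <key> form."""
    for prefix in ("s3:ExistingObjectTag/", "s3:RequestObjectTag/"):
        if key.startswith(prefix):
            return prefix + "<key>"
    return key

def unsupported_conditions(policy):
    """Return (Sid, action, key) for each s3: condition key used with an action that does
    not list it. Global aws:* keys apply to every action; actions outside the subset are skipped."""
    findings = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        keys = set()
        for operator_keys in stmt.get("Condition", {}).values():
            keys.update(k for k in operator_keys if k.startswith("s3:"))
        for action in actions:
            if action not in SUPPORTED_KEYS:
                continue
            for key in sorted(keys):
                if normalize(key) not in SUPPORTED_KEYS[action]:
                    findings.append((stmt.get("Sid", "?"), action, key))
    return findings

# Constructed sample policy: the first two statements use keys the table lists for their
# actions; the third pairs s3:GetObject with s3:prefix, listed only for ListBucket/ListBucketVersions.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Sid": "ListOnlyTeamPrefix", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringLike": {"s3:prefix": ["team-a/*"]}}},
        {"Sid": "ReadWithBadKey", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"s3:ExistingObjectTag/env": "prod", "s3:prefix": "team-a/"}}},
    ],
}
```

Running unsupported_conditions(EXAMPLE_POLICY) flags only the third statement; extending SUPPORTED_KEYS with the remaining rows of the Actions table makes the same check cover a whole policy.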