AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon S3

Amazon S3 (service prefix: s3) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon S3

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Action | Description | Access Level | Resource Types (*required)

(The Condition Keys and Dependent Actions columns are empty for every row in this listing; the condition keys S3 supports are listed in Condition Keys for Amazon S3 below.)

AbortMultipartUpload | Aborts a multipart upload. | Write | object*
CreateBucket | Creates a new bucket. | Write | bucket*
DeleteBucket | Deletes the bucket named in the URI. | Write | bucket*
DeleteBucketPolicy | Deletes the policy on a specified bucket. | Permissions management | bucket*
DeleteBucketWebsite | Removes the website configuration for a bucket. | Write | bucket*
DeleteObject | Removes the null version (if there is one) of an object and inserts a delete marker, which becomes the current version of the object. | Write | object*
DeleteObjectTagging | Uses the tagging subresource of the DELETE operation to remove the entire tag set from the specified object. | Tagging | object*
DeleteObjectVersion | Removes a specific version of an object; you must be the bucket owner and you must use the versionId subresource. | Write | object*
DeleteObjectVersionTagging | DELETE Object tagging for a specific version of the object. | Tagging | object*
GetAccelerateConfiguration | Uses the accelerate subresource of the GET operation to return the Transfer Acceleration state of a bucket, which is either Enabled or Suspended. | Read | bucket*
GetAnalyticsConfiguration | Returns an analytics configuration (identified by the analytics configuration ID) from the bucket. | Read | bucket*
GetBucketAcl | Returns the access control list (ACL) of a bucket. | Read | bucket*
GetBucketCORS | Returns the CORS configuration information set for the bucket. | Read | bucket*
GetBucketLocation | Returns a bucket's region. | Read | bucket*
GetBucketLogging | Returns the logging status of a bucket and the permissions users have to view and modify that status. | Read | bucket*
GetBucketNotification | Returns the notification configuration of a bucket. | Read | bucket*
GetBucketPolicy | Returns the policy of a specified bucket. | Read | bucket*
GetBucketRequestPayment | Returns the request payment configuration of a bucket. | Read | bucket*
GetBucketTagging | Returns the tag set associated with the bucket. | Read | bucket*
GetBucketVersioning | Returns the versioning state of a bucket. | Read | bucket*
GetBucketWebsite | Returns the website configuration associated with a bucket. | Read | bucket*
GetInventoryConfiguration | Returns an inventory configuration (identified by the inventory configuration ID) from the bucket. | Read | bucket*
GetIpConfiguration | | Read | bucket*
GetLifecycleConfiguration | Returns the lifecycle configuration information set on the bucket. | Read | bucket*
GetMetricsConfiguration | Gets a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from the bucket. This does not include the daily storage metrics. | Read | bucket*
GetObject | Retrieves objects from Amazon S3. | Read | object*
GetObjectAcl | Returns the access control list (ACL) of an object. | Read | object*
GetObjectTagging | Returns the tags associated with an object; the GET request is sent against the tagging subresource of the object. | Read | object*
GetObjectTorrent | Returns torrent files from a bucket. | Read | object*
GetObjectVersion | Returns a different (non-current) version of an object; use the versionId subresource. | Read | object*
GetObjectVersionAcl | Returns ACL information about a different version of an object; use the versionId subresource. | Read | object*
GetObjectVersionForReplication | | Read | object*
GetObjectVersionTagging | GET Object tagging for a specific version of the object. | Read | object*
GetObjectVersionTorrent | Returns torrent files for a different version of an object; use the versionId subresource. | Read | object*
GetReplicationConfiguration | Returns the replication configuration information set on the bucket. | Read | bucket*
ListAllMyBuckets | Returns a list of all buckets owned by the authenticated sender of the request. | List |
ListBucket | Returns some or all (up to 1000) of the objects in a bucket. | List | bucket*
ListBucketByTags | | Read | bucket*
ListBucketMultipartUploads | Lists in-progress multipart uploads. | Read | bucket*
ListBucketVersions | Uses the versions subresource to list metadata about all of the versions of objects in a bucket. | Read | bucket*
ListMultipartUploadParts | Lists the parts that have been uploaded for a specific multipart upload. | Read | object*
ObjectOwnerOverrideToBucketOwner | | Permissions management | object*
PutAccelerateConfiguration | Uses the accelerate subresource of the PUT operation to set the Transfer Acceleration state of an existing bucket. | Write | bucket*
PutAnalyticsConfiguration | Adds an analytics configuration (identified by the analytics ID) to the bucket. You can have up to 1,000 analytics configurations per bucket. | Write | bucket*
PutBucketAcl | Sets the permissions on an existing bucket using access control lists (ACL). | Permissions management | bucket*
PutBucketCORS | Sets the CORS configuration for your bucket. | Write | bucket*
PutBucketLogging | Sets the logging parameters for a bucket. | Write | bucket*
PutBucketNotification | Enables you to receive notifications when certain events happen in your bucket. | Write | bucket*
PutBucketPolicy | Adds to or replaces a policy on a bucket. | Permissions management | bucket*
PutBucketRequestPayment | Sets the request payment configuration of a bucket. | Write | bucket*
PutBucketTagging | Adds a set of tags to an existing bucket. | Tagging | bucket*
PutBucketVersioning | Sets the versioning state of an existing bucket. | Write | bucket*
PutBucketWebsite | Sets the configuration of the website that is specified in the website subresource. | Write | bucket*
PutInventoryConfiguration | Adds an inventory configuration (identified by the inventory ID) to the bucket. You can have up to 1,000 inventory configurations per bucket. | Write | bucket*
PutIpConfiguration | | Write | bucket*
PutLifecycleConfiguration | Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration. | Write | bucket*
PutMetricsConfiguration | Sets or updates a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) on the bucket. | Write | bucket*
PutObject | Adds an object to a bucket. | Write | object*
PutObjectAcl | Sets the access control list (ACL) permissions for an object that already exists in a bucket. | Permissions management | object*
PutObjectTagging | Uses the tagging subresource of the PUT operation to add a set of tags to an existing object. | Tagging | object*
PutObjectVersionAcl | Sets the ACL of a specific object version (the ACL of an object is set at the object version level). | Permissions management | object*
PutObjectVersionTagging | PUT Object tagging for a specific version of the object. | Tagging | object*
PutReplicationConfiguration | In a versioning-enabled bucket, creates a new replication configuration (or replaces an existing one, if present). | Write | bucket*
ReplicateDelete | | Write | object*
ReplicateObject | | Write | object*
ReplicateTags | | Tagging | object*
RestoreObject | Restores a temporary copy of an archived object. | Write | object*

Resources Defined by S3

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

The two ARN forms are distinct and are not interchangeable. An action whose resource type is bucket (for example ListBucket or PutBucketPolicy) must name the bucket ARN, arn:aws:s3:::${BucketName}. An action whose resource type is object (for example GetObject or PutObject) must name an object ARN or an object pattern such as arn:aws:s3:::${BucketName}/*; a statement that grants GetObject on the bucket ARN alone grants nothing, and a statement that grants ListBucket on ${BucketName}/* does not match a ListBucket request. ListAllMyBuckets has no resource type and is granted with Resource "*".

Resource Type | ARN | Condition Keys

bucket | arn:${Partition}:s3:::${BucketName} |
object | arn:${Partition}:s3:::${BucketName}/${ObjectName} |

Condition Keys for Amazon S3

Amazon S3 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Key | Description | Type

s3:ExistingObjectTag/<key> | Enables you to verify that an existing object tag has the specific tag key and value. | String
s3:LocationConstraint | Enables you to restrict users to creating buckets in only a specific region. | String
s3:RequestObjectTag/<key> | Restricts the tag keys and values that you want to allow on objects. | String
s3:RequestObjectTagKeys | Restricts the tag keys that you want to allow on objects. | String
s3:VersionId | Enables you to limit the permission for the s3:PutObjectVersionTagging action to a specific object version. | String
s3:authtype | | String
s3:delimiter | Enables you to require the user to specify the delimiter parameter in the GET Bucket Object versions request. | String
s3:locationconstraint | Enables you to restrict the user to creating a bucket in only a specific region. | String
s3:max-keys | Enables you to limit the number of keys Amazon S3 returns in response to the GetBucket and ListObjects requests by requiring the user to specify the max-keys parameter. | Numeric
s3:prefix | Enables you to limit the response of the GetBucket and ListObjects APIs to key names with a specific prefix. | String
s3:signatureage | | Numeric
s3:signatureversion | | String
s3:versionid | | String
s3:x-amz-acl | Enables you to require specific access permissions when uploading an object. | String
s3:x-amz-content-sha256 | | String
s3:x-amz-copy-source | Enables you to restrict the copy source to a specific bucket, a specific folder in the bucket, or a specific object in a bucket. | String
s3:x-amz-grant-full-control | | String
s3:x-amz-grant-read | | String
s3:x-amz-grant-read-acp | | String
s3:x-amz-grant-write | | String
s3:x-amz-grant-write-acp | | String
s3:x-amz-metadata-directive | Enables you to enforce certain behavior (COPY vs. REPLACE) when objects are uploaded. | String
s3:x-amz-server-side-encryption | Enables you to require the user to specify this header in the request to ensure that objects the user uploads are encrypted when they are saved. | String
s3:x-amz-server-side-encryption-aws-kms-key-id | | String
s3:x-amz-storage-class | | String
s3:x-amz-website-redirect-location | | String
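The following is an added example, not part of the original page and not AWS code. It ties together the three tables above (the actions, the bucket and object ARN forms, and the condition keys) in one constructed policy and a toy evaluator that applies a subset of IAM semantics: an explicit Deny overrides any Allow, * and ? wildcards in Action and Resource, case-insensitive action names, and the StringEquals, StringLike and Null condition operators. The bucket name example-reports, the team-a/ prefix and the statement Sids are made up. The policy uses s3:prefix to scope ListBucket, a Null condition on s3:x-amz-server-side-encryption to deny unencrypted uploads, and s3:x-amz-acl to deny public ACLs on upload; the demo requests show why ListBucket needs the bucket ARN while GetObject and PutObject need an object ARN.

```python
"""Toy evaluation of an S3 policy built from this page's actions, ARNs and condition
keys. Added illustration, not AWS code: implements only a subset of IAM semantics
(explicit Deny wins, * and ? wildcards, case-insensitive action names, and the
StringEquals, StringLike and Null operators). Bucket, prefixes and Sids are made up."""
import fnmatch
import json

BUCKET = "arn:aws:s3:::example-reports"  # hypothetical bucket

# Constructed example policy (not from the page).
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListOnlyTeamPrefix", "Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-reports",
     "Condition": {"StringLike": {"s3:prefix": "team-a/*"}}},
    {"Sid": "TeamObjects", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-reports/team-a/*"},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-reports/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "DenyPublicAcl", "Effect": "Deny",
     "Action": ["s3:PutObject", "s3:PutObjectAcl"],
     "Resource": "arn:aws:s3:::example-reports/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read", "public-read-write"]}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: * matches any run of characters (including /), ? one character.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Every operator/key pair must hold; a missing key fails the String* operators."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = _as_list(expected)
            if operator == "Null":
                # "true" holds when the key is absent from the request, "false" when present
                if (actual is None) != (expected[0] == "true"):
                    return False
            elif operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringLike":
                if actual is None or not any(_matches(p, actual) for p in expected):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policy, action, resource, context=None):
    """Return "Allow", "Deny" or "ImplicitDeny" for one request against one policy."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def demo():
    """The requests a reviewer would try against this policy."""
    obj = BUCKET + "/team-a/report.csv"
    sse = {"s3:x-amz-server-side-encryption": "aws:kms"}
    return {
        # ListBucket is a bucket-type action: it is granted on the bucket ARN only
        "list_team_prefix": evaluate(POLICY, "s3:ListBucket", BUCKET, {"s3:prefix": "team-a/2024/"}),
        "list_other_prefix": evaluate(POLICY, "s3:ListBucket", BUCKET, {"s3:prefix": "team-b/"}),
        "list_without_prefix": evaluate(POLICY, "s3:ListBucket", BUCKET),
        "list_on_object_arn": evaluate(POLICY, "s3:ListBucket", obj),
        # GetObject/PutObject are object-type actions: the bucket ARN alone grants nothing
        "get_object": evaluate(POLICY, "s3:GetObject", obj),
        "get_object_on_bucket_arn": evaluate(POLICY, "s3:GetObject", BUCKET),
        "put_encrypted": evaluate(POLICY, "s3:PutObject", obj, sse),
        "put_unencrypted": evaluate(POLICY, "s3:PutObject", obj),
        "put_public_acl": evaluate(POLICY, "s3:PutObject", obj, {**sse, "s3:x-amz-acl": "public-read"}),
        "delete_object": evaluate(POLICY, "s3:DeleteObject", obj),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The evaluator is deliberately small and is not a substitute for the IAM policy simulator: it ignores principals, resource-based versus identity-based policy interplay, permission boundaries and the other condition operators. It is enough to show the page's three building blocks in action, in particular that a request only matches a statement whose Resource has the right ARN form for the action's resource type, and that a Null condition on s3:x-amz-server-side-encryption turns a missing header into a hard Deny.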