Example directory bucket policies for S3 Express One Zone
This section provides example directory bucket policies for use with the Amazon S3 Express One Zone storage class. To use these policies, replace the user input placeholders with your own information.
The following example bucket policy allows AWS account ID 111122223333 to use the CreateSession API operation with the default ReadWrite session for the specified directory bucket. This policy grants access to the Zonal endpoint (object-level) API operations. Because the statement carries no s3express:SessionMode condition, the principal can open ReadWrite sessions (the default) against this bucket.
Example – Bucket policy to allow CreateSession calls with the default ReadWrite session
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteAccess",
            "Effect": "Allow",
            "Resource": "arn:aws:s3express:us-west-2:account-id:bucket/bucket-base-name--azid--x-s3",
            "Principal": {
                "AWS": [
                    "111122223333"
                ]
            },
            "Action": [
                "s3express:CreateSession"
            ]
        }
    ]
}
Example – Bucket policy to allow CreateSession calls with a ReadOnly session
The following example bucket policy allows AWS account ID 111122223333 to use the CreateSession API operation. This policy uses the s3express:SessionMode condition key with the ReadOnly value to set a read-only session. Because the only allowed action is s3express:CreateSession and the condition requires ReadOnly, a CreateSession request for a ReadWrite session does not match this statement and is not allowed by it.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "111122223333"
            },
            "Action": "s3express:CreateSession",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "s3express:SessionMode": "ReadOnly"
                }
            }
        }
    ]
}
Example – Bucket policy to allow cross-account access for CreateSession calls
The following example bucket policy allows AWS account ID 111122223333 to use the CreateSession API operation for the specified directory bucket that's owned by AWS account ID 444455556666. The policy is attached to the bucket in account 444455556666; as with any cross-account grant, the principal in account 111122223333 also needs an identity-based policy that allows s3express:CreateSession on that bucket. The statement has no s3express:SessionMode condition, so the cross-account principal can open ReadWrite sessions.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CrossAccount",
            "Effect": "Allow",
            "Principal": {
                "AWS": "111122223333"
            },
            "Action": [
                "s3express:CreateSession"
            ],
            "Resource": "arn:aws:s3express:us-west-2:444455556666:bucket/bucket-base-name--azid--x-s3"
        }
    ]
}
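The following Python script is an added example, not code from the AWS documentation, that reviews directory bucket policies of the three shapes shown above before they are applied: it flags a wildcard Principal or Action, a Resource that is not a directory bucket ARN or that names a different owning account, and any cross-account principal that can open ReadWrite sessions because the s3express:SessionMode condition is missing. The function name check_directory_bucket_policy and the helper names are hypothetical; the sample policies embed the page's account IDs with constructed placeholder values (bucket base name example-bucket, AZ ID usw2-az1), and the fourth policy is a deliberately over-broad one constructed to show what gets flagged.

```python
import re

# Shape of a directory bucket ARN as used in the policies above:
# arn:aws:s3express:<region>:<account-id>:bucket/<base-name>--<az-id>--x-s3
DIRECTORY_BUCKET_ARN = re.compile(
    r"^arn:aws:s3express:[a-z0-9-]+:(?P<account>\d{12}):bucket/[a-z0-9.-]+--[a-z0-9-]+--x-s3$"
)
# A bare account ID or an IAM ARN (arn:aws:iam::<account>:...) both carry a 12-digit account.
ACCOUNT_IN_PRINCIPAL = re.compile(r"\b(\d{12})\b")


def _as_list(value):
    """IAM accepts a bare string wherever a list of strings is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    """Return the AWS principals of a statement; '*' means anonymous."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS"))


def check_directory_bucket_policy(policy, bucket_owner_account):
    """Review the Allow statements of a directory bucket policy (hypothetical helper).

    bucket_owner_account is the 12-digit account that owns the bucket the policy is
    attached to. Returns a list of finding strings; an empty list means nothing was flagged.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        principals = _aws_principals(stmt)
        session_mode = (stmt.get("Condition", {})
                            .get("StringEquals", {})
                            .get("s3express:SessionMode"))

        # 1. Anonymous or wildcard grants have no place in a directory bucket policy.
        if "*" in principals:
            findings.append(f"{sid}: Principal '*' grants anonymous access")
        if any(a in ("*", "s3express:*") for a in actions):
            findings.append(f"{sid}: wildcard Action instead of s3express:CreateSession")

        # 2. Every named Resource must be a directory bucket ARN owned by the policy owner.
        for arn in _as_list(stmt.get("Resource")):
            if arn == "*":
                continue
            m = DIRECTORY_BUCKET_ARN.match(arn)
            if not m:
                findings.append(f"{sid}: Resource '{arn}' is not a directory bucket ARN")
            elif m.group("account") != bucket_owner_account:
                findings.append(f"{sid}: Resource names account {m.group('account')}, "
                                f"but the bucket owner is {bucket_owner_account}")

        # 3. Without a SessionMode=ReadOnly condition, CreateSession yields ReadWrite
        #    sessions; flag that for principals outside the bucket owner's account.
        grants_session = any(a in ("*", "s3express:*", "s3express:CreateSession") for a in actions)
        if grants_session and session_mode != "ReadOnly":
            for p in principals:
                acct = ACCOUNT_IN_PRINCIPAL.search(p)
                if acct and acct.group(1) != bucket_owner_account:
                    findings.append(f"{sid}: account {acct.group(1)} can open ReadWrite sessions "
                                    "cross-account; add SessionMode=ReadOnly if that is unintended")
    return findings


# Constructed sample input: the three policies above with placeholders filled in.
SAME_ACCOUNT_BUCKET = "arn:aws:s3express:us-west-2:111122223333:bucket/example-bucket--usw2-az1--x-s3"
CROSS_ACCOUNT_BUCKET = "arn:aws:s3express:us-west-2:444455556666:bucket/example-bucket--usw2-az1--x-s3"

READWRITE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ReadWriteAccess", "Effect": "Allow",
    "Principal": {"AWS": ["111122223333"]},
    "Action": ["s3express:CreateSession"], "Resource": SAME_ACCOUNT_BUCKET}]}

READONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ReadOnlyAccess", "Effect": "Allow",
    "Principal": {"AWS": "111122223333"},
    "Action": "s3express:CreateSession", "Resource": "*",
    "Condition": {"StringEquals": {"s3express:SessionMode": "ReadOnly"}}}]}

CROSS_ACCOUNT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "CrossAccount", "Effect": "Allow",
    "Principal": {"AWS": "111122223333"},
    "Action": ["s3express:CreateSession"], "Resource": CROSS_ACCOUNT_BUCKET}]}

# Deliberately over-broad policy (constructed): anonymous, wildcard action, wrong ARN type.
ANONYMOUS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Public", "Effect": "Allow", "Principal": "*",
    "Action": "s3express:*", "Resource": "arn:aws:s3:::example-bucket"}]}

if __name__ == "__main__":
    for name, policy, owner in [("ReadWrite", READWRITE_POLICY, "111122223333"),
                                ("ReadOnly", READONLY_POLICY, "111122223333"),
                                ("CrossAccount", CROSS_ACCOUNT_POLICY, "444455556666"),
                                ("Anonymous", ANONYMOUS_POLICY, "111122223333")]:
        print(name, check_directory_bucket_policy(policy, owner) or ["no findings"])
```

Run against the page's own policies, the same-account ReadWrite and ReadOnly examples produce no findings, the cross-account example produces one informational finding (account 111122223333 can open ReadWrite sessions), and the constructed anonymous policy is flagged three times. The check is intentionally conservative: a cross-account ReadWrite grant is often exactly what is wanted, so it is reported for review rather than treated as an error.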