Actions, resources, and condition keys for Amazon S3 Object Lambda - Service Authorization Reference

Actions, resources, and condition keys for Amazon S3 Object Lambda

Amazon S3 Object Lambda (service prefix: s3-object-lambda) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon S3 Object Lambda

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AbortMultipartUpload Grants permission to abort a multipart upload Write

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

DeleteObject Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object Write

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

DeleteObjectTagging Grants permission to use the tagging subresource to remove the entire tag set from the specified object Tagging

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

DeleteObjectVersion Grants permission to remove a specific version of an object Write

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

s3-object-lambda:versionid

DeleteObjectVersionTagging Grants permission to remove the entire tag set for a specific version of the object Tagging

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

s3-object-lambda:versionid

GetObject Grants permission to retrieve objects from Amazon S3 Read

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

GetObjectAcl Grants permission to return the access control list (ACL) of an object Read

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

GetObjectLegalHold Grants permission to get an object's current Legal Hold status Read

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

GetObjectRetention Grants permission to retrieve the retention settings for an object Read

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

GetObjectTagging Grants permission to return the tag set of an object Read

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

GetObjectVersion Grants permission to retrieve a specific version of an object Read

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

s3-object-lambda:versionid

GetObjectVersionAcl Grants permission to return the access control list (ACL) of a specific object version Read

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

s3-object-lambda:versionid

GetObjectVersionTagging Grants permission to return the tag set for a specific version of the object Read

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

s3-object-lambda:versionid

ListBucket Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000) List

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

ListBucketMultipartUploads Grants permission to list in-progress multipart uploads List

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

ListBucketVersions Grants permission to list metadata about all the versions of objects in an Amazon S3 bucket List

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

ListMultipartUploadParts Grants permission to list the parts that have been uploaded for a specific multipart upload List

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

PutObject Grants permission to add an object to a bucket Write

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

PutObjectAcl Grants permission to set the access control list (ACL) permissions for new or existing objects in an S3 bucket. Permissions management

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

PutObjectLegalHold Grants permission to apply a Legal Hold configuration to the specified object Write

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

PutObjectRetention Grants permission to place an Object Retention configuration on an object Write

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

PutObjectTagging Grants permission to set the supplied tag-set to an object that already exists in a bucket Tagging

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

PutObjectVersionAcl Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket Permissions management

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

s3-object-lambda:versionid

PutObjectVersionTagging Grants permission to set the supplied tag-set for a specific version of an object Tagging

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

s3-object-lambda:versionid

RestoreObject Grants permission to restore an archived copy of an object back into Amazon S3 Write

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

WriteGetObjectResponse Grants permission to provide data for GetObject requests send to S3 Object Lambda Write

objectlambdaaccesspoint*

s3-object-lambda:authType

s3-object-lambda:signatureAge

s3-object-lambda:TlsVersion

Resource types defined by Amazon S3 Object Lambda

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
objectlambdaaccesspoint arn:${Partition}:s3-object-lambda:${Region}:${Account}:accesspoint/${AccessPointName}

Condition keys for Amazon S3 Object Lambda

Amazon S3 Object Lambda defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
s3-object-lambda:TlsVersion Filters access by the TLS version used by the client Numeric
s3-object-lambda:authType Filters access by authentication method String
s3-object-lambda:signatureAge Filters access by the age in milliseconds of the request signature Numeric
s3-object-lambda:versionid Filters access by a specific object version String