Actions, resources, and condition keys for Amazon S3
Amazon S3 (service prefix: s3) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon S3
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AbortMultipartUpload | Grants permission to abort a multipart upload | Write | |||
| AssociateAccessGrantsIdentityCenter | Grants permission to associate Access Grants identity center | Write | |||
| BypassGovernanceRetention | Grants permission to allow circumvention of governance-mode object retention settings | Permissions management | |||
|
s3:x-amz-server-side-encryption s3:x-amz-server-side-encryption-aws-kms-key-id s3:x-amz-server-side-encryption-customer-algorithm s3:x-amz-website-redirect-location s3:object-lock-retain-until-date |
|||||
| CreateAccessGrant | Grants permission to create Access Grant | Write | |||
| CreateAccessGrantsInstance | Grants permission to Create Access Grants Instance | Write | |||
| CreateAccessGrantsLocation | Grants permission to create Access Grants location | Write | |||
| CreateAccessPoint | Grants permission to create a new access point | Write | |||
| CreateAccessPointForObjectLambda | Grants permission to create an object lambda enabled accesspoint | Write | |||
| CreateBucket | Grants permission to create a new bucket | Write | |||
| CreateJob | Grants permission to create a new Amazon S3 Batch Operations job | Write |
iam:PassRole |
||
| CreateMultiRegionAccessPoint | Grants permission to create a new Multi-Region Access Point | Write | |||
| CreateStorageLensGroup | Grants permission to create an Amazon S3 Storage Lens group | Write | |||
| DeleteAccessGrant | Grants permission to delete Access Grant | Write | |||
| DeleteAccessGrantsInstance | Grants permission to Delete Access Grants Instance | Write | |||
| DeleteAccessGrantsInstanceResourcePolicy | Grants permission to read Access grants instance resource policy | Write | |||
| DeleteAccessGrantsLocation | Grants permission to delete Access Grants location | Write | |||
| DeleteAccessPoint | Grants permission to delete the access point named in the URI | Write | |||
| DeleteAccessPointForObjectLambda | Grants permission to delete the object lambda enabled access point named in the URI | Write | |||
| DeleteAccessPointPolicy | Grants permission to delete the policy on a specified access point | Permissions management | |||
| DeleteAccessPointPolicyForObjectLambda | Grants permission to delete the policy on a specified object lambda enabled access point | Permissions management | |||
| DeleteBucket | Grants permission to delete the bucket named in the URI | Write | |||
| DeleteBucketPolicy | Grants permission to delete the policy on a specified bucket | Permissions management | |||
| DeleteBucketWebsite | Grants permission to remove the website configuration for a bucket | Write | |||
| DeleteJobTagging | Grants permission to remove tags from an existing Amazon S3 Batch Operations job | Tagging | |||
| DeleteMultiRegionAccessPoint | Grants permission to delete the Multi-Region Access Point named in the URI | Write | |||
| DeleteObject | Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object | Write | |||
| DeleteObjectTagging | Grants permission to use the tagging subresource to remove the entire tag set from the specified object | Tagging | |||
| DeleteObjectVersion | Grants permission to remove a specific version of an object | Write | |||
| DeleteObjectVersionTagging | Grants permission to remove the entire tag set for a specific version of the object | Tagging | |||
| DeleteStorageLensConfiguration | Grants permission to delete an existing Amazon S3 Storage Lens configuration | Write | |||
| DeleteStorageLensConfigurationTagging | Grants permission to remove tags from an existing Amazon S3 Storage Lens configuration | Tagging | |||
| DeleteStorageLensGroup | Grants permission to delete an existing S3 Storage Lens group | Write | |||
| DescribeJob | Grants permission to retrieve the configuration parameters and status for a batch operations job | Read | |||
| DescribeMultiRegionAccessPointOperation | Grants permission to retrieve the configurations for a Multi-Region Access Point | Read | |||
| DissociateAccessGrantsIdentityCenter | Grants permission to disassociate Access Grants identity center | Write | |||
| GetAccelerateConfiguration | Grants permission to uses the accelerate subresource to return the Transfer Acceleration state of a bucket, which is either Enabled or Suspended | Read | |||
| GetAccessGrant | Grants permission to read Access Grant | Read | |||
| GetAccessGrantsInstance | Grants permission to Read Access Grants Instance | Read | |||
| GetAccessGrantsInstanceForPrefix | Grants permission to Read Access Grants Instance by prefix | Read | |||
| GetAccessGrantsInstanceResourcePolicy | Grants permission to read Access grants instance resource policy | Read | |||
| GetAccessGrantsLocation | Grants permission to read Access Grants location | Read | |||
| GetAccessPoint | Grants permission to return configuration information about the specified access point | Read | |||
| GetAccessPointConfigurationForObjectLambda | Grants permission to retrieve the configuration of the object lambda enabled access point | Read | |||
| GetAccessPointForObjectLambda | Grants permission to create an object lambda enabled accesspoint | Read | |||
| GetAccessPointPolicy | Grants permission to return the access point policy associated with the specified access point | Read | |||
| GetAccessPointPolicyForObjectLambda | Grants permission to return the access point policy associated with the specified object lambda enabled access point | Read | |||
| GetAccessPointPolicyStatus | Grants permission to return the policy status for a specific access point policy | Read | |||
| GetAccessPointPolicyStatusForObjectLambda | Grants permission to return the policy status for a specific object lambda access point policy | Read | |||
| GetAccountPublicAccessBlock | Grants permission to retrieve the PublicAccessBlock configuration for an AWS account | Read | |||
| GetAnalyticsConfiguration | Grants permission to get an analytics configuration from an Amazon S3 bucket, identified by the analytics configuration ID | Read | |||
| GetBucketAcl | Grants permission to use the acl subresource to return the access control list (ACL) of an Amazon S3 bucket | Read | |||
| GetBucketCORS | Grants permission to return the CORS configuration information set for an Amazon S3 bucket | Read | |||
| GetBucketLocation | Grants permission to return the Region that an Amazon S3 bucket resides in | Read | |||
| GetBucketLogging | Grants permission to return the logging status of an Amazon S3 bucket and the permissions users have to view or modify that status | Read | |||
| GetBucketNotification | Grants permission to get the notification configuration of an Amazon S3 bucket | Read | |||
| GetBucketObjectLockConfiguration | Grants permission to get the Object Lock configuration of an Amazon S3 bucket | Read | |||
| GetBucketOwnershipControls | Grants permission to retrieve ownership controls on a bucket | Read | |||
| GetBucketPolicy | Grants permission to return the policy of the specified bucket | Read | |||
| GetBucketPolicyStatus | Grants permission to retrieve the policy status for a specific Amazon S3 bucket, which indicates whether the bucket is public | Read | |||
| GetBucketPublicAccessBlock | Grants permission to retrieve the PublicAccessBlock configuration for an Amazon S3 bucket | Read | |||
| GetBucketRequestPayment | Grants permission to return the request payment configuration for an Amazon S3 bucket | Read | |||
| GetBucketTagging | Grants permission to return the tag set associated with an Amazon S3 bucket | Read | |||
| GetBucketVersioning | Grants permission to return the versioning state of an Amazon S3 bucket | Read | |||
| GetBucketWebsite | Grants permission to return the website configuration for an Amazon S3 bucket | Read | |||
| GetDataAccess | Grants permission to get Access | Read | |||
| GetEncryptionConfiguration | Grants permission to return the default encryption configuration an Amazon S3 bucket | Read | |||
| GetIntelligentTieringConfiguration | Grants permission to get an or list all Amazon S3 Intelligent Tiering configuration in a S3 Bucket | Read | |||
| GetInventoryConfiguration | Grants permission to return an inventory configuration from an Amazon S3 bucket, identified by the inventory configuration ID | Read | |||
| GetJobTagging | Grants permission to return the tag set of an existing Amazon S3 Batch Operations job | Read | |||
| GetLifecycleConfiguration | Grants permission to return the lifecycle configuration information set on an Amazon S3 bucket | Read | |||
| GetMetricsConfiguration | Grants permission to get a metrics configuration from an Amazon S3 bucket | Read | |||
| GetMultiRegionAccessPoint | Grants permission to return configuration information about the specified Multi-Region Access Point | Read | |||
| GetMultiRegionAccessPointPolicy | Grants permission to return the access point policy associated with the specified Multi-Region Access Point | Read | |||
| GetMultiRegionAccessPointPolicyStatus | Grants permission to return the policy status for a specific Multi-Region Access Point policy | Read | |||
| GetMultiRegionAccessPointRoutes | Grants permission to return the route configuration for a Multi-Region Access Point | Read | |||
| GetObject | Grants permission to retrieve objects from Amazon S3 | Read | |||
| GetObjectAcl | Grants permission to return the access control list (ACL) of an object | Read | |||
| GetObjectAttributes | Grants permission to retrieve attributes related to a specific object | Read | |||
| GetObjectLegalHold | Grants permission to get an object's current Legal Hold status | Read | |||
| GetObjectRetention | Grants permission to retrieve the retention settings for an object | Read | |||
| GetObjectTagging | Grants permission to return the tag set of an object | Read | |||
| GetObjectTorrent | Grants permission to return torrent files from an Amazon S3 bucket | Read | |||
| GetObjectVersion | Grants permission to retrieve a specific version of an object | Read | |||
| GetObjectVersionAcl | Grants permission to return the access control list (ACL) of a specific object version | Read | |||
| GetObjectVersionAttributes | Grants permission to retrieve attributes related to a specific version of an object | Read | |||
| GetObjectVersionForReplication | Grants permission to replicate both unencrypted objects and objects encrypted with SSE-S3 or SSE-KMS | Read | |||
| GetObjectVersionTagging | Grants permission to return the tag set for a specific version of the object | Read | |||
| GetObjectVersionTorrent | Grants permission to get Torrent files about a different version using the versionId subresource | Read | |||
| GetReplicationConfiguration | Grants permission to get the replication configuration information set on an Amazon S3 bucket | Read | |||
| GetStorageLensConfiguration | Grants permission to get an Amazon S3 Storage Lens configuration | Read | |||
| GetStorageLensConfigurationTagging | Grants permission to get the tag set of an existing Amazon S3 Storage Lens configuration | Read | |||
| GetStorageLensDashboard | Grants permission to get an Amazon S3 Storage Lens dashboard | Read | |||
| GetStorageLensGroup | Grants permission to get an Amazon S3 Storage Lens group | Read | |||
| InitiateReplication [permission only] | Grants permission to initiate the replication process by setting replication status of an object to pending | Write | |||
| ListAccessGrants | Grants permission to list Access Grant | List | |||
| ListAccessGrantsInstances | Grants permission to List Access Grants Instances | List | |||
| ListAccessGrantsLocations | Grants permission to list Access Grants locations | List | |||
| ListAccessPoints | Grants permission to list access points | List | |||
| ListAccessPointsForObjectLambda | Grants permission to list object lambda enabled accesspoints | List | |||
| ListAllMyBuckets | Grants permission to list all buckets owned by the authenticated sender of the request | List | |||
| ListBucket | Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000) | List | |||
| ListBucketMultipartUploads | Grants permission to list in-progress multipart uploads | List | |||
| ListBucketVersions | Grants permission to list metadata about all the versions of objects in an Amazon S3 bucket | List | |||
| ListCallerAccessGrants | Grants permission to list caller's Access Grant | List | |||
| ListJobs | Grants permission to list current jobs and jobs that have ended recently | List | |||
| ListMultiRegionAccessPoints | Grants permission to list Multi-Region Access Points | List | |||
| ListMultipartUploadParts | Grants permission to list the parts that have been uploaded for a specific multipart upload | List | |||
| ListStorageLensConfigurations | Grants permission to list Amazon S3 Storage Lens configurations | List | |||
| ListStorageLensGroups | Grants permission to list S3 Storage Lens groups | List | |||
| ListTagsForResource | Grants permission to list the tags attached to the specified resource | List | |||
| ObjectOwnerOverrideToBucketOwner | Grants permission to change replica ownership | Permissions management | |||
| PauseReplication [permission only] | Grants permission to pause S3 Replication from target source buckets to destination buckets | Write |
S3:GetReplicationConfiguration S3:PutReplicationConfiguration |
||
| PutAccelerateConfiguration | Grants permission to use the accelerate subresource to set the Transfer Acceleration state of an existing S3 bucket | Write | |||
| PutAccessGrantsInstanceResourcePolicy | Grants permission to put Access grants instance resource policy | Write | |||
| PutAccessPointConfigurationForObjectLambda | Grants permission to set the configuration of the object lambda enabled access point | Write | |||
| PutAccessPointPolicy | Grants permission to associate an access policy with a specified access point | Permissions management | |||
| PutAccessPointPolicyForObjectLambda | Grants permission to associate an access policy with a specified object lambda enabled access point | Permissions management | |||
| PutAccessPointPublicAccessBlock | Grants permission to associate public access block configurations with a specified access point, while creating a access point | Permissions management | |||
| PutAccountPublicAccessBlock | Grants permission to create or modify the PublicAccessBlock configuration for an AWS account | Permissions management | |||
| PutAnalyticsConfiguration | Grants permission to set an analytics configuration for the bucket, specified by the analytics configuration ID | Write | |||
| PutBucketAcl | Grants permission to set the permissions on an existing bucket using access control lists (ACLs) | Permissions management | |||
| PutBucketCORS | Grants permission to set the CORS configuration for an Amazon S3 bucket | Write | |||
| PutBucketLogging | Grants permission to set the logging parameters for an Amazon S3 bucket | Write | |||
| PutBucketNotification | Grants permission to receive notifications when certain events happen in an Amazon S3 bucket | Write | |||
| PutBucketObjectLockConfiguration | Grants permission to put Object Lock configuration on a specific bucket | Write | |||
| PutBucketOwnershipControls | Grants permission to add, replace or delete ownership controls on a bucket | Write | |||
| PutBucketPolicy | Grants permission to add or replace a bucket policy on a bucket | Permissions management | |||
| PutBucketPublicAccessBlock | Grants permission to create or modify the PublicAccessBlock configuration for a specific Amazon S3 bucket | Permissions management | |||
| PutBucketRequestPayment | Grants permission to set the request payment configuration of a bucket | Write | |||
| PutBucketTagging | Grants permission to add a set of tags to an existing Amazon S3 bucket | Tagging | |||
| PutBucketVersioning | Grants permission to set the versioning state of an existing Amazon S3 bucket | Write | |||
| PutBucketWebsite | Grants permission to set the configuration of the website that is specified in the website subresource | Write | |||
| PutEncryptionConfiguration | Grants permission to set the encryption configuration for an Amazon S3 bucket | Write | |||
| PutIntelligentTieringConfiguration | Grants permission to create new or update or delete an existing Amazon S3 Intelligent Tiering configuration | Write | |||
| PutInventoryConfiguration | Grants permission to add an inventory configuration to the bucket, identified by the inventory ID | Write | |||
| PutJobTagging | Grants permission to replace tags on an existing Amazon S3 Batch Operations job | Tagging | |||
| PutLifecycleConfiguration | Grants permission to create a new lifecycle configuration for the bucket or replace an existing lifecycle configuration | Write | |||
| PutMetricsConfiguration | Grants permission to set or update a metrics configuration for the CloudWatch request metrics from an Amazon S3 bucket | Write | |||
| PutMultiRegionAccessPointPolicy | Grants permission to associate an access policy with a specified Multi-Region Access Point | Permissions management | |||
| PutObject | Grants permission to add an object to a bucket | Write | |||
|
s3:x-amz-server-side-encryption s3:x-amz-server-side-encryption-aws-kms-key-id s3:x-amz-server-side-encryption-customer-algorithm s3:x-amz-website-redirect-location s3:object-lock-retain-until-date |
|||||
| PutObjectAcl | Grants permission to set the access control list (ACL) permissions for new or existing objects in an S3 bucket | Permissions management | |||
| PutObjectLegalHold | Grants permission to apply a Legal Hold configuration to the specified object | Write | |||
| PutObjectRetention | Grants permission to place an Object Retention configuration on an object | Write | |||
| PutObjectTagging | Grants permission to set the supplied tag-set to an object that already exists in a bucket | Tagging | |||
| PutObjectVersionAcl | Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket | Permissions management | |||
| PutObjectVersionTagging | Grants permission to set the supplied tag-set for a specific version of an object | Tagging | |||
| PutReplicationConfiguration | Grants permission to create a new replication configuration or replace an existing one | Write |
iam:PassRole |
||
| PutStorageLensConfiguration | Grants permission to create or update an Amazon S3 Storage Lens configuration | Write | |||
| PutStorageLensConfigurationTagging | Grants permission to put or replace tags on an existing Amazon S3 Storage Lens configuration | Tagging | |||
| ReplicateDelete | Grants permission to replicate delete markers to the destination bucket | Write | |||
| ReplicateObject | Grants permission to replicate objects and object tags to the destination bucket | Write | |||
|
s3:x-amz-server-side-encryption |
|||||
| ReplicateTags | Grants permission to replicate object tags to the destination bucket | Tagging | |||
| RestoreObject | Grants permission to restore an archived copy of an object back into Amazon S3 | Write | |||
| SubmitMultiRegionAccessPointRoutes | Grants permission to submit a route configuration update for a Multi-Region Access Point | Write | |||
| TagResource | Grants permission to add tags to the specified resource | Tagging | |||
| UntagResource | Grants permission to remove tags from the specified resource | Tagging | |||
| UpdateAccessGrantsLocation | Grants permission to update Access Grants location | Write | |||
| UpdateJobPriority | Grants permission to update the priority of an existing job | Write | |||
| UpdateJobStatus | Grants permission to update the status for the specified job | Write | |||
| UpdateStorageLensGroup | Grants permission to update an existing S3 Storage Lens group | Write | |||
Resource types defined by Amazon S3
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| accesspoint |
arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}
|
|
| bucket |
arn:${Partition}:s3:::${BucketName}
|
|
| object |
arn:${Partition}:s3:::${BucketName}/${ObjectName}
|
|
| job |
arn:${Partition}:s3:${Region}:${Account}:job/${JobId}
|
|
| storagelensconfiguration |
arn:${Partition}:s3:${Region}:${Account}:storage-lens/${ConfigId}
|
|
| storagelensgroup |
arn:${Partition}:s3:${Region}:${Account}:storage-lens-group/${Name}
|
|
| objectlambdaaccesspoint |
arn:${Partition}:s3-object-lambda:${Region}:${Account}:accesspoint/${AccessPointName}
|
|
| multiregionaccesspoint |
arn:${Partition}:s3::${Account}:accesspoint/${AccessPointAlias}
|
|
| multiregionaccesspointrequestarn |
arn:${Partition}:s3:us-west-2:${Account}:async-request/mrap/${Operation}/${Token}
|
|
| accessgrantsinstance |
arn:${Partition}:s3:${Region}:${Account}:access-grants/default
|
|
| accessgrantslocation |
arn:${Partition}:s3:${Region}:${Account}:access-grants/default/location/${Token}
|
|
| accessgrant |
arn:${Partition}:s3:${Region}:${Account}:access-grants/default/grant/${Token}
|
Condition keys for Amazon S3
Amazon S3 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by the tags that are passed in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by the tags associated with the resource | String |
| aws:TagKeys | Filters access by the tag keys that are passed in the request | ArrayOfString |
| s3:AccessGrantsInstanceArn | Filters access by access grants instance ARN | ARN |
| s3:AccessPointNetworkOrigin | Filters access by the network origin (Internet or VPC) | String |
| s3:DataAccessPointAccount | Filters access by the AWS Account ID that owns the access point | String |
| s3:DataAccessPointArn | Filters access by an access point Amazon Resource Name (ARN) | ARN |
| s3:ExistingJobOperation | Filters access by operation to updating the job priority | String |
| s3:ExistingJobPriority | Filters access by priority range to cancelling existing jobs | Numeric |
| s3:ExistingObjectTag/<key> | Filters access by existing object tag key and value | String |
| s3:InventoryAccessibleOptionalFields | Filters access by restricting which optional metadata fields a user can add when configuring S3 Inventory reports | ArrayOfString |
| s3:JobSuspendedCause | Filters access by a specific job suspended cause (for example, AWAITING_CONFIRMATION) to cancelling suspended jobs | String |
| s3:RequestJobOperation | Filters access by operation to creating jobs | String |
| s3:RequestJobPriority | Filters access by priority range to creating new jobs | Numeric |
| s3:RequestObjectTag/<key> | Filters access by the tag keys and values to be added to objects | String |
| s3:RequestObjectTagKeys | Filters access by the tag keys to be added to objects | ArrayOfString |
| s3:ResourceAccount | Filters access by the resource owner AWS account ID | String |
| s3:TlsVersion | Filters access by the TLS version used by the client | Numeric |
| s3:authType | Filters access by authentication method | String |
| s3:delimiter | Filters access by delimiter parameter | String |
| s3:destinationRegion | Filters access by a specific replication destination region for targeted buckets of the AWS FIS action aws:s3:bucket-pause-replication | String |
| s3:isReplicationPauseRequest | Filters access by request made via AWS FIS action aws:s3:bucket-pause-replication | Bool |
| s3:locationconstraint | Filters access by a specific Region | String |
| s3:max-keys | Filters access by maximum number of keys returned in a ListBucket request | Numeric |
| s3:object-lock-legal-hold | Filters access by object legal hold status | String |
| s3:object-lock-mode | Filters access by object retention mode (COMPLIANCE or GOVERNANCE) | String |
| s3:object-lock-remaining-retention-days | Filters access by remaining object retention days | Numeric |
| s3:object-lock-retain-until-date | Filters access by object retain-until date | Date |
| s3:prefix | Filters access by key name prefix | String |
| s3:signatureAge | Filters access by the age in milliseconds of the request signature | Numeric |
| s3:signatureversion | Filters access by the version of AWS Signature used on the request | String |
| s3:versionid | Filters access by a specific object version | String |
| s3:x-amz-acl | Filters access by canned ACL in the request's x-amz-acl header | String |
| s3:x-amz-content-sha256 | Filters access by unsigned content in your bucket | String |
| s3:x-amz-copy-source | Filters access by copy source bucket, prefix, or object in the copy object requests | String |
| s3:x-amz-grant-full-control | Filters access by x-amz-grant-full-control (full control) header | String |
| s3:x-amz-grant-read | Filters access by x-amz-grant-read (read access) header | String |
| s3:x-amz-grant-read-acp | Filters access by the x-amz-grant-read-acp (read permissions for the ACL) header | String |
| s3:x-amz-grant-write | Filters access by the x-amz-grant-write (write access) header | String |
| s3:x-amz-grant-write-acp | Filters access by the x-amz-grant-write-acp (write permissions for the ACL) header | String |
| s3:x-amz-metadata-directive | Filters access by object metadata behavior (COPY or REPLACE) when objects are copied | String |
| s3:x-amz-object-ownership | Filters access by Object Ownership | String |
| s3:x-amz-server-side-encryption | Filters access by server-side encryption | String |
| s3:x-amz-server-side-encryption-aws-kms-key-id | Filters access by AWS KMS customer managed CMK for server-side encryption | ARN |
| s3:x-amz-server-side-encryption-customer-algorithm | Filters access by customer specified algorithm for server-side encryption | String |
| s3:x-amz-storage-class | Filters access by storage class | String |
| s3:x-amz-website-redirect-location | Filters access by a specific website redirect location for buckets that are configured as static websites | String |
