Setting up IAM with S3 on Outposts
AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use Amazon S3 on Outposts resources. IAM is an AWS service that you can use with no additional charge. By default, users don't have permissions for S3 on Outposts resources and operations. To grant access permissions for S3 on Outposts resources and API operations, you can use IAM to create users, groups, or roles and attach permissions.
To provide access, add permissions to your users, groups, or roles:
-
Users and groups in AWS IAM Identity Center:
Create a permission set. Follow the instructions in Create a permission set in the AWS IAM Identity Center User Guide.
-
Users managed in IAM through an identity provider:
Create a role for identity federation. Follow the instructions in Create a role for a third-party identity provider (federation) in the IAM User Guide.
-
IAM users:
-
Create a role that your user can assume. Follow the instructions in Create a role for an IAM user in the IAM User Guide.
-
(Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.
-
In addition to IAM identity-based policies, S3 on Outposts supports both bucket and access point policies. Bucket policies and access point policies are resource-based policies that are attached to the S3 on Outposts resource.
-
A bucket policy is attached to the bucket and allows or denies requests to the bucket and the objects in it based on the elements in the policy.
-
In contrast, an access point policy is attached to the access point and allows or denies requests to the access point.
The access point policy works with the bucket policy that is attached to the underlying S3 on Outposts bucket. For an application or user to access objects in an S3 on Outposts bucket through an S3 on Outposts access point, both the access point policy and the bucket policy must permit the request.
Restrictions that you include in an access point policy apply only to requests made through that access point. For example, if an access point is attached to a bucket, you can't use the access point policy to allow or deny requests that are made directly to the bucket. However, restrictions that you apply to a bucket policy can allow or deny requests made directly to the bucket or through the access point.
In an IAM policy or a resource-based policy, you define which S3 on Outposts actions are
allowed or denied. S3 on Outposts actions correspond to specific S3 on Outposts API operations.
S3 on Outposts actions use the s3-outposts:
namespace prefix. Requests made to
the S3 on Outposts control API in an AWS Region and requests made to the object API
endpoints on the Outpost are authenticated by using IAM and authorized against the
s3-outposts:
namespace prefix. To work with S3 on Outposts, configure your
IAM users and authorize them against the s3-outposts:
IAM namespace.
For more information, see Actions, resources, and condition keys for Amazon S3 on Outposts in the Service Authorization Reference.
Note
-
Access control lists (ACLs) are not supported by S3 on Outposts.
-
S3 on Outposts defaults to the bucket owner as object owner to help ensure that the owner of a bucket can't be prevented from accessing or deleting objects.
-
S3 on Outposts always has S3 Block Public Access enabled to help ensure that objects can never have public access.
For more information about setting up IAM for S3 on Outposts, see the following topics.
Topics
Principals for S3 on Outposts policies
When you create a resource-based policy to grant access to your S3 on Outposts bucket,
you must use the Principal
element to specify the person or application
that can make a request for an action or operation on that resource. For S3 on Outposts
policies, you can use one of the following principals:
-
An AWS account
-
An IAM user
-
An IAM role
-
All principals, by specifying a wildcard character (*) in a policy that uses a
Condition
element to limit access to a specific IP range
Important
You can't write a policy for an S3 on Outposts bucket that uses a wildcard character
(*
) in the Principal
element unless the policy also
includes a Condition
that limits access to a specific IP address range.
This restriction helps ensure that there is no public access to your S3 on Outposts
bucket. For an example, see Example policies for S3 on Outposts.
For more information about the Principal
element, see AWS JSON
policy elements: Principal in the IAM User Guide.
Resource ARNs for S3 on Outposts
Amazon Resource Names (ARNs) for S3 on Outposts contain the Outpost ID in addition to the AWS Region that the Outpost is homed to, the AWS account ID, and the resource name. To access and perform actions on your Outposts buckets and objects, you must use one of the ARN formats shown in the following table.
The
value in the ARN refers to a
group of AWS Regions. Each AWS account is scoped to one partition. The following are
the supported partitions:partition
-
aws
– AWS Regions -
aws-us-gov
– AWS GovCloud (US) Regions
The following table shows S3 on Outposts ARN formats.
Amazon S3 on Outposts ARN | ARN format | Example |
---|---|---|
Bucket ARN | arn: |
arn: |
Access point ARN | arn: |
arn: |
Object ARN | arn: |
arn: |
S3 on Outposts access point object ARN (used in policies) | arn: |
arn: |
S3 on Outposts ARN | arn: |
arn: |
Example policies for S3 on Outposts
Example : S3 on Outposts bucket policy with an AWS account principal
The following bucket policy uses an AWS account principal to grant access to an
S3 on Outposts bucket. To use this bucket policy, replace the
with your own information.user
input placeholders
{ "Version":"2012-10-17", "Id":"ExampleBucketPolicy1", "Statement":[ { "Sid":"statement1", "Effect":"Allow", "Principal":{ "AWS":"
123456789012
" }, "Action":"s3-outposts:*", "Resource":"arn:aws:s3-outposts:region
:123456789012
:outpost/op-01ac5d28a6a232904
/bucket/example-outposts-bucket
" } ] }
Example : S3 on Outposts bucket policy with a wildcard principal (*
) and
condition key to limit access to a specific IP address range
The following bucket policy uses a wildcard principal (*
) with the
aws:SourceIp
condition to limit access to a specific IP address
range. To use this bucket policy, replace the
with your own information.user input
placeholders
{ "Version": "2012-10-17", "Id": "ExampleBucketPolicy2", "Statement": [ { "Sid": "statement1", "Effect": "Allow", "Principal": { "AWS" : "*" }, "Action":"s3-outposts:*", "Resource":"arn:aws:s3-outposts:
region
:123456789012
:outpost/op-01ac5d28a6a232904
/bucket/example-outposts-bucket
", "Condition" : { "IpAddress" : { "aws:SourceIp": "192.0.2.0/24" }, "NotIpAddress" : { "aws:SourceIp": "198.51.100.0/24" } } } ] }
Permissions for S3 on Outposts endpoints
S3 on Outposts requires its own permissions in IAM to manage S3 on Outposts endpoint actions.
Note
-
For endpoints that use the customer-owned IP address pool (CoIP pool) access type, you also must have permissions to work with IP addresses from your CoIP pool, as described in the following table.
-
For shared accounts that access S3 on Outposts by using AWS Resource Access Manager, users in these shared accounts can't create their own endpoints on a shared subnet. If a user in a shared account wants to manage their own endpoints, the shared account must create its own subnet on the Outpost. For more information, see Sharing S3 on Outposts by using AWS RAM.
The following table shows S3 on Outposts endpoint-related IAM permissions.
Action | IAM permissions |
---|---|
CreateEndpoint |
For endpoints that are using the on-premises customer-owned IP address pool (CoIP pool) access type, the following additional permissions are required:
|
DeleteEndpoint |
For endpoints that are using the on-premises customer-owned IP address pool (CoIP pool) access type, the following additional permissions are required:
|
ListEndpoints |
|
Note
You can use resource tags in an IAM policy to manage permissions.
Service-linked roles for S3 on Outposts
S3 on Outposts uses IAM service-linked roles to create some network resources on your behalf. For more information, see Using service-linked roles for Amazon S3 on Outposts.