Example bucket policies for directory buckets

This section provides example directory bucket policies. To use these policies, replace the user input placeholders with your own information.

The following example bucket policy allows AWS account ID 111122223333 to use the CreateSession API operation with the default ReadWrite session for the specified directory bucket. This policy grants access to the Zonal endpoint (object level) API operations.

Example – Bucket policy to allow CreateSession calls with the default ReadWrite session
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadWriteAccess",
                "Effect": "Allow",
                "Resource": "arn:aws:s3express:us-west-2:account-id:bucket/bucket-base-name--zone-id--x-s3",
                "Principal": {
                    "AWS": [
                        "111122223333"
                    ]
                },
                "Action": [
                    "s3express:CreateSession"
                ]
            }
        ]
    }

Example – Bucket policy to allow CreateSession calls with a ReadOnly session

The following example bucket policy allows AWS account ID 111122223333 to use the CreateSession API operation. This policy uses the s3express:SessionMode condition key with the ReadOnly value to set a read-only session.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOnlyAccess",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "111122223333"
                },
                "Action": "s3express:CreateSession",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "s3express:SessionMode": "ReadOnly"
                    }
                }
            }
        ]
    }

Example – Bucket policy to allow cross-account access for CreateSession calls

The following example bucket policy allows AWS account ID 111122223333 to use the CreateSession API operation for the specified directory bucket that's owned by AWS account ID 444455556666.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CrossAccount",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "111122223333"
                },
                "Action": [
                    "s3express:CreateSession"
                ],
                "Resource": "arn:aws:s3express:us-west-2:444455556666:bucket/bucket-base-name--zone-id--x-s3"
            }
        ]
    }
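The following review script is an added example, not AWS code: it summarizes which CreateSession grants in a directory bucket policy are limited to ReadOnly, which go to another account, and which use a wildcard resource. The names audit_create_session and as_list are hypothetical, the sample policy is constructed from the examples above, and only the StringEquals operator shown on this page is recognized (any other condition is reported as ReadWrite).

```python
import json
import re

BUCKET = "arn:aws:s3express:us-west-2:444455556666:bucket/bucket-base-name--zone-id--x-s3"
# Constructed sample: statements modeled on the page's ReadOnly and cross-account examples.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "ReadOnlyAccess", "Effect": "Allow",
   "Principal": {"AWS": "111122223333"}, "Action": "s3express:CreateSession",
   "Resource": "*",
   "Condition": {"StringEquals": {"s3express:SessionMode": "ReadOnly"}}},
  {"Sid": "CrossAccount", "Effect": "Allow",
   "Principal": {"AWS": ["111122223333"]}, "Action": ["s3express:CreateSession"],
   "Resource": "%s"}
]}""" % BUCKET)


def as_list(value):
    """Policy fields accept a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def audit_create_session(policy, owner_account):
    """Summarize each Allow statement that grants s3express:CreateSession."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "s3express:CreateSession" not in actions:
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        # A principal is either a bare 12-digit account ID or an ARN containing one.
        accounts = {m.group() for p in principals if (m := re.search(r"\d{12}", p))}
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        modes = as_list(cond.get("s3express:SessionMode", "ReadWrite"))
        findings.append({
            "sid": stmt.get("Sid"),
            # Without a SessionMode=ReadOnly condition, the default ReadWrite session is allowed.
            "session_mode": "ReadOnly" if modes == ["ReadOnly"] else "ReadWrite",
            "cross_account": sorted(accounts - {owner_account}),
            "wildcard_principal": "*" in principals,
            "wildcard_resource": "*" in as_list(stmt.get("Resource", [])),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_create_session(SAMPLE_POLICY, "444455556666"):
        print(finding)
```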