Required permissions for Amazon S3 API operations - Amazon Simple Storage Service

Required permissions for Amazon S3 API operations

Note

This page is about Amazon S3 policy actions for general purpose buckets. To learn more about Amazon S3 policy actions for directory buckets, see Actions for directory buckets.

To perform an S3 API operation, you must have the right permissions. This page maps S3 API operations to the required permissions. To grant permissions to perform an S3 API operation, you must compose a valid policy (such as an S3 bucket policy or IAM identity-based policy), and specify corresponding actions in the Action element of the policy. These actions are called policy actions. Not every S3 API operation is represented by a single permission (a single policy action), and some permissions (some policy actions) are required for many different API operations.

When you compose policies, you must specify the Resource element based on the correct resource type required by the corresponding Amazon S3 policy actions. This page categorizes permissions to S3 API operations by the resource types. For more information about the resource types, see Resource types defined by Amazon S3 in the Service Authorization Reference. For a full list of Amazon S3 policy actions, resources, and condition keys for use in policies, see Actions, resources, and condition keys for Amazon S3 in the Service Authorization Reference. For a complete list of Amazon S3 API operations, see Amazon S3 API Actions in the Amazon Simple Storage Service API Reference.

Bucket operations are S3 API operations that operate on the bucket resource type. You must specify S3 policy actions for bucket operations in bucket policies or IAM identity-based policies.

In the policies, the Resource element must be the bucket Amazon Resource Name (ARN). For more information about the Resource element format and example policies, see Bucket operations.

Note

To grant permissions to bucket operations in access point policies, note the following:

  • Permissions granted for bucket operations in an access point policy are effective only if the underlying bucket allows the same permissions. When you use an access point, you must delegate access control from the bucket to the access point or add the same permissions in the access point policy to the underlying bucket's policy.

  • In access point policies that grant permissions to bucket operations, the Resource element must be the accesspoint ARN. For more information about the Resource element format and example policies, see Bucket operations in access point policies. For more information about access point policies, see Configuring IAM policies for using access points.

  • Not all bucket operations are supported by access points. For more information, see Access point compatibility with S3 operations.

The following is the mapping of bucket operations and required policy actions.

API operations Policy actions Description of policy actions

CreateBucket

(Required) s3:CreateBucket

Required to create a new S3 bucket.

(Conditionally required) s3:PutBucketAcl

Required if you want to use an access control list (ACL) to specify permissions on a bucket when you make a CreateBucket request.

(Conditionally required) s3:PutBucketObjectLockConfiguration, s3:PutBucketVersioning

Required if you want to enable Object Lock when you create a bucket.

(Conditionally required) s3:PutBucketOwnershipControls

Required if you want to specify S3 Object Ownership when you create a bucket.

CreateBucketMetadataTableConfiguration

(Required) s3:CreateBucketMetadataTableConfiguration, s3tables:CreateNamespace, s3tables:CreateTable, s3tables:GetTable, s3tables:PutTablePolicy

Required to create a metadata table configuration on a general purpose bucket.

To create the metadata table in the table bucket that's specified in your metadata table configuration, you must have the specified s3tables permissions.

If you also want to integrate your table bucket with AWS analytics services so that you can query your metadata table, you need additional permissions. For more information, see Integrating Amazon S3 Tables with AWS analytics services.

DeleteBucket

(Required) s3:DeleteBucket

Required to delete an S3 bucket.

DeleteBucketAnalyticsConfiguration

(Required) s3:PutAnalyticsConfiguration

Required to delete an S3 analytics configuration from an S3 bucket.

DeleteBucketCors

(Required) s3:PutBucketCORS

Required to delete the cross-origin resource sharing (CORS) configuration for an S3 bucket.

DeleteBucketEncryption

(Required) s3:PutEncryptionConfiguration

Required to reset the default encryption configuration for an S3 bucket to server-side encryption with Amazon S3 managed keys (SSE-S3).

DeleteBucketIntelligentTieringConfiguration

(Required) s3:PutIntelligentTieringConfiguration

Required to delete the existing S3 Intelligent-Tiering configuration from an S3 bucket.

DeleteBucketInventoryConfiguration

(Required) s3:PutInventoryConfiguration

Required to delete an S3 Inventory configuration from an S3 bucket.

DeleteBucketLifecycle

(Required) s3:PutLifecycleConfiguration

Required to delete the S3 Lifecycle configuration for an S3 bucket.

DeleteBucketMetadataTableConfiguration

(Required) s3:DeleteBucketMetadataTableConfiguration

Required to delete a metadata table configuration from a general purpose bucket.

DeleteBucketMetricsConfiguration

(Required) s3:PutMetricsConfiguration

Required to delete a metrics configuration for the Amazon CloudWatch request metrics from an S3 bucket.

DeleteBucketOwnershipControls

(Required) s3:PutBucketOwnershipControls

Required to remove the Object Ownership setting for an S3 bucket. After removal, the Object Ownership setting becomes Object writer.

DeleteBucketPolicy

(Required) s3:DeleteBucketPolicy

Required to delete the policy of an S3 bucket.

DeleteBucketReplication

(Required) s3:PutReplicationConfiguration

Required to delete the replication configuration of an S3 bucket.

DeleteBucketTagging

(Required) s3:PutBucketTagging

Required to delete tags from an S3 bucket.

DeleteBucketWebsite

(Required) s3:DeleteBucketWebsite

Required to remove the website configuration for an S3 bucket.

DeletePublicAccessBlock (Bucket-level)

(Required) s3:PutBucketPublicAccessBlock

Required to remove the block public access configuration for an S3 bucket.

GetBucketAccelerateConfiguration

(Required) s3:GetAccelerateConfiguration

Required to use the accelerate subresource to return the Amazon S3 Transfer Acceleration state of a bucket, which is either Enabled or Suspended.

GetBucketAcl

(Required) s3:GetBucketAcl

Required to return the access control list (ACL) of an S3 bucket.

GetBucketAnalyticsConfiguration

(Required) s3:GetAnalyticsConfiguration

Required to return an analytics configuration that's identified by the analytics configuration ID from an S3 bucket.

GetBucketCors

(Required) s3:GetBucketCORS

Required to return the cross-origin resource sharing (CORS) configuration for an S3 bucket.

GetBucketEncryption

(Required) s3:GetEncryptionConfiguration

Required to return the default encryption configuration for an S3 bucket.

GetBucketIntelligentTieringConfiguration

(Required) s3:GetIntelligentTieringConfiguration

Required to get the S3 Intelligent-Tiering configuration of an S3 bucket.

GetBucketInventoryConfiguration

(Required) s3:GetInventoryConfiguration

Required to return an inventory configuration that's identified by the inventory configuration ID from the bucket.

GetBucketLifecycle

(Required) s3:GetLifecycleConfiguration

Required to return the S3 Lifecycle configuration of the bucket.

GetBucketLocation

(Required) s3:GetBucketLocation

Required to return the AWS Region that an S3 bucket resides in.

GetBucketLogging

(Required) s3:GetBucketLogging

Required to return the logging status of an S3 bucket and the permissions that users have to view and modify that status.

GetBucketMetadataTableConfiguration

(Required) s3:GetBucketMetadataTableConfiguration

Required to retrieve a metadata table configuration for a general purpose bucket.

GetBucketMetricsConfiguration

(Required) s3:GetMetricsConfiguration

Required to get a metrics configuration that's specified by the metrics configuration ID from the bucket.

GetBucketNotificationConfiguration

(Required) s3:GetBucketNotification

Required to return the notification configuration of an S3 bucket.

GetBucketOwnershipControls

(Required) s3:GetBucketOwnershipControls

Required to retrieve the Object Ownership setting for an S3 bucket.

GetBucketPolicy

(Required) s3:GetBucketPolicy

Required to return the policy of an S3 bucket.

GetBucketPolicyStatus

(Required) s3:GetBucketPolicyStatus

Required to retrieve the policy status for an S3 bucket, indicating whether the bucket is public.

GetBucketReplication

(Required) s3:GetReplicationConfiguration

Required to return the replication configuration of an S3 bucket.

GetBucketRequestPayment

(Required) s3:GetBucketRequestPayment

Required to return the request payment configuration for an S3 bucket.

GetBucketVersioning

(Required) s3:GetBucketVersioning

Required to return the versioning state of an S3 bucket.

GetBucketTagging

(Required) s3:GetBucketTagging

Required to return the tag set that's associated with an S3 bucket.

GetBucketWebsite

(Required) s3:GetBucketWebsite

Required to return the website configuration for an S3 bucket.

GetObjectLockConfiguration

(Required) s3:GetBucketObjectLockConfiguration

Required to get the Object Lock configuration for an S3 bucket.

GetPublicAccessBlock (Bucket-level)

(Required) s3:GetBucketPublicAccessBlock

Required to retrieve the block public access configuration for an S3 bucket.

HeadBucket

(Required) s3:ListBucket

Required to determine if a bucket exists and if you have permission to access it.

ListBucketAnalyticsConfigurations

(Required) s3:GetAnalyticsConfiguration

Required to list the analytics configurations for an S3 bucket.

ListBucketIntelligentTieringConfigurations

(Required) s3:GetIntelligentTieringConfiguration

Required to list the S3 Intelligent-Tiering configurations of an S3 bucket.

ListBucketInventoryConfigurations

(Required) s3:GetInventoryConfiguration

Required to return a list of inventory configurations for an S3 bucket.

ListBucketMetricsConfigurations

(Required) s3:GetMetricsConfiguration

Required to list the metrics configurations for an S3 bucket.

ListObjects

(Required) s3:ListBucket

Required to list some or all (up to 1,000) of the objects in an S3 bucket.

(Conditionally required) s3:GetObjectAcl

Required if you want to display object owner information.

ListObjectsV2

(Required) s3:ListBucket

Required to list some or all (up to 1,000) of the objects in an S3 bucket.

(Conditionally required) s3:GetObjectAcl

Required if you want to display object owner information.

ListObjectVersions

(Required) s3:ListBucketVersions

Required to get metadata about all the versions of objects in an S3 bucket.

PutBucketAccelerateConfiguration

(Required) s3:PutAccelerateConfiguration

Required to set the accelerate configuration of an existing bucket.

PutBucketAcl

(Required) s3:PutBucketAcl

Required to use access control lists (ACLs) to set the permissions on an existing bucket.

PutBucketAnalyticsConfiguration

(Required) s3:PutAnalyticsConfiguration

Required to set an analytics configuration for an S3 bucket.

PutBucketCors

(Required) s3:PutBucketCORS

Required to set the cross-origin resource sharing (CORS) configuration for an S3 bucket.

PutBucketEncryption

(Required) s3:PutEncryptionConfiguration

Required to configure the default encryption for an S3 bucket.

PutBucketIntelligentTieringConfiguration

(Required) s3:PutIntelligentTieringConfiguration

Required to put the S3 Intelligent-Tiering configuration to an S3 bucket.

PutBucketInventoryConfiguration

(Required) s3:PutInventoryConfiguration

Required to add an inventory configuration to an S3 bucket.

PutBucketLifecycle

(Required) s3:PutLifecycleConfiguration

Required to create a new S3 Lifecycle configuration or replace an existing lifecycle configuration for an S3 bucket.

PutBucketLogging

(Required) s3:PutBucketLogging

Required to set the logging parameters for an S3 bucket and specify permissions for who can view and modify the logging parameters.

PutBucketMetricsConfiguration

(Required) s3:PutMetricsConfiguration

Required to set or update a metrics configuration for the Amazon CloudWatch request metrics of an S3 bucket.

PutBucketNotificationConfiguration

(Required) s3:PutBucketNotification

Required to enable notifications of specified events for an S3 bucket.

PutBucketOwnershipControls

(Required) s3:PutBucketOwnershipControls

Required to create or modify the Object Ownership setting for an S3 bucket.

PutBucketPolicy

(Required) s3:PutBucketPolicy

Required to apply an S3 bucket policy to a bucket.

PutBucketReplication

(Required) s3:PutReplicationConfiguration

Required to create a new replication configuration or replace an existing one for an S3 bucket.

PutBucketRequestPayment

(Required) s3:PutBucketRequestPayment

Required to set the request payment configuration for a bucket.

PutBucketTagging

(Required) s3:PutBucketTagging

Required to add a set of tags to an S3 bucket.

PutBucketVersioning

(Required) s3:PutBucketVersioning

Required to set the versioning state of an S3 bucket.

PutBucketWebsite

(Required) s3:PutBucketWebsite

Required to configure a bucket as a website and set the configuration of the website.

PutObjectLockConfiguration

(Required) s3:PutBucketObjectLockConfiguration

Required to put Object Lock configuration on an S3 bucket.

PutPublicAccessBlock (Bucket-level)

(Required) s3:PutBucketPublicAccessBlock

Required to create or modify the block public access configuration for an S3 bucket.

Object operations are S3 API operations that operate on the object resource type. You must specify S3 policy actions for object operations in resource-based policies (such as bucket policies, access point policies, Multi-Region Access Point policies, VPC endpoint policies) or IAM identity-based policies.

In the policies, the Resource element must be the object ARN. For more information about the Resource element format and example policies, see Object operations.

Note

  • AWS KMS policy actions (kms:GenerateDataKey and kms:Decrypt) are only applicable for the AWS KMS resource type and must be specified in IAM identity-based policies and AWS KMS resource-based policies (AWS KMS key policies). You can't specify AWS KMS policy actions in S3 resource-based policies, such as S3 bucket policies.

  • When you use access points to control access to object operations, you can use access point policies. To grant permissions to object operations in access point policies, note the following:

  • Not all object operations are supported by Multi-Region Access Points. For more information, see Multi-Region Access Point compatibility with S3 operations.

The following is the mapping of object operations and required policy actions.

API operations Policy actions Description of policy actions

AbortMultipartUpload

(Required) s3:AbortMultipartUpload

Required to abort a multipart upload.

CompleteMultipartUpload

(Required) s3:PutObject

Required to complete a multipart upload.

(Conditionally required) kms:Decrypt

Required if you want to complete a multipart upload for an AWS KMS customer managed key encrypted object.

CopyObject

For source object:

(Required) Either s3:GetObject or s3:GetObjectVersion

  • s3:GetObject – Required if you want to copy an object from the source bucket without specifying versionId in the request.

  • s3:GetObjectVersion – Required if you want to copy a specific version of an object from the source bucket by specifying versionId in the request.

(Conditionally required) kms:Decrypt

Required if you want to copy an AWS KMS customer managed key encrypted object from the source bucket.

For destination object:

(Required) s3:PutObject

Required to put the copied object in the destination bucket.

(Conditionally required) s3:PutObjectAcl

Required if you want to put the copied object with the object access control list (ACL) to the destination bucket when you make a CopyObject request.

(Conditionally required) s3:PutObjectTagging

Required if you want to put the copied object with object tagging to the destination bucket when you make a CopyObject request.

(Conditionally required) kms:GenerateDataKey

Required if you want to encrypt the copied object with an AWS KMS customer managed key and put it to the destination bucket.

(Conditionally required) s3:PutObjectRetention

Required if you want to set an Object Lock retention configuration for the new object.

(Conditionally required) s3:PutObjectLegalHold

Required if you want to place an Object Lock legal hold on the new object.

CreateMultipartUpload

(Required) s3:PutObject

Required to create a multipart upload.

(Conditionally required) s3:PutObjectAcl

Required if you want to set the object access control list (ACL) permissions for the uploaded object.

(Conditionally required) s3:PutObjectTagging

Required if you want to add object tags to the uploaded object.

(Conditionally required) kms:GenerateDataKey

Required if you want to use an AWS KMS customer managed key to encrypt an object when you initiate a multipart upload.

(Conditionally required) s3:PutObjectRetention

Required if you want to set an Object Lock retention configuration for the uploaded object.

(Conditionally required) s3:PutObjectLegalHold

Required if you want to apply an Object Lock legal hold to the uploaded object.

DeleteObject

(Required) Either s3:DeleteObject or s3:DeleteObjectVersion

  • s3:DeleteObject – Required if you want to remove an object without specifying versionId in the request.

  • s3:DeleteObjectVersion – Required if you want to remove a specific version of an object by specifying versionId in the request.

(Conditionally required) s3:BypassGovernanceRetention

Required if you want to delete an object that's protected by governance mode for Object Lock retention.

DeleteObjects

(Required) Either s3:DeleteObject or s3:DeleteObjectVersion

  • s3:DeleteObject – Required if you want to remove an object without specifying versionId in the request.

  • s3:DeleteObjectVersion – Required if you want to remove a specific version of an object by specifying versionId in the request.

(Conditionally required) s3:BypassGovernanceRetention

Required if you want to delete objects that are protected by governance mode for Object Lock retention.

DeleteObjectTagging

(Required) Either s3:DeleteObjectTagging or s3:DeleteObjectVersionTagging

  • s3:DeleteObjectTagging – Required if you want to remove the entire tag set of an object without specifying versionId in the request.

  • s3:DeleteObjectVersionTagging – Required if you want to delete tags of a specific object version by specifying versionId in the request.

GetObject

(Required) Either s3:GetObject or s3:GetObjectVersion

  • s3:GetObject – Required if you want to get an object without specifying versionId in the request.

  • s3:GetObjectVersion – Required if you want to get a specific version of an object by specifying versionId in the request.

(Conditionally required) kms:Decrypt

Required if you want to get and decrypt an AWS KMS customer managed key encrypted object.

(Conditionally required) s3:GetObjectTagging

Required if you want to get the tag-set of an object when you make a GetObject request.

(Conditionally required) s3:GetObjectLegalHold

Required if you want to get an object's current Object Lock legal hold status.

(Conditionally required) s3:GetObjectRetention

Required if you want to retrieve the Object Lock retention settings for an object.

GetObjectAcl

(Required) Either s3:GetObjectAcl or s3:GetObjectVersionAcl

  • s3:GetObjectAcl – Required if you want to get the access control list (ACL) of an object without specifying versionId in the request.

  • s3:GetObjectVersionAcl – Required if you want to get the access control list (ACL) of an object by specifying versionId in the request.

GetObjectAttributes

(Required) Either s3:GetObject or s3:GetObjectVersion

  • s3:GetObject – Required if you want to retrieve attributes related to an object without specifying versionId in the request.

  • s3:GetObjectVersion – Required if you want to retrieve attributes related to a specific object version by specifying versionId in the request.

(Conditionally required) kms:Decrypt

Required if you want to retrieve attributes related to an AWS KMS customer managed key encrypted object.

GetObjectLegalHold

(Required) s3:GetObjectLegalHold

Required to get an object's current Object Lock legal hold status.

GetObjectRetention

(Required) s3:GetObjectRetention

Required to retrieve the Object Lock retention settings for an object.

GetObjectTagging

(Required) Either s3:GetObjectTagging or s3:GetObjectVersionTagging

  • s3:GetObjectTagging – Required if you want to get the tag set of an object without specifying versionId in the request.

  • s3:GetObjectVersionTagging – Required if you want to get the tags of a specific object version by specifying versionId in the request.

GetObjectTorrent

(Required) s3:GetObject

Required to return torrent files of an object.

HeadObject

(Required) s3:GetObject

Required to retrieve metadata from an object without returning the object itself.

(Conditionally required) s3:GetObjectLegalHold

Required if you want to get an object's current Object Lock legal hold status.

(Conditionally required) s3:GetObjectRetention

Required if you want to retrieve the Object Lock retention settings for an object.

ListMultipartUploads

(Required) s3:ListBucketMultipartUploads

Required to list in-progress multipart uploads in a bucket.

ListParts

(Required) s3:ListMultipartUploadParts

Required to list the parts that have been uploaded for a specific multipart upload.

(Conditionally required) kms:Decrypt

Required if you want to list parts of an AWS KMS customer managed key encrypted multipart upload.

PutObject

(Required) s3:PutObject

Required to put an object.

(Conditionally required) s3:PutObjectAcl

Required if you want to put the object access control list (ACL) when you make a PutObject request.

(Conditionally required) s3:PutObjectTagging

Required if you want to put object tagging when you make a PutObject request.

(Conditionally required) kms:GenerateDataKey

Required if you want to encrypt an object with an AWS KMS customer managed key.

(Conditionally required) s3:PutObjectRetention

Required if you want to set an Object Lock retention configuration on an object.

(Conditionally required) s3:PutObjectLegalHold

Required if you want to apply an Object Lock legal hold configuration to a specified object.

PutObjectAcl

(Required) Either s3:PutObjectAcl or s3:PutObjectVersionAcl

  • s3:PutObjectAcl – Required if you want to set the access control list (ACL) permissions for a new or existing object without specifying versionId in the request.

  • s3:PutObjectVersionAcl – Required if you want to set the access control list (ACL) permissions for a new or existing object by specifying versionId in the request.

PutObjectLegalHold

(Required) s3:PutObjectLegalHold

Required to apply an Object Lock legal hold configuration to an object.

PutObjectRetention

(Required) s3:PutObjectRetention

Required to apply an Object Lock retention configuration to an object.

(Conditionally required) s3:BypassGovernanceRetention

Required if you want to bypass the governance mode of an Object Lock retention configuration.

PutObjectTagging

(Required) Either s3:PutObjectTagging or s3:PutObjectVersionTagging

  • s3:PutObjectTagging – Required if you want to set the supplied tag set to an object that already exists in a bucket without specifying versionId in the request.

  • s3:PutObjectVersionTagging – Required if you want to set the supplied tag set to an object that already exists in a bucket by specifying versionId in the request.

RestoreObject

(Required) s3:RestoreObject

Required to restore a copy of an archived object.

SelectObjectContent

(Required) s3:GetObject

Required to filter the contents of an S3 object based on a simple structured query language (SQL) statement.

(Conditionally required) kms:Decrypt

Required if you want to filter the contents of an S3 object that's encrypted with an AWS KMS customer managed key.

UploadPart

(Required) s3:PutObject

Required to upload a part in a multipart upload.

(Conditionally required) kms:GenerateDataKey

Required if you want to put an upload part and encrypt it with an AWS KMS customer managed key.

UploadPartCopy

For source object:

(Required) Either s3:GetObject or s3:GetObjectVersion

  • s3:GetObject – Required if you want to copy an object from the source bucket without specifying versionId in the request.

  • s3:GetObjectVersion – Required if you want to copy a specific version of an object from the source bucket by specifying versionId in the request.

(Conditionally required) kms:Decrypt

Required if you want to copy an AWS KMS customer managed key encrypted object from the source bucket.

For destination part:

(Required) s3:PutObject

Required to upload a multipart upload part to the destination bucket.

(Conditionally required) kms:GenerateDataKey

Required if you want to encrypt a part with an AWS KMS customer managed key when you upload the part to the destination bucket.
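The following is an added example, not code from the AWS documentation. It encodes a subset of the mapping above (the operations listed in OPERATION_ACTIONS), derives the actions a specific request needs, including the versionId rule and the conditionally required options, and places them in statements by resource type: bucket ARN, object ARN, or, for kms: actions, outside the S3 bucket policy entirely, since this page states they can only go in identity-based or KMS key policies. The bucket name "example-bucket" is a constructed placeholder.

```python
"""Added example (not AWS documentation code): derive required policy actions
from this page's operation-to-action mapping and group them by resource type."""
import json

# Subset of the page's mapping. "base" actions are always required; the other
# keys are request options that make further actions conditionally required.
OPERATION_ACTIONS = {
    "CreateBucket": {
        "base": ["s3:CreateBucket"],
        "acl": ["s3:PutBucketAcl"],
        "object_lock": ["s3:PutBucketObjectLockConfiguration",
                        "s3:PutBucketVersioning"],
        "ownership": ["s3:PutBucketOwnershipControls"],
    },
    "ListObjectsV2": {"base": ["s3:ListBucket"], "owner": ["s3:GetObjectAcl"]},
    "PutObject": {
        "base": ["s3:PutObject"],
        "acl": ["s3:PutObjectAcl"],
        "tagging": ["s3:PutObjectTagging"],
        "kms": ["kms:GenerateDataKey"],
        "retention": ["s3:PutObjectRetention"],
        "legal_hold": ["s3:PutObjectLegalHold"],
    },
    "GetObject": {
        "base": ["s3:GetObject"],
        "kms": ["kms:Decrypt"],
        "tagging": ["s3:GetObjectTagging"],
    },
    "DeleteObject": {
        "base": ["s3:DeleteObject"],
        "bypass_governance": ["s3:BypassGovernanceRetention"],
    },
    "CopyObject": {
        # source object needs a Get action, destination object needs PutObject
        "base": ["s3:GetObject", "s3:PutObject"],
        "kms": ["kms:Decrypt", "kms:GenerateDataKey"],
        "acl": ["s3:PutObjectAcl"],
        "tagging": ["s3:PutObjectTagging"],
    },
}

# Where the page says "Either X or XVersion": specifying versionId in the
# request switches the required action to the version-specific one.
VERSIONED = {
    "s3:GetObject": "s3:GetObjectVersion",
    "s3:DeleteObject": "s3:DeleteObjectVersion",
}

# Actions on the bucket resource type whose names don't carry a "Bucket"
# prefix pattern (s3:PutBucket*/GetBucket*/DeleteBucket* are matched below).
BUCKET_ACTIONS = {"s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions",
                  "s3:ListBucketMultipartUploads"}


def required_actions(operation, version_id=False, **options):
    """Return the sorted, de-duplicated actions a request needs.

    Keyword options are the conditional keys above set to True, e.g. kms=True.
    An option the operation doesn't define raises ValueError."""
    mapping = OPERATION_ACTIONS[operation]
    actions = list(mapping["base"])
    for opt, enabled in options.items():
        if not enabled:
            continue
        if opt not in mapping:
            raise ValueError(f"{operation} has no option {opt!r}")
        actions.extend(mapping[opt])
    if version_id:
        actions = [VERSIONED.get(a, a) for a in actions]
    return sorted(set(actions))


def is_bucket_action(action):
    """True for actions whose Resource must be the bucket ARN (subset only)."""
    return action in BUCKET_ACTIONS or action.startswith(
        ("s3:PutBucket", "s3:GetBucket", "s3:DeleteBucket"))


def build_policy(actions, bucket, key="*"):
    """Place actions in Allow statements by resource type.

    Returns (bucket_policy_document, kms_actions). kms: actions are returned
    separately because they can't be specified in an S3 bucket policy."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{key}"
    groups = {"bucket": [], "object": [], "kms": []}
    for action in actions:
        if action.startswith("kms:"):
            groups["kms"].append(action)
        elif is_bucket_action(action):
            groups["bucket"].append(action)
        else:
            groups["object"].append(action)
    statements = [{"Effect": "Allow", "Action": acts, "Resource": resource}
                  for resource, acts in ((bucket_arn, groups["bucket"]),
                                         (object_arn, groups["object"]))
                  if acts]
    return {"Version": "2012-10-17", "Statement": statements}, groups["kms"]


if __name__ == "__main__":
    # CopyObject of a specific version of a KMS-encrypted object ("example-bucket" is a placeholder)
    acts = required_actions("CopyObject", version_id=True, kms=True)
    policy, kms_only = build_policy(acts, "example-bucket", "reports/*")
    print(json.dumps(policy, indent=2))
    print("must be granted in the identity policy and KMS key policy:", kms_only)
```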

Access point operations are S3 API operations that operate on the accesspoint resource type. You must specify S3 policy actions for access point operations in IAM identity-based policies, not in bucket policies or access point policies.

In the policies, the Resource element must be the accesspoint ARN. For more information about the Resource element format and example policies, see Access point operations.

Note

If you want to use access points to control access to bucket or object operations, note the following:

The following is the mapping of access point operations and required policy actions.

API operations Policy actions Description of policy actions

CreateAccessPoint

(Required) s3:CreateAccessPoint

Required to create an access point that's associated with an S3 bucket.

DeleteAccessPoint

(Required) s3:DeleteAccessPoint

Required to delete an access point.

DeleteAccessPointPolicy

(Required) s3:DeleteAccessPointPolicy

Required to delete an access point policy.

GetAccessPointPolicy

(Required) s3:GetAccessPointPolicy

Required to retrieve an access point policy.

GetAccessPointPolicyStatus

(Required) s3:GetAccessPointPolicyStatus

Required to retrieve information about whether the specified access point currently has a policy that allows public access.

PutAccessPointPolicy

(Required) s3:PutAccessPointPolicy

Required to put an access point policy.

Object Lambda Access Point operations are S3 API operations that operate on the objectlambdaaccesspoint resource type. For more information about how to configure policies for Object Lambda Access Point operations, see Configuring IAM policies for Object Lambda Access Points.

The following is the mapping of Object Lambda Access Point operations and required policy actions.

API operations Policy actions Description of policy actions

CreateAccessPointForObjectLambda

(Required) s3:CreateAccessPointForObjectLambda

Required to create an Object Lambda Access Point.

DeleteAccessPointForObjectLambda

(Required) s3:DeleteAccessPointForObjectLambda

Required to delete a specified Object Lambda Access Point.

DeleteAccessPointPolicyForObjectLambda

(Required) s3:DeleteAccessPointPolicyForObjectLambda

Required to delete the policy on a specified Object Lambda Access Point.

GetAccessPointConfigurationForObjectLambda

(Required) s3:GetAccessPointConfigurationForObjectLambda

Required to retrieve the configuration of the Object Lambda Access Point.

GetAccessPointForObjectLambda

(Required) s3:GetAccessPointForObjectLambda

Required to retrieve information about the Object Lambda Access Point.

GetAccessPointPolicyForObjectLambda

(Required) s3:GetAccessPointPolicyForObjectLambda

Required to return the access point policy that's associated with the specified Object Lambda Access Point.

GetAccessPointPolicyStatusForObjectLambda

(Required) s3:GetAccessPointPolicyStatusForObjectLambda

Required to return the policy status for a specific Object Lambda Access Point policy.

PutAccessPointConfigurationForObjectLambda

(Required) s3:PutAccessPointConfigurationForObjectLambda

Required to set the configuration of the Object Lambda Access Point.

PutAccessPointPolicyForObjectLambda

(Required) s3:PutAccessPointPolicyForObjectLambda

Required to associate an access policy with a specified Object Lambda Access Point.

Multi-Region Access Point operations are S3 API operations that operate on the multiregionaccesspoint resource type. For more information about how to configure policies for Multi-Region Access Point operations, see Multi-Region Access Point policy examples.

The following is the mapping of Multi-Region Access Point operations and required policy actions.

API operations Policy actions Description of policy actions

CreateMultiRegionAccessPoint

(Required) s3:CreateMultiRegionAccessPoint

Required to create a Multi-Region Access Point and associate it with S3 buckets.

DeleteMultiRegionAccessPoint

(Required) s3:DeleteMultiRegionAccessPoint

Required to delete a Multi-Region Access Point.

DescribeMultiRegionAccessPointOperation

(Required) s3:DescribeMultiRegionAccessPointOperation

Required to retrieve the status of an asynchronous request to manage a Multi-Region Access Point.

GetMultiRegionAccessPoint

(Required) s3:GetMultiRegionAccessPoint

Required to return configuration information about the specified Multi-Region Access Point.

GetMultiRegionAccessPointPolicy

(Required) s3:GetMultiRegionAccessPointPolicy

Required to return the access control policy of the specified Multi-Region Access Point.

GetMultiRegionAccessPointPolicyStatus

(Required) s3:GetMultiRegionAccessPointPolicyStatus

Required to return the policy status of a specific Multi-Region Access Point, indicating whether its access control policy allows public access.

GetMultiRegionAccessPointRoutes

(Required) s3:GetMultiRegionAccessPointRoutes

Required to return the routing configuration for a Multi-Region Access Point.

PutMultiRegionAccessPointPolicy

(Required) s3:PutMultiRegionAccessPointPolicy

Required to update the access control policy of the specified Multi-Region Access Point.

SubmitMultiRegionAccessPointRoutes

(Required) s3:SubmitMultiRegionAccessPointRoutes

Required to submit an updated route configuration for a Multi-Region Access Point.

Batch Operations job operations are S3 API operations that operate on the job resource type. You must specify S3 policy actions for job operations in IAM identity-based policies, not in bucket policies.

In the policies, the Resource element must be the job ARN. For more information about the Resource element format and example policies, see Batch job operations.

The following is the mapping of batch job operations and required policy actions.

API operations Policy actions Description of policy actions

DeleteJobTagging

(Required) s3:DeleteJobTagging

Required to remove tags from an existing S3 Batch Operations job.

DescribeJob

(Required) s3:DescribeJob

Required to retrieve the configuration parameters and status for a Batch Operations job.

GetJobTagging

(Required) s3:GetJobTagging

Required to return the tag set of an existing S3 Batch Operations job.

PutJobTagging

(Required) s3:PutJobTagging

Required to put or replace tags on an existing S3 Batch Operations job.

UpdateJobPriority

(Required) s3:UpdateJobPriority

Required to update the priority of an existing job.

UpdateJobStatus

(Required) s3:UpdateJobStatus

Required to update the status for the specified job.

S3 Storage Lens configuration operations are S3 API operations that operate on the storagelensconfiguration resource type. For more information about the permissions that these operations require, see Setting Amazon S3 Storage Lens permissions.

The following is the mapping of S3 Storage Lens configuration operations and required policy actions.

API operations Policy actions Description of policy actions

DeleteStorageLensConfiguration

(Required) s3:DeleteStorageLensConfiguration

Required to delete the S3 Storage Lens configuration.

DeleteStorageLensConfigurationTagging

(Required) s3:DeleteStorageLensConfigurationTagging

Required to delete the S3 Storage Lens configuration tags.

GetStorageLensConfiguration

(Required) s3:GetStorageLensConfiguration

Required to get the S3 Storage Lens configuration.

GetStorageLensConfigurationTagging

(Required) s3:GetStorageLensConfigurationTagging

Required to get the tags of S3 Storage Lens configuration.

PutStorageLensConfigurationTagging

(Required) s3:PutStorageLensConfigurationTagging

Required to put or replace tags on an existing S3 Storage Lens configuration.

S3 Storage Lens groups operations are S3 API operations that operate on the storagelensgroup resource type. For more information about the permissions that these operations require, see Storage Lens groups permissions.

The following is the mapping of S3 Storage Lens groups operations and required policy actions.

API operations Policy actions Description of policy actions

DeleteStorageLensGroup

(Required) s3:DeleteStorageLensGroup

Required to delete an existing S3 Storage Lens group.

GetStorageLensGroup

(Required) s3:GetStorageLensGroup

Required to retrieve the S3 Storage Lens group configuration details.

UpdateStorageLensGroup

(Required) s3:UpdateStorageLensGroup

Required to update the existing S3 Storage Lens group.

Account operations are S3 API operations that operate on the account level. Account isn't a resource type defined by Amazon S3. You must specify S3 policy actions for account operations in IAM identity-based policies, not in bucket policies.

In the policies, the Resource element must be "*". Because these actions don't support resource-level permissions, a statement that scopes them to a bucket or object ARN doesn't match any request: an Allow written that way results in AccessDenied, and a Deny written that way doesn't block anything. For more information about example policies, see Account operations.

The following is the mapping of account operations and required policy actions.

API operations Policy actions Description of policy actions

CreateJob

(Required) s3:CreateJob

Required to create a new S3 Batch Operations job.

CreateStorageLensGroup

(Required) s3:CreateStorageLensGroup

Required to create a new S3 Storage Lens group and associate it with the specified AWS account ID.

(Conditionally required) s3:TagResource

Required if you want to create an S3 Storage Lens group with AWS resource tags.

DeletePublicAccessBlock (Account-level)

(Required) s3:PutAccountPublicAccessBlock

Required to remove the block public access configuration from an AWS account.

GetAccessPoint

(Required) s3:GetAccessPoint

Required to retrieve configuration information about the specified access point.

GetPublicAccessBlock (Account-level)

(Required) s3:GetAccountPublicAccessBlock

Required to retrieve the block public access configuration for an AWS account.

ListAccessPoints

(Required) s3:ListAccessPoints

Required to list access points of an S3 bucket that are owned by an AWS account.

ListAccessPointsForObjectLambda

(Required) s3:ListAccessPointsForObjectLambda

Required to list the Object Lambda Access Points.

ListBuckets

(Required) s3:ListAllMyBuckets

Required to return a list of all buckets that are owned by the authenticated sender of the request.

ListJobs

(Required) s3:ListJobs

Required to list current jobs and jobs that have ended recently.

ListMultiRegionAccessPoints

(Required) s3:ListMultiRegionAccessPoints

Required to return a list of the Multi-Region Access Points that are currently associated with the specified AWS account.

ListStorageLensConfigurations

(Required) s3:ListStorageLensConfigurations

Required to get a list of S3 Storage Lens configurations for an AWS account.

ListStorageLensGroups

(Required) s3:ListStorageLensGroups

Required to list all the S3 Storage Lens groups in the specified home AWS Region.

PutPublicAccessBlock (Account-level)

(Required) s3:PutAccountPublicAccessBlock

Required to create or modify the block public access configuration for an AWS account.

PutStorageLensConfiguration

(Required) s3:PutStorageLensConfiguration

Required to put an S3 Storage Lens configuration.
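The job operations and account operations sections above both make the same point: the Resource element has to name the resource type that the action operates on, or the statement never matches. The following linter, an added example rather than code from this page or from AWS, applies those two rules to an IAM identity-based policy document. The action sets are taken from the two tables above; the job ARN shape (arn:partition:s3:region:account-id:job/job-id) is the one in the Service Authorization Reference; the sample policies, the account ID 111122223333 and the bucket name are constructed for the example.

```python
"""Check that each statement in an S3 IAM policy scopes its Resource element to
the resource type its actions require. Added example, not code from the AWS page.

Account-level actions must be granted on Resource "*"; Batch Operations job
actions must be granted on a job ARN. A statement that gets this wrong never
matches: an Allow yields AccessDenied, and a Deny silently provides no guardrail.
"""
import json
import re

# (Required) actions from the account-operations table; Resource must be "*".
ACCOUNT_LEVEL_ACTIONS = {
    "s3:CreateJob", "s3:CreateStorageLensGroup", "s3:PutAccountPublicAccessBlock",
    "s3:GetAccessPoint", "s3:GetAccountPublicAccessBlock", "s3:ListAccessPoints",
    "s3:ListAccessPointsForObjectLambda", "s3:ListAllMyBuckets", "s3:ListJobs",
    "s3:ListMultiRegionAccessPoints", "s3:ListStorageLensConfigurations",
    "s3:ListStorageLensGroups", "s3:PutStorageLensConfiguration",
}

# Actions from the Batch Operations job table; Resource must be a job ARN.
JOB_ACTIONS = {
    "s3:DeleteJobTagging", "s3:DescribeJob", "s3:GetJobTagging",
    "s3:PutJobTagging", "s3:UpdateJobPriority", "s3:UpdateJobStatus",
}

# IAM matches action names case-insensitively, so index them in lower case.
_ACCOUNT = {a.lower() for a in ACCOUNT_LEVEL_ACTIONS}
_JOB = {a.lower() for a in JOB_ACTIONS}

# Job ARN shape from the Service Authorization Reference:
#   arn:<partition>:s3:<region>:<account-id>:job/<job-id>
# "*" is accepted in the variable fields.
JOB_ARN = re.compile(
    r"^arn:(?:aws|aws-cn|aws-us-gov|\*):s3:"
    r"(?:[a-z0-9-]+|\*):(?:\d{12}|\*):job/[A-Za-z0-9*?-]+$"
)


def _as_list(value):
    """Action and Resource may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for statements whose Resource can't match their actions.

    Statements that use NotAction, or wildcard actions such as "s3:*", are
    skipped because their action set can't be classified from the tables.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if "NotAction" in stmt:
            continue
        effect = stmt.get("Effect", "Allow")
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            key = action.lower()
            if key in _ACCOUNT and "*" not in resources:
                findings.append({
                    "statement": index, "effect": effect, "action": action,
                    "problem": 'account-level action needs Resource "*"; '
                               "this statement never matches",
                })
            elif key in _JOB:
                bad = [r for r in resources if r != "*" and not JOB_ARN.match(r)]
                if bad:
                    findings.append({
                        "statement": index, "effect": effect, "action": action,
                        "problem": "job action needs a job ARN, got " + ", ".join(bad),
                    })
    return findings


# Constructed sample: the first two statements are scoped to a bucket, so the
# Allow silently fails and the Deny silently does nothing. The third is correct.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:ListJobs"],
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"},
        {"Effect": "Deny", "Action": "s3:UpdateJobStatus",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"},
        {"Effect": "Allow", "Action": "s3:DescribeJob",
         "Resource": "arn:aws:s3:us-east-1:111122223333:job/*"},
    ],
}

# Same intent, with the Resource element each resource type calls for.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:ListJobs"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:UpdateJobStatus",
         "Resource": "arn:aws:s3:us-east-1:111122223333:job/*"},
        {"Effect": "Allow", "Action": "s3:DescribeJob",
         "Resource": "arn:aws:s3:us-east-1:111122223333:job/*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("BROKEN_POLICY", BROKEN_POLICY), ("FIXED_POLICY", FIXED_POLICY)):
        print(name, json.dumps(lint_policy(policy), indent=2))
```

Run against BROKEN_POLICY the linter reports three findings (two for the bucket-scoped Allow, one for the bucket-scoped Deny) and none for FIXED_POLICY. The Deny case is the one worth a pipeline gate: a guardrail that is scoped to the wrong resource type passes policy validation but never takes effect.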