Required permissions for Amazon S3 API operations
Note
This page is about Amazon S3 policy actions for general purpose buckets. To learn more about Amazon S3 policy actions for directory buckets, see Actions for directory buckets.
To perform an S3 API operation, you must have the right permissions. This page maps S3 API operations to the required permissions. To grant permissions to perform an S3 API operation, you must compose a valid policy (such as an S3 bucket policy or IAM identity-based policy) and specify the corresponding actions in the Action element of the policy. These actions are called policy actions.
Not every S3 API operation is represented by a single permission (a single policy action), and some permissions (some policy actions) are required for many different API operations.
When you compose policies, you must specify the Resource element based on the correct resource type required by the corresponding Amazon S3 policy actions. This page categorizes permissions for S3 API operations by resource type.
For more information about the resource types, see Resource types defined by Amazon S3 in the Service Authorization Reference. For a full list of Amazon S3 policy actions, resources, and condition keys for use in policies, see Actions, resources, and condition keys for Amazon S3 in the Service Authorization Reference. For a complete list of Amazon S3 API operations, see Amazon S3 API Actions in the Amazon Simple Storage Service API Reference.
Topics
- Bucket operations and permissions
- Object operations and permissions
- Access point operations and permissions
- Object Lambda Access Point operations and permissions
- Multi-Region Access Point operations and permissions
- Batch job operations and permissions
- S3 Storage Lens configuration operations and permissions
- S3 Storage Lens groups operations and permissions
- Account operations and permissions
Bucket operations and permissions
Bucket operations are S3 API operations that operate on the bucket resource type. You must specify S3 policy actions for bucket operations in bucket policies or IAM identity-based policies.
In the policies, the Resource element must be the bucket Amazon Resource Name (ARN). For more information about the Resource element format and example policies, see Bucket operations.
Note
To grant permissions to bucket operations in access point policies, note the following:
- Permissions granted for bucket operations in an access point policy are effective only if the underlying bucket allows the same permissions. When you use an access point, you must delegate access control from the bucket to the access point or add the same permissions in the access point policy to the underlying bucket's policy.
- In access point policies that grant permissions to bucket operations, the Resource element must be the accesspoint ARN. For more information about the Resource element format and example policies, see Bucket operations in access point policies. For more information about access point policies, see Configuring IAM policies for using access points. Not all bucket operations are supported by access points. For more information, see Access point compatibility with S3 operations.
The following is the mapping of bucket operations and required policy actions.
| API operations | Policy actions | Description of policy actions |
|---|---|---|
|  | (Required) | Required to create a new S3 bucket. |
|  | (Conditionally required) | Required if you want to use an access control list (ACL) to specify permissions on a bucket when you make a |
|  | (Conditionally required) | Required if you want to enable Object Lock when you create a bucket. |
|  | (Conditionally required) | Required if you want to specify S3 Object Ownership when you create a bucket. |
|  | (Required) | Required to create a metadata table configuration on a general purpose bucket. To create the metadata table in the table bucket that's specified in your metadata table configuration, you must have the specified If you also want to integrate your table bucket with AWS analytics services so that you can query your metadata table, you need additional permissions. For more information, see Integrating Amazon S3 Tables with AWS analytics services. |
|  | (Required) | Required to delete an S3 bucket. |
|  | (Required) | Required to delete an S3 analytics configuration from an S3 bucket. |
|  | (Required) | Required to delete the cross-origin resource sharing (CORS) configuration for an S3 bucket. |
|  | (Required) | Required to reset the default encryption configuration for an S3 bucket to server-side encryption with Amazon S3 managed keys (SSE-S3). |
|  | (Required) | Required to delete the existing S3 Intelligent-Tiering configuration from an S3 bucket. |
|  | (Required) | Required to delete an S3 Inventory configuration from an S3 bucket. |
|  | (Required) | Required to delete the S3 Lifecycle configuration for an S3 bucket. |
|  | (Required) | Required to delete a metadata table configuration from a general purpose bucket. |
|  | (Required) | Required to delete a metrics configuration for the Amazon CloudWatch request metrics from an S3 bucket. |
|  | (Required) | Required to remove the Object Ownership setting for an S3 bucket. After removal, the Object Ownership setting becomes |
|  | (Required) | Required to delete the policy of an S3 bucket. |
|  | (Required) | Required to delete the replication configuration of an S3 bucket. |
|  | (Required) | Required to delete tags from an S3 bucket. |
|  | (Required) | Required to remove the website configuration for an S3 bucket. |
| DeletePublicAccessBlock (Bucket-level) | (Required) | Required to remove the block public access configuration for an S3 bucket. |
|  | (Required) | Required to use the accelerate subresource to return the Amazon S3 Transfer Acceleration state of a bucket, which is either Enabled or Suspended. |
|  | (Required) | Required to return the access control list (ACL) of an S3 bucket. |
|  | (Required) | Required to return an analytics configuration that's identified by the analytics configuration ID from an S3 bucket. |
|  | (Required) | Required to return the cross-origin resource sharing (CORS) configuration for an S3 bucket. |
|  | (Required) | Required to return the default encryption configuration for an S3 bucket. |
|  | (Required) | Required to get the S3 Intelligent-Tiering configuration of an S3 bucket. |
|  | (Required) | Required to return an inventory configuration that's identified by the inventory configuration ID from the bucket. |
|  | (Required) | Required to return the S3 Lifecycle configuration of the bucket. |
|  | (Required) | Required to return the AWS Region that an S3 bucket resides in. |
|  | (Required) | Required to return the logging status of an S3 bucket and the permissions that users have to view and modify that status. |
|  | (Required) | Required to retrieve a metadata table configuration for a general purpose bucket. |
|  | (Required) | Required to get a metrics configuration that's specified by the metrics configuration ID from the bucket. |
|  | (Required) | Required to return the notification configuration of an S3 bucket. |
|  | (Required) | Required to retrieve the Object Ownership setting for an S3 bucket. |
|  | (Required) | Required to return the policy of an S3 bucket. |
|  | (Required) | Required to retrieve the policy status for an S3 bucket, indicating whether the bucket is public. |
|  | (Required) | Required to return the replication configuration of an S3 bucket. |
|  | (Required) | Required to return the request payment configuration for an S3 bucket. |
|  | (Required) | Required to return the versioning state of an S3 bucket. |
|  | (Required) | Required to return the tag set that's associated with an S3 bucket. |
|  | (Required) | Required to return the website configuration for an S3 bucket. |
|  | (Required) | Required to get the Object Lock configuration for an S3 bucket. |
| GetPublicAccessBlock (Bucket-level) | (Required) | Required to retrieve the block public access configuration for an S3 bucket. |
|  | (Required) | Required to determine if a bucket exists and if you have permission to access it. |
|  | (Required) | Required to list the analytics configurations for an S3 bucket. |
|  | (Required) | Required to list the S3 Intelligent-Tiering configurations of an S3 bucket. |
|  | (Required) | Required to return a list of inventory configurations for an S3 bucket. |
|  | (Required) | Required to list the metrics configurations for an S3 bucket. |
|  | (Required) | Required to list some or all (up to 1,000) of the objects in an S3 bucket. |
|  | (Conditionally required) | Required if you want to display object owner information. |
|  | (Required) | Required to list some or all (up to 1,000) of the objects in an S3 bucket. |
|  | (Conditionally required) | Required if you want to display object owner information. |
|  | (Required) | Required to get metadata about all the versions of objects in an S3 bucket. |
|  | (Required) | Required to set the accelerate configuration of an existing bucket. |
|  | (Required) | Required to use access control lists (ACLs) to set the permissions on an existing bucket. |
|  | (Required) | Required to set an analytics configuration for an S3 bucket. |
|  | (Required) | Required to set the cross-origin resource sharing (CORS) configuration for an S3 bucket. |
|  | (Required) | Required to configure the default encryption for an S3 bucket. |
|  | (Required) | Required to put the S3 Intelligent-Tiering configuration to an S3 bucket. |
|  | (Required) | Required to add an inventory configuration to an S3 bucket. |
|  | (Required) | Required to create a new S3 Lifecycle configuration or replace an existing lifecycle configuration for an S3 bucket. |
|  | (Required) | Required to set the logging parameters for an S3 bucket and specify permissions for who can view and modify the logging parameters. |
|  | (Required) | Required to set or update a metrics configuration for the Amazon CloudWatch request metrics of an S3 bucket. |
|  | (Required) | Required to enable notifications of specified events for an S3 bucket. |
|  | (Required) | Required to create or modify the Object Ownership setting for an S3 bucket. |
|  | (Required) | Required to apply an S3 bucket policy to a bucket. |
|  | (Required) | Required to create a new replication configuration or replace an existing one for an S3 bucket. |
|  | (Required) | Required to set the request payment configuration for a bucket. |
|  | (Required) | Required to add a set of tags to an S3 bucket. |
|  | (Required) | Required to set the versioning state of an S3 bucket. |
|  | (Required) | Required to configure a bucket as a website and set the configuration of the website. |
|  | (Required) | Required to put an Object Lock configuration on an S3 bucket. |
| PutPublicAccessBlock (Bucket-level) | (Required) | Required to create or modify the block public access configuration for an S3 bucket. |
Object operations and permissions
Object operations are S3 API operations that operate on the object resource type. You must specify S3 policy actions for object operations in resource-based policies (such as bucket policies, access point policies, Multi-Region Access Point policies, and VPC endpoint policies) or IAM identity-based policies.
In the policies, the Resource element must be the object ARN. For more information about the Resource element format and example policies, see Object operations.
Note
- AWS KMS policy actions (kms:GenerateDataKey and kms:Decrypt) are only applicable to the AWS KMS resource type and must be specified in IAM identity-based policies and AWS KMS resource-based policies (AWS KMS key policies). You can't specify AWS KMS policy actions in S3 resource-based policies, such as S3 bucket policies.
- When you use access points to control access to object operations, you can use access point policies. To grant permissions to object operations in access point policies, note the following:
  - In access point policies that grant permissions to object operations, the Resource element must be the ARNs for objects accessed through an access point. For more information about the Resource element format and example policies, see Object operations in access point policies. Not all object operations are supported by access points. For more information, see Access point compatibility with S3 operations.
  - Not all object operations are supported by Multi-Region Access Points. For more information, see Multi-Region Access Point compatibility with S3 operations.
The following is the mapping of object operations and required policy actions.
| API operations | Policy actions | Description of policy actions |
|---|---|---|
|  | (Required) | Required to abort a multipart upload. |
|  | (Required) | Required to complete a multipart upload. |
|  | (Conditionally required) | Required if you want to complete a multipart upload for an object encrypted with an AWS KMS customer managed key. |
| For source object: |  |  |
|  | (Required) Either |  |
|  | (Conditionally required) | Required if you want to copy an object encrypted with an AWS KMS customer managed key from the source bucket. |
| For destination object: |  |  |
|  | (Required) | Required to put the copied object in the destination bucket. |
|  | (Conditionally required) | Required if you want to put the copied object with an object access control list (ACL) to the destination bucket when you make a |
|  | (Conditionally required) | Required if you want to put the copied object with object tagging to the destination bucket when you make a |
|  | (Conditionally required) | Required if you want to encrypt the copied object with an AWS KMS customer managed key and put it in the destination bucket. |
|  | (Conditionally required) | Required if you want to set an Object Lock retention configuration for the new object. |
|  | (Conditionally required) | Required if you want to place an Object Lock legal hold on the new object. |
|  | (Required) | Required to create a multipart upload. |
|  | (Conditionally required) | Required if you want to set the object access control list (ACL) permissions for the uploaded object. |
|  | (Conditionally required) | Required if you want to add object tags to the uploaded object. |
|  | (Conditionally required) | Required if you want to use an AWS KMS customer managed key to encrypt an object when you initiate a multipart upload. |
|  | (Conditionally required) | Required if you want to set an Object Lock retention configuration for the uploaded object. |
|  | (Conditionally required) | Required if you want to apply an Object Lock legal hold to the uploaded object. |
|  | (Required) Either |  |
|  | (Conditionally required) | Required if you want to delete an object that's protected by governance mode for Object Lock retention. |
|  | (Required) Either |  |
|  | (Conditionally required) | Required if you want to delete objects that are protected by governance mode for Object Lock retention. |
|  | (Required) Either |  |
|  | (Required) Either |  |
|  | (Conditionally required) | Required if you want to get and decrypt an object encrypted with an AWS KMS customer managed key. |
|  | (Conditionally required) | Required if you want to get the tag set of an object when you make a |
|  | (Conditionally required) | Required if you want to get an object's current Object Lock legal hold status. |
|  | (Conditionally required) | Required if you want to retrieve the Object Lock retention settings for an object. |
|  | (Required) Either |  |
|  | (Required) Either |  |
|  | (Conditionally required) | Required if you want to retrieve attributes of an object encrypted with an AWS KMS customer managed key. |
|  | (Required) | Required to get an object's current Object Lock legal hold status. |
|  | (Required) | Required to retrieve the Object Lock retention settings for an object. |
|  | (Required) Either |  |
|  | (Required) | Required to return torrent files of an object. |
|  | (Required) | Required to retrieve metadata from an object without returning the object itself. |
|  | (Conditionally required) | Required if you want to get an object's current Object Lock legal hold status. |
|  | (Conditionally required) | Required if you want to retrieve the Object Lock retention settings for an object. |
|  | (Required) | Required to list in-progress multipart uploads in a bucket. |
|  | (Required) | Required to list the parts that have been uploaded for a specific multipart upload. |
|  | (Conditionally required) | Required if you want to list the parts of a multipart upload encrypted with an AWS KMS customer managed key. |
|  | (Required) | Required to put an object. |
|  | (Conditionally required) | Required if you want to put the object access control list (ACL) when you make a |
|  | (Conditionally required) | Required if you want to put object tagging when you make a |
|  | (Conditionally required) | Required if you want to encrypt an object with an AWS KMS customer managed key. |
|  | (Conditionally required) | Required if you want to set an Object Lock retention configuration on an object. |
|  | (Conditionally required) | Required if you want to apply an Object Lock legal hold configuration to a specified object. |
|  | (Required) Either |  |
|  | (Required) | Required to apply an Object Lock legal hold configuration to an object. |
|  | (Required) | Required to apply an Object Lock retention configuration to an object. |
|  | (Conditionally required) | Required if you want to bypass the governance mode of an Object Lock retention configuration. |
|  | (Required) Either |  |
|  | (Required) | Required to restore a copy of an archived object. |
|  | (Required) | Required to filter the contents of an S3 object based on a simple structured query language (SQL) statement. |
|  | (Conditionally required) | Required if you want to filter the contents of an S3 object that's encrypted with an AWS KMS customer managed key. |
|  | (Required) | Required to upload a part in a multipart upload. |
|  | (Conditionally required) | Required if you want to upload a part and encrypt it with an AWS KMS customer managed key. |
| For source object: |  |  |
|  | (Required) Either |  |
|  | (Conditionally required) | Required if you want to copy an object encrypted with an AWS KMS customer managed key from the source bucket. |
| For destination part: |  |  |
|  | (Required) | Required to upload a multipart upload part to the destination bucket. |
|  | (Conditionally required) | Required if you want to encrypt a part with an AWS KMS customer managed key when you upload the part to the destination bucket. |
Access point operations and permissions
Access point operations are S3 API operations that operate on the accesspoint resource type. You must specify S3 policy actions for access point operations in IAM identity-based policies, not in bucket policies or access point policies.
In the policies, the Resource element must be the accesspoint ARN. For more information about the Resource element format and example policies, see Access point operations.
Note
If you want to use access points to control access to bucket or object operations, note the following:
- For using access points to control access to bucket operations, see Bucket operations in access point policies.
- For using access points to control access to object operations, see Object operations in access point policies.
For more information about how to configure access point policies, see Configuring IAM policies for using access points.
The following is the mapping of access point operations and required policy actions.
| API operations | Policy actions | Description of policy actions |
|---|---|---|
|  | (Required) | Required to create an access point that's associated with an S3 bucket. |
|  | (Required) | Required to delete an access point. |
|  | (Required) | Required to delete an access point policy. |
|  | (Required) | Required to retrieve an access point policy. |
|  | (Required) | Required to retrieve the information on whether the specified access point currently has a policy that allows public access. |
|  | (Required) | Required to put an access point policy. |
Object Lambda Access Point operations and permissions
Object Lambda Access Point operations are S3 API operations that operate on the objectlambdaaccesspoint resource type. For more information about how to configure policies for Object Lambda Access Point operations, see Configuring IAM policies for Object Lambda Access Points.
The following is the mapping of Object Lambda Access Point operations and required policy actions.
| API operations | Policy actions | Description of policy actions |
|---|---|---|
|  | (Required) | Required to create an Object Lambda Access Point. |
|  | (Required) | Required to delete a specified Object Lambda Access Point. |
|  | (Required) | Required to delete the policy on a specified Object Lambda Access Point. |
|  | (Required) | Required to retrieve the configuration of the Object Lambda Access Point. |
|  | (Required) | Required to retrieve information about the Object Lambda Access Point. |
|  | (Required) | Required to return the access point policy that's associated with the specified Object Lambda Access Point. |
|  | (Required) | Required to return the policy status for a specific Object Lambda Access Point policy. |
|  | (Required) | Required to set the configuration of the Object Lambda Access Point. |
|  | (Required) | Required to associate an access policy with a specified Object Lambda Access Point. |
Multi-Region Access Point operations and permissions
Multi-Region Access Point operations are S3 API operations that operate on the multiregionaccesspoint resource type. For more information about how to configure policies for Multi-Region Access Point operations, see Multi-Region Access Point policy examples.
The following is the mapping of Multi-Region Access Point operations and required policy actions.
| API operations | Policy actions | Description of policy actions |
|---|---|---|
|  | (Required) | Required to create a Multi-Region Access Point and associate it with S3 buckets. |
|  | (Required) | Required to delete a Multi-Region Access Point. |
|  | (Required) | Required to retrieve the status of an asynchronous request to manage a Multi-Region Access Point. |
|  | (Required) | Required to return configuration information about the specified Multi-Region Access Point. |
|  | (Required) | Required to return the access control policy of the specified Multi-Region Access Point. |
|  | (Required) | Required to return the policy status for a specific Multi-Region Access Point, which indicates whether the specified Multi-Region Access Point has an access control policy that allows public access. |
|  | (Required) | Required to return the routing configuration for a Multi-Region Access Point. |
|  | (Required) | Required to update the access control policy of the specified Multi-Region Access Point. |
|  | (Required) | Required to submit an updated route configuration for a Multi-Region Access Point. |
Batch job operations and permissions
Batch Operations job operations are S3 API operations that operate on the job resource type. You must specify S3 policy actions for job operations in IAM identity-based policies, not in bucket policies.
In the policies, the Resource element must be the job ARN. For more information about the Resource element format and example policies, see Batch job operations.
The following is the mapping of batch job operations and required policy actions.
| API operations | Policy actions | Description of policy actions |
|---|---|---|
|  | (Required) | Required to remove tags from an existing S3 Batch Operations job. |
|  | (Required) | Required to retrieve the configuration parameters and status for a Batch Operations job. |
|  | (Required) | Required to return the tag set of an existing S3 Batch Operations job. |
|  | (Required) | Required to put or replace tags on an existing S3 Batch Operations job. |
|  | (Required) | Required to update the priority of an existing job. |
|  | (Required) | Required to update the status for the specified job. |
S3 Storage Lens configuration operations and permissions
S3 Storage Lens configuration operations are S3 API operations that operate on the storagelensconfiguration resource type. For more information about how to configure S3 Storage Lens configuration operations, see Setting Amazon S3 Storage Lens permissions.
The following is the mapping of S3 Storage Lens configuration operations and required policy actions.
| API operations | Policy actions | Description of policy actions |
|---|---|---|
|  | (Required) | Required to delete the S3 Storage Lens configuration. |
|  | (Required) | Required to delete the S3 Storage Lens configuration tags. |
|  | (Required) | Required to get the S3 Storage Lens configuration. |
|  | (Required) | Required to get the tags of an S3 Storage Lens configuration. |
|  | (Required) | Required to put or replace tags on an existing S3 Storage Lens configuration. |
S3 Storage Lens groups operations and permissions
S3 Storage Lens groups operations are S3 API operations that operate on the storagelensgroup resource type. For more information about how to configure S3 Storage Lens groups permissions, see Storage Lens groups permissions.
The following is the mapping of S3 Storage Lens groups operations and required policy actions.
| API operations | Policy actions | Description of policy actions |
|---|---|---|
|  | (Required) | Required to delete an existing S3 Storage Lens group. |
|  | (Required) | Required to retrieve the S3 Storage Lens group configuration details. |
|  | (Required) | Required to update the existing S3 Storage Lens group. |
Account operations and permissions
Account operations are S3 API operations that operate on the account level. Account isn't a resource type defined by Amazon S3. You must specify S3 policy actions for account operations in IAM identity-based policies, not in bucket policies.
In the policies, the Resource element must be "*". For more information about example policies, see Account operations.
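The resource-type rule that runs through this page (bucket actions on the bucket ARN, object actions on the object ARN, access point actions on the accesspoint ARN, account actions on "*", and no KMS actions in an S3 bucket policy) can be checked mechanically before a policy is deployed. The following linter is an added example, not AWS code: the action-to-resource-type table, the bucket name, account ID, and principal are constructed for illustration, and the ARN classification covers only the forms discussed on this page.

```python
import re

# Resource type each policy action operates on, following this page's categories.
# The action names are assumed well-known S3 actions, not a list taken from the page.
ACTION_RESOURCE_TYPE = {
    "s3:CreateBucket": "bucket", "s3:DeleteBucket": "bucket", "s3:ListBucket": "bucket",
    "s3:GetBucketPolicy": "bucket", "s3:PutBucketPolicy": "bucket",      # bucket ARN
    "s3:GetObject": "object", "s3:PutObject": "object", "s3:DeleteObject": "object",
    "s3:GetAccessPointPolicy": "accesspoint", "s3:PutAccessPointPolicy": "accesspoint",
    "s3:ListAllMyBuckets": "account", "s3:CreateJob": "account",          # Resource "*"
}
# Order matters: the access point object form must be tried before the plain form.
ARN_PATTERNS = [
    (re.compile(r"^arn:aws[\w-]*:s3:[\w-]*:\d*:accesspoint/[^/]+/object/.*$"), "object"),
    (re.compile(r"^arn:aws[\w-]*:s3:[\w-]*:\d*:accesspoint/[^/]+$"), "accesspoint"),
    (re.compile(r"^arn:aws[\w-]*:s3:::[^/]+/.*$"), "object"),
    (re.compile(r"^arn:aws[\w-]*:s3:::[^/]+$"), "bucket"),
]

def resource_type(arn):
    """Classify a Resource value into the resource types this page uses."""
    if arn == "*":
        return "any"
    for pattern, kind in ARN_PATTERNS:
        if pattern.match(arn):
            return kind
    return "unknown"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_policy(policy, policy_kind):
    """Return findings.  policy_kind is "bucket" (S3 resource-based) or "identity" (IAM).
    Deny statements are checked too: a Deny on the wrong resource type never fires."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if "NotAction" in stmt or "NotResource" in stmt:
            continue  # negated forms need a different analysis; out of scope here
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action.startswith("kms:") and policy_kind == "bucket":
                findings.append(f"stmt {i}: {action} can't be granted in an S3 bucket policy; "
                                "it belongs in an IAM identity policy or the KMS key policy")
                continue
            needed = ACTION_RESOURCE_TYPE.get(action)
            if needed is None:
                continue  # wildcard or unmapped action: nothing to check
            for res in resources:
                have = resource_type(res)
                if needed == "account" and res != "*":
                    findings.append(f"stmt {i}: {action} is an account operation; "
                                    f"Resource must be \"*\", not {res}")
                elif needed != "account" and have not in ("any", needed):
                    findings.append(f"stmt {i}: {action} operates on the {needed} resource "
                                    f"type, but Resource {res} is a {have} ARN")
    return findings

_READER = {"AWS": "arn:aws:iam::111122223333:role/reader"}  # constructed principal
_BUCKET = "arn:aws:s3:::amzn-s3-demo-bucket"                  # constructed bucket ARN
# Constructed bucket policy with three defects this page's mapping catches.
BAD_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    # Object action on the bucket ARN: grants nothing, GetObject still gets AccessDenied.
    {"Effect": "Allow", "Principal": _READER, "Action": "s3:GetObject", "Resource": _BUCKET},
    # Bucket action on the object ARN, plus a KMS action that an S3 policy can't carry.
    {"Effect": "Allow", "Principal": _READER, "Action": ["s3:ListBucket", "kms:Decrypt"],
     "Resource": _BUCKET + "/*"},
]}

# The same grant with each action on its correct resource type.
GOOD_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": _READER, "Action": "s3:ListBucket", "Resource": _BUCKET},
    {"Effect": "Allow", "Principal": _READER, "Action": "s3:GetObject", "Resource": _BUCKET + "/*"},
]}

# Constructed IAM identity policy: access point ARNs are fine, the account action is not.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetAccessPointPolicy",
     "Resource": "arn:aws:s3:us-east-1:111122223333:accesspoint/my-ap"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:us-east-1:111122223333:accesspoint/my-ap/object/*"},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": _BUCKET},
]}
```

Running check_policy on BAD_BUCKET_POLICY yields three findings and on GOOD_BUCKET_POLICY none; the mismatched Allow statements are the usual cause of an unexpected AccessDenied even though the policy "looks" permissive.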
The following is the mapping of account operations and required policy actions.
| API operations | Policy actions | Description of policy actions |
|---|---|---|
|  | (Required) | Required to create a new S3 Batch Operations job. |
|  | (Required) | Required to create a new S3 Storage Lens group and associate it with the specified AWS account ID. |
|  | (Conditionally required) | Required if you want to create an S3 Storage Lens group with AWS resource tags. |
| DeletePublicAccessBlock (Account-level) | (Required) | Required to remove the block public access configuration from an AWS account. |
|  | (Required) | Required to retrieve configuration information about the specified access point. |
| GetAccessPointPolicy (Account-level) | (Required) | Required to retrieve the block public access configuration for an AWS account. |
|  | (Required) | Required to list access points of an S3 bucket that are owned by an AWS account. |
|  | (Required) | Required to list the Object Lambda Access Points. |
|  | (Required) | Required to return a list of all buckets that are owned by the authenticated sender of the request. |
|  | (Required) | Required to list current jobs and jobs that have ended recently. |
|  | (Required) | Required to return a list of the Multi-Region Access Points that are currently associated with the specified AWS account. |
|  | (Required) | Required to get a list of S3 Storage Lens configurations for an AWS account. |
|  | (Required) | Required to list all the S3 Storage Lens groups in the specified home AWS Region. |
| PutPublicAccessBlock (Account-level) | (Required) | Required to create or modify the block public access configuration for an AWS account. |
|  | (Required) | Required to put an S3 Storage Lens configuration. |