Authenticating and authorizing for directory buckets in Local Zones - Amazon Simple Storage Service

Authenticating and authorizing for directory buckets in Local Zones

Directory buckets in Local Zones support both AWS Identity and Access Management (IAM) authorization and session-based authorization. For more information about authentication and authorization for directory buckets, see Authenticating and authorizing requests.

Resources

Amazon Resource Names (ARNs) for directory buckets contain the s3express namespace, the AWS parent Region, the AWS account ID, and the directory bucket name, which includes the Zone ID. To access and perform actions on your directory bucket, you must use the following ARN format:

arn:aws:s3express:region-code:account-id:bucket/bucket-base-name--ZoneID--x-s3

For directory buckets in a Local Zone, the Zone ID is the ID of the Local Zone. For more information about directory buckets in Local Zones, see Concepts for directory buckets in Local Zones. For more information about ARNs, see Amazon Resource Names (ARNs) in the IAM User Guide. For more information about resources, see IAM JSON Policy Elements: Resource in the IAM User Guide.

Condition keys for directory buckets in Local Zones

In Local Zones, you can use all of the condition keys for directory buckets in your IAM policies. Additionally, to create a data perimeter around your Local Zone network border groups, you can use the condition key s3express:AllAccessRestrictedToLocalZoneGroup to deny all requests that originate from outside those groups.

The following condition key can be used to further refine the conditions under which an IAM policy statement applies. For a complete list of API operations, policy actions, and condition keys that are supported by directory buckets, see Policy actions for directory buckets.

Note

The following condition key only applies to Local Zones and isn't supported in Availability Zones and AWS Regions.

API operations: Zonal endpoint API operations

Policy action: s3express:CreateSession
  Description: Grants permission to create a session token, which is used for granting access to all Zonal endpoint API operations, such as CreateSession, HeadBucket, CopyObject, PutObject, and GetObject.

Condition key: s3express:AllAccessRestrictedToLocalZoneGroup
  Description: Filters all access to the bucket unless the request originates from the AWS Local Zone network border groups provided in this condition key.
  Values: Local Zone network border group value
  Type: String

Example policies

To restrict object access to requests from within a data residency boundary that you define (specifically, a Local Zone Group, which is a set of Local Zones parented to the same AWS Region), you can use any of the following policies:

Note

The condition key s3express:AllAccessRestrictedToLocalZoneGroup doesn't support access from an on-premises environment, so the policies below, as written, deny requests that come from on-premises. To support access from an on-premises environment, you must add the on-premises source IP range to the policies (as an aws:SourceIp condition). For more information, see aws:SourceIp in the IAM User Guide.

Example – SCP policy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Access-to-specific-LocalZones-only",
                "Effect": "Deny",
                "Action": [
                    "s3express:*"
                ],
                "Resource": "*",
                "Condition": {
                    "StringNotEqualsIfExists": {
                        "s3express:AllAccessRestrictedToLocalZoneGroup": [
                            "local-zone-network-border-group-value"
                        ]
                    }
                }
            }
        ]
    }
Example – IAM identity-based policy (attached to IAM role)

    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Deny",
            "Action": "s3express:CreateSession",
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {
                    "s3express:AllAccessRestrictedToLocalZoneGroup": [
                        "local-zone-network-border-group-value"
                    ]
                }
            }
        }
    }

Example – VPC endpoint policy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Access-to-specific-LocalZones-only",
                "Principal": "*",
                "Action": "s3express:CreateSession",
                "Effect": "Deny",
                "Resource": "*",
                "Condition": {
                    "StringNotEqualsIfExists": {
                        "s3express:AllAccessRestrictedToLocalZoneGroup": [
                            "local-zone-network-border-group-value"
                        ]
                    }
                }
            }
        ]
    }

Example – bucket policy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Access-to-specific-LocalZones-only",
                "Principal": "*",
                "Action": "s3express:CreateSession",
                "Effect": "Deny",
                "Resource": "*",
                "Condition": {
                    "StringNotEqualsIfExists": {
                        "s3express:AllAccessRestrictedToLocalZoneGroup": [
                            "local-zone-network-border-group-value"
                        ]
                    }
                }
            }
        ]
    }