Resource-based policies for S3 Tables - Amazon Simple Storage Service

Resource-based policies for S3 Tables

S3 Tables provides resource-based policies for managing access to table buckets and tables: table bucket policies and table policies. You can use a table bucket policy to grant API access permissions at the table bucket, namespace, or table-level. The permissions attached to the table bucket can apply to all tables in the bucket or to specific tables in the bucket, depending on the policy definition. You can use a table policy to grant permissions at the table-level.

When S3 Tables receives a request, it first verifies that the requester has the necessary permissions. It evaluates all the relevant access policies, user policies, and resource-based policies in deciding whether to authorize the request (IAM user policy, IAM role policy, table bucket policy, and table policy). For example, if a table bucket policy grants a user permissions to perform all actions on the tables in the bucket (including DeleteTable), but an individual table has a table policy that denies the DeleteTable action for all users, then the user cannot delete the table.

The following topic includes examples of table and table bucket policies. To use these policies, replace the user input placeholders with your own information.

Note
  • Every policy that grants permissions to modify tables should include permissions for GetTableMetadataLocation to access the table root file. For more information, see GetTableMetadataLocation.

  • Every time that you perform a write or delete activity on your table, include permissions to UpdateTableMetadataLocation in your access policy.

  • We recommend using a table bucket policy for governing access to bucket-level actions and a table policy for governing access to table-level actions. In cases where you want to define the same set of permissions across multiple tables, then we recommend using a table bucket policy.

Example 1: Table bucket policy allows access to PutBucketMaintenanceConfiguration for buckets in an account

The following example table bucket policy allows the IAM data steward to delete unreferenced objects for all the buckets in an account by allowing access to PutBucketMaintenanceConfiguration.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::account_id:role/datasteward" }, "Action": ["s3tables:PutTableBucketMaintenanceConfiguration”], "Resource":"arn:aws:s3tables:region:account_id:bucket/*” }] }

Example 2: Table bucket policy to allows read (SELECT) access to tables stored in the hrnamespace

The following an example table bucket policy allows Jane, a user from AWS account ID 123456789012 to access tables stored in the hr namespace in a table bucket.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "Principal": { "AWS": "arn:aws:iam::123456789012:user/Jane" }, "Action": [ "s3tables:GetTableData", "s3tables:GetTableMetadataLocation" ], "Resource":{ "arn:aws:s3tables:region:account_id:bucket/amzn-s3-demo-bucket1/table/*”} "Condition": { "StringLike": { "s3tables:namespace": "hr" } } ] }

Example 3: Table policy to allow user to delete a table

The following example table policy that allows the IAM role data steward to delete a table.

{ "Version": "2012-10-17", "Id": "DeleteTable", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::account_id:role/datasteward" }, "Action": [ "s3tables:DeleteTable", "s3tables:UpdateTableMetadataLocation", "s3tables:PutTableData", "s3tables:GetTableMetadataLocation" ], "Resource":"arn:aws:s3tables:region:account_id:bucket/amzn-s3-demo-bucket1/table/tableUUID" }] }