Resource-based policies for S3 Tables
S3 Tables provides resource-based policies for managing access to table buckets and tables: table bucket policies and table policies. You can use a table bucket policy to grant API access permissions at the table bucket, namespace, or table-level. The permissions attached to the table bucket can apply to all tables in the bucket or to specific tables in the bucket, depending on the policy definition. You can use a table policy to grant permissions at the table-level.
When S3 Tables receives a request, it first verifies that the requester has the necessary
permissions. It evaluates all the relevant access policies, user policies, and
resource-based policies in deciding whether to authorize the request (IAM user policy,
IAM role policy, table bucket policy, and table policy). For example, if a table bucket
policy grants a user permissions to perform all actions on the tables in the bucket
(including DeleteTable), but an individual table has a table policy that denies
the DeleteTable action for all users, then the user cannot delete the
table.
The following topic includes examples of table and table bucket policies. To use these policies,
replace the user input placeholders with your own
information.
Note
-
Every policy that grants permissions to modify tables should include permissions for
GetTableMetadataLocationto access the table root file. For more information, seeGetTableMetadataLocation. -
Every time that you perform a write or delete activity on your table, include permissions to
UpdateTableMetadataLocationin your access policy. -
We recommend using a table bucket policy for governing access to bucket-level actions and a table policy for governing access to table-level actions. In cases where you want to define the same set of permissions across multiple tables, then we recommend using a table bucket policy.
Topics
Example 1: Table bucket policy allows access to PutBucketMaintenanceConfiguration for buckets in an account
The following example table bucket policy allows the IAM data steward to delete unreferenced objects for all the buckets in an account by allowing access to PutBucketMaintenanceConfiguration.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::account_id:role/datasteward" }, "Action": ["s3tables:PutTableBucketMaintenanceConfiguration”], "Resource":"arn:aws:s3tables:region:account_id:bucket/*” }] }
Example 2: Table bucket policy allows access to tables stored in the ‘hr’ namespace
The following an example table bucket policy allows Jane, a user from
AWS account ID 123456789012 to read tables part of namespace hr in a
table bucket.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "Principal": { "AWS": "arn:aws:iam::123456789012:user/Jane" }, "Action": [ "s3tables:GetTableData", "s3tables:GetTableMetadataLocation" ], "Resource":{ "arn:aws:s3tables:region:account_id:bucket/amzn-s3-demo-bucket1/table/*”} "Condition": { "StringLike": { "s3tables:namespace": "hr" } } ] }
Example 3: Table policy to allow user to delete a table
The following example table policy that allows the IAM role data steward to delete a table.
{ "Version": "2012-10-17", "Id": "DeleteTable", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::account_id:role/datasteward" }, "Action": [ "s3tables:DeleteTable", "s3tables:UpdateTableMetadataLocation", "s3tables:PutTableData", "s3tables:GetTableMetadataLocation" ], "Resource":"arn:aws:s3tables:region:account_id:bucket/amzn-s3-demo-bucket1/table/tableUUID" }] }
