Identity and Bucket Policy Format
Identity and bucket policies support a subset of elements listed in Amazon's IAM JSON Policy Reference.
Both identity and bucket policies comprise a series of statements. Each statement allows or denies a set of S3 actions on a set of S3 resources.
The identity policy syntax is:
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "<SID>",
("Action" | "NotAction"): (
"s3:<ACTION>" |
["s3:<ACTION1>", "s3:<ACTION2>", ...] |
"*"),
"Effect": (
"Allow" |
"Deny"),
("Resource" | "NotResource"): (
[<resource1>, <resource2>, ...] |
"*"),
"Condition": {"<operator>": {"<key>": "<value>"}}
}]
} The bucket policy syntax is:
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "<SID>",
"Principal": (
"User": "<username@domainname>" |
"User": ["<username1@domainname1>", "<username2@domainname2>", ...] |
"Group": "<groupname@domainname>" |
"Group": ["<groupname1@domainname1>", "<groupname2@domainname2>", ...] |
"*")
("Action" | "NotAction"): (
"s3:<ACTION>" |
["s3:<ACTION1>", "s3:<ACTION2>", ...] |
"*"),
"Effect": (
"Allow" |
"Deny"),
("Resource" | "NotResource"): (
[<resource1>, <resource2>, ...] |
"*"),
"Condition": {"<operator>": {"<key>": "<value>"}}
}]
}
Syntax rules and conventions:
The following characters are JSON tokens and are included in policies:
{ } [ ] " , :The following characters are special characters in the grammar and are not included in policies:
= < > ( ) |If an element allows multiple values, it is indicated using repeated values, a comma delimiter, and an ellipsis (...). For example:
[<resource1>, <resource2>, ...]If multiple values are allowed, it is also valid to include only one value. For only one value, the trailing comma must be omitted. If the element takes an array (marked with [ and ]) but only one value is included, the brackets are optional.
For example, both of the following are valid, with and without the brackets:
"Action": [<action>]and"Action": <action>A vertical line (|) between elements indicates alternatives. Parentheses in the syntax define the scope of the alternatives, for example:
("Action" | "NotAction")Elements that must be literal strings are enclosed in double quotation marks ("). For example,
"Allow".
Supported Elements in Identity and Bucket Policies
Version(Required) Specifies the version of the policy language (language syntax rules that are to be used to process the policy).
"Version": "2012-10-17"
The only valid value is
2012-10-17.Statement(Optional) Acts as a container for one or more permission statements.
"Statement": [{ <...> }]Each permission statement under the
Statementelement must be enclosed in curly braces { }. For multiple statements, the array must be enclosed in square brackets [ ].Sid(Optional) An optional identifier that you can assign to each permission statement under the
Statementelement. The SID must be unique within a policy.Note
You can't retrieve a particular statement based on the SID value.
"Sid": "<SID>"
<SID>can include ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9).Principal(Required in bucket policies, not used in identity policies) Lists one or more users or groups for which the specified actions are allowed or denied in a bucket policy.
"Principal": {( "User": "<username@domain>" | "User": ["<username1@domain1>", "<username2@domain2>", ...] | "Group": "<groupname@domain>" | "Group": ["<groupname1@domain1>", "<groupname2@domain2>", ...] | "*")}"*"denotes all principals.In addition to the formats shown above, you can also specify users and groups in the same statement:
"Principal": {"User": ["username1@domain1", "username2@domain2"], "Group": ["groupname1@domain1", "groupname2@domain2"]}If there are multiple authentication and authorization providers configured for a tenant, specifying the domain name is obligatory for non-local users. Otherwise, you can omit the
@domainpart.If a user or group exists on an Active Directory provider and is specified without the domain name, VAST Cluster matches the user or group against the joined domain.
ActionNotAction(Required) Determines which actions are allowed or denied, depending on the policy effect:
ActionNotActionEffectisAllowAny actions listed under
Actionare allowed.Any actions that are not listed under
NotActionare allowed.EffectisDenyAny actions listed under
Actionare denied.Any actions that are not listed under
NotActionare denied.Tip
Using
NotActioncan result in a shorter policy by listing only a few actions that should not match, rather than including a long list of actions that will match.("Action" | "NotAction"): ("s3:<ACTION>" | ["s3:<ACTION1>", "s3:<ACTION2>", ...] | "*")<ACTION>is the AWS S3 action name of any supported S3 action:"Action": "s3:GetObject"
Note
For supported actions and their Amazon S3 action names, see Supported S3 Requests.
You can use wildcards, for example:
To specify all actions beginning with Get, such as GetBucket, GetObject :
"Action": "s3:Get*"
To specify all actions that include the string Object, such as GetObject, DeleteObject, ListObjects:
"Action": "S3:*Object*"
To specify all actions:
"Action": "S3:*"
"Action": "*"
Effect(Required) Determines whether the statement results in an allow or an explicit deny of the actions.
"Effect": ("Allow" | "Deny")ResourceNotResource(Required) Lists buckets and/or objects to which the policy statement applies.
With
Resource, the policy statement applies to the specified buckets and/or objects.With
NotResource, the policy statement applies to any buckets and/or objects except those specified.
("Resource" | "NotResource"): ( [<resource1>, <resource2>, ...] | "*")You can specify one or more resource elements in a statement.
You can use wildcards, for example:
To specify a bucket:
"Resource": "arn:aws:s3:::<bucketname>"
To specify all objects in a bucket:
"Resource": "arn:aws:s3:::<bucketname>/*"
To specify all objects in a bucket that have a certain prefix:
"Resource": "arn:aws:s3:::<bucketname>/<prefix>*"
To specify an object in a bucket:
"Resource": "arn:aws:s3:::<bucketname>/<objectname>"
To specify all buckets and objects:
"Resource": "*"
Note
A bucket policy must explicitly specify the name of the bucket to which it applies.
The
<resource>string can include supported variables.Condition(Optional) Lists conditions to limit the effect of the policy to only those requests that match the conditions specified. A condition statement includes a supported operator, a condition key and a key value.
"Condition": {"<operator>": {"<key>": "<value>"}}To evaluate keys with multiple values, include a supported condition key qualifier:
"Condition": {"<qualifier>:<operator>": {"<key>": ["<value1>", "<value2>", ...]}}String values (
<value>) can include supported variables.
Supported Condition Operators
The following AWS IAM JSON policy condition operators are supported in identity and bucket policies.
The IfExists suffix means that if the condition key is not present in the request context, the policy statement is evaluated as a match (true) and the policy effect applies.
Type | Operator | Description |
|---|---|---|
General |
| If the value is true ( If the value is false ( |
String |
| The policy is in effect when the condition key matches the string specified as the value. The value can include supported variables. The comparison is case-sensitive. |
| The policy is in effect when the condition key does not match the string specified as the value. The value can include supported variables. The comparison is case-sensitive. | |
| The policy is in effect when the condition key matches the string specified as the value. The value can include supported variables. The comparison is case-insensitive. | |
| The policy is in effect when the condition key does not match the string specified as the value. The value can include supported variables. The comparison is case-insensitive. | |
| The policy is in effect when the condition key matches the string specified as the value, which can include the following wildcards:
The value can include supported variables. The comparison is case-sensitive. | |
| The policy is in effect when the condition key does not match the string specified as the value, which can include the following wildcards:
The value can include supported variables. The comparison is case-sensitive. | |
Numeric |
| The policy is in effect when the condition key equals the number specified as the value. |
| The policy is in effect when the condition key does not equal the number specified as the value. | |
| The policy is in effect when the condition key is less than the number specified as the value. | |
| The policy is in effect when the condition key is less than or equals the number specified as the value. | |
| The policy is in effect when the condition key is greater than the value specified as the number. | |
| The policy is in effect when the condition key is greater than or equals the value specified as the number. | |
Boolean |
| The policy is in effect when the condition key matches the value. The value can be True or False. |
Binary |
| The policy is in effect when the condition key equals the binary number specified as the value. |
IP address |
| The policy is in effect when the condition key matches the IP address or a range of IP addresses specified as the value. |
| The policy is in effect when the condition key does not match the IP address or a range of IP addresses specified as the value. |
Supported Condition Keys per S3 Action
The following AWS IAM JSON policy condition keys can be included in the Condition element of an identity or bucket policy to compare a value from the request to the value specified in the policy:
General conditions
Condition Key
Description
Action(s)
aws:SourceIpRequester's IP address
Any action
aws:UserAgentRequester's client application
Any action
aws:CurrentTimeDate and time (UTC) of the request
Any action
aws:EpochTimeDate and time (UTC) of the request in epoch or Unix time
Any action
aws:useridRequester's principal ID
Any action
s3:authTypeAuthentication method:
REST-HEADER,REST-QUERY-STRINGorPOST.Any action
s3:TlsVersionClient's TLS version
Any action
vast:protocolStorage access protocol (NFSv3, NFSv4, SMB, S3)
Any action
Request signing
Condition Key
Description
Action(s)
s3:signatureAgeHow long the signature is valid in a authenticated request (in milliseconds).
This condition applies to presigned URLs and presigned POST requests.
With AWS Signature 4, the maximum allowed signature age is 7 days, which can be further limited using this condition. With AWS Signature 2, the signature age is always 0.
Any action
s3:signatureversionAWS Signature version:
AWSfor version 2,AWS4-HMAC-SHA256for version 4.Any action
s3:x-amz-content-sha256Unsigned content
AbortMultipartUpload
CreateBucket
DeleteBucket
DeleteBucketPolicy
DeleteObjectVersion
GetBucketAcl
GetBucketLocation
GetBucketOwnershipControls
GetBucketPolicy
GetLifecycleConfiguration
GetObject
GetObjectAcl
GetObjectTagging
GetObjectVersion
GetObjectVersionAcl
DeleteObject
DeleteObjectTagging
DeleteObjectVersionTagging
GetObjectLegalHold
GetObjectRetention
GetObjectVersionTagging
ListAllMyBuckets
ListBucket
ListBucketMultiparUploads
ListBucketVersions
ListMultipartUploadPart
PutBucketAcl
PutBucketOwnershipControls
PutBucketPolicy
PutBucketTagging
PutBucketVersioning
PutLifecycleConfiguration
PutObject
PutObjectAcl
PutObjectLegalHold
PutObjectRetention
PutObjectTagging
PutObjectVersionTagging
Object tagging
Condition Key
Description
Action(s)
s3:RequestObjectTag/<key>Tag keys and values to be added to objects
BypassGovernanceRetention
DeleteObjectTagging
DeleteObjectVersionTagging
GetObject
GetObjectAcl
GetObjectTagging
GetObjectVersion
GetObjectVersionAcl
GetObjectVersionTagging
PutObject
PutObjectAcl
PutObjectTagging
PutObjectVersionTagging
s3:RequestObjectTagKeysTag keys to be added to objects
BypassGovernanceRetention
PutObject
PutObjectTagging
PutObjectVersionTagging
Permissions
Condition Key
Description
Action(s)
s3:x-amz-aclAn
x-amz-aclheader with a canned ACL. Valid values:privatepublic-readpublic-read-writeaws-exec-readauthenticated-readbucket-owner-readbucket-owner-full-controllog-delivery-write
BypassGovernanceRetention
CreateBucket
PutBucketAcl
PutObject
PutObjectAcl
s3:x-amz-grant-full-controlRequires that the S3 request includes a header that provides full control permissions to the bucket owner.
BypassGovernanceRetention
CreateBucket
PutBucketAcl
PutObject
PutObjectAcl
s3:x-amz-grant-readRequires that the S3 request includes a header that provides read permissions to the bucket owner.
BypassGovernanceRetention
CreateBucket
PutBucketAcl
PutObject
PutObjectAcl
s3:x-amz-grant-read-acpRequires that the S3 request includes a header that provides permissions to read ACL to the bucket owner.
BypassGovernanceRetention
CreateBucket
PutBucketAcl
PutObject
PutObjectAcl
s3:x-amz-grant-writeRequires that the S3 request includes a header that provides write permissions to the bucket owner.
BypassGovernanceRetention
CreateBucket
PutBucketAcl
PutObject
PutObjectAcl
s3:x-amz-grant-write-acpRequires that the S3 request includes a header that provides permissions to write ACL to the bucket owner.
BypassGovernanceRetention
CreateBucket
PutBucketAcl
PutObject
PutObjectAcl
Object ownership
Condition Key
Description
Action(s)
s3:x-amz-object-ownershipObject ownership:
BucketOwnerEnforcedorObjectWriterCreateBucket
Object versioning
Condition Key
Description
Action(s)
s3:versionidObject version
DeleteObjectVersion
DeleteObjectVersionTagging
GetObjectVersion
GetObjectVersionAcl
GetObjectVersionTagging
PutObjectAcl
PutObjectVersionTagging
Object retention
Condition Key
Description
Action(s)
s3:object-lock-modeObject retention mode (COMPLIANCE or GOVERNANCE)
BypassGovernanceRetention
PutObject
PutObjectRetention
s3:object-lock-retain-until-dateObject retain-until date
BypassGovernanceRetention
PutObject
PutObjectRetention
s3:object-lock-remaining-retention-daysRemaining object retention days
BypassGovernanceRetention
PutObject
PutObjectRetention
s3:object-lock-legal-holdObject legal hold status
BypassGovernanceRetention
PutObject
PutObjectLegalHold
PutObjectRetention
Copying objects
Condition Key
Description
Action(s)
s3:x-amz-copy-sourceA specific source bucket, prefix or object in copy object requests
BypassGovernanceRetention
PutObject
s3:x-amz-metadata-directiveObject metadata processing mode (copy or replace) for copy object requests
BypassGovernanceRetention
PutObject
Listing buckets
Condition Key
Description
Action(s)
s3:delimiterDelimiter specified in the request. The only supported delimiter is a forward slash (/).
ListBucket
ListBucketVersions
s3:max-keysMaximum number of keys returned per ListBucket request
ListBucket
ListBucketVersions
s3:prefixKey name prefix
ListBucket
ListBucketVersions
Supported Condition Key Qualifiers for Keys with Multiple Values
The ForAllValues and ForAnyValue qualifiers let you compare request context keys with multiple values against a set of multiple values in a policy condition statement.
Qualifier | Description |
|---|---|
| The policy is in effect when each key value in the request matches at least one of the multiple values for the key in the policy, and also when the request key is empty or does not exist. |
| The policy is in effect when at least one key value in the request matches one of the multiple values for the key in the policy. When the request key is empty or does not exist, the policy is not in effect. |
Supported Variables
The following AWS IAM JSON policy variables can be included in the resource names under the Resource and element and in condition values under the Condition element:
${BucketName}${ObjectName}${username}
For example:
"Condition" : {
"StringEquals" : {
"s3:x-amz-grant-read"; : "id=${BucketName}"
},Identity Policy Examples
The following identity policy grants a user access to one of your buckets, bucket1, and allows the user to add, update and delete objects.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action": "s3:ListAllMyBuckets",
"Resource":"*"
},
{
"Effect":"Allow",
"Action":["s3:ListObjects","s3:GetBucketLocation"],
"Resource":"arn:aws:s3:::bucket1"
},
{
"Effect":"Allow",
"Action":[
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource":"arn:aws:s3:::bucket1/*"
}
]
}The following identity policy grants permission to perform the GetObject action on all objects in the bucket dev:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow All GetObject in dev Bucket",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::dev/*"
}
]
}The following identity policy grants permission for multiple actions on the bucket product and on all objects in the same bucket, while also denying delete permission on the same bucket and objects.
{ "Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow multiple actions on product bucket and its objects",
"Action": [
"s3:Get*",
"s3:Put*",
"s3:Head*",
"s3:List*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::product",
"arn:aws:s3:::product/*"
]
},
{
"Sid": "Deny delete product bucket and objects",
"Action": [
"s3:DeleteBucket",
"s3:DeleteObject"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::product",
"arn:aws:s3:::product/*"
]
}
]}Bucket Policy Examples
The following bucket policy allows users from the students group to read objects in bucket bucket1:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Let students read",
"Effect": "Allow",
"Principal": {"Group": "students@example.com"},
"Action": [ "s3:GetObject", "s3:ListBucket" ],
"Resource": ["arn:aws:s3:::bucket1","arn:aws:s3:::bucket1/*"]
}
]
}The following bucket policy prohibits users Kevin and Martin from reading objects object with an object tag of 'category' with a value 'reports':
{
"Version":"2012-10-17",
"Statement":[{
"Principal":{ "User": ["kevin@example.com", "martin@example.com"]},
"Effect":"Deny",
"Action":["s3:GetObject", "s3:GetObjectVersion"],
"Resource": ["arn:aws:s3:::bucket1/*"],
"Condition":{"StringEquals":{"s3:ExistingObjectTag/category":"reports"}}
}]
}