Amazon S3 features supported by bucket policies

The Virtuozzo Hybrid Infrastructure implementation of the Amazon S3 bucket policies supports the following S3 actions, condition keys, and condition comparators:

Supported S3 actions

| Action | Access level | Resource | Description | Condition keys |
|---|---|---|---|---|
| s3:GetObject | Read | Object | Grants permission to retrieve objects from a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetObjectAcl | Read | Object | Grants permission to return the access control list (ACL) of an object | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetObjectVersion | Read | Object | Grants permission to retrieve a specific version of an object | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:versionid, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetObjectVersionAcl | Read | Object | Grants permission to return the access control list (ACL) of a specific object version | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:versionid, s3:x-amz-content-sha256, aws:SourceIp |
| s3:ListMultipartUploadParts | List | Object | Grants permission to list the parts that have been uploaded for a specific multipart upload | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:versionid, s3:x-amz-content-sha256, aws:SourceIp |
| s3:ListBucket | List | Bucket | Grants permission to list some or all of the objects in a bucket (up to 1000) | s3:authType, s3:max-keys, s3:prefix, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:ListBucketMultipartUploads | List | Bucket | Grants permission to list in-progress multipart uploads | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:ListBucketVersions | List | Bucket | Grants permission to list metadata about all the versions of objects in a bucket | s3:authType, s3:max-keys, s3:prefix, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetBucketAcl | Read | Bucket | Grants permission to use the acl subresource to return the access control list (ACL) of a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetBucketCORS | Read | Bucket | Grants permission to return the CORS configuration information set for a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetBucketLocation | Read | Bucket | Grants permission to return the region that a bucket resides in | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetBucketLogging | Read | Bucket | Grants permission to return the logging status of a bucket and the permissions users have to view or modify that status | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetBucketNotification | Read | Bucket | Grants permission to get the notification configuration of a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetBucketPolicy | Read | Bucket | Grants permission to return the policy of the specified bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetBucketVersioning | Read | Bucket | Grants permission to return the versioning state of a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetBucketWebsite | Read | Bucket | Grants permission to return the website configuration for a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetLifecycleConfiguration | Read | Bucket | Grants permission to return the lifecycle configuration information set on a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:GetReplicationConfiguration | Read | Bucket | Grants permission to get the replication configuration information set on a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutObject | Write | Object | Grants permission to add an object to a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-copy-source, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-storage-class, s3:x-amz-website-redirect-location, s3:object-lock-mode, s3:object-lock-retain-until-date, s3:object-lock-remaining-retention-days, s3:object-lock-legal-hold, aws:SourceIp |
| s3:DeleteObject | Write | Object | Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:DeleteObjectVersion | Write | Object | Grants permission to remove a specific version of an object | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:versionid, s3:x-amz-content-sha256, aws:SourceIp |
| s3:AbortMultipartUpload | Write | Object | Grants permission to abort a multipart upload | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:DeleteBucket | Write | Bucket | Grants permission to delete the bucket named in the URI | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutBucketCORS | Write | Bucket | Grants permission to set the CORS configuration for a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutBucketLogging | Write | Bucket | Grants permission to set the logging parameters for a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutBucketNotification | Write | Bucket | Grants permission to receive notifications when certain events happen in a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutBucketRequestPayment | Write | Bucket | Grants permission to set the request payment configuration of a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutBucketVersioning | Write | Bucket | Grants permission to set the versioning state of an existing bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutBucketWebsite | Write | Bucket | Grants permission to set the configuration of the website that is specified in the website subresource | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutLifecycleConfiguration | Write | Bucket | Grants permission to create a new lifecycle configuration for the bucket or replace an existing lifecycle configuration | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutReplicationConfiguration | Write | Bucket | Grants permission to create a new replication configuration or replace an existing one | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutBucketPolicy | Access management | Bucket | Grants permission to add or replace a bucket policy on a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:DeleteBucketPolicy | Access management | Bucket | Grants permission to delete the policy on a specified bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-content-sha256, aws:SourceIp |
| s3:PutObjectAcl | Access management | Object | Grants permission to set the access control list (ACL) permissions for new or existing objects in a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-storage-class, aws:SourceIp |
| s3:PutObjectVersionAcl | Access management | Object | Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:versionid, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, s3:x-amz-storage-class, aws:SourceIp |
| s3:PutBucketAcl | Access management | Bucket | Grants permission to set the permissions on an existing bucket using access control lists (ACLs) | s3:authType, s3:signatureAge, s3:signatureversion, s3:TlsVersion, s3:x-amz-acl, s3:x-amz-content-sha256, s3:x-amz-grant-full-control, s3:x-amz-grant-read, s3:x-amz-grant-read-acp, s3:x-amz-grant-write, s3:x-amz-grant-write-acp, aws:SourceIp |

Supported condition keys

| Condition key | Description | Value |
|---|---|---|
| s3:x-amz-storage-class | Filters access by storage class | String |
| s3:x-amz-acl | Filters access by canned ACL in the request's x-amz-acl header | String |
| s3:x-amz-grant-full-control | Filters access by the x-amz-grant-full-control (full control) header | String |
| s3:x-amz-grant-read | Filters access by the x-amz-grant-read (read access) header | String |
| s3:x-amz-grant-read-acp | Filters access by the x-amz-grant-read-acp (read permissions for the ACL) header | String |
| s3:x-amz-grant-write | Filters access by the x-amz-grant-write (write access) header | String |
| s3:x-amz-grant-write-acp | Filters access by the x-amz-grant-write-acp (write permissions for the ACL) header | String |
| s3:x-amz-copy-source | Filters access by copy source bucket, prefix, or object in copy object requests | String |
| s3:TlsVersion | Filters access by the TLS version used by the client | Valid values: 1.2, 1.1, and 1.0 |
| s3:x-amz-content-sha256 | Filters access by unsigned content in your bucket | Valid value: UNSIGNED-PAYLOAD |
| s3:signatureversion | Filters access by the version of AWS Signature used on the request | Valid values: AWS (identifies Signature Version 2), AWS4-HMAC-SHA256 (identifies Signature Version 4) |
| s3:signatureAge | Filters access by the age in milliseconds of the request signature | Numeric |
| s3:authType | Filters access by authentication method | Valid values: REST-HEADER, REST-QUERY-STRING, and POST |
| s3:x-amz-website-redirect-location | Filters access by a specific website redirect location for buckets that are configured as static websites | String |
| s3:object-lock-mode | Filters access by object retention mode | Valid values: COMPLIANCE and GOVERNANCE |
| s3:object-lock-retain-until-date | Filters access by object retain-until date | Date |
| s3:object-lock-legal-hold | Filters access by object legal hold status | String |
| s3:object-lock-remaining-retention-days | Filters access by remaining object retention days | Numeric |
| s3:prefix | Filters access by key name prefix | String |
| s3:versionid | Filters access by a specific object version | String |
| s3:max-keys | Filters access by the maximum number of keys returned in a ListBucket request | Numeric |
| aws:SourceIp | Filters access by IP range | String |

Supported condition operators

| Condition operator | Description |
|---|---|
| StringEquals | Exact matching, case sensitive |
| StringNotEquals | Negated matching, case sensitive |
| StringEqualsIgnoreCase | Exact matching, ignoring case |
| StringNotEqualsIgnoreCase | Negated matching, ignoring case |
| StringLike | Case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string. Specify wildcards to achieve partial string matches. |
| StringNotLike | Negated case-sensitive matching. The values can include multi-character match wildcards (*) or single-character match wildcards (?) anywhere in the string. |
| NumericEquals | Exact matching |
| NumericNotEquals | Negated matching |
| NumericLessThan | "Less than" matching |
| NumericLessThanEquals | "Less than or equals" matching |
| NumericGreaterThan | "Greater than" matching |
| NumericGreaterThanEquals | "Greater than or equals" matching |
| DateEquals | Matching a specific date |
| DateNotEquals | Negated matching |
| DateLessThan | Matching before a specific date and time |
| DateLessThanEquals | Matching at or before a specific date and time |
| DateGreaterThan | Matching after a specific date and time |
| DateGreaterThanEquals | Matching at or after a specific date and time |
| BinaryEquals | Matching in binary format. It compares the value of the specified key byte for byte against a base64-encoded representation of the binary value. If the specified key is not present in the request context, the values do not match. |
| IpAddress | Matching the specified IP address or range |
| NotIpAddress | Matching all IP addresses except the specified IP address or range |
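As an added example (not code from this page, Virtuozzo or AWS), a small Python evaluator that applies the operators above to the condition keys from the earlier tables, with a constructed set of Deny statements a defender would put on a bucket to require TLS 1.2, signed payloads and a known source IP range; the request context dictionaries and the 203.0.113.0/24 range are assumptions for the demonstration.

```python
import ipaddress
import re
from datetime import datetime
# Added example (not Virtuozzo's or AWS's code): a minimal evaluator for the
# Condition block of a bucket-policy statement, using the operators and keys above.
def _like(value, pattern):  # IAM wildcards: '*' any run of characters, '?' one
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _dt(s):  # ISO 8601 timestamps such as 2030-01-01T00:00:00Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

OPERATORS = {
    "StringEquals": lambda v, p: v == p,
    "StringNotEquals": lambda v, p: v != p,
    "StringLike": _like,
    "StringNotLike": lambda v, p: not _like(v, p),
    "NumericEquals": lambda v, p: float(v) == float(p),
    "NumericLessThan": lambda v, p: float(v) < float(p),
    "NumericGreaterThanEquals": lambda v, p: float(v) >= float(p),
    "DateLessThan": lambda v, p: _dt(v) < _dt(p),
    "IpAddress": _in_net,
    "NotIpAddress": lambda v, p: not _in_net(v, p),
}

def condition_matches(condition, ctx):
    """All operator blocks must match; within one key any listed value may match;
    a key missing from the request context never matches."""
    for op, keys in condition.items():
        for key, expected in keys.items():
            values = expected if isinstance(expected, list) else [expected]
            if key not in ctx or not any(OPERATORS[op](ctx[key], p) for p in values):
                return False
    return True

# Constructed sample: Deny statements a defender would add to a bucket policy
# (203.0.113.0/24 is a documentation address range, assumed here).
DENY_STATEMENTS = [
    {"Action": "s3:*", "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}},
    {"Action": "s3:PutObject",
     "Condition": {"StringEquals": {"s3:x-amz-content-sha256": "UNSIGNED-PAYLOAD"}}},
    {"Action": "s3:*", "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
]

def is_denied(action, ctx):  # True when any Deny statement applies to the request
    return any(s["Action"] in ("s3:*", action) and condition_matches(s["Condition"], ctx)
               for s in DENY_STATEMENTS)
```

Note that a Deny whose key is absent from the request context does not fire, so a policy that must cover unauthenticated or header-less requests should pair each plain operator with an explicit check rather than relying on the missing key.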

To learn more about condition operators, refer to the AWS Identity and Access Management User Guide.