Amazon S3 features supported by bucket policies
The Virtuozzo Infrastructure implementation of the Amazon S3 bucket policies supports the following S3 actions, condition keys, and condition comparators:
Supported S3 actions
| Action | Access level | Resource | Description | Condition keys |
|---|---|---|---|---|
s3:GetObject
|
Read | Object | Grants permission to retrieve objects from a bucket |
|
s3:GetObjectAcl
|
Read | Object | Grants permission to return the access control list (ACL) of an object |
|
s3:GetObjectVersion
|
Read | Object | Grants permission to retrieve a specific version of an object |
|
s3:GetObjectVersionAcl
|
Read | Object | Grants permission to return the access control list (ACL) of a specific object version |
|
| s3:GetObjectTagging | Read | Object | Retrieves the tag set associated with an object |
|
| s3:GetObjectVersionTagging | Read | Object | Retrieves the tag set associated with a specific object version |
|
s3:ListMultipartUploadParts
|
List | Object | Grants permission to list the parts that have been uploaded for a specific multipart upload |
|
s3:ListBucket
|
List | Bucket | Grants permission to list some or all of the objects in a bucket (up to 1000). |
|
s3:ListBucketMultipartUploads
|
List | Bucket | Grants permission to list in-progress multipart uploads |
|
s3:ListBucketVersions
|
List | Bucket | Grants permission to list metadata about all the versions of objects in a bucket |
|
s3:GetBucketAcl
|
Read | Bucket | Grants permission to use the acl subresource to return the access control list (ACL) of a bucket |
|
s3:GetBucketCORS
|
Read | Bucket | Grants permission to return the CORS configuration information set for a bucket |
|
s3:GetBucketLocation
|
Read | Bucket | Grants permission to return the region that a bucket resides in |
|
s3:GetBucketLogging
|
Read | Bucket | Grants permission to return the logging status of a bucket and the permissions users have to view or modify that status |
|
s3:GetBucketNotification
|
Read | Bucket | Grants permission to get the notification configuration of a bucket |
|
s3:GetBucketPolicy
|
Read | Bucket | Grants permission to return the policy of the specified bucket |
|
s3:GetBucketVersioning
|
Read | Bucket | Grants permission to return the versioning state of a bucket |
|
s3:GetBucketWebsite
|
Read | Bucket | Grants permission to return the website configuration for a bucket |
|
s3:GetLifecycleConfiguration
|
Read | Bucket | Grants permission to return the lifecycle configuration information set on a bucket |
|
s3:GetReplicationConfiguration
|
Read | Bucket | Grants permission to get the replication configuration information set on a bucket |
|
s3:PutObject
|
Write | Object | Grants permission to add an object to a bucket |
|
s3:DeleteObject
|
Write | Object | Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object |
|
s3:DeleteObjectVersion
|
Write | Object | Grants permission to remove a specific version of an object |
|
| s3:CopyObject | Write | Object | Copies an object and optionally sets object tags |
|
| s3:PutObjectTagging | Write | Object | Replaces the tag set for an existing object |
|
| s3:CreateMultipartUpload | Write | Object | Initiates a multipart upload and optionally includes object tags |
|
s3:AbortMultipartUpload
|
Write | Object | Grants permission to abort a multipart upload |
|
s3:DeleteBucket
|
Write | Bucket | Grants permission to delete the bucket named in the URI |
|
s3:PutBucketCORS
|
Write | Bucket | Grants permission to set the CORS configuration for a bucket |
|
s3:PutBucketLogging
|
Write | Bucket | Grants permission to set the logging parameters for a bucket |
|
s3:PutBucketNotification
|
Write | Bucket | Grants permission to receive notifications when certain events happen in a bucket |
|
s3:PutBucketRequestPayment
|
Write | Bucket | Grants permission to set the request payment configuration of a bucket |
|
s3:PutBucketVersioning
|
Write | Bucket | Grants permission to set the versioning state of an existing bucket |
|
s3:PutBucketWebsite
|
Write | Bucket | Grants permission to set the configuration of the website that is specified in the website subresource |
|
s3:PutLifecycleConfiguration
|
Write | Bucket | Grants permission to create a new lifecycle configuration for the bucket or replace an existing lifecycle configuration |
|
s3:PutReplicationConfiguration
|
Write | Bucket | Grants permission to create a new replication configuration or replace an existing one |
|
s3:PutBucketPolicy
|
Access management | Bucket | Grants permission to add or replace a bucket policy on a bucket |
|
s3:DeleteBucketPolicy
|
Access management | Bucket | Grants permission to delete the policy on a specified bucket |
|
s3:PutObjectAcl
|
Access management | Object | Grants permission to set the access control list (ACL) permissions for new or existing objects in a bucket |
|
s3:PutObjectVersionAcl
|
Access management | Object | Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket |
|
s3:PutBucketAcl
|
Access management | Bucket | Grants permission to set the permissions on an existing bucket using access control lists (ACLs) |
|
Supported condition keys
Condition keys can be used to restrict access based on request parameters, object metadata, authentication properties, and object tags.
| Condition key | Description | Value |
|---|---|---|
| Request and header-based condition keys | ||
| s3:x-amz-storage-class | Filters access by storage class | String |
| s3:x-amz-acl | Filters access by canned ACL in the request's x-amz-acl header |
String |
| s3:x-amz-grant-full-control | Filters access by x-amz-grant-full-control (full control) header |
String |
| s3:x-amz-grant-read | Filters access by x-amz-grant-read (read access) header |
String |
| s3:x-amz-grant-read-acp | Filters access by the x-amz-grant-read-acp (read permissions for the ACL) header |
String |
| s3:x-amz-grant-write | Filters access by the x-amz-grant-write (write access) header |
String |
| s3:x-amz-grant-write-acp | Filters access by the x-amz-grant-write-acp (write permissions for the ACL) header |
String |
| s3:x-amz-copy-source | Filters access by copy source bucket, prefix, or object in the copy object requests | String |
| s3:x-amz-content-sha256 | Filters access by unsigned content in your bucket | Valid value: UNSIGNED-PAYLOAD |
| s3:x-amz-website-redirect-location | Filters access by a specific website redirect location for buckets that are configured as static websites | String |
|
Authentication and transport condition keys |
||
| s3:TlsVersion | Filters access by the TLS version used by the client | Valid values: 1.2, 1.1, and 1.0 |
| s3:signatureversion | Filters access by the version of AWS Signature used on the request |
Valid values:
|
| s3:signatureAge | Filters access by the age in milliseconds of the request signature | Numeric |
| s3:authType | Filters access by authentication method | Valid values:
REST-HEADER,
REST-QUERY-STRING,
and POST |
| aws:SourceIp | Filters access by IP range | String |
| Object and bucket attribute condition keys | ||
| s3:object-lock-mode | Filters access by object retention mode | Valid values:
COMPLIANCE and GOVERNANCE |
| s3:object-lock-retain-until-date | Filters access by object retain-until date | Date |
| s3:object-lock-legal-hold | Filters access by object legal hold status | String |
| s3:object-lock-remaining-retention-days | Filters access by remaining object retention days | Numeric |
| s3:prefix | Filters access by key name prefix | String |
| s3:versionid | Filters access by a specific object version | String |
| s3:max-keys | Filters access by maximum number of keys returned in a ListBucket request |
Numeric |
| Tag-based condition keys | ||
| s3:ExistingObjectTag/<tag-key> | Filters access based on tags already attached to an object | String |
| s3:RequestObjectTag/<tag-key> | Filters access based on tag key-value pairs included in the request | String |
| s3:RequestObjectTagKeys | Filters access based on the set of tag keys included in the request | String (set operators supported) |
Supported condition operators
Condition operators define how policy conditions are evaluated against request context values, object attributes, and object tags.
| Operator | Description |
|---|---|
| String operators | |
StringEquals
|
Exact matching, case sensitive |
StringNotEquals
|
Negated matching, case sensitive |
StringEqualsIgnoreCase
|
Exact matching, ignoring case |
StringNotEqualsIgnoreCase
|
Negated matching, ignoring case |
StringLike
|
Case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string. Specify wildcards to achieve partial string matches. |
StringNotLike
|
Negated case-sensitive matching. The values can include multi-character match wildcards (*) or single-character match wildcards (?) anywhere in the string. |
| Numeric operators | |
NumericEquals
|
Exact matching |
NumericNotEquals
|
Negated matching |
NumericLessThan
|
"Less than" matching |
NumericLessThanEquals
|
"Less than or equals" matching |
NumericGreaterThan
|
"Greater than" matching |
NumericGreaterThanEquals
|
"Greater than or equals" matching |
| Date operators | |
DateEquals
|
Matching a specific date |
DateNotEquals
|
Negated matching |
DateLessThan
|
Matching before a specific date and time |
DateLessThanEquals
|
Matching at or before a specific date and time |
DateGreaterThan
|
Matching after a specific a date and time |
DateGreaterThanEquals
|
Matching at or after a specific date and time |
| Binary operator | |
BinaryEquals
|
Matching in binary format. It compares the value of the specified key byte for byte against a base-64 encoded representation of the binary value. If the specified key is not present in the request context, the values do not match. |
| IP address operators | |
IpAddress
|
Matching the specified IP address or range |
NotIpAddress
|
Matching all IP addresses except the specified IP address or range |
| Set operators (for multi-value condition keys) | |
ForAllValues:*
|
All values in the request must satisfy the condition |
ForAnyValue:*
|
At least one value in the request must satisfy the condition |
| Null operator | |
Null
|
Evaluates whether the specified condition key is absent ("true") or present ("false"). This operator is commonly used together with set operators to enforce mandatory tagging requirements. |
To learn more about condition operators, refer to the AWS Identity and Access Management User Guide.
See also