Example directory bucket policies for S3 Express One Zone - Amazon Simple Storage Service

This section provides example directory bucket policies for use with the Amazon S3 Express One Zone storage class. To use these policies, replace the user input placeholders with your own information.

Example – Bucket policy to allow CreateSession calls with the default ReadWrite session

The following example bucket policy allows AWS account ID 111122223333 to use the CreateSession API operation with the default ReadWrite session for the specified directory bucket. This policy grants access to the Zonal endpoint (object level) API operations.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadWriteAccess",
      "Effect": "Allow",
      "Resource": "arn:aws:s3express:us-west-2:account-id:bucket/bucket-base-name--azid--x-s3",
      "Principal": {
        "AWS": [
          "111122223333"
        ]
      },
      "Action": [
        "s3express:CreateSession"
      ]
    }
  ]
}

Example – Bucket policy to allow CreateSession calls with a ReadOnly session

The following example bucket policy allows AWS account ID 111122223333 to use the CreateSession API operation. This policy uses the s3express:SessionMode condition key with the ReadOnly value to set a read-only session.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "111122223333"
      },
      "Action": "s3express:CreateSession",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3express:SessionMode": "ReadOnly"
        }
      }
    }
  ]
}

Example – Bucket policy to allow cross-account access for CreateSession calls

The following example bucket policy allows AWS account ID 111122223333 to use the CreateSession API operation for the specified directory bucket that's owned by AWS account ID 444455556666.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CrossAccount",
      "Effect": "Allow",
      "Principal": {
        "AWS": "111122223333"
      },
      "Action": [
        "s3express:CreateSession"
      ],
      "Resource": "arn:aws:s3express:us-west-2:444455556666:bucket/bucket-base-name--azid--x-s3"
    }
  ]
}
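
The three policies above differ in session mode, resource scope, and whether the principal is in the bucket owner's account. The following review script is an added example, not part of the AWS documentation: it reports those three properties for each CreateSession grant. The function name `review_create_session`, the combined sample policy, and the choice of 444455556666 as bucket owner are assumptions made for the example.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account(principal):
    # Principal may be a bare account ID or an IAM ARN (arn:aws:iam::ACCOUNT:...).
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def review_create_session(policy_json, owner_account):
    """Map each Allow statement granting s3express:CreateSession to its findings."""
    report = {}
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        actions = set(_as_list(stmt.get("Action", [])))
        grants = actions & {"s3express:CreateSession", "s3express:*", "*"}
        if stmt.get("Effect") != "Allow" or not grants:
            continue
        findings = []
        # Only the StringEquals operator is inspected (assumption of this example).
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if _as_list(cond.get("s3express:SessionMode")) != ["ReadOnly"]:
            findings.append("not restricted to ReadOnly: ReadWrite sessions allowed")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append("Resource is '*' instead of a directory bucket ARN")
        principal = stmt.get("Principal", "*")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        external = sorted({_account(p) for p in _as_list(aws)} - {owner_account})
        if external:
            findings.append("cross-account principals: " + ", ".join(external))
        report[stmt.get("Sid", "<no Sid>")] = findings
    return report

# Constructed sample modeled on the three statements on this page;
# 444455556666 is assumed to be the bucket owner.
ARN = "arn:aws:s3express:us-west-2:444455556666:bucket/bucket-base-name--azid--x-s3"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadWriteAccess", "Effect": "Allow", "Principal": {"AWS": ["444455556666"]},
     "Action": ["s3express:CreateSession"], "Resource": ARN},
    {"Sid": "ReadOnlyAccess", "Effect": "Allow", "Principal": {"AWS": "111122223333"},
     "Action": "s3express:CreateSession", "Resource": "*",
     "Condition": {"StringEquals": {"s3express:SessionMode": "ReadOnly"}}},
    {"Sid": "CrossAccount", "Effect": "Allow", "Principal": {"AWS": "111122223333"},
     "Action": ["s3express:CreateSession"], "Resource": ARN},
]})

if __name__ == "__main__":
    for sid, findings in review_create_session(SAMPLE_POLICY, "444455556666").items():
        print(sid, findings or ["no findings"])
```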