Specifying permissions in a policy

In a policy, the Action element is used to allow/deny permissions to a resource. There are a set of permissions that you can specify in a policy, which are denoted by the element "Action," or alternatively, "NotAction" for exclusion. Each of these elements maps to specific S3 REST API operations.

The tables lists the permissions that apply to buckets and the permissions that apply to objects.

Permissions that apply to buckets

Permissions	S3 REST API operations	Custom for StorageGRID
s3:CreateBucket	PUT Bucket
s3:DeleteBucket	DELETE Bucket
s3:DeleteBucketMetadataNotification	DELETE Bucket metadata notification configuration	Yes
s3:DeleteBucketPolicy	DELETE Bucket policy
s3:DeleteReplicationConfiguration	DELETE Bucket replication	Yes, separate permissions for PUT and DELETE*
s3:GetBucketAcl	GET Bucket ACL
s3:GetBucketCompliance	GET Bucket compliance	Yes
s3:GetBucketConsistency	GET Bucket consistency	Yes
s3:GetBucketCORS	GET Bucket cors
s3:GetBucketLastAccessTime	GET Bucket last access time	Yes
s3:GetBucketLocation	GET Bucket location
s3:GetBucketMetadataNotification	GET Bucket metadata notification configuration	Yes
s3:GetBucketNotification	GET Bucket notification
s3:GetBucketPolicy	GET Bucket policy
s3:GetBucketTagging	GET Bucket tagging
s3:GetBucketVersioning	GET Bucket versioning
s3:GetLifecycleConfiguration	GET Bucket lifecycle
s3:GetReplicationConfiguration	GET Bucket replication
s3:ListAllMyBuckets	GET Service GET Storage Usage	Yes, for GET Storage Usage
s3:ListBucket	GET Bucket (List Objects) HEAD Bucket POST Object restore
s3:ListBucketMultipartUploads	List Multipart Uploads POST Object restore
s3:ListBucketVersions	GET Bucket versions
s3:PutBucketCompliance	PUT Bucket compliance	Yes
s3:PutBucketConsistency	PUT Bucket consistency	Yes
s3:PutBucketCORS	DELETE Bucket cors† PUT Bucket cors
s3:PutBucketLastAccessTime	PUT Bucket last access time	Yes
s3:PutBucketMetadataNotification	PUT Bucket metadata notification configuration	Yes
s3:PutBucketNotification	PUT Bucket notification
s3:PutBucketPolicy	PUT Bucket policy
s3:PutBucketTagging	DELETE Bucket tagging† PUT Bucket tagging
s3:PutBucketVersioning	PUT Bucket versioning
s3:PutLifecycleConfiguration	DELETE Bucket lifecycle† PUT Bucket lifecycle
s3:PutReplicationConfiguration	PUT Bucket replication	Yes, separate permissions for PUT and DELETE*

* Amazon S3 now uses the s3:PutReplicationConfiguration permission for both the PUT and DELETE Bucket replication actions. StorageGRID uses separate permissions for each action, which matches the original Amazon S3 specification.

† A DELETE is performed when a PUT is used to overwrite an existing value.

Permissions that apply to objects

Permissions	S3 REST API operations	Custom for StorageGRID
s3:AbortMultipartUpload	Abort Multipart Upload POST Object restore
s3:DeleteObject	DELETE Object DELETE Multiple Objects POST Object restore
s3:DeleteObjectTagging	DELETE Object Tagging
s3:DeleteObjectVersionTagging	DELETE Object Tagging (a specific version of the object)
s3:DeleteObjectVersion	DELETE Object (a specific version of the object)
s3:GetObject	GET Object HEAD Object POST Object restore
s3:GetObjectAcl	GET Object ACL
s3:GetObjectTagging	GET Object Tagging
s3:GetObjectVersionTagging	GET Object Tagging (a specific version of the object)
s3:GetObjectVersion	GET Object (a specific version of the object)
s3:ListMultipartUploadParts	List Parts, POST Object restore
s3:PutObject	PUT Object PUT Object - Copy POST Object restore Initiate Multipart Upload Complete Multipart Upload Upload Part Upload Part - Copy
s3:PutObjectTagging	PUT Object Tagging
s3:PutObjectVersionTagging	PUT Object Tagging (a specific version of the object)
s3:PutOverwriteObject	PUT Object PUT Object - Copy PUT Object tagging DELETE Object tagging Complete Multipart Upload	Yes
s3:RestoreObject	POST Object restore