Specifying permissions in a policy

In a policy, you use the Action element to allow or deny permissions on a resource. A fixed set of permissions is available for use in policies; you name them in the Action element, or in the NotAction element to exclude them. Each permission corresponds to a specific S3 REST API operation.

The following tables list the permissions that apply to buckets and the permissions that apply to objects.

Permissions that apply to buckets

| Permission | S3 REST API operation | StorageGRID custom setting |
|---|---|---|
| s3:CreateBucket | PUT Bucket | |
| s3:DeleteBucket | DELETE Bucket | |
| s3:DeleteBucketMetadataNotification | DELETE Bucket metadata notification configuration | |
| s3:DeleteBucketPolicy | DELETE Bucket policy | |
| s3:DeleteReplicationConfiguration | DELETE Bucket replication | Yes (separate permissions for PUT and DELETE*) |
| s3:GetBucketAcl | GET Bucket ACL | |
| s3:GetBucketCompliance | GET Bucket compliance | |
| s3:GetBucketConsistency | GET Bucket consistency | |
| s3:GetBucketCORS | GET Bucket cors | |
| s3:GetBucketLastAccessTime | GET Bucket last access time | |
| s3:GetBucketLocation | GET Bucket location | |
| s3:GetBucketMetadataNotification | GET Bucket metadata notification configuration | |
| s3:GetBucketNotification | GET Bucket notification | |
| s3:GetBucketPolicy | GET Bucket policy | |
| s3:GetBucketTagging | GET Bucket tagging | |
| s3:GetBucketVersioning | GET Bucket versioning | |
| s3:GetLifecycleConfiguration | GET Bucket lifecycle | |
| s3:GetReplicationConfiguration | GET Bucket replication | |
| s3:ListAllMyBuckets | GET Service, GET Storage Usage | Yes (GET Storage Usage) |
| s3:ListBucket | GET Bucket (List Objects), HEAD Bucket, POST Object restore | |
| s3:ListBucketMultipartUploads | List Multipart Uploads, POST Object restore | |
| s3:ListBucketVersions | GET Bucket versions | |
| s3:PutBucketCompliance | PUT Bucket compliance | |
| s3:PutBucketConsistency | PUT Bucket consistency | |
| s3:PutBucketCORS | DELETE Bucket cors†, PUT Bucket cors | |
| s3:PutBucketLastAccessTime | PUT Bucket last access time | |
| s3:PutBucketMetadataNotification | PUT Bucket metadata notification configuration | |
| s3:PutBucketNotification | PUT Bucket notification | |
| s3:PutBucketPolicy | PUT Bucket policy | |
| s3:PutBucketTagging | DELETE Bucket tagging†, PUT Bucket tagging | |
| s3:PutBucketVersioning | PUT Bucket versioning | |
| s3:PutLifecycleConfiguration | DELETE Bucket lifecycle†, PUT Bucket lifecycle | |
| s3:PutReplicationConfiguration | PUT Bucket replication | Yes (separate permissions for PUT and DELETE*) |

*Amazon S3 now uses the s3:PutReplicationConfiguration permission for both the PUT Bucket replication and DELETE Bucket replication actions. StorageGRID uses a separate permission for each action (Amazon S3's original specification).

†DELETE is performed when an existing value is overwritten using PUT.

Permissions that apply to objects

| Permission | S3 REST API operation | StorageGRID custom setting |
|---|---|---|
| s3:AbortMultipartUpload | Abort Multipart Upload, POST Object restore | |
| s3:DeleteObject | DELETE Object, DELETE Multiple Objects, POST Object restore | |
| s3:DeleteObjectTagging | DELETE Object Tagging | |
| s3:DeleteObjectVersionTagging | DELETE Object Tagging (specific version of an object) | |
| s3:DeleteObjectVersion | DELETE Object (specific version of an object) | |
| s3:GetObject | GET Object, HEAD Object, POST Object restore | |
| s3:GetObjectAcl | GET Object ACL | |
| s3:GetObjectTagging | GET Object Tagging | |
| s3:GetObjectVersionTagging | GET Object Tagging (specific version of an object) | |
| s3:GetObjectVersion | GET Object (specific version of an object) | |
| s3:ListMultipartUploadParts | List Parts, POST Object restore | |
| s3:PutObject | PUT Object, PUT Object - Copy, POST Object restore, Initiate Multipart Upload, Complete Multipart Upload, Upload Part, Upload Part - Copy | |
| s3:PutObjectTagging | PUT Object Tagging | |
| s3:PutObjectVersionTagging | PUT Object Tagging (specific version of an object) | |
| s3:PutOverwriteObject | PUT Object, PUT Object - Copy, PUT Object tagging, DELETE Object tagging, Complete Multipart Upload | |
| s3:RestoreObject | POST Object restore | |
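The following added example (not StorageGRID's own code) shows how the Action/NotAction matching described above and the replication footnote play out when a REST operation is checked against a bucket policy: a request is mapped to its permission, statements whose Resource and Action (or NotAction) cover it are collected, and an explicit Deny wins over any Allow. The operation-to-permission table is a subset of the page's mapping; the policy, bucket name and ARN format are constructed for illustration.

```python
import fnmatch
import json

# Subset of the page's operation-to-permission mapping. Note the StorageGRID-specific
# split: DELETE Bucket replication needs s3:DeleteReplicationConfiguration, not the
# Put permission that current Amazon S3 reuses for both actions.
OPERATION_PERMISSION = {
    "PUT Bucket replication": "s3:PutReplicationConfiguration",
    "DELETE Bucket replication": "s3:DeleteReplicationConfiguration",
    "GET Bucket replication": "s3:GetReplicationConfiguration",
    "GET Bucket (List Objects)": "s3:ListBucket",
    "GET Object": "s3:GetObject",
    "HEAD Object": "s3:GetObject",
    "PUT Object": "s3:PutObject",
    "DELETE Object": "s3:DeleteObject",
}

def _matches_any(name, patterns):
    """IAM-style wildcard match ("*" and "?") of name against a string or list of patterns."""
    patterns = [patterns] if isinstance(patterns, str) else list(patterns or [])
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def statement_applies(stmt, permission, resource):
    """True when the statement's Resource and Action/NotAction cover the request."""
    if not _matches_any(resource, stmt.get("Resource")):
        return False
    if "Action" in stmt:
        return _matches_any(permission, stmt["Action"])
    # NotAction: the statement covers every permission except those listed
    return not _matches_any(permission, stmt["NotAction"])

def is_allowed(policy, operation, resource):
    """Decide a REST operation: explicit Deny wins, otherwise any Allow, else implicit deny."""
    permission = OPERATION_PERMISSION[operation]
    effects = {s["Effect"] for s in policy["Statement"] if statement_applies(s, permission, resource)}
    return "Deny" not in effects and "Allow" in effects

# Constructed sample policy (not from the page): replication may be configured on
# "mybucket", objects may be handled except deleted, and nothing is written under "locked/".
SAMPLE_POLICY = json.loads("""{
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutReplicationConfiguration", "s3:GetReplicationConfiguration"],
     "Resource": "arn:aws:s3:::mybucket"},
    {"Effect": "Allow", "NotAction": "s3:DeleteObject", "Resource": "arn:aws:s3:::mybucket/*"},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::mybucket/locked/*"}
  ]
}""")
```

Under this mapping the sample policy allows PUT Bucket replication but not DELETE Bucket replication, because StorageGRID checks a separate permission for the delete; a policy written against current Amazon S3 semantics would need s3:DeleteReplicationConfiguration added explicitly.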