Specifying permissions in a policy

In a policy, the Action element specifies the permissions that a statement allows or denies on a resource. The permissions you can name in a policy are listed in the "Action" element, or in the "NotAction" element to make the statement apply to every permission except those listed. Each permission maps to specific S3 REST API operations.

The following tables list the permissions that apply to buckets and the permissions that apply to objects.

Permissions that apply to buckets

| Permissions | S3 REST API operations | Custom for StorageGRID |
|---|---|---|
| s3:CreateBucket | PUT Bucket | |
| s3:DeleteBucket | DELETE Bucket | |
| s3:DeleteBucketMetadataNotification | DELETE Bucket metadata notification configuration | Yes |
| s3:DeleteBucketPolicy | DELETE Bucket policy | |
| s3:DeleteReplicationConfiguration | DELETE Bucket replication | Yes, separate permissions for PUT and DELETE* |
| s3:GetBucketAcl | GET Bucket ACL | |
| s3:GetBucketCompliance | GET Bucket compliance (deprecated) | Yes |
| s3:GetBucketConsistency | GET Bucket consistency | Yes |
| s3:GetBucketCORS | GET Bucket cors | |
| s3:GetEncryptionConfiguration | GET Bucket encryption | |
| s3:GetBucketLastAccessTime | GET Bucket last access time | Yes |
| s3:GetBucketLocation | GET Bucket location | |
| s3:GetBucketMetadataNotification | GET Bucket metadata notification configuration | Yes |
| s3:GetBucketNotification | GET Bucket notification | |
| s3:GetBucketObjectLockConfiguration | GET Object Lock Configuration | |
| s3:GetBucketPolicy | GET Bucket policy | |
| s3:GetBucketTagging | GET Bucket tagging | |
| s3:GetBucketVersioning | GET Bucket versioning | |
| s3:GetLifecycleConfiguration | GET Bucket lifecycle | |
| s3:GetReplicationConfiguration | GET Bucket replication | |
| s3:ListAllMyBuckets | GET Service, GET Storage Usage | Yes, for GET Storage Usage |
| s3:ListBucket | GET Bucket (List Objects), HEAD Bucket, POST Object restore | |
| s3:ListBucketMultipartUploads | List Multipart Uploads, POST Object restore | |
| s3:ListBucketVersions | GET Bucket versions | |
| s3:PutBucketCompliance | PUT Bucket compliance (deprecated) | Yes |
| s3:PutBucketConsistency | PUT Bucket consistency | Yes |
| s3:PutBucketCORS | DELETE Bucket cors†, PUT Bucket cors | |
| s3:PutEncryptionConfiguration | DELETE Bucket encryption, PUT Bucket encryption | |
| s3:PutBucketLastAccessTime | PUT Bucket last access time | Yes |
| s3:PutBucketMetadataNotification | PUT Bucket metadata notification configuration | Yes |
| s3:PutBucketNotification | PUT Bucket notification | |
| s3:PutBucketObjectLockConfiguration | PUT Bucket with the x-amz-bucket-object-lock-enabled: true request header (also requires the s3:CreateBucket permission) | |
| s3:PutBucketPolicy | PUT Bucket policy | |
| s3:PutBucketTagging | DELETE Bucket tagging†, PUT Bucket tagging | |
| s3:PutBucketVersioning | PUT Bucket versioning | |
| s3:PutLifecycleConfiguration | DELETE Bucket lifecycle†, PUT Bucket lifecycle | |
| s3:PutReplicationConfiguration | PUT Bucket replication | Yes, separate permissions for PUT and DELETE* |

\* Amazon S3 now uses the s3:PutReplicationConfiguration permission for both the PUT and DELETE Bucket replication actions. StorageGRID uses separate permissions for each action, which matches the original Amazon S3 specification.

† A DELETE is performed when a PUT is used to overwrite an existing value.

Permissions that apply to objects

| Permissions | S3 REST API operations | Custom for StorageGRID |
|---|---|---|
| s3:AbortMultipartUpload | Abort Multipart Upload, POST Object restore | |
| s3:DeleteObject | DELETE Object, DELETE Multiple Objects, POST Object restore | |
| s3:DeleteObjectTagging | DELETE Object Tagging | |
| s3:DeleteObjectVersionTagging | DELETE Object Tagging (a specific version of the object) | |
| s3:DeleteObjectVersion | DELETE Object (a specific version of the object) | |
| s3:GetObject | GET Object, HEAD Object, POST Object restore | |
| s3:GetObjectAcl | GET Object ACL | |
| s3:GetObjectLegalHold | GET Object legal hold | |
| s3:GetObjectRetention | GET Object retention | |
| s3:GetObjectTagging | GET Object Tagging | |
| s3:GetObjectVersionTagging | GET Object Tagging (a specific version of the object) | |
| s3:GetObjectVersion | GET Object (a specific version of the object) | |
| s3:ListMultipartUploadParts | List Parts, POST Object restore | |
| s3:PutObject | PUT Object, PUT Object - Copy, POST Object restore, Initiate Multipart Upload, Complete Multipart Upload, Upload Part, Upload Part - Copy | |
| s3:PutObjectLegalHold | PUT Object legal hold | |
| s3:PutObjectRetention | PUT Object retention | |
| s3:PutObjectTagging | PUT Object Tagging | |
| s3:PutObjectVersionTagging | PUT Object Tagging (a specific version of the object) | |
| s3:PutOverwriteObject | PUT Object, PUT Object - Copy, PUT Object tagging, DELETE Object tagging, Complete Multipart Upload | Yes |
| s3:RestoreObject | POST Object restore | |
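The following is an added example, not StorageGRID's own code or policy format documentation. It models only what the text above describes: a statement names permissions in "Action" or excludes them with "NotAction", a permission name can carry wildcards, and an explicit Deny overrides any Allow. The evaluator is used to audit a constructed sample policy against the permission names from the tables, which makes visible how broad a NotAction grant really is (for instance that it hands out s3:DeleteBucket) and which object operations a Deny with a wildcard removes. Principal and Condition matching, the "PLACEHOLDER-PRINCIPAL" string, the bucket name and the helper function names are all assumptions for the illustration; the real policy engine may differ in details not stated on the page.

```python
"""Minimal evaluator for the Action / NotAction logic of an S3-style bucket policy.

Added example; not StorageGRID code. Only Effect, Action, NotAction and Resource
are evaluated. Principal and Condition are ignored here.
"""
import re

# Permission names copied from the page's tables (a subset), used to expand a
# policy into the concrete permissions it grants on one resource.
BUCKET_PERMISSIONS = [
    "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteBucketPolicy",
    "s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:GetBucketTagging",
    "s3:GetBucketVersioning", "s3:ListBucket", "s3:ListBucketVersions",
    "s3:PutBucketPolicy", "s3:PutBucketTagging", "s3:PutBucketVersioning",
]
OBJECT_PERMISSIONS = [
    "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:GetObject", "s3:GetObjectTagging", "s3:PutObject",
    "s3:PutObjectTagging", "s3:PutOverwriteObject",
]

# Constructed sample policy (assumption, not from the page). The principal is a
# placeholder string because principal matching is out of scope for this example.
SAMPLE_POLICY = {
    "Statement": [
        {   # Wildcard in the middle of a name: every permission containing "Object"
            "Sid": "ObjectAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "PLACEHOLDER-PRINCIPAL"},
            "Action": "s3:*Object*",
            "Resource": "arn:aws:s3:::examplebucket/*",
        },
        {   # NotAction: every bucket-level permission EXCEPT touching the policy itself
            "Sid": "BucketAdminExceptPolicy",
            "Effect": "Allow",
            "Principal": {"AWS": "PLACEHOLDER-PRINCIPAL"},
            "NotAction": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
            "Resource": "arn:aws:s3:::examplebucket",
        },
        {   # Explicit Deny wins over the Allow above for all DeleteObject* permissions
            "Sid": "NoObjectDelete",
            "Effect": "Deny",
            "Principal": {"AWS": "PLACEHOLDER-PRINCIPAL"},
            "Action": "s3:DeleteObject*",
            "Resource": "arn:aws:s3:::examplebucket/*",
        },
    ]
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _pattern_match(pattern: str, value: str, case_sensitive: bool) -> bool:
    """Match a policy wildcard pattern ('*' = any run, '?' = one character).

    Permission names are compared case-insensitively, resource ARNs case-sensitively
    (an assumption modelled on IAM behaviour; the page does not state it).
    """
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def statement_matches(stmt: dict, permission: str, resource: str) -> bool:
    """True if the statement applies to this permission on this resource."""
    if "Action" in stmt:
        hit = any(_pattern_match(p, permission, False) for p in _as_list(stmt["Action"]))
    elif "NotAction" in stmt:
        # NotAction inverts the match: the statement applies to everything NOT listed
        hit = not any(_pattern_match(p, permission, False) for p in _as_list(stmt["NotAction"]))
    else:
        return False
    resources = _as_list(stmt.get("Resource", "*"))
    return hit and any(_pattern_match(r, resource, True) for r in resources)


def is_allowed(policy: dict, permission: str, resource: str) -> bool:
    """Default deny; a matching Deny overrides any matching Allow."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not statement_matches(stmt, permission, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def granted_permissions(policy: dict, resource: str, candidates: list) -> list:
    """Expand the policy against a list of known permission names for one resource."""
    return [p for p in candidates if is_allowed(policy, p, resource)]


if __name__ == "__main__":
    bucket, obj = "arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/report.csv"
    print("bucket:", granted_permissions(SAMPLE_POLICY, bucket, BUCKET_PERMISSIONS))
    print("object:", granted_permissions(SAMPLE_POLICY, obj, OBJECT_PERMISSIONS))
```

Two things the expansion shows that the policy text alone does not: the NotAction statement grants s3:DeleteBucket and s3:PutBucketTagging on the bucket even though neither is named, and "s3:*Object*" does not cover s3:AbortMultipartUpload, so a client that is allowed to start a multipart upload cannot clean up an abandoned one. Reviewing a policy by expanding it against the table of permission names catches both kinds of surprise.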