IAM policy document syntax
A policy document is a JSON format document that contains Version and Statement objects. For example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}
```

Supported Version in policy document:
Only "2012-10-17" is supported.
Supported Action:

Table: Supported Action

| Action | Description | Permissive APIs |
|---|---|---|
| s3:* | Any S3 and IAM operations. This is an administrator permission. | All S3 and IAM APIs. Note: the CreateBucket API requires this permission. The permission s3:BypassGovernanceRetention is only applied to the action s3:*. |
| s3:Put* | S3 write operations. | UploadPart, CompleteMultipartUpload, CreateMultipartUpload, AbortMultipartUpload, PutObject, DeleteObject, DeleteObjects, PutBucketVersioning, DeleteBucket, CopyObject, PutObjectLockConfiguration, PutObjectRetention |
| s3:Get* | S3 read operations. | HeadObject, GetObject, GetBucketVersioning, GetBucketLocation, GetBucketEncryption, HeadBucket, CopyObject, GetObjectLockConfiguration, GetObjectRetention |
| s3:List* | S3 list operations. | ListBuckets, ListObjects, ListObjectsV2, ListObjectVersions, ListMultipartUploads |
Supported Effect:
Only the "Allow" effect is supported.
Note:
The root user has embedded administrator permissions, so you cannot attach a policy to the root user.
Supported Resource patterns:

Table: Supported Resource patterns

| Resource pattern | Description |
|---|---|
| arn:aws:s3:::* | All S3 resources. Note: if this resource pattern is used with the action s3:*, the user has all permissions for all S3 resources, which is the same as the root user. The permission s3:BypassGovernanceRetention is only applied to the action s3:*. |
| arn:aws:s3:::<BUCKET_NAME>/* | All objects within <BUCKET_NAME>, and the bucket itself. The permission s3:BypassGovernanceRetention is not applied to this resource. |
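As an added example (not part of this documentation or the product's own code), a small Python checker that enforces exactly the limits listed above and answers whether a given API call on a given bucket is covered by a policy. The API-to-action mapping is copied from the "Permissive APIs" column; treating CopyObject as granted by either s3:Put* or s3:Get* is an assumption, since the table lists it under both.

```python
import json
import re

# Limits as the page states them (Version, Effect, Action, Resource) and the table's
# "Permissive APIs" column; CopyObject is under both Put* and Get*, either is accepted here.
API_ACTIONS = {
    "s3:Put*": {"UploadPart", "CompleteMultipartUpload", "CreateMultipartUpload",
                "AbortMultipartUpload", "PutObject", "DeleteObject", "DeleteObjects",
                "PutBucketVersioning", "DeleteBucket", "CopyObject",
                "PutObjectLockConfiguration", "PutObjectRetention"},
    "s3:Get*": {"HeadObject", "GetObject", "GetBucketVersioning", "GetBucketLocation",
                "GetBucketEncryption", "HeadBucket", "CopyObject",
                "GetObjectLockConfiguration", "GetObjectRetention"},
    "s3:List*": {"ListBuckets", "ListObjects", "ListObjectsV2", "ListObjectVersions",
                 "ListMultipartUploads"},
}
BUCKET_RESOURCE = re.compile(r"^arn:aws:s3:::([^/*]+)/\*$")  # arn:aws:s3:::<BUCKET_NAME>/*
def _as_list(v):
    return v if isinstance(v, list) else [] if v is None else [v]

def validate_policy(doc: str) -> list[str]:
    """Return the problems found; an empty list means the document is accepted."""
    policy, errors = json.loads(doc), []
    if policy.get("Version") != "2012-10-17":
        errors.append(f"unsupported Version {policy.get('Version')!r}")
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":  # Deny is not supported
            errors.append(f"statement {i}: unsupported Effect {st.get('Effect')!r}")
        for a in _as_list(st.get("Action")):
            if a != "s3:*" and a not in API_ACTIONS:
                errors.append(f"statement {i}: unsupported Action {a!r}")
        for r in _as_list(st.get("Resource")):
            if r != "arn:aws:s3:::*" and not BUCKET_RESOURCE.match(r):
                errors.append(f"statement {i}: unsupported Resource {r!r}")
    return errors

def is_permitted(doc: str, api: str, bucket: str) -> bool:
    """True if some statement grants `api` on `bucket`; CreateBucket needs s3:*."""
    for st in _as_list(json.loads(doc).get("Statement")):
        actions = _as_list(st.get("Action"))
        grants = "s3:*" in actions or any(api in API_ACTIONS.get(a, ()) for a in actions)
        for r in _as_list(st.get("Resource")):
            m = BUCKET_RESOURCE.match(r)
            if grants and (r == "arn:aws:s3:::*" or (m and m.group(1) == bucket)):
                return True
    return False

# The page's own example policy: read and list on every bucket, no writes.
EXAMPLE = ('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
           '"Action":["s3:Get*","s3:List*"],"Resource":["arn:aws:s3:::*"]}]}')
```

Running `validate_policy` before attaching a document catches the unsupported cases (Deny, a non-listed action prefix, a bare bucket ARN without `/*`) that the service would otherwise reject, and `is_permitted` makes the table's grant semantics checkable in a unit test.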