Service: Amazon S3
Short Name: s3
ARN Format: arn:aws:s3:::${BucketName}/${KeyName}
ARN Regex: ^arn:aws:s3:::.+
CloudFrontFullAccess
…
AWSCodeStarServiceRole

Action | Reference | Description | Access |
---|---|---|---|
s3:ListAccessGrants | Docs | Grants permission to list Access Grant | |
s3:ListAccessGrantsInstances | Docs | Grants permission to list Access Grants Instances | |
s3:ListAccessGrantsLocations | Docs | Grants permission to list Access Grants locations | |
s3:ListAccessPoints | Docs | Grants permission to list access points | |
s3:ListAccessPointsForObjectLambda | Docs | Grants permission to list object lambda enabled access points | |
s3:ListAllMyBuckets | Docs | Grants permission to list all buckets owned by the authenticated sender of the request | |
s3:ListBucket | Docs | Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000) | |
s3:ListBucketMultipartUploads | Docs | Grants permission to list in-progress multipart uploads | |
s3:ListBucketVersions | Docs | Grants permission to list metadata about all the versions of objects in an Amazon S3 bucket | |
s3:ListJobs | Docs | Grants permission to list current jobs and jobs that have ended recently | |
s3:ListMultipartUploadParts | Docs | Grants permission to list the parts that have been uploaded for a specific multipart upload | |
s3:ListMultiRegionAccessPoints | Docs | Grants permission to list Multi-Region Access Points | |
s3:ListStorageLensConfigurations | Docs | Grants permission to list Amazon S3 Storage Lens configurations | |
s3:ListStorageLensGroups | Docs | Grants permission to list S3 Storage Lens groups | |
s3:ListTagsForResource | Docs | Grants permission to list the tags attached to the specified resource | |
s3:BypassGovernanceRetention | Docs | Grants permission to allow circumvention of governance-mode object retention settings | |
s3:DeleteAccessPointPolicy | Docs | Grants permission to delete the policy on a specified access point | |
s3:DeleteAccessPointPolicyForObjectLambda | Docs | Grants permission to delete the policy on a specified object lambda enabled access point | |
s3:DeleteBucketPolicy | Docs | Grants permission to delete the policy on a specified bucket | |
s3:ObjectOwnerOverrideToBucketOwner | Docs | Grants permission to change replica ownership | |
s3:PutAccessPointPolicy | Docs | Grants permission to associate an access policy with a specified access point | |
s3:PutAccessPointPolicyForObjectLambda | Docs | Grants permission to associate an access policy with a specified object lambda enabled access point | |
s3:PutAccessPointPublicAccessBlock | Docs | Grants permission to associate public access block configurations with a specified access point, while creating an access point | |
s3:PutAccountPublicAccessBlock | Docs | Grants permission to create or modify the PublicAccessBlock configuration for an AWS account | |
s3:PutBucketAcl | Docs | Grants permission to set the permissions on an existing bucket using access control lists (ACLs) | |
s3:PutBucketPolicy | Docs | Grants permission to add or replace a bucket policy on a bucket | |
s3:PutBucketPublicAccessBlock | Docs | Grants permission to create or modify the PublicAccessBlock configuration for a specific Amazon S3 bucket | |
s3:PutMultiRegionAccessPointPolicy | Docs | Grants permission to associate an access policy with a specified Multi-Region Access Point | |
s3:PutObjectAcl | Docs | Grants permission to set the access control list (ACL) permissions for new or existing objects in an S3 bucket | |
s3:PutObjectVersionAcl | Docs | Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket | |
s3:DescribeJob | Docs | Grants permission to retrieve the configuration parameters and status for a batch operations job | |
s3:DescribeMultiRegionAccessPointOperation | Docs | Grants permission to retrieve the configurations for a Multi-Region Access Point | |
s3:GetAccelerateConfiguration | Docs | Grants permission to use the accelerate subresource to return the Transfer Acceleration state of a bucket, which is either Enabled or Suspended | |
s3:GetAccessGrant | Docs | Grants permission to read Access Grant | |
s3:GetAccessGrantsInstance | Docs | Grants permission to read Access Grants Instance | |
s3:GetAccessGrantsInstanceForPrefix | Docs | Grants permission to read Access Grants Instance by prefix | |
s3:GetAccessGrantsInstanceResourcePolicy | Docs | Grants permission to read Access grants instance resource policy | |
s3:GetAccessGrantsLocation | Docs | Grants permission to read Access Grants location | |
s3:GetAccessPoint | Docs | Grants permission to return configuration information about the specified access point | |
s3:GetAccessPointConfigurationForObjectLambda | Docs | Grants permission to retrieve the configuration of the object lambda enabled access point | |
s3:GetAccessPointForObjectLambda | Docs | Grants permission to create an object lambda enabled access point | |
s3:GetAccessPointPolicy | Docs | Grants permission to return the access point policy associated with the specified access point | |
s3:GetAccessPointPolicyForObjectLambda | Docs | Grants permission to return the access point policy associated with the specified object lambda enabled access point | |
s3:GetAccessPointPolicyStatus | Docs | Grants permission to return the policy status for a specific access point policy | |
s3:GetAccessPointPolicyStatusForObjectLambda | Docs | Grants permission to return the policy status for a specific object lambda access point policy | |
s3:GetAccountPublicAccessBlock | Docs | Grants permission to retrieve the PublicAccessBlock configuration for an AWS account | |
s3:GetAnalyticsConfiguration | Docs | Grants permission to get an analytics configuration from an Amazon S3 bucket, identified by the analytics configuration ID | |
s3:GetBucketAcl | Docs | Grants permission to use the acl subresource to return the access control list (ACL) of an Amazon S3 bucket | |
s3:GetBucketCORS | Docs | Grants permission to return the CORS configuration information set for an Amazon S3 bucket | |
s3:GetBucketLocation | Docs | Grants permission to return the Region that an Amazon S3 bucket resides in | |
s3:GetBucketLogging | Docs | Grants permission to return the logging status of an Amazon S3 bucket and the permissions users have to view or modify that status | |
s3:GetBucketNotification | Docs | Grants permission to get the notification configuration of an Amazon S3 bucket | |
s3:GetBucketObjectLockConfiguration | Docs | Grants permission to get the Object Lock configuration of an Amazon S3 bucket | |
s3:GetBucketOwnershipControls | Docs | Grants permission to retrieve ownership controls on a bucket | |
s3:GetBucketPolicy | Docs | Grants permission to return the policy of the specified bucket | |
s3:GetBucketPolicyStatus | Docs | Grants permission to retrieve the policy status for a specific Amazon S3 bucket, which indicates whether the bucket is public | |
s3:GetBucketPublicAccessBlock | Docs | Grants permission to retrieve the PublicAccessBlock configuration for an Amazon S3 bucket | |
s3:GetBucketRequestPayment | Docs | Grants permission to return the request payment configuration for an Amazon S3 bucket | |
s3:GetBucketTagging | Docs | Grants permission to return the tag set associated with an Amazon S3 bucket | |
s3:GetBucketVersioning | Docs | Grants permission to return the versioning state of an Amazon S3 bucket | |
s3:GetBucketWebsite | Docs | Grants permission to return the website configuration for an Amazon S3 bucket | |
s3:GetDataAccess | Docs | Grants permission to get Access | |
s3:GetEncryptionConfiguration | Docs | Grants permission to return the default encryption configuration of an Amazon S3 bucket | |
s3:GetIntelligentTieringConfiguration | Docs | Grants permission to get one or list all Amazon S3 Intelligent Tiering configurations in an S3 bucket | |
s3:GetInventoryConfiguration | Docs | Grants permission to return an inventory configuration from an Amazon S3 bucket, identified by the inventory configuration ID | |
s3:GetJobTagging | Docs | Grants permission to return the tag set of an existing Amazon S3 Batch Operations job | |
s3:GetLifecycleConfiguration | Docs | Grants permission to return the lifecycle configuration information set on an Amazon S3 bucket | |
s3:GetMetricsConfiguration | Docs | Grants permission to get a metrics configuration from an Amazon S3 bucket | |
s3:GetMultiRegionAccessPoint | Docs | Grants permission to return configuration information about the specified Multi-Region Access Point | |
s3:GetMultiRegionAccessPointPolicy | Docs | Grants permission to return the access point policy associated with the specified Multi-Region Access Point | |
s3:GetMultiRegionAccessPointPolicyStatus | Docs | Grants permission to return the policy status for a specific Multi-Region Access Point policy | |
s3:GetMultiRegionAccessPointRoutes | Docs | Grants permission to return the route configuration for a Multi-Region Access Point | |
s3:GetObject | Docs | Grants permission to retrieve objects from Amazon S3 | |
s3:GetObjectAcl | Docs | Grants permission to return the access control list (ACL) of an object | |
s3:GetObjectAttributes | Docs | Grants permission to retrieve attributes related to a specific object | |
s3:GetObjectLegalHold | Docs | Grants permission to get an object's current Legal Hold status | |
s3:GetObjectRetention | Docs | Grants permission to retrieve the retention settings for an object | |
s3:GetObjectTagging | Docs | Grants permission to return the tag set of an object | |
s3:GetObjectTorrent | Docs | Grants permission to return torrent files from an Amazon S3 bucket | |
s3:GetObjectVersion | Docs | Grants permission to retrieve a specific version of an object | |
s3:GetObjectVersionAcl | Docs | Grants permission to return the access control list (ACL) of a specific object version | |
s3:GetObjectVersionAttributes | Docs | Grants permission to retrieve attributes related to a specific version of an object | |
s3:GetObjectVersionForReplication | Docs | Grants permission to replicate both unencrypted objects and objects encrypted with SSE-S3 or SSE-KMS | |
s3:GetObjectVersionTagging | Docs | Grants permission to return the tag set for a specific version of the object | |
s3:GetObjectVersionTorrent | Docs | Grants permission to get Torrent files about a different version using the versionId subresource | |
s3:GetReplicationConfiguration | Docs | Grants permission to get the replication configuration information set on an Amazon S3 bucket | |
s3:GetStorageLensConfiguration | Docs | Grants permission to get an Amazon S3 Storage Lens configuration | |
s3:GetStorageLensConfigurationTagging | Docs | Grants permission to get the tag set of an existing Amazon S3 Storage Lens configuration | |
s3:GetStorageLensDashboard | Docs | Grants permission to get an Amazon S3 Storage Lens dashboard | |
s3:GetStorageLensGroup | Docs | Grants permission to get an Amazon S3 Storage Lens group | |
s3:DeleteJobTagging | Docs | Grants permission to remove tags from an existing Amazon S3 Batch Operations job | |
s3:DeleteObjectTagging | Docs | Grants permission to use the tagging subresource to remove the entire tag set from the specified object | |
s3:DeleteObjectVersionTagging | Docs | Grants permission to remove the entire tag set for a specific version of the object | |
s3:DeleteStorageLensConfigurationTagging | Docs | Grants permission to remove tags from an existing Amazon S3 Storage Lens configuration | |
s3:PutBucketTagging | Docs | Grants permission to add a set of tags to an existing Amazon S3 bucket | |
s3:PutJobTagging | Docs | Grants permission to replace tags on an existing Amazon S3 Batch Operations job | |
s3:PutObjectTagging | Docs | Grants permission to set the supplied tag-set to an object that already exists in a bucket | |
s3:PutObjectVersionTagging | Docs | Grants permission to set the supplied tag-set for a specific version of an object | |
s3:PutStorageLensConfigurationTagging | Docs | Grants permission to put or replace tags on an existing Amazon S3 Storage Lens configuration | |
s3:ReplicateTags | Docs | Grants permission to replicate object tags to the destination bucket | |
s3:TagResource | Docs | Grants permission to add tags to the specified resource | |
s3:UntagResource | Docs | Grants permission to remove tags from the specified resource | |
s3:AbortMultipartUpload | Docs | Grants permission to abort a multipart upload | |
s3:AssociateAccessGrantsIdentityCenter | Docs | Grants permission to associate Access Grants identity center | |
s3:CreateAccessGrant | Docs | Grants permission to create Access Grant | |
s3:CreateAccessGrantsInstance | Docs | Grants permission to create Access Grants Instance | |
s3:CreateAccessGrantsLocation | Docs | Grants permission to create Access Grants location | |
s3:CreateAccessPoint | Docs | Grants permission to create a new access point | |
s3:CreateAccessPointForObjectLambda | Docs | Grants permission to create an object lambda enabled access point | |
s3:CreateBucket | Docs | Grants permission to create a new bucket | |
s3:CreateJob | Docs | Grants permission to create a new Amazon S3 Batch Operations job | |
s3:CreateMultiRegionAccessPoint | Docs | Grants permission to create a new Multi-Region Access Point | |
s3:CreateStorageLensGroup | Docs | Grants permission to create an Amazon S3 Storage Lens group | |
s3:DeleteAccessGrant | Docs | Grants permission to delete Access Grant | |
s3:DeleteAccessGrantsInstance | Docs | Grants permission to delete Access Grants Instance | |
s3:DeleteAccessGrantsInstanceResourcePolicy | Docs | Grants permission to read Access grants instance resource policy | |
s3:DeleteAccessGrantsLocation | Docs | Grants permission to delete Access Grants location | |
s3:DeleteAccessPoint | Docs | Grants permission to delete the access point named in the URI | |
s3:DeleteAccessPointForObjectLambda | Docs | Grants permission to delete the object lambda enabled access point named in the URI | |
s3:DeleteBucket | Docs | Grants permission to delete the bucket named in the URI | |
s3:DeleteBucketWebsite | Docs | Grants permission to remove the website configuration for a bucket | |
s3:DeleteMultiRegionAccessPoint | Docs | Grants permission to delete the Multi-Region Access Point named in the URI | |
s3:DeleteObject | Docs | Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object | |
s3:DeleteObjectVersion | Docs | Grants permission to remove a specific version of an object | |
s3:DeleteStorageLensConfiguration | Docs | Grants permission to delete an existing Amazon S3 Storage Lens configuration | |
s3:DeleteStorageLensGroup | Docs | Grants permission to delete an existing S3 Storage Lens group | |
s3:DissociateAccessGrantsIdentityCenter | Docs | Grants permission to disassociate Access Grants identity center | |
s3:InitiateReplication | Docs | Grants permission to initiate the replication process by setting replication status of an object to pending | |
s3:PutAccelerateConfiguration | Docs | Grants permission to use the accelerate subresource to set the Transfer Acceleration state of an existing S3 bucket | |
s3:PutAccessGrantsInstanceResourcePolicy | Docs | Grants permission to put Access grants instance resource policy | |
s3:PutAccessPointConfigurationForObjectLambda | Docs | Grants permission to set the configuration of the object lambda enabled access point | |
s3:PutAnalyticsConfiguration | Docs | Grants permission to set an analytics configuration for the bucket, specified by the analytics configuration ID | |
s3:PutBucketCORS | Docs | Grants permission to set the CORS configuration for an Amazon S3 bucket | |
s3:PutBucketLogging | Docs | Grants permission to set the logging parameters for an Amazon S3 bucket | |
s3:PutBucketNotification | Docs | Grants permission to receive notifications when certain events happen in an Amazon S3 bucket | |
s3:PutBucketObjectLockConfiguration | Docs | Grants permission to put Object Lock configuration on a specific bucket | |
s3:PutBucketOwnershipControls | Docs | Grants permission to add, replace or delete ownership controls on a bucket | |
s3:PutBucketRequestPayment | Docs | Grants permission to set the request payment configuration of a bucket | |
s3:PutBucketVersioning | Docs | Grants permission to set the versioning state of an existing Amazon S3 bucket | |
s3:PutBucketWebsite | Docs | Grants permission to set the configuration of the website that is specified in the website subresource | |
s3:PutEncryptionConfiguration | Docs | Grants permission to set the encryption configuration for an Amazon S3 bucket | |
s3:PutIntelligentTieringConfiguration | Docs | Grants permission to create a new Amazon S3 Intelligent Tiering configuration, or to update or delete an existing one | |
s3:PutInventoryConfiguration | Docs | Grants permission to add an inventory configuration to the bucket, identified by the inventory ID | |
s3:PutLifecycleConfiguration | Docs | Grants permission to create a new lifecycle configuration for the bucket or replace an existing lifecycle configuration | |
s3:PutMetricsConfiguration | Docs | Grants permission to set or update a metrics configuration for the CloudWatch request metrics from an Amazon S3 bucket | |
s3:PutObject | Docs | Grants permission to add an object to a bucket | |
s3:PutObjectLegalHold | Docs | Grants permission to apply a Legal Hold configuration to the specified object | |
s3:PutObjectRetention | Docs | Grants permission to place an Object Retention configuration on an object | |
s3:PutReplicationConfiguration | Docs | Grants permission to create a new replication configuration or replace an existing one | |
s3:PutStorageLensConfiguration | Docs | Grants permission to create or update an Amazon S3 Storage Lens configuration | |
s3:ReplicateDelete | Docs | Grants permission to replicate delete markers to the destination bucket | |
s3:ReplicateObject | Docs | Grants permission to replicate objects and object tags to the destination bucket | |
s3:RestoreObject | Docs | Grants permission to restore an archived copy of an object back into Amazon S3 | |
s3:SubmitMultiRegionAccessPointRoutes | Docs | Grants permission to submit a route configuration update for a Multi-Region Access Point | |
s3:UpdateAccessGrantsLocation | Docs | Grants permission to update Access Grants location | |
s3:UpdateJobPriority | Docs | Grants permission to update the priority of an existing job | |
s3:UpdateJobStatus | Docs | Grants permission to update the status for the specified job | |
s3:UpdateStorageLensGroup | Docs | Grants permission to update an existing S3 Storage Lens group |

Condition Keys:
aws:RequestTag/${TagKey}
aws:ResourceTag/${TagKey}
aws:TagKeys
s3:AccessGrantsInstanceArn
s3:AccessPointNetworkOrigin
s3:DataAccessPointAccount
s3:DataAccessPointArn
s3:ExistingJobOperation
s3:ExistingJobPriority
s3:ExistingObjectTag/<key>
s3:JobSuspendedCause
s3:RequestJobOperation
s3:RequestJobPriority
s3:RequestObjectTag/<key>
s3:RequestObjectTagKeys
s3:ResourceAccount
s3:TlsVersion
s3:authType
s3:delimiter
s3:locationconstraint
s3:max-keys
s3:object-lock-legal-hold
s3:object-lock-mode
s3:object-lock-remaining-retention-days
s3:object-lock-retain-until-date
s3:prefix
s3:signatureAge
s3:signatureversion
s3:versionid
s3:x-amz-acl
s3:x-amz-content-sha256
s3:x-amz-copy-source
s3:x-amz-grant-full-control
s3:x-amz-grant-read
s3:x-amz-grant-read-acp
s3:x-amz-grant-write
s3:x-amz-grant-write-acp
s3:x-amz-metadata-directive
s3:x-amz-object-ownership
s3:x-amz-server-side-encryption
s3:x-amz-server-side-encryption-aws-kms-key-id
s3:x-amz-server-side-encryption-customer-algorithm
s3:x-amz-storage-class
s3:x-amz-website-redirect-location