Change log of AWS IAM permissions

2023-12-02

7 new actions, 1 new resource, 8 new conditions

Additions

Actions

CreateBucket
- Description: Grants permission to create a new bucket
- Access: Write
- Resources:
  Name: bucket
  
  Required: Yes
- Conditions:
  s3express:authType
  
  s3express:LocationName
  
  s3express:ResourceAccount
  
  s3express:signatureversion
  
  s3express:TlsVersion
  
  s3express:x-amz-content-sha256
CreateSession
- Description: Grants permission to Create Session token which is used for object APIs such as PutObject, GetObject, ect
- Access: Read
- Resources:
  Name: bucket
  
  Required: Yes
- Conditions:
  s3express:authType
  
  s3express:ResourceAccount
  
  s3express:SessionMode
  
  s3express:signatureAge
  
  s3express:signatureversion
  
  s3express:TlsVersion
  
  s3express:x-amz-content-sha256
DeleteBucket
- Description: Grants permission to delete the bucket named in the URI
- Access: Write
- Resources:
  Name: bucket
  
  Required: Yes
- Conditions:
  s3express:authType
  
  s3express:ResourceAccount
  
  s3express:signatureversion
  
  s3express:TlsVersion
  
  s3express:x-amz-content-sha256
DeleteBucketPolicy
- Description: Grants permission to delete the policy on a specified bucket
- Access: Permissions management
- Resources:
  Name: bucket
  
  Required: Yes
- Conditions:
  s3express:authType
  
  s3express:ResourceAccount
  
  s3express:signatureversion
  
  s3express:TlsVersion
  
  s3express:x-amz-content-sha256
GetBucketPolicy
- Description: Grants permission to return the policy of the specified bucket
- Access: Read
- Resources:
  Name: bucket
  
  Required: Yes
- Conditions:
  s3express:authType
  
  s3express:ResourceAccount
  
  s3express:signatureversion
  
  s3express:TlsVersion
  
  s3express:x-amz-content-sha256
ListAllMyDirectoryBuckets
- Description: Grants permission to list all directory buckets owned by the authenticated sender of the request
- Access: List
- Conditions:
  s3express:authType
  
  s3express:ResourceAccount
  
  s3express:signatureversion
  
  s3express:TlsVersion
  
  s3express:x-amz-content-sha256
PutBucketPolicy
- Description: Grants permission to add or replace a bucket policy on a bucket
- Access: Permissions management
- Resources:
  Name: bucket
  
  Required: Yes
- Conditions:
  s3express:authType
  
  s3express:ResourceAccount
  
  s3express:signatureversion
  
  s3express:TlsVersion
  
  s3express:x-amz-content-sha256

Resources

bucket
- Arn: arn:${Partition}:s3express:${Region}:${Account}:bucket/${BucketName}

Conditions

s3express:LocationName
- Description: Filters access by a specific Availability Zone ID
- Type: String
s3express:ResourceAccount
- Description: Filters access by the resource owner AWS account ID
- Type: String
s3express:SessionMode
- Description: Filters access by the permission requested by CreateSession API, such as ReadOnly and ReadWrite
- Type: String
s3express:TlsVersion
- Description: Filters access by the TLS version used by the client
- Type: Numeric
s3express:authType
- Description: Filters access by authentication method
- Type: String
s3express:signatureAge
- Description: Filters access by the age in milliseconds of the request signature
- Type: Numeric
s3express:signatureversion
- Description: Filters access by the AWS Signature Version used on the request
- Type: String
s3express:x-amz-content-sha256
- Description: Filters access by unsigned content in your bucket
- Type: String

Amazon S3 Express (s3express)

Additions