Permissions for @turbot/aws-s3
The table below lists each S3 permission, the Turbot grant level it is assigned to, and any notes on why that level was chosen:
Permission | Grant Level | Help |
---|---|---|
s3:AbortMultipartUpload | Operator | |
s3:BypassGovernanceRetention | Admin | |
s3:CreateAccessPoint | Admin | |
s3:CreateAccessPointForObjectLambda | Admin | |
s3:CreateBucket | Operator | |
s3:CreateJob | Operator | |
s3:CreateMultiRegionAccessPoint | Admin | |
s3:DeleteAccessPoint | Admin | |
s3:DeleteAccessPointForObjectLambda | Admin | |
s3:DeleteAccessPointPolicy | Admin | |
s3:DeleteAccessPointPolicyForObjectLambda | Admin | |
s3:DeleteAccountPublicAccessBlock | Admin | |
s3:DeleteBucket | Operator | |
s3:DeleteBucketCors | Admin | TEMPORARY permission since CloudTrail events are different |
s3:DeleteBucketEncryption | Admin | TEMPORARY permission since CloudTrail events are different |
s3:DeleteBucketLifecycle | Admin | TEMPORARY permission since CloudTrail events are different |
s3:DeleteBucketLifecycleConfiguration | Admin | |
s3:DeleteBucketOwnershipControls | Admin | |
s3:DeleteBucketPolicy | Admin | |
s3:DeleteBucketReplication | Admin | TEMPORARY permission since CloudTrail events are different |
s3:DeleteBucketTagging | Operator | TEMPORARY permission since CloudTrail events are different |
s3:DeleteBucketWebsite | Admin | Website management is safe but requires anonymous access to be granted to the bucket for it to work. |
s3:DeleteJobTagging | Admin | |
s3:DeleteMultiRegionAccessPoint | Admin | |
s3:DeleteObject | Operator | |
s3:DeleteObjectVersion | Operator | |
s3:DeleteObjectVersionTagging | Operator | |
s3:DeletePublicAccessBlock | Admin | |
s3:DeleteReplicationConfiguration | Whitelist | Admins can delete the replication configuration set for the bucket. |
s3:DeleteStorageLensConfiguration | Admin | |
s3:DeleteStorageLensConfigurationTagging | Admin | |
s3:DescribeJob | Metadata | |
s3:DescribeMultiRegionAccessPointOperation | Metadata | |
s3:GetAccelerateConfiguration | Metadata | |
s3:GetAccessPoint | Metadata | |
s3:GetAccessPointConfigurationForObjectLambda | Metadata | |
s3:GetAccessPointForObjectLambda | Metadata | |
s3:GetAccessPointPolicy | Metadata | |
s3:GetAccessPointPolicyForObjectLambda | Metadata | |
s3:GetAccessPointPolicyStatus | Metadata | |
s3:GetAccessPointPolicyStatusForObjectLambda | Metadata | |
s3:GetAccountPublicAccessBlock | Metadata | |
s3:GetAnalyticsConfiguration | Metadata | Covers ListAnalyticsConfigurations. |
s3:GetBucket | Metadata | |
s3:GetBucketAcl | Metadata | |
s3:GetBucketCORS | Metadata | |
s3:GetBucketIntelligentTieringConfiguration | Metadata | |
s3:GetBucketLocation | Metadata | |
s3:GetBucketLogging | Metadata | |
s3:GetBucketNotification | Metadata | |
s3:GetBucketObjectLockConfiguration | Metadata | |
s3:GetBucketOwnershipControls | Metadata | |
s3:GetBucketPolicy | Metadata | |
s3:GetBucketPolicyStatus | Metadata | |
s3:GetBucketPublicAccessBlock | Metadata | |
s3:GetBucketReplication | Metadata | |
s3:GetBucketRequestPayment | Metadata | |
s3:GetBucketTagging | Metadata | |
s3:GetBucketVersioning | Metadata | |
s3:GetBucketWebsite | Metadata | |
s3:GetEncryptionConfiguration | Metadata | |
s3:GetIntelligentTieringConfiguration | Metadata | |
s3:GetInventoryConfiguration | Metadata | Covers ListInventoryConfigurations. |
s3:GetJobTagging | Metadata | |
s3:GetLifecycleConfiguration | Metadata | |
s3:GetMetricsConfiguration | Metadata | Covers ListMetricsConfigurations. |
s3:GetMultiRegionAccessPoint | Metadata | |
s3:GetMultiRegionAccessPointPolicy | Metadata | |
s3:GetMultiRegionAccessPointPolicyStatus | Metadata | |
s3:GetMultiRegionAccessPointRoutes | Metadata | |
s3:GetObject | ReadOnly | |
s3:GetObjectAcl | Metadata | |
s3:GetObjectLegalHold | Metadata | |
s3:GetObjectLockConfiguration | Metadata | |
s3:GetObjectRetention | Metadata | |
s3:GetObjectTagging | Metadata | |
s3:GetObjectTorrent | ReadOnly | |
s3:GetObjectVersion | ReadOnly | |
s3:GetObjectVersionAcl | Metadata | |
s3:GetObjectVersionForReplication | ReadOnly | |
s3:GetObjectVersionTagging | Metadata | Retrieves the tags of an earlier object version. See http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGETtagging.html. |
s3:GetObjectVersionTorrent | ReadOnly | |
s3:GetPublicAccessBlock | Metadata | |
s3:GetReplicationConfiguration | Metadata | |
s3:GetStorageLensConfiguration | Metadata | |
s3:GetStorageLensConfigurationTagging | Metadata | |
s3:GetStorageLensDashboard | Metadata | |
s3:HeadBucket | Metadata | Helps to determine if a bucket exists and you have permission to access it. |
s3:HeadObject | ReadOnly | The HEAD operation retrieves metadata from an object without returning the object itself. It depends on the s3:GetObject permission. This operation is useful if you are only interested in an object's metadata. |
s3:ListAccessPoints | Metadata | |
s3:ListAccessPointsForObjectLambda | Metadata | |
s3:ListAllMyBuckets | Metadata | |
s3:ListBucket | Metadata | |
s3:ListBucketByTags | Metadata | |
s3:ListBucketIntelligentTieringConfigurations | Metadata | |
s3:ListBucketMultipartUploads | Metadata | |
s3:ListBucketVersions | Metadata | |
s3:ListJobs | Metadata | |
s3:ListMultipartUploadParts | Metadata | |
s3:ListMultiRegionAccessPoints | Metadata | |
s3:ListRegionalBuckets | Metadata | |
s3:ListStorageLensConfigurations | Metadata | |
s3:ObjectOwnerOverrideToBucketOwner | Admin | |
s3:PutAccelerateConfiguration | Admin | Admins can manage transfer acceleration for buckets. |
s3:PutAccessPointConfigurationForObjectLambda | Admin | |
s3:PutAccessPointPolicy | Admin | |
s3:PutAccessPointPolicyForObjectLambda | Admin | |
s3:PutAccessPointPublicAccessBlock | Admin | |
s3:PutAccountPublicAccessBlock | Admin | |
s3:PutAnalyticsConfiguration | Admin | Covers DeleteAnalyticsConfiguration. |
s3:PutBucketAcl | Whitelist | Per AWS guidelines, Turbot considers ACLs deprecated but still supports them through an option. See http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc |
s3:PutBucketCORS | Whitelist | Can be used for cross-account access. |
s3:PutBucketIntelligentTieringConfiguration | Admin | |
s3:PutBucketLogging | Whitelist | Turbot automates logging settings. |
s3:PutBucketNotification | Operator | |
s3:PutBucketObjectLockConfiguration | Admin | |
s3:PutBucketOwnershipControls | Admin | |
s3:PutBucketPolicy | Admin | |
s3:PutBucketPublicAccessBlock | Admin | |
s3:PutBucketReplication | Whitelist | |
s3:PutBucketRequestPayment | None | Can be used for cross-account access. |
s3:PutBucketTagging | Operator | Covers DeleteBucketTagging. |
s3:PutBucketVersioning | Operator | |
s3:PutBucketWebsite | Admin | Website management is safe but requires anonymous access to be granted to the bucket for it to work. |
s3:PutEncryptionConfiguration | Admin | |
s3:PutIntelligentTieringConfiguration | Admin | |
s3:PutInventoryConfiguration | Admin | Covers DeleteInventoryConfiguration. |
s3:PutJobTagging | Admin | |
s3:PutLifecycleConfiguration | Admin | Bucket management is restricted to Admins. Covers PutBucketLifecycle; PutBucketLifecycleConfiguration; DeleteBucketLifecycle. |
s3:PutMetricsConfiguration | Admin | Covers DeleteMetricsConfiguration. |
s3:PutMultiRegionAccessPointPolicy | Admin | |
s3:PutObject | Operator | Covers CompleteMultipartUpload; CreateMultipartUpload; UploadPart; UploadPartCopy. |
s3:PutObjectAcl | Whitelist | Per AWS guidelines, Turbot considers ACLs deprecated but still supports them through an option. See http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc |
s3:PutObjectLegalHold | Admin | |
s3:PutObjectLockConfiguration | Admin | |
s3:PutObjectRetention | Operator | |
s3:PutObjectTagging | Operator | Covers DeleteObjectTagging. |
s3:PutObjectVersionAcl | Whitelist | Per AWS guidelines, Turbot considers ACLs deprecated but still supports them through an option. See http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc |
s3:PutObjectVersionTagging | Operator | Allows tags to be associated with an object by versionId. See http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUTtagging.html. |
s3:PutPublicAccessBlock | Admin | |
s3:PutReplicationConfiguration | Whitelist | In a versioning-enabled bucket, Admins can create a replication configuration (or replace an existing one if present). This can also be used for cross-account access. |
s3:PutStorageLensConfiguration | Admin | |
s3:PutStorageLensConfigurationTagging | Admin | |
s3:ReplicateDelete | Whitelist | |
s3:ReplicateObject | Whitelist | |
s3:ReplicateTags | Whitelist | |
s3:RestoreObject | Operator | |
s3:SelectObjectContent | ReadOnly | |
s3:SubmitMultiRegionAccessPointRoutes | Admin | |
s3:UpdateJobPriority | Operator | |
s3:UpdateJobStatus | Operator | |
s3:WriteGetObjectResponse | Admin | |