Permissions for @turbot/aws-s3

The permissions in the @turbot/aws-s3 mod and the grant level assigned to each are listed below. The grant levels are Metadata, ReadOnly, Operator and Admin. Permissions marked Whitelist are not part of any grant level by default and are enabled through a mod option, as the Help column notes; a permission marked None is not granted at any level.

| Permission | Grant Level | Help |
|---|---|---|
| s3:AbortMultipartUpload | Operator | |
| s3:BypassGovernanceRetention | Admin | |
| s3:CreateAccessPoint | Admin | |
| s3:CreateAccessPointForObjectLambda | Admin | |
| s3:CreateBucket | Operator | |
| s3:CreateJob | Operator | |
| s3:CreateMultiRegionAccessPoint | Admin | |
| s3:DeleteAccessPoint | Admin | |
| s3:DeleteAccessPointForObjectLambda | Admin | |
| s3:DeleteAccessPointPolicy | Admin | |
| s3:DeleteAccessPointPolicyForObjectLambda | Admin | |
| s3:DeleteAccountPublicAccessBlock | Admin | |
| s3:DeleteBucket | Operator | |
| s3:DeleteBucketCors | Admin | TEMPORARY permission since CloudTrail events are different. |
| s3:DeleteBucketEncryption | Admin | TEMPORARY permission since CloudTrail events are different. |
| s3:DeleteBucketLifecycle | Admin | TEMPORARY permission since CloudTrail events are different. |
| s3:DeleteBucketLifecycleConfiguration | Admin | |
| s3:DeleteBucketOwnershipControls | Admin | |
| s3:DeleteBucketPolicy | Admin | |
| s3:DeleteBucketReplication | Admin | TEMPORARY permission since CloudTrail events are different. |
| s3:DeleteBucketTagging | Operator | TEMPORARY permission since CloudTrail events are different. |
| s3:DeleteBucketWebsite | Admin | Website management is safe but requires anonymous access to be granted to the bucket for it to work. |
| s3:DeleteJobTagging | Admin | |
| s3:DeleteMultiRegionAccessPoint | Admin | |
| s3:DeleteObject | Operator | |
| s3:DeleteObjectVersion | Operator | |
| s3:DeleteObjectVersionTagging | Operator | |
| s3:DeletePublicAccessBlock | Admin | |
| s3:DeleteReplicationConfiguration | Whitelist | Admins can delete the replication configuration set for the bucket. |
| s3:DeleteStorageLensConfiguration | Admin | |
| s3:DeleteStorageLensConfigurationTagging | Admin | |
| s3:DescribeJob | Metadata | |
| s3:DescribeMultiRegionAccessPointOperation | Metadata | |
| s3:GetAccelerateConfiguration | Metadata | |
| s3:GetAccessPoint | Metadata | |
| s3:GetAccessPointConfigurationForObjectLambda | Metadata | |
| s3:GetAccessPointForObjectLambda | Metadata | |
| s3:GetAccessPointPolicy | Metadata | |
| s3:GetAccessPointPolicyForObjectLambda | Metadata | |
| s3:GetAccessPointPolicyStatus | Metadata | |
| s3:GetAccessPointPolicyStatusForObjectLambda | Metadata | |
| s3:GetAccountPublicAccessBlock | Metadata | |
| s3:GetAnalyticsConfiguration | Metadata | Covers ListAnalyticsConfigurations. |
| s3:GetBucket | Metadata | |
| s3:GetBucketAcl | Metadata | |
| s3:GetBucketCORS | Metadata | |
| s3:GetBucketIntelligentTieringConfiguration | Metadata | |
| s3:GetBucketLocation | Metadata | |
| s3:GetBucketLogging | Metadata | |
| s3:GetBucketNotification | Metadata | |
| s3:GetBucketObjectLockConfiguration | Metadata | |
| s3:GetBucketOwnershipControls | Metadata | |
| s3:GetBucketPolicy | Metadata | |
| s3:GetBucketPolicyStatus | Metadata | |
| s3:GetBucketPublicAccessBlock | Metadata | |
| s3:GetBucketReplication | Metadata | |
| s3:GetBucketRequestPayment | Metadata | |
| s3:GetBucketTagging | Metadata | |
| s3:GetBucketVersioning | Metadata | |
| s3:GetBucketWebsite | Metadata | |
| s3:GetEncryptionConfiguration | Metadata | |
| s3:GetIntelligentTieringConfiguration | Metadata | |
| s3:GetInventoryConfiguration | Metadata | Covers ListInventoryConfigurations. |
| s3:GetJobTagging | Metadata | |
| s3:GetLifecycleConfiguration | Metadata | |
| s3:GetMetricsConfiguration | Metadata | Covers ListMetricsConfigurations. |
| s3:GetMultiRegionAccessPoint | Metadata | |
| s3:GetMultiRegionAccessPointPolicy | Metadata | |
| s3:GetMultiRegionAccessPointPolicyStatus | Metadata | |
| s3:GetMultiRegionAccessPointRoutes | Metadata | |
| s3:GetObject | ReadOnly | |
| s3:GetObjectAcl | Metadata | |
| s3:GetObjectLegalHold | Metadata | |
| s3:GetObjectLockConfiguration | Metadata | |
| s3:GetObjectRetention | Metadata | |
| s3:GetObjectTagging | Metadata | |
| s3:GetObjectTorrent | ReadOnly | |
| s3:GetObjectVersion | ReadOnly | |
| s3:GetObjectVersionAcl | Metadata | |
| s3:GetObjectVersionForReplication | ReadOnly | |
| s3:GetObjectVersionTagging | Metadata | Retrieves the tags of a specific object version - http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGETtagging.html |
| s3:GetObjectVersionTorrent | ReadOnly | |
| s3:GetPublicAccessBlock | Metadata | |
| s3:GetReplicationConfiguration | Metadata | |
| s3:GetStorageLensConfiguration | Metadata | |
| s3:GetStorageLensConfigurationTagging | Metadata | |
| s3:GetStorageLensDashboard | Metadata | |
| s3:HeadBucket | Metadata | Helps to determine whether a bucket exists and you have permission to access it. |
| s3:HeadObject | ReadOnly | The HEAD operation retrieves metadata from an object without returning the object itself. It depends on the s3:GetObject permission. Useful if you're only interested in an object's metadata. |
| s3:ListAccessPoints | Metadata | |
| s3:ListAccessPointsForObjectLambda | Metadata | |
| s3:ListAllMyBuckets | Metadata | |
| s3:ListBucket | Metadata | |
| s3:ListBucketByTags | Metadata | |
| s3:ListBucketIntelligentTieringConfigurations | Metadata | |
| s3:ListBucketMultipartUploads | Metadata | |
| s3:ListBucketVersions | Metadata | |
| s3:ListJobs | Metadata | |
| s3:ListMultipartUploadParts | Metadata | |
| s3:ListMultiRegionAccessPoints | Metadata | |
| s3:ListRegionalBuckets | Metadata | |
| s3:ListStorageLensConfigurations | Metadata | |
| s3:ObjectOwnerOverrideToBucketOwner | Admin | |
| s3:PutAccelerateConfiguration | Admin | Admins can manage transfer acceleration for buckets. |
| s3:PutAccessPointConfigurationForObjectLambda | Admin | |
| s3:PutAccessPointPolicy | Admin | |
| s3:PutAccessPointPolicyForObjectLambda | Admin | |
| s3:PutAccessPointPublicAccessBlock | Admin | |
| s3:PutAccountPublicAccessBlock | Admin | |
| s3:PutAnalyticsConfiguration | Admin | Covers DeleteAnalyticsConfiguration. |
| s3:PutBucketAcl | Whitelist | Per AWS guidelines Turbot considers ACLs deprecated but still supports them through an option - http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc |
| s3:PutBucketCORS | Whitelist | Can be used for cross-account access. |
| s3:PutBucketIntelligentTieringConfiguration | Admin | |
| s3:PutBucketLogging | Whitelist | Turbot automates logging settings. |
| s3:PutBucketNotification | Operator | |
| s3:PutBucketObjectLockConfiguration | Admin | |
| s3:PutBucketOwnershipControls | Admin | |
| s3:PutBucketPolicy | Admin | |
| s3:PutBucketPublicAccessBlock | Admin | |
| s3:PutBucketReplication | Whitelist | |
| s3:PutBucketRequestPayment | None | Can be used for cross-account access. |
| s3:PutBucketTagging | Operator | Covers DeleteBucketTagging. |
| s3:PutBucketVersioning | Operator | |
| s3:PutBucketWebsite | Admin | Website management is safe but requires anonymous access to be granted to the bucket for it to work. |
| s3:PutEncryptionConfiguration | Admin | |
| s3:PutIntelligentTieringConfiguration | Admin | |
| s3:PutInventoryConfiguration | Admin | Covers DeleteInventoryConfiguration. |
| s3:PutJobTagging | Admin | |
| s3:PutLifecycleConfiguration | Admin | Bucket management is restricted to Admins. Covers PutBucketLifecycle; PutBucketLifecycleConfiguration; DeleteBucketLifecycle. |
| s3:PutMetricsConfiguration | Admin | Covers DeleteMetricsConfiguration. |
| s3:PutMultiRegionAccessPointPolicy | Admin | |
| s3:PutObject | Operator | Covers CompleteMultipartUpload; CreateMultipartUpload; UploadPart; UploadPartCopy. |
| s3:PutObjectAcl | Whitelist | Per AWS guidelines Turbot considers ACLs deprecated but still supports them through an option - http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc |
| s3:PutObjectLegalHold | Admin | |
| s3:PutObjectLockConfiguration | Admin | |
| s3:PutObjectRetention | Operator | |
| s3:PutObjectTagging | Operator | Covers DeleteObjectTagging. |
| s3:PutObjectVersionAcl | Whitelist | Per AWS guidelines Turbot considers ACLs deprecated but still supports them through an option - http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc |
| s3:PutObjectVersionTagging | Operator | Associates tags with a specific object version (selected by versionId) - http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUTtagging.html |
| s3:PutPublicAccessBlock | Admin | |
| s3:PutReplicationConfiguration | Whitelist | In a versioning-enabled bucket, Admins can create a replication configuration (or replace an existing one); replication can also be used for cross-account access. |
| s3:PutStorageLensConfiguration | Admin | |
| s3:PutStorageLensConfigurationTagging | Admin | |
| s3:ReplicateDelete | Whitelist | |
| s3:ReplicateObject | Whitelist | |
| s3:ReplicateTags | Whitelist | |
| s3:RestoreObject | Operator | |
| s3:SelectObjectContent | ReadOnly | |
| s3:SubmitMultiRegionAccessPointRoutes | Admin | |
| s3:UpdateJobPriority | Operator | |
| s3:UpdateJobStatus | Operator | |
| s3:WriteGetObjectResponse | Admin | |
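The table above is what a practitioner turns into an actual IAM policy, or checks an existing policy against. The script below is an added example, not code from the @turbot/aws-s3 mod or from Turbot: it embeds a handful of the rows above as sample data, builds the IAM policy statement a grant level implies, and reports actions in a candidate policy that exceed that level. It assumes the levels nest cumulatively (Metadata within ReadOnly within Operator within Admin), treats Whitelist and None as granted by no level, and the function names, the `TABLE_ROWS` subset and the candidate policy are the example's own.

```python
"""Map Turbot grant levels for S3 actions to IAM policy statements and
check a candidate policy against a grant level.

Added example, not part of the @turbot/aws-s3 mod.  The rows in TABLE_ROWS
are copied from the permissions table on this page; the cumulative ordering
Metadata < ReadOnly < Operator < Admin is an assumption about how the levels
nest and is not stated on the page.
"""
import json

# Ordered grant levels; each level is assumed to include the ones before it.
LEVEL_ORDER = ["Metadata", "ReadOnly", "Operator", "Admin"]

# Sample rows (permission, grant level) taken from the table on this page.
TABLE_ROWS = [
    ("s3:GetBucketPolicy", "Metadata"),
    ("s3:ListBucket", "Metadata"),
    ("s3:GetObject", "ReadOnly"),
    ("s3:GetObjectVersion", "ReadOnly"),
    ("s3:PutObject", "Operator"),
    ("s3:DeleteObject", "Operator"),
    ("s3:PutBucketVersioning", "Operator"),
    ("s3:PutBucketPolicy", "Admin"),
    ("s3:PutEncryptionConfiguration", "Admin"),
    ("s3:DeleteBucketPolicy", "Admin"),
    ("s3:PutBucketAcl", "Whitelist"),       # enabled only through a mod option
    ("s3:PutBucketRequestPayment", "None"),  # granted at no level
]


def actions_for_level(level, rows=TABLE_ROWS):
    """Return the sorted IAM actions a grant level covers (cumulative)."""
    if level not in LEVEL_ORDER:
        raise ValueError(f"unknown grant level: {level}")
    included = set(LEVEL_ORDER[: LEVEL_ORDER.index(level) + 1])
    return sorted(action for action, lvl in rows if lvl in included)


def policy_for_level(level, resource="*", rows=TABLE_ROWS):
    """Build an IAM policy document allowing every action the level covers."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"TurbotS3{level}",
            "Effect": "Allow",
            "Action": actions_for_level(level, rows),
            "Resource": resource,
        }],
    }


def check_policy(policy, level, rows=TABLE_ROWS):
    """Report Allow actions in a policy that exceed the given grant level.

    Returns {action: reason}.  Reasons: 'requires <Level>', 'option-gated
    (Whitelist)', 'never granted (None)', 'not in table', or a wildcard
    notice, since 's3:*'-style actions cannot be classified row by row.
    """
    level_of = dict(rows)
    allowed = set(actions_for_level(level, rows))
    findings = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action in allowed:
                continue
            if "*" in action:
                findings[action] = "wildcard: cannot be classified"
            elif action not in level_of:
                findings[action] = "not in table"
            elif level_of[action] == "Whitelist":
                findings[action] = "option-gated (Whitelist)"
            elif level_of[action] == "None":
                findings[action] = "never granted (None)"
            else:
                findings[action] = f"requires {level_of[action]}"
    return findings


if __name__ == "__main__":
    print(json.dumps(policy_for_level("Operator"), indent=2))
    # Constructed candidate policy for a role that is meant to be Operator.
    candidate = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:PutBucketPolicy",
                       "s3:PutBucketAcl", "s3:PutBucketRequestPayment", "s3:*"],
            "Resource": "*",
        }],
    }
    for action, reason in check_policy(candidate, "Operator").items():
        print(f"{action}: {reason}")
```

To use the full table, replace `TABLE_ROWS` with every (permission, level) pair above; the checker then tells you, for any policy attached to a role, which statements step outside the level that role is supposed to have, and which Whitelist actions need the corresponding option turned on rather than a plain grant.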