Authenticating and authorizing for directory buckets in Local Zones (original) (raw)

Directory buckets in Local Zones support both AWS Identity and Access Management (IAM) authorization and session-based authorization. For more information about authentication and authorization for directory buckets, see Authenticating and authorizing requests.

Resources

Amazon Resource Names (ARNs) for directory buckets contain thes3express namespace, the AWS parent Region, the AWS account ID, and the directory bucket name which includes the Zone ID. To access and perform actions on your directory bucket, you must use the following ARN format:

arn:aws:s3express:region-code:account-id:bucket/bucket-base-name--ZoneID--x-s3

For directory buckets in a Local Zone, the Zone ID is the ID of the Local Zone. For more information about directory buckets in Local Zones, see Concepts for directory buckets in Local Zones. For more information about ARNs, see Amazon Resource Names (ARNs) in the IAM User Guide. For more information about resources, seeIAM JSON Policy Elements: Resource in the_IAM User Guide_.

Condition keys for directory buckets in Local Zones

In Local Zones, you can use all the Condition keys for directory buckets in your IAM policies. Additionally, to create a data perimeter around your Local Zone network border groups, you can use the condition key s3express:AllAccessRestrictedToLocalZoneGroup to deny all requests from outside the groups.

The following condition key can be used to further refine the conditions under which an IAM policy statement applies. For a complete list of API operations, policy actions, and condition keys that are supported by directory buckets, see Policy actions for directory buckets.

Note

The following condition key only applies to Local Zones and isn't supported in Availability Zones and AWS Regions.

API operations	Policy actions	Description	Condition key	Description	Type
Zonal endpoint API operations	s3express:CreateSession	Grants permission to create a session token, which is used for granting access to all Zonal endpoint API operations, such asCreateSession, HeadBucket,CopyObject, PutObject, andGetObject.	s3express:AllAccessRestrictedToLocalZoneGroup	Filters all access to the bucket unless the request originates from the AWS Local Zone network border groups provided in this condition key. Values: Local Zone network border group value	String

Example policies

To restrict object access to requests from within a data residency boundary that you define (specifically, a Local Zone Group which is a set of Local Zones parented to the same AWS Region), you can set any of the following policies:

The service control policy (SCP). For information about SCPs, see Service control policies (SCPs) in the_AWS Organizations User Guide_.
The IAM identity-based policy for the IAM role.
The VPC endpoint policy. For more information about the VPC endpoint policies, see Control access to VPC endpoints using endpoint policies in the_AWS PrivateLink Guide_.
The S3 bucket policy.

Note

The condition key s3express:AllAccessRestrictedToLocalZoneGroup doesn't support access from an on-premises environment. To support the access from an on-premises environment, you must add the source IP to the policies. For more information, see aws:SourceIp in the IAM User Guide.

Example – SCP policy


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Access-to-specific-LocalZones-only",
            "Effect": "Deny",
            "Action": [
                "s3express:*",
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {
                    "s3express:AllAccessRestrictedToLocalZoneGroup": [
                        "local-zone-network-border-group-value"
                    ]
                }
            }
        }
    ]
}

Example – IAM identity-based policy (attached to IAM role)


{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "s3express:CreateSession",
        "Resource": "*",
        "Condition": {
            "StringNotEqualsIfExists": {
                "s3express:AllAccessRestrictedToLocalZoneGroup": [
                    "local-zone-network-border-group-value"
                ]              
            }
        }
    }
}

Example – VPC endpoint policy


{
    "Version": "2012-10-17",
    "Statement": [
        {       
            "Sid": "Access-to-specific-LocalZones-only",
            "Principal": "*",
            "Action": "s3express:CreateSession",
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {
                 "StringNotEqualsIfExists": {
                     "s3express:AllAccessRestrictedToLocalZoneGroup": [
                         "local-zone-network-border-group-value"
                     ]
                 }   
            }
        }
    ]
}

Example – bucket policy


{
    "Version": "2012-10-17",
    "Statement": [
        {       
            "Sid": "Access-to-specific-LocalZones-only",
            "Principal": "*",
            "Action": "s3express:CreateSession",
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {
                 "StringNotEqualsIfExists": {
                     "s3express:AllAccessRestrictedToLocalZoneGroup": [
                         "local-zone-network-border-group-value"
                     ]
                 }   
            }
        }
    ]
}