Supported bucket policy conditions
The Condition element of a bucket policy statement specifies the circumstances under which that statement is in effect. The following tables list the condition keys that ECS supports for use in condition expressions, grouped into generic AWS keys, S3-specific keys for object operations, and S3-specific keys for bucket operations.
Table 1. Supported generic AWS condition keys

| Key name | Description | Applicable operators |
|---|---|---|
| aws:CurrentTime | Checks date/time conditions against the time of the request. | Date operator |
| aws:EpochTime | Checks date/time conditions using a date expressed in epoch (UNIX) time (see Date Condition Operators). | Date operator |
| aws:principalType | Checks the type of principal (user, account, federated user, and so on) making the current request. | String operator |
| aws:SourceIp | Checks the requester's IP address. | String operator |
| aws:UserAgent | Checks the requester's client application (the User-Agent header). | String operator |
| aws:username | Checks the requester's user name. | String operator |

Two points to keep in mind when relying on these keys as access controls. The User-Agent header is set by the client and is trivially forged, so aws:UserAgent is suitable for compatibility gating, not for authorization. aws:SourceIp is listed here with the string operator; in AWS the same key is evaluated with the IpAddress/NotIpAddress operators, which understand CIDR ranges, so confirm how your ECS release handles address ranges before writing a policy that depends on them.
Table 2. Supported S3-specific condition keys for object operations

| Key name | Description | Applicable permissions |
|---|---|---|
| s3:x-amz-acl | Sets a condition that requires a specific canned ACL when the user uploads an object or sets its ACL. | s3:PutObject, s3:PutObjectAcl, s3:PutObjectVersionAcl |
| s3:x-amz-grant-permission (for explicit permissions), where permission can be: read, write, read-acp, write-acp, full-control | The bucket owner can add conditions using these keys to require that specific grants are present on the request. | s3:PutObject, s3:PutObjectAcl, s3:PutObjectVersionAcl |
| s3:x-amz-server-side-encryption | Requires the user to specify this header in the request, for example to refuse uploads that are not server-side encrypted. | s3:PutObject, s3:PutObjectAcl |
| s3:VersionId | Restricts the user to accessing data only for a specific version of the object. | s3:PutObject, s3:PutObjectAcl, s3:DeleteObjectVersion |
Table 3. Supported S3-specific condition keys for bucket operations

| Key name | Description | Applicable permissions |
|---|---|---|
| s3:x-amz-acl | Sets a condition that requires a specific canned ACL when the user creates a bucket or sets its ACL. | s3:CreateBucket, s3:PutBucketAcl |
| s3:x-amz-grant-permission (for explicit permissions), where permission can be: read, write, read-acp, write-acp, full-control | The bucket owner can add conditions using these keys to require that specific grants are present on the request. | s3:CreateBucket, s3:PutBucketAcl |
| s3:prefix | Restricts listing to object keys that begin with a specific prefix; the user must supply a matching prefix parameter. | s3:ListBucket, s3:ListBucketVersions |
| s3:delimiter | Requires the user to specify the delimiter parameter in the Get Bucket (List Objects) request. | s3:ListBucket, s3:ListBucketVersions |
| s3:max-keys | Limits the number of keys ECS returns in response to the Get Bucket (List Objects) request by requiring the user to specify the max-keys parameter. NOTE: On EXF900 systems, the max-keys parameter can be set up to 20000 per list request. | s3:ListBucket, s3:ListBucketVersions |
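The tables above list the keys but not how a Condition block is combined at evaluation time, which is where most policy mistakes are made. The following is an added example written for this page, not ECS's own code or policy engine: a small evaluator that applies the AWS-style rules (operators and keys inside one Condition are ANDed, the values listed for one key are ORed, an explicit Deny beats any Allow, and a missing key fails a positive operator but satisfies a negated one such as StringNotEquals) to a constructed policy that uses keys from all three tables. The IpAddress and NumericLessThanEquals operators, CIDR matching for aws:SourceIp, the `{"AWS": [...]}` principal form, and the bucket ARNs, user names and addresses are assumptions made for the illustration; the tables above only list Date and String operators, so check these against your ECS release before copying the policy.

```python
"""Added example (not ECS code): minimal evaluator for the condition keys in the tables above,
run against a constructed policy and constructed requests.  Semantics mirror AWS IAM evaluation."""
import fnmatch
import ipaddress
from datetime import datetime

# Constructed sample policy exercising keys from all three tables above (ARNs/names invented).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Table 2: refuse uploads lacking the SSE header.  StringNotEquals is negated,
            # so a request with the key absent matches the statement and is denied.
            "Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": "arn:aws:s3:::reports/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
        },
        {   # Tables 1 and 3: 'auditor' may list only under audit/, from the office range,
            # before a cutoff date, and with a bounded page size.
            "Sid": "AuditorListing", "Effect": "Allow", "Principal": {"AWS": ["auditor"]},
            "Action": ["s3:ListBucket", "s3:ListBucketVersions"], "Resource": "arn:aws:s3:::reports",
            "Condition": {
                "StringLike": {"s3:prefix": "audit/*"},
                "IpAddress": {"aws:SourceIp": "192.0.2.0/24"},   # CIDR matching is assumed here
                "DateLessThan": {"aws:CurrentTime": "2030-01-01T00:00:00Z"},
                "NumericLessThanEquals": {"s3:max-keys": "1000"},
            },
        },
        {   # Table 1: only the 'uploader' user may write objects.
            "Sid": "UploaderWrites", "Effect": "Allow", "Principal": "*",
            "Action": "s3:PutObject", "Resource": "arn:aws:s3:::reports/*",
            "Condition": {"StringEquals": {"aws:username": "uploader"}},
        },
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(spec, principal):
    if spec == "*":
        return True
    if isinstance(spec, dict):        # {"AWS": "name"} or {"AWS": [names]} (assumed form)
        spec = spec.get("AWS", [])
    return principal in _as_list(spec)

def _cond_matches(op, want, got):
    """One operator for one key: want = policy values (ORed), got = request value or None."""
    negated = op.startswith("StringNot") or op == "NotIpAddress"
    if got is None:
        return negated                # missing key: positive ops fail, negated ops pass
    if op in ("StringEquals", "StringNotEquals"):
        hit = got in want
    elif op in ("StringLike", "StringNotLike"):
        hit = any(fnmatch.fnmatchcase(got, w) for w in want)
    elif op in ("IpAddress", "NotIpAddress"):
        addr = ipaddress.ip_address(got)
        hit = any(addr in ipaddress.ip_network(w, strict=False) for w in want)
    elif op == "DateLessThan":
        iso = lambda t: datetime.fromisoformat(t.replace("Z", "+00:00"))
        hit = any(iso(got) < iso(w) for w in want)
    elif op == "NumericLessThanEquals":
        hit = any(int(got) <= int(w) for w in want)
    else:
        raise ValueError(f"unsupported operator {op}")
    return not hit if negated else hit

def _statement_applies(stmt, req):
    if not _principal_matches(stmt.get("Principal", "*"), req["principal"]):
        return False
    if not any(fnmatch.fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(req["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    for op, keys in stmt.get("Condition", {}).items():   # every operator and key must hold
        for key, want in keys.items():
            if not _cond_matches(op, _as_list(want), req["context"].get(key)):
                return False
    return True

def evaluate(policy, req):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request; explicit Deny wins."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_applies(s, req)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "ImplicitDeny"

def sample_requests():
    """Constructed requests; the context dict carries the condition-key values."""
    put = {"principal": "uploader", "action": "s3:PutObject", "resource": "arn:aws:s3:::reports/q1.csv"}
    lst = {"principal": "auditor", "action": "s3:ListBucket", "resource": "arn:aws:s3:::reports"}
    office = {"aws:SourceIp": "192.0.2.77", "aws:CurrentTime": "2025-06-01T12:00:00Z", "s3:max-keys": "500"}
    return {
        "encrypted_upload": {**put, "context": {"aws:username": "uploader", "s3:x-amz-server-side-encryption": "AES256"}},
        "plaintext_upload": {**put, "context": {"aws:username": "uploader"}},
        "auditor_listing": {**lst, "context": {**office, "s3:prefix": "audit/2024/"}},
        "auditor_wrong_prefix": {**lst, "context": {**office, "s3:prefix": "hr/"}},
        "auditor_offsite": {**lst, "context": {**office, "aws:SourceIp": "203.0.113.5", "s3:prefix": "audit/"}},
    }

if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:22s} -> {evaluate(SAMPLE_POLICY, req)}")
```

Running the block prints Allow for the encrypted upload and the in-range auditor listing, Deny for the plaintext upload, and ImplicitDeny for the wrong-prefix and off-site listings. The point worth internalizing is the missing-key rule: the Deny statement catches uploads that omit the s3:x-amz-server-side-encryption header only because StringNotEquals is a negated operator, whereas a positive operator would silently skip those requests. An evaluator like this is useful for unit-testing policy intent before the policy is applied to a bucket, but the ECS policy engine remains the authority on what a given release accepts.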