AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2026-05-28 · Documentation low

File: AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.md

Summary

Added example IAM policy with least-privilege guidance for S3 Express One Zone

Security assessment

Proactively provides security best practices (least privilege) and sample policy for new service, but doesn't address specific vulnerabilities or incidents.

Diff

diff --git a/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.md b/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.md
index 69851ca5e..2ffd2b92b 100644
--- a//AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.md
+++ b//AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.md
@@ -10,0 +11,51 @@ Before you can create directory buckets, you must grant the necessary permission
+###### Note
+
+As a best practice, grant only the permissions required to perform a task (least-privilege). Remove any actions from this policy that are not needed for your use case. For a complete list of S3 Express One Zone actions, see [Actions, resources, and condition keys for S3 Express One Zone](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3express.html) in the _Service Authorization Reference_.
+
+###### Example— Identity-based policy for directory bucket access
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "AllowRegionalEndpointAPIs",
+                "Effect": "Allow",
+                "Action": [
+                    "s3express:CreateBucket",
+                    "s3express:DeleteBucket",
+                    "s3express:DeleteBucketPolicy",
+                    "s3express:GetBucketPolicy",
+                    "s3express:PutBucketPolicy",
+                    "s3express:GetEncryptionConfiguration",
+                    "s3express:PutEncryptionConfiguration",
+                    "s3express:GetLifecycleConfiguration",
+                    "s3express:PutLifecycleConfiguration",
+                    "s3express:GetInventoryConfiguration",
+                    "s3express:PutInventoryConfiguration",
+                    "s3express:GetMetricsConfiguration",
+                    "s3express:PutMetricsConfiguration"
+                ],
+                "Resource": "arn:aws:s3express:region:account-id:bucket/bucket-base-name--zone-id--x-s3"
+            },
+            {
+                "Sid": "AllowListAndCreateSession",
+                "Effect": "Allow",
+                "Action": [
+                    "s3express:ListAllMyDirectoryBuckets",
+                    "s3express:CreateSession"
+                ],
+                "Resource": "*"
+            }
+        ]
+    }
+
+This policy has two statements:
+
+  * The first statement grants permissions for Regional endpoint (bucket-level) API operations on a specific directory bucket. You can remove actions that you don't need for your use case.
+
+  * The second statement grants permissions for `ListAllMyDirectoryBuckets` and `CreateSession`. These actions don't support resource-level permissions, so the `Resource` is `"*"`. The `CreateSession` permission enables all Zonal endpoint (object-level) API operations, such as `PutObject`, `GetObject`, and `DeleteObject`.
+
+
+
+