

# Security in S3 on Outposts
<a name="s3outposts-security"></a>

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from data centers and network architectures that are built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to Amazon S3 on Outposts, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company's requirements, and applicable laws and regulations. 

This documentation helps you understand how to apply the shared responsibility model when using S3 on Outposts. The following topics show you how to configure S3 on Outposts to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your S3 on Outposts resources. 

**Topics**
+ [Setting up IAM with S3 on Outposts](S3OutpostsIAM.md)
+ [Data encryption in S3 on Outposts](s3-outposts-data-encryption.md)
+ [AWS PrivateLink for S3 on Outposts](s3-outposts-privatelink-interface-endpoints.md)
+ [AWS Signature Version 4 (SigV4) authentication-specific policy keys](s3-outposts-bucket-policy-s3-sigv4-conditions.md)
+ [AWS managed policies for Amazon S3 on Outposts](s3-outposts-aws-manpol.md)
+ [Using service-linked roles for Amazon S3 on Outposts](S3OutpostsServiceLinkedRoles.md)

# Setting up IAM with S3 on Outposts
<a name="S3OutpostsIAM"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use Amazon S3 on Outposts resources. IAM is an AWS service that you can use with no additional charge. By default, users don't have permissions for S3 on Outposts resources and operations. To grant access permissions for S3 on Outposts resources and API operations, you can use IAM to create [users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html), [groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html), or [roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html#id_iam-roles) and attach permissions.

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

In addition to IAM identity-based policies, S3 on Outposts supports both bucket and access point policies. Bucket policies and access point policies are [resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) that are attached to the S3 on Outposts resource. 
+ A bucket policy is attached to the bucket and allows or denies requests to the bucket and the objects in it based on the elements in the policy. 
+ In contrast, an access point policy is attached to the access point and allows or denies requests to the access point.

The access point policy works with the bucket policy that is attached to the underlying S3 on Outposts bucket. For an application or user to access objects in an S3 on Outposts bucket through an S3 on Outposts access point, both the access point policy and the bucket policy must permit the request. 

Restrictions that you include in an access point policy apply only to requests made through that access point. For example, if an access point is attached to a bucket, you can't use the access point policy to allow or deny requests that are made directly to the bucket. However, restrictions that you apply to a bucket policy can allow or deny requests made directly to the bucket or through the access point. 
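The following added example (not AWS code and not from this page) models the two-layer check just described in Python: a small policy evaluator is run first against the bucket policy and then, only for requests that arrive through the access point, against the access point policy. The ARNs, role names and both policies are constructed placeholders; identity-based policies are left out, and a request that no statement allows is treated as denied.

```python
import fnmatch

# Constructed sample ARNs, in the shapes this page documents.
OUTPOST_ARN = "arn:aws:s3-outposts:us-west-2:123456789012:outpost/op-01ac5d28a6a232904"
BUCKET_ARN = OUTPOST_ARN + "/bucket/amzn-s3-demo-bucket1"
ACCESS_POINT_ARN = OUTPOST_ARN + "/accesspoint/access-point-name"
APP_ROLE = "arn:aws:iam::123456789012:role/app"
BATCH_ROLE = "arn:aws:iam::123456789012:role/batch"

# Bucket policy: both roles may read any object, nobody may read secret/*.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [APP_ROLE, BATCH_ROLE]},
     "Action": "s3-outposts:GetObject", "Resource": BUCKET_ARN + "/object/*"},
    {"Effect": "Deny", "Principal": "*",
     "Action": "s3-outposts:GetObject", "Resource": BUCKET_ARN + "/object/secret/*"},
]}

# Access point policy: only the app role, and only the reports/ and secret/ prefixes.
ACCESS_POINT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": APP_ROLE},
     "Action": "s3-outposts:GetObject",
     "Resource": [ACCESS_POINT_ARN + "/object/reports/*",
                  ACCESS_POINT_ARN + "/object/secret/*"]},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal):
    who = stmt["Principal"]
    if who == "*":
        return True
    aws = _as_list(who.get("AWS", []))
    return "*" in aws or principal in aws


def evaluate(policy, principal, action, resource):
    """Verdict of one policy: 'Deny' if any matching statement denies,
    'Allow' if one allows, otherwise 'NoMatch' (which counts as denied)."""
    verdict = "NoMatch"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, principal):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict


def authorized(principal, action, key, via_access_point):
    """Requests through the access point must be allowed by BOTH policies;
    requests made straight to the bucket never consult the access point policy."""
    if evaluate(BUCKET_POLICY, principal, action, f"{BUCKET_ARN}/object/{key}") != "Allow":
        return False
    if not via_access_point:
        return True
    return evaluate(ACCESS_POINT_POLICY, principal, action,
                    f"{ACCESS_POINT_ARN}/object/{key}") == "Allow"
```

Run `authorized(APP_ROLE, "s3-outposts:GetObject", "logs/app.log", True)` and then the same call with `via_access_point=False`: the first is refused because the access point policy only covers `reports/` and `secret/`, the second succeeds because the access point restriction doesn't apply to direct requests. The bucket policy's deny on `secret/*` blocks both paths.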

In an IAM policy or a resource-based policy, you define which S3 on Outposts actions are allowed or denied. S3 on Outposts actions correspond to specific S3 on Outposts API operations and use the `s3-outposts:` namespace prefix. Requests made to the S3 on Outposts control API in an AWS Region and requests made to the object API endpoints on the Outpost are both authenticated by using IAM and authorized against the `s3-outposts:` namespace. Permissions granted in the `s3:` namespace (for example, `s3:GetObject` or `s3:*`) don't apply to S3 on Outposts resources, so to work with S3 on Outposts, you must grant your IAM principals the `s3-outposts:` actions they need.

For more information, see [Actions, resources, and condition keys for Amazon S3 on Outposts](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3onoutposts.html) in the *Service Authorization Reference*.

**Note**  
Access control lists (ACLs) are not supported by S3 on Outposts.
S3 on Outposts defaults to the bucket owner as object owner to help ensure that the owner of a bucket can't be prevented from accessing or deleting objects.
S3 on Outposts always has S3 Block Public Access enabled to help ensure that objects can never have public access.

For more information about setting up IAM for S3 on Outposts, see the following topics.

**Topics**
+ [Principals for S3 on Outposts policies](#S3OutpostsPrincipal)
+ [Resource ARNs for S3 on Outposts](#S3OutpostsARN)
+ [Example policies for S3 on Outposts](#S3OutpostsPolicyExamples)
+ [Permissions for S3 on Outposts endpoints](#S3OutpostsEndpointPermissions)
+ [Service-linked roles for S3 on Outposts](#S3OutpostsUsingSLR)

## Principals for S3 on Outposts policies
<a name="S3OutpostsPrincipal"></a>

When you create a resource-based policy to grant access to your S3 on Outposts bucket, you must use the `Principal` element to specify the person or application that can make a request for an action or operation on that resource. For S3 on Outposts policies, you can use one of the following principals:
+ An AWS account
+ An IAM user
+ An IAM role
+ All principals, by specifying a wildcard character (`*`) in a policy that uses a `Condition` element to limit access to a specific IP range

**Important**  
You can't write a policy for an S3 on Outposts bucket that uses a wildcard character (`*`) in the `Principal` element unless the policy also includes a `Condition` that limits access to a specific IP address range. This restriction helps ensure that there is no public access to your S3 on Outposts bucket. For an example, see [Example policies for S3 on Outposts](#S3OutpostsPolicyExamples). 

For more information about the `Principal` element, see [AWS JSON policy elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in the *IAM User Guide*. 

## Resource ARNs for S3 on Outposts
<a name="S3OutpostsARN"></a>

Amazon Resource Names (ARNs) for S3 on Outposts contain the Outpost ID in addition to the AWS Region that the Outpost is homed to, the AWS account ID, and the resource name. To access and perform actions on your Outposts buckets and objects, you must use one of the ARN formats shown in the following table.

The `partition` value in the ARN refers to a group of AWS Regions. Each AWS account is scoped to one partition. The following are the supported partitions:
+ `aws` – AWS Regions
+ `aws-us-gov` – AWS GovCloud (US) Regions

 The following table shows S3 on Outposts ARN formats. 


| Amazon S3 on Outposts ARN | ARN format | Example | 
| --- | --- | --- | 
| Bucket ARN | `arn:partition:s3-outposts:region:account_id:outpost/outpost_id/bucket/bucket_name` | `arn:aws:s3-outposts:us-west-2:123456789012:outpost/op-01ac5d28a6a232904/bucket/amzn-s3-demo-bucket1` | 
| Access point ARN | `arn:partition:s3-outposts:region:account_id:outpost/outpost_id/accesspoint/accesspoint_name` | `arn:aws:s3-outposts:us-west-2:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/access-point-name` | 
| Object ARN | `arn:partition:s3-outposts:region:account_id:outpost/outpost_id/bucket/bucket_name/object/object_key` | `arn:aws:s3-outposts:us-west-2:123456789012:outpost/op-01ac5d28a6a232904/bucket/amzn-s3-demo-bucket1/object/myobject` | 
| S3 on Outposts access point object ARN (used in policies) | `arn:partition:s3-outposts:region:account_id:outpost/outpost_id/accesspoint/accesspoint_name/object/object_key` | `arn:aws:s3-outposts:us-west-2:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/access-point-name/object/myobject` | 
| S3 on Outposts ARN | `arn:partition:s3-outposts:region:account_id:outpost/outpost_id` | `arn:aws:s3-outposts:us-west-2:123456789012:outpost/op-01ac5d28a6a232904` | 

## Example policies for S3 on Outposts
<a name="S3OutpostsPolicyExamples"></a>

**Example : S3 on Outposts bucket policy with an AWS account principal**  
The following bucket policy uses an AWS account principal to grant access to an S3 on Outposts bucket. To use this bucket policy, replace the `user input placeholders` with your own information.

**Example : S3 on Outposts bucket policy with a wildcard principal (`*`) and condition key to limit access to a specific IP address range**  
The following bucket policy uses a wildcard principal (`*`) with the `aws:SourceIp` condition to limit access to a specific IP address range. To use this bucket policy, replace the `user input placeholders` with your own information.
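The two policies described above are not printed on this page. The following added Python example (not AWS code) builds both of them and lints a bucket policy against the rules stated in this section and in the ARN table: every `Resource` must be a well-formed S3 on Outposts ARN for this bucket, every action must be in the `s3-outposts:` namespace, and a wildcard `Principal` must come with an `aws:SourceIp` condition. The bucket ARN, account ID, CIDR range and function names are placeholders of this example.

```python
import json
import re

# Bucket, access point and object ARN shapes from the "Resource ARNs" table above.
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-us-gov):s3-outposts:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):outpost/(?P<outpost>op-[0-9a-f]+)/"
    r"(?P<kind>bucket|accesspoint)/(?P<name>[^/]+)(?:/object/(?P<key>.*))?$"
)

# Constructed placeholder bucket ARN.
BUCKET_ARN = ("arn:aws:s3-outposts:us-west-2:123456789012:"
              "outpost/op-01ac5d28a6a232904/bucket/amzn-s3-demo-bucket1")


def parse_arn(arn):
    """Split an S3 on Outposts ARN into its parts; reject any other ARN."""
    m = ARN_RE.match(arn)
    if m is None:
        raise ValueError(f"not an S3 on Outposts bucket/access point ARN: {arn}")
    return m.groupdict()


def account_principal_policy(bucket_arn, account_id):
    """First example from the section above: grant one AWS account object access."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowAccountObjectAccess",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": ["s3-outposts:GetObject", "s3-outposts:PutObject"],
        "Resource": f"{bucket_arn}/object/*",
    }]}


def ip_restricted_wildcard_policy(bucket_arn, cidr):
    """Second example: Principal '*' is only accepted together with a
    condition that limits the source IP range."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowOnlyFromOnPremRange",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3-outposts:GetObject",
        "Resource": f"{bucket_arn}/object/*",
        "Condition": {"IpAddress": {"aws:SourceIp": cidr}},
    }]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint(policy, bucket_arn):
    """Check a bucket policy against the rules on this page.
    Returns a list of findings; an empty list means it passed."""
    bucket = parse_arn(bucket_arn)
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        for res in _as_list(stmt["Resource"]):
            try:
                r = parse_arn(res)
            except ValueError as err:
                findings.append(f"{sid}: {err}")
                continue
            if (r["outpost"], r["kind"], r["name"]) != (bucket["outpost"], "bucket", bucket["name"]):
                findings.append(f"{sid}: resource {res} is not this bucket or its objects")
        for action in _as_list(stmt["Action"]):
            if not action.startswith("s3-outposts:"):
                findings.append(f"{sid}: action {action} is outside the s3-outposts: namespace")
        who = stmt.get("Principal")
        aws = _as_list(who.get("AWS", [])) if isinstance(who, dict) else _as_list(who)
        # Condition keys are matched case-insensitively, so compare lower-cased.
        if "*" in aws and "aws:sourceip" not in json.dumps(stmt.get("Condition", {})).lower():
            findings.append(f"{sid}: wildcard Principal without an aws:SourceIp condition")
    return findings
```

Both generated policies pass `lint`; deleting the `Condition` from the wildcard policy, or swapping `s3-outposts:GetObject` for `s3:GetObject`, each produces one finding, which is the kind of mistake worth catching before `put-bucket-policy` rather than after.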

## Permissions for S3 on Outposts endpoints
<a name="S3OutpostsEndpointPermissions"></a>

 

S3 on Outposts requires its own permissions in IAM to manage S3 on Outposts endpoint actions.

**Note**  
For endpoints that use the customer-owned IP address pool (CoIP pool) access type, you also must have permissions to work with IP addresses from your CoIP pool, as described in the following table.
For shared accounts that access S3 on Outposts by using AWS Resource Access Manager, users in these shared accounts can't create their own endpoints on a shared subnet. If a user in a shared account wants to manage their own endpoints, the shared account must create its own subnet on the Outpost. For more information, see [Sharing S3 on Outposts by using AWS RAM](outposts-sharing-with-ram.md).

 The following table shows S3 on Outposts endpoint-related IAM permissions. 


| Action | IAM permissions | 
| --- | --- | 
| CreateEndpoint | `s3-outposts:CreateEndpoint`, `ec2:CreateNetworkInterface`, `ec2:DescribeNetworkInterfaces`, `ec2:DescribeVpcs`, `ec2:DescribeSecurityGroups`, `ec2:DescribeSubnets`, `ec2:CreateTags`, `iam:CreateServiceLinkedRole`. For endpoints that use the on-premises customer-owned IP address pool (CoIP pool) access type, the following additional permissions are required: `ec2:DescribeCoipPools`, `ec2:GetCoipPoolUsage`, `ec2:AllocateAddress`, `ec2:AssociateAddress`, `ec2:DescribeAddresses`, `ec2:DescribeLocalGatewayRouteTableVpcAssociations` | 
| DeleteEndpoint | `s3-outposts:DeleteEndpoint`, `ec2:DeleteNetworkInterface`, `ec2:DescribeNetworkInterfaces`. For endpoints that use the CoIP pool access type, the following additional permissions are required: `ec2:DisassociateAddress`, `ec2:DescribeAddresses`, `ec2:ReleaseAddress` | 
| ListEndpoints | `s3-outposts:ListEndpoints` | 

**Note**  
You can use resource tags in an IAM policy to manage permissions.

## Service-linked roles for S3 on Outposts
<a name="S3OutpostsUsingSLR"></a>

S3 on Outposts uses IAM service-linked roles to create some network resources on your behalf. For more information, see [Using service-linked roles for Amazon S3 on Outposts](S3OutpostsServiceLinkedRoles.md).

# Data encryption in S3 on Outposts
<a name="s3-outposts-data-encryption"></a>

By default, all data stored in Amazon S3 on Outposts is encrypted by using server-side encryption with Amazon S3 managed encryption keys (SSE-S3). For more information, see [Using server-side encryption with Amazon S3 managed keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html) in the *Amazon S3 User Guide*.

You can optionally use server-side encryption with customer-provided encryption keys (SSE-C). To use SSE-C, specify an encryption key as part of your object API requests. Server-side encryption encrypts only the object data, not the object metadata. For more information, see [Using server-side encryption with customer-provided keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html) in the *Amazon S3 User Guide*.

**Note**  
S3 on Outposts doesn't support server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS). 
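To show what "specify an encryption key as part of your object API requests" means on the wire, here is an added Python example (not from this page or the AWS SDKs) that builds the three SSE-C request headers, checks the key MD5 the way the service does, and wraps the boto3 `put_object`, `get_object` and `copy_object` calls with their SSE-C parameters. The key, access point ARN and object key are placeholders; the rotation helper assumes an in-place server-side copy through the access point is permitted in your setup.

```python
import base64
import hashlib

KEY_LEN = 32  # SSE-C uses 256-bit AES keys


def sse_c_headers(key: bytes) -> dict:
    """Headers an SSE-C object request carries. The key itself travels in a
    header, so these requests must go over TLS; the MD5 lets the service
    reject a corrupted key before it encrypts or decrypts anything."""
    if len(key) != KEY_LEN:
        raise ValueError(f"SSE-C key must be {KEY_LEN} bytes, got {len(key)}")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5":
            base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def key_from_headers(headers: dict) -> bytes:
    return base64.b64decode(headers["x-amz-server-side-encryption-customer-key"])


def key_md5_matches(headers: dict) -> bool:
    """Client-side version of the integrity check the service performs."""
    want = base64.b64decode(headers["x-amz-server-side-encryption-customer-key-MD5"])
    return hashlib.md5(key_from_headers(headers)).digest() == want


def put_object_sse_c(s3, access_point_arn, object_key, body, key):
    """Upload through an S3 on Outposts access point with SSE-C. boto3 adds
    the base64 and MD5 headers shown above from SSECustomerKey."""
    return s3.put_object(Bucket=access_point_arn, Key=object_key, Body=body,
                         SSECustomerAlgorithm="AES256", SSECustomerKey=key)


def get_object_sse_c(s3, access_point_arn, object_key, key):
    """Every read must present the same key: the service does not keep it,
    so a key you lose makes the object unreadable."""
    return s3.get_object(Bucket=access_point_arn, Key=object_key,
                         SSECustomerAlgorithm="AES256", SSECustomerKey=key)


def rotate_sse_c_key(s3, access_point_arn, object_key, old_key, new_key):
    """No SSE-KMS on S3 on Outposts means rotation is your job: a server-side
    copy that decrypts with the old key and re-encrypts with the new one."""
    return s3.copy_object(
        Bucket=access_point_arn, Key=object_key,
        CopySource={"Bucket": access_point_arn, "Key": object_key},
        CopySourceSSECustomerAlgorithm="AES256", CopySourceSSECustomerKey=old_key,
        SSECustomerAlgorithm="AES256", SSECustomerKey=new_key,
    )
```

Because only the object data is encrypted, anything you put in user metadata or the object key is still stored in clear; keep secrets out of both.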

# AWS PrivateLink for S3 on Outposts
<a name="s3-outposts-privatelink-interface-endpoints"></a>

S3 on Outposts supports AWS PrivateLink, which provides direct management access to your S3 on Outposts storage through a private endpoint in your virtual private cloud (VPC). This lets you simplify your internal network architecture and perform management operations on your Outposts object storage by using private IP addresses in your VPC, without public IP addresses or proxy servers.

With AWS PrivateLink for Amazon S3 on Outposts, you can provision *interface VPC endpoints* in your virtual private cloud (VPC) to access your S3 on Outposts [bucket management](S3OutpostsAPI.md#S3OutpostsAPIsBucket) and [endpoint management](S3OutpostsAPI.md#S3OutpostsAPIs) APIs. Interface VPC endpoints are directly accessible from applications deployed in your VPC or on premises over your virtual private network (VPN) or AWS Direct Connect. You can access the bucket and endpoint management APIs through AWS PrivateLink. AWS PrivateLink doesn't support [data transfer](S3OutpostsAPI.md#S3OutpostsAPIsObject) API operations, such as GET, PUT, and similar APIs. These operations are already transferred privately through the S3 on Outposts endpoint and access point configuration. For more information, see [Networking for S3 on Outposts](S3OutpostsNetworking.md).

Interface endpoints are represented by one or more elastic network interfaces (ENIs) that are assigned private IP addresses from subnets in your VPC. Requests made to interface endpoints for S3 on Outposts are automatically routed to S3 on Outposts bucket and endpoint management APIs on the AWS network. You can also access interface endpoints in your VPC from on-premises applications through AWS Direct Connect or AWS Virtual Private Network (Site-to-Site VPN). For more information about how to connect your VPC with your on-premises network, see the [AWS Direct Connect User Guide](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html) and the [AWS Site-to-Site VPN User Guide](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html). 

Interface endpoints route requests for S3 on Outposts bucket and endpoint management APIs over the AWS network and through AWS PrivateLink, as illustrated in the following diagram.

![\[Data flow diagram shows how interface endpoints route requests for S3 on Outposts bucket and endpoint management APIs.\]](http://docs.aws.amazon.com/AmazonS3/latest/s3-outposts/images/s3-outposts-interface-endpoints.png)


For general information about interface endpoints, see [Interface VPC endpoints (AWS PrivateLink)](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html) in the *AWS PrivateLink Guide*.

**Topics**
+ [Restrictions and limitations](#s3-outposts-privatelink-restrictions)
+ [Accessing S3 on Outposts interface endpoints](#s3-outposts-accessing-s3-interface-endpoints)
+ [Updating an on-premises DNS configuration](#s3-outposts-updating-on-premises-dns-config)
+ [Creating a VPC endpoint for S3 on Outposts](#s3-outposts-creating-vpc)
+ [Creating bucket policies and VPC endpoint policies for S3 on Outposts](#s3-outposts-creating-vpc-endpoint-policy)

## Restrictions and limitations
<a name="s3-outposts-privatelink-restrictions"></a>

When you access S3 on Outposts bucket and endpoint management APIs through AWS PrivateLink, VPC limitations apply. For more information, see [Interface endpoint properties and limitations](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html#vpce-interface-limitations) and [AWS PrivateLink quotas](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-limits-endpoints.html) in the *AWS PrivateLink Guide*. 

In addition, AWS PrivateLink doesn't support the following:
+ [Federal Information Processing Standard (FIPS) endpoints](https://aws.amazon.com/compliance/fips/)
+ [S3 on Outposts data transfer APIs](S3OutpostsAPI.md#S3OutpostsAPIsObject), for example, GET, PUT, and similar object API operations.
+ Private DNS

## Accessing S3 on Outposts interface endpoints
<a name="s3-outposts-accessing-s3-interface-endpoints"></a>

To access S3 on Outposts bucket and endpoint management APIs using AWS PrivateLink, you *must* update your applications to use endpoint-specific DNS names. When you create an interface endpoint, AWS PrivateLink generates two types of endpoint-specific S3 on Outposts names: *Regional* and *zonal*.
+ **Regional DNS names** – include a unique VPC endpoint ID, a service identifier, the AWS Region, and `vpce.amazonaws.com`, for example, `vpce-1a2b3c4d-5e6f.s3-outposts.us-east-1.vpce.amazonaws.com`.
+ **Zonal DNS names** – include a unique VPC endpoint ID, the Availability Zone, a service identifier, the AWS Region, and `vpce.amazonaws.com`, for example, `vpce-1a2b3c4d-5e6f-us-east-1a.s3-outposts.us-east-1.vpce.amazonaws.com`. You might use this option if your architecture isolates Availability Zones. For example, you could use zonal DNS names for fault containment or to reduce Regional data transfer costs.

**Important**  
S3 on Outposts interface endpoints are resolved from the public DNS domain. S3 on Outposts does not support private DNS. Use the `--endpoint-url` parameter for all bucket and endpoint management APIs.

### AWS CLI examples
<a name="s3-outposts-privatelink-aws-cli-examples"></a>

Use the `--region` and `--endpoint-url` parameters to access bucket management and endpoint management APIs through S3 on Outposts interface endpoints. 

**Example : Use the endpoint URL to list buckets with the S3 control API**  
In the following example, replace the Region `us-east-1`, VPC endpoint URL `vpce-1a2b3c4d-5e6f.s3-outposts.us-east-1.vpce.amazonaws.com`, and account ID `111122223333` with appropriate information.  

```
aws s3control list-regional-buckets --region us-east-1 --endpoint-url https://vpce-1a2b3c4d-5e6f.s3-outposts.us-east-1.vpce.amazonaws.com --account-id 111122223333
```

### AWS SDK examples
<a name="s3-outposts-privatelink-aws-sdk-examples"></a>

Update your SDKs to the latest version, and configure your clients to use an endpoint URL for accessing the S3 control API for S3 on Outposts interface endpoints.

------
#### [ SDK for Python (Boto3) ]

**Example : Use an endpoint URL to access the S3 control API**  
In the following example, replace the Region `us-east-1` and VPC endpoint URL `vpce-1a2b3c4d-5e6f.s3-outposts.us-east-1.vpce.amazonaws.com` with appropriate information.   

```
import boto3

# Create the S3 Control client against the interface endpoint's
# endpoint-specific DNS name. Private DNS is not supported for S3 on
# Outposts, so the endpoint URL has to be set explicitly.
session = boto3.Session()
control_client = session.client(
    service_name='s3control',
    region_name='us-east-1',
    endpoint_url='https://vpce-1a2b3c4d-5e6f.s3-outposts.us-east-1.vpce.amazonaws.com'
)
```
For more information, see [AWS PrivateLink for Amazon S3](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/s3-example-privatelink.html) in the *Boto3 developer guide*.

------
#### [ SDK for Java 2.x ]

**Example : Use an endpoint URL to access the S3 control API**  
In the following example, replace the VPC endpoint URL `vpce-1a2b3c4d-5e6f.s3-outposts.us-east-1.vpce.amazonaws.com` and the Region `Region.US_EAST_1` with appropriate information.  

```
import java.net.URI;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3control.S3ControlClient;

// Control client: route bucket and endpoint management calls through the
// interface endpoint's endpoint-specific DNS name.
Region region = Region.US_EAST_1;
S3ControlClient s3ControlClient = S3ControlClient.builder()
        .region(region)
        .endpointOverride(URI.create("https://vpce-1a2b3c4d-5e6f.s3-outposts.us-east-1.vpce.amazonaws.com"))
        .build();
```
For more information, see [S3ControlClient](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/s3control/S3ControlClient.html) in the *AWS SDK for Java API Reference*.

------

## Updating an on-premises DNS configuration
<a name="s3-outposts-updating-on-premises-dns-config"></a>

When you use endpoint-specific DNS names to access the interface endpoints for the S3 on Outposts bucket management and endpoint management APIs, you don't have to update your on-premises DNS resolver. The endpoint-specific DNS name is published in the public S3 on Outposts DNS domain and resolves to the private IP addresses of the interface endpoint, so any resolver that can reach public DNS returns the private address. 

## Creating a VPC endpoint for S3 on Outposts
<a name="s3-outposts-creating-vpc"></a>

To create a VPC interface endpoint for S3 on Outposts, see [ Create a VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws) in the *AWS PrivateLink Guide*.

## Creating bucket policies and VPC endpoint policies for S3 on Outposts
<a name="s3-outposts-creating-vpc-endpoint-policy"></a>

You can attach an endpoint policy to your VPC endpoint that controls access to S3 on Outposts. You can also use the `aws:sourceVpce` condition in S3 on Outposts bucket policies to restrict access to specific buckets from a specific VPC endpoint. With VPC endpoint policies, you can control access to S3 on Outposts bucket management APIs and endpoint management APIs. With bucket policies, you can control access to the S3 on Outposts bucket management APIs. However, you can't manage access to object actions for S3 on Outposts using `aws:sourceVpce`.

Access policies for S3 on Outposts specify the following information: 
+ The AWS Identity and Access Management (IAM) principal for which actions are allowed or denied.
+ The S3 control actions that are allowed or denied.
+ The S3 on Outposts resources on which actions are allowed or denied.

The following examples show policies that restrict access to a bucket or to an endpoint. For more information about VPC connectivity, see [Network-to-VPC connectivity options](https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/network-to-amazon-vpc-connectivity-options.html) in the AWS whitepaper [Amazon Virtual Private Cloud Connectivity Options](https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/welcome.html).

**Important**  
When you apply the example policies for VPC endpoints described in this section, you might block your access to the bucket without intending to do so. Bucket permissions that limit bucket access to connections originating from your VPC endpoint can block all connections to the bucket. For information about how to fix this issue, see [My bucket policy has the wrong VPC or VPC endpoint ID. How can I fix the policy so that I can access the bucket?](https://aws.amazon.com/premiumsupport/knowledge-center/s3-regain-access/) in the *Support Knowledge Center*.
Before using the following example bucket policies, replace the VPC endpoint ID with an appropriate value for your use case. Otherwise, you won't be able to access your bucket. 
If your policy only allows access to an S3 on Outposts bucket from a specific VPC endpoint, it disables console access for that bucket because console requests don't originate from the specified VPC endpoint.

**Topics**
+ [Example: Restricting access to a specific bucket from a VPC endpoint](#privatelink-example-restrict-access-to-bucket)
+ [Example: Denying access from a specific VPC endpoint in an S3 on Outposts bucket policy](#s3-outposts-privatelink-example-deny-access-from-vpc-endpoint)

### Example: Restricting access to a specific bucket from a VPC endpoint
<a name="privatelink-example-restrict-access-to-bucket"></a>

You can attach a VPC endpoint policy that restricts the traffic through the endpoint to specific S3 on Outposts buckets only. The following endpoint policy allows account `111122223333` to call `GetBucketPolicy` only on `example-outpost-bucket`; any other action or bucket is not allowed through this endpoint. To use this policy, replace the example values with your own. 

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Id": "Policy1415115909151",
    "Statement": [
        {
            "Sid": "Access-to-specific-bucket-only",
            "Principal": {
                "AWS": "111122223333"
            },
            "Action": "s3-outposts:GetBucketPolicy",
            "Effect": "Allow",
            "Resource": "arn:aws:s3-outposts:us-east-1:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outpost-bucket"
        }
    ]
}
```

------

### Example: Denying access from a specific VPC endpoint in an S3 on Outposts bucket policy
<a name="s3-outposts-privatelink-example-deny-access-from-vpc-endpoint"></a>

The following S3 on Outposts bucket policy denies access to GetBucketPolicy on the `example-outpost-bucket` bucket through the `vpce-1a2b3c4d` VPC endpoint.

The `aws:sourceVpce` condition specifies the endpoint and does not require an Amazon Resource Name (ARN) for the VPC endpoint resource, only the endpoint ID. To use this policy, replace the example values with your own.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Id": "Policy1415115909152",
    "Statement": [
        {
            "Sid": "Deny-access-to-specific-VPCE",
            "Principal": {
                "AWS": "111122223333"
            },
            "Action": "s3-outposts:GetBucketPolicy",
            "Effect": "Deny",
            "Resource": "arn:aws:s3-outposts:us-east-1:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outpost-bucket",
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": "vpce-1a2b3c4d"
                }
            }
        }
    ]
}
```

------

# AWS Signature Version 4 (SigV4) authentication-specific policy keys
<a name="s3-outposts-bucket-policy-s3-sigv4-conditions"></a>

The following table shows the condition keys related to AWS Signature Version 4 (SigV4) authentication that you can use with Amazon S3 on Outposts. In a bucket policy, you can add these conditions to enforce specific behavior when requests are authenticated by using Signature Version 4. For example policies, see [Bucket policy examples that use Signature Version 4-related condition keys](#s3-outposts-bucket-policy-sig-v4-condition-key-example). For more information about authenticating requests using Signature Version 4, see [Authenticating requests (AWS Signature Version 4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) in the *Amazon Simple Storage Service API Reference*.


| Applicable keys | Description | 
| --- | --- | 
|  `s3-outposts:authType`  |  S3 on Outposts supports more than one way of carrying a request signature. To restrict incoming requests to a specific authentication method, use this optional condition key. For example, you can use it to allow only requests that carry the signature in the HTTP `Authorization` header. Valid values: `REST-HEADER` (signature in the `Authorization` header), `REST-QUERY-STRING` (signature in the query string, as in presigned URLs)  | 
|  `s3-outposts:signatureAge`  |  The age, in milliseconds, of the signature on an authenticated request. This condition works only for presigned URLs. In Signature Version 4, the signing key is valid for up to seven days, so signatures are also valid for up to seven days. For more information, see [Introduction to signing requests](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html#signing-request-intro) in the *Amazon Simple Storage Service API Reference*. Use this condition to limit the signature age further. Example value: `600000` (10 minutes)  | 
|  `s3-outposts:x-amz-content-sha256`  |  Use this condition key to disallow unsigned content in your bucket. When you use Signature Version 4 with the `Authorization` header, the `x-amz-content-sha256` header is included in the signature calculation and set to the SHA-256 hash of the payload. In your bucket policy, you can deny any uploads whose payload is not signed by matching this key against the value `UNSIGNED-PAYLOAD`. Valid value: `UNSIGNED-PAYLOAD`  | 

## Bucket policy examples that use Signature Version 4-related condition keys
<a name="s3-outposts-bucket-policy-sig-v4-condition-key-example"></a>

To use the following examples, replace the *`user input placeholders`* with your own information.

**Example : `s3-outposts:signatureAge`**  
The following bucket policy denies any S3 on Outposts presigned URL request on objects in `example-outpost-bucket` if the signature is more than 10 minutes old.     

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Deny a presigned URL request if the signature is more than 10 minutes old",
            "Effect": "Deny",
            "Principal": {"AWS":"444455556666"},
            "Action": "s3-outposts:*",
            "Resource": "arn:aws:s3-outposts:us-east-1:111122223333:outpost/op-01ac5d28a6a232904/bucket/example-outpost-bucket/object/*",
            "Condition": {
                "NumericGreaterThan": {"s3-outposts:signatureAge": 600000},
                "StringEquals": {"s3-outposts:authType": "REST-QUERY-STRING"}
            }
        }
    ]
}
```

**Example : `s3-outposts:authType`**  
The following bucket policy allows only requests that use the `Authorization` header for request authentication. Any presigned URL requests will be denied since presigned URLs use query parameters to provide request and authentication information. For more information, see [Authentication methods](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) in the *Amazon Simple Storage Service API Reference*.    

```
{
   "Version": "2012-10-17",
   "Statement": [
         {
               "Sid": "Allow only requests that use the Authorization header for request authentication. Deny presigned URL requests.",
               "Effect": "Deny",
               "Principal": {"AWS":"111122223333"},
               "Action": "s3-outposts:*",
               "Resource": "arn:aws:s3-outposts:us-east-1:111122223333:outpost/op-01ac5d28a6a232904/bucket/example-outpost-bucket/object/*",
               "Condition": {
                     "StringNotEquals": {
                           "s3-outposts:authType": "REST-HEADER"
                     }
               }
         }
   ]
}
```

**Example: `s3-outposts:x-amz-content-sha256`**  
The following bucket policy denies any uploads with unsigned payloads, such as uploads that use presigned URLs. For more information, see [Authenticating requests](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html#query-string-auth-v4-signing) and [Authentication methods](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) in the *Amazon Simple Storage Service API Reference*.

```
{
   "Version":"2012-10-17",
   "Statement": [
         {
               "Sid": "Deny uploads with unsigned payloads.",
               "Effect": "Deny",
               "Principal": {"AWS":"111122223333"},
               "Action": "s3-outposts:*",
               "Resource": "arn:aws:s3-outposts:us-east-1:111122223333:outpost/op-01ac5d28a6a232904/bucket/example-outpost-bucket/object/*",
               "Condition": {
                     "StringEquals": {
                           "s3-outposts:x-amz-content-sha256": "UNSIGNED-PAYLOAD"
                     }
               }
         }
   ]
}
```
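To see how the three `Deny` statements above combine for a given request, the following added example (not AWS code) replays their `Condition` blocks against constructed request contexts keyed by the condition keys that S3 on Outposts exposes; `signatureAge` values are in milliseconds, as in the policies.

```python
# Condition blocks of the three Deny statements above; a match means the
# request is refused by that statement.
DENY_RULES = {
    "signatureAge": {
        "NumericGreaterThan": {"s3-outposts:signatureAge": 600000},
        "StringEquals": {"s3-outposts:authType": "REST-QUERY-STRING"},
    },
    "authType": {"StringNotEquals": {"s3-outposts:authType": "REST-HEADER"}},
    "x-amz-content-sha256": {
        "StringEquals": {"s3-outposts:x-amz-content-sha256": "UNSIGNED-PAYLOAD"}
    },
}

OPERATORS = {
    "StringEquals": lambda actual, want: actual == want,
    "StringNotEquals": lambda actual, want: actual != want,
    "NumericGreaterThan": lambda actual, want: float(actual) > float(want),
}


def condition_matches(condition, ctx):
    """IAM semantics: every operator block must match, and within a block
    every key must match. A key absent from the request context fails a
    positive operator and satisfies a negated one (IAM's documented rule)."""
    for operator, tests in condition.items():
        for key, want in tests.items():
            if key not in ctx:
                if not operator.startswith("StringNot"):
                    return False
                continue
            if not OPERATORS[operator](ctx[key], want):
                return False
    return True


def denied_by(ctx):
    """Names of the Deny statements above that match this request context."""
    return [name for name, cond in DENY_RULES.items() if condition_matches(cond, ctx)]


# Constructed request contexts (not captured traffic).
SDK_PUT = {"s3-outposts:authType": "REST-HEADER",
           "s3-outposts:signatureAge": 2000,
           "s3-outposts:x-amz-content-sha256": "<sha256 of the payload>"}
FRESH_PRESIGNED_PUT = {"s3-outposts:authType": "REST-QUERY-STRING",
                       "s3-outposts:signatureAge": 30000,
                       "s3-outposts:x-amz-content-sha256": "UNSIGNED-PAYLOAD"}
STALE_PRESIGNED_PUT = {**FRESH_PRESIGNED_PUT, "s3-outposts:signatureAge": 900000}

if __name__ == "__main__":
    for label, ctx in [("SDK put", SDK_PUT), ("fresh presigned put", FRESH_PRESIGNED_PUT),
                       ("stale presigned put", STALE_PRESIGNED_PUT)]:
        print(f"{label}: denied by {denied_by(ctx) or 'no statement'}")
```

Note that a fresh presigned URL is already refused by the `authType` and `x-amz-content-sha256` statements, so the `signatureAge` statement only adds value when presigned URLs are otherwise permitted.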

# AWS managed policies for Amazon S3 on Outposts
<a name="s3-outposts-aws-manpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## AWS managed policy: AWSS3OnOutpostsServiceRolePolicy
<a name="security-iam-awsmanpol-amazons3objectlambdaexecutionrolepolicy"></a>

This policy helps S3 on Outposts manage network resources for you as part of the service-linked role `AWSServiceRoleForS3OnOutposts`.

To view the permissions for this policy, see [AWSS3OnOutpostsServiceRolePolicy](S3OutpostsServiceLinkedRoles.md).

## S3 on Outposts updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for S3 on Outposts since this service began tracking these changes.


| Change | Description | Date | 
| --- | --- | --- | 
|  S3 on Outposts added `AWSS3OnOutpostsServiceRolePolicy`  |  S3 on Outposts added `AWSS3OnOutpostsServiceRolePolicy` as part of the service-linked role `AWSServiceRoleForS3OnOutposts`, which helps manage network resources for you.  | October 3, 2023 | 
| S3 on Outposts started tracking changes | S3 on Outposts started tracking changes for its AWS managed policies. | October 3, 2023 | 

# Using service-linked roles for Amazon S3 on Outposts
<a name="S3OutpostsServiceLinkedRoles"></a>

Amazon S3 on Outposts uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to S3 on Outposts. Service-linked roles are predefined by S3 on Outposts and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up S3 on Outposts easier because you don’t have to manually add the necessary permissions. S3 on Outposts defines the permissions of its service-linked roles, and unless defined otherwise, only S3 on Outposts can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your S3 on Outposts resources because you can't inadvertently remove permission to access them.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked roles** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for S3 on Outposts
<a name="slr-permissions"></a>

S3 on Outposts uses the service-linked role named **AWSServiceRoleForS3OnOutposts** to help manage network resources for you.

The `AWSServiceRoleForS3OnOutposts` service-linked role trusts the following services to assume the role:
+ `s3-outposts.amazonaws.com`

The role permissions policy named `AWSS3OnOutpostsServiceRolePolicy` allows S3 on Outposts to complete the following actions on the specified resources:


```
{
    "Version":"2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcs",
                "ec2:DescribeCoipPools",
                "ec2:GetCoipPoolUsage",
                "ec2:DescribeAddresses",
                "ec2:DescribeLocalGatewayRouteTableVpcAssociations"
            ],
            "Resource": "*",
            "Sid": "DescribeVpcResources"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:security-group/*"
            ],
            "Sid": "CreateNetworkInterface"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:network-interface/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "S3 On Outposts"
                }
            },
            "Sid": "CreateTagsForCreateNetworkInterface"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AllocateAddress"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:ipv4pool-ec2/*"
            ],
            "Sid": "AllocateIpAddress"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AllocateAddress"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:elastic-ip/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "S3 On Outposts"
                }
            },
            "Sid": "CreateTagsForAllocateIpAddress"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteNetworkInterfacePermission",
                "ec2:DisassociateAddress",
                "ec2:ReleaseAddress",
                "ec2:AssociateAddress"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "S3 On Outposts"
                }
            },
            "Sid": "ReleaseVpcResources"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": [
                        "CreateNetworkInterface",
                        "AllocateAddress"
                    ],
                    "aws:RequestTag/CreatedBy": [
                        "S3 On Outposts"
                    ]
                }
            },
            "Sid": "CreateTags"
        }
    ]
}
```


You must configure permissions to allow an IAM entity (such as a role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role for S3 on Outposts
<a name="create-slr"></a>

You don't need to manually create a service-linked role. When you create an S3 on Outposts endpoint in the AWS Management Console, the AWS CLI, or the AWS API, S3 on Outposts creates the service-linked role for you. 

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create an S3 on Outposts endpoint, S3 on Outposts creates the service-linked role for you again. 

You can also use the IAM console to create a service-linked role with the **S3 on Outposts** use case. In the AWS CLI or the AWS API, create a service-linked role with the `s3-outposts.amazonaws.com` service name. For more information, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again.

## Editing a service-linked role for S3 on Outposts
<a name="edit-slr"></a>

S3 on Outposts does not allow you to edit the `AWSServiceRoleForS3OnOutposts` service-linked role. This includes the name of the role, because various entities might reference it. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for S3 on Outposts
<a name="delete-slr"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

**Note**  
If the S3 on Outposts service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete S3 on Outposts resources used by the AWSServiceRoleForS3OnOutposts role**

1. [Delete the S3 on Outposts endpoints](S3OutpostsDeleteEndpoints.md) in your AWS account across all AWS Regions.

1. Delete the service-linked role using IAM.

   Use the IAM console, the AWS CLI, or the AWS API to delete the `AWSServiceRoleForS3OnOutposts` service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for S3 on Outposts service-linked roles
<a name="slr-regions"></a>

S3 on Outposts supports using service-linked roles in all of the AWS Regions where the service is available. For more information, see [S3 on Outposts Regions and endpoints](https://docs.aws.amazon.com/general/latest/gr/outposts_region.html#outposts_region_s3).