# Using tags with S3 Access Points for directory buckets
An AWS tag is a key-value pair that holds metadata about resources, in this case Amazon S3 Access Points for directory buckets. You can tag access points when you create them or manage tags on existing access points. For general information about tags, see [Tagging for cost allocation or attribute-based access control (ABAC)](tagging.md).
**Note**
There is no additional charge for using tags on access points for directory buckets beyond the standard S3 API request rates. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/).
## Common ways to use tags with access points for directory buckets
Attribute-based access control (ABAC) allows you to scale access permissions and grant access to access points for directory buckets based on their tags. For more information about ABAC in Amazon S3, see [Using tags for ABAC](https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging.html#using-tags-for-abac).
### ABAC for S3 Access Points
Amazon S3 Access Points support attribute-based access control (ABAC) using tags. Use tag-based condition keys in your AWS organizations, IAM, and Access Points policies. For enterprises, ABAC in Amazon S3 supports authorization across multiple AWS accounts.
In your IAM policies, you can control access to access points for directory buckets based on the bucket's tags by using the following [global condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys):
+ `aws:ResourceTag/key-name`
+ Use this key to compare the tag key-value pair that you specify in the policy with the key-value pair attached to the resource. For example, you could require that access to a resource is allowed only if the resource has the attached tag key `Dept` with the value `Marketing`. For more information, see [Controlling access to AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-resources).
+ `aws:RequestTag/key-name`
+ Use this key to compare the tag key-value pair that was passed in the request with the tag pair that you specify in the policy. For example, you could check whether the request includes the tag key `Dept` and that it has the value `Accounting`. For more information, see [Controlling access during AWS requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-requests). You can use this condition key to restrict which tag key-value pairs can be passed during the `TagResource` and `CreateAccessPoint` API operations.
+ `aws:TagKeys`
+ Use this key to compare the tag keys in a request with the keys that you specify in the policy. We recommend that when you use policies to control access using tags, use the `aws:TagKeys` condition key to define what tag keys are allowed. For example policies and more information, see [Controlling access based on tag keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-tag-keys). You can create an access point for directory buckets with tags. To allow tagging during the `CreateAccessPoint` API operation, you must create a policy that includes both the `s3express:TagResource` and `s3express:CreateAccessPoint` actions. You can then use the `aws:TagKeys` condition key to enforce using specific tags in the `CreateAccessPoint` request.
+ `s3express:AccessPointTag/tag-key`
+ Use this condition key to grant permissions to specific data via access points using tags. When using `aws:ResourceTag/tag-key` in an IAM policy, both the access point as well as the bucket to which the access point points to are required to have the same tag as they are both considered during authorization. If you want to control access to your data specifically via the access-point tag only, you can use `s3express:AccessPointTag/tag-key` condition key.
### Example ABAC policies for access points for directory buckets
See the following example ABAC policies for access points for directory buckets.
#### 1.1 - IAM policy to create or modify access points with specific tags
In this IAM policy, users or roles with this policy can only create access points if they tag the access points with the tag key `project` and tag value `Trinity` in the access point creation request. They can also add or modify tags on existing access points for directory buckets as long as the `TagResource` request includes the tag key-value pair `project:Trinity`.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateAccessPointWithTags",
"Effect": "Allow",
"Action": [
"s3express:CreateAccessPoint",
"s3express:TagResource"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/project": [
"Trinity"
]
}
}
}
]
}
```
#### 1.2 - Access Point policy to restrict operations on the bucket using tags
In this Access Point policy, IAM principals (users and roles) can perform operations using the `CreateSession` action on the access point only if the value of the access point's `project` tag matches the value of the principal's `project` tag.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowObjectOperations",
"Effect": "Allow",
"Principal": {
"AWS": "111122223333"
},
"Action": "s3express:CreateSession",
"Resource": "arn:aws::s3express:region:111122223333:access-point/my-access-point",
"Condition": {
"StringEquals": {
"aws:ResourceTag/project": "${aws:PrincipalTag/project}"
}
}
}
]
}
```
#### 1.3 - IAM policy to modify tags on existing resources maintaining tagging governence
In this IAM policy, IAM principals (users or roles) can modify tags on an access point only if the value of the access point's `project` tag matches the value of the principal's `project` tag. Only the four tags `project`, `environment`, `owner`, and `cost-center` specified in the `aws:TagKeys` condition keys are permitted for these access points. This helps enforce tag governance, prevents unauthorized tag modifications, and keeps the tagging schema consistent across your access points.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnforceTaggingRulesOnModification",
"Effect": "Allow",
"Action": [
"s3express:TagResource"
],
"Resource": "arn:aws::s3express:region:111122223333:accesspoint/my-access-point",
"Condition": {
"StringEquals": {
"aws:ResourceTag/project": "${aws:PrincipalTag/project}"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"project",
"environment",
"owner",
"cost-center"
]
}
}
}
]
}
```
#### 1.4 - Using the s3express:AccessPointTag condition key
In this IAM policy, the condition statement allows access to the bucket's data only if the access point used to access the bucket has the tag key `Environment` and tag value `Production`.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAccessToSpecificAccessPoint",
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws::s3express:region:111122223333:accesspoint/my-access-point",
"Condition": {
"StringEquals": {
"s3express:AccessPointTag/Environment": "Production"
}
}
}
]
}
```
## Working with tags for access points for directory buckets
You can add or manage tags for access points for directory buckets using the Amazon S3 Console, the AWS Command Line Interface (CLI), the AWS SDKs, or using the S3 APIs: [TagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_TagResource.html), [UntagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_UntagResource.html), and [ListTagsForResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListTagsForResource.html). For more information, see:
**Topics**
+ [Common ways to use tags with access points for directory buckets](#common-ways-to-use-tags-access-points-db)
+ [Working with tags for access points for directory buckets](#working-with-tags-access-points-db)
+ [Creating access points for directory buckets with tags](access-points-db-create-tag.md)
+ [Adding a tag to an access point for directory buckets](access-points-db-tag-add.md)
+ [Viewing the tags of an access point for directory buckets](access-points-db-tag-view.md)
+ [Deleting a tag from an access point for directory buckets](access-points-db-tag-delete.md)
# Creating access points for directory buckets with tags
You can tag Amazon S3 Access Points for directory buckets when you create them. For additional information, see [Using tags with S3 Access Points for directory buckets](access-points-db-tagging.md).
## Permissions
To create an access point for directory buckets with tags, you must have the following permissions:
+ `s3express:CreateAccessPoint`
+ `s3express:TagResource`
## Troubleshooting errors
If you encounter an error when attempting to create an access point for directory buckets with tags, you can do the following:
+ Verify that you have the required [Permissions](#access-points-db-create-tag-permissions) to create the access point for directory buckets and add a tag to it.
+ Check your IAM user policy for any attribute-based access control (ABAC) conditions. You may be required to label your access points for directory buckets only with specific tag keys and values. For more information, see [Using tags for attribute-based access control (ABAC)](tagging.md#using-tags-for-abac).
## Steps
You can create an access point for directory buckets with tags applied by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.
## Using the S3 console
To create an access point for directory buckets with tags using the Amazon S3 console:
1. Sign in to Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).
1. In the left navigation pane, choose **Access Points (Directory Buckets)**.
1. Choose **create access point** to create a new access point.
1. Enter a name for the access point. For more information, see [Access points for directory buckets naming rules, restrictions, and limitations](access-points-directory-buckets-restrictions-limitations-naming-rules.md).
1. On the **Create access point** page, **Tags** is an option when creating a new access point.
1. Choose **Add new Tag** to open the Tags editor and enter a tag key-value pair. The tag key is required, but the value is optional.
1. To add another tag, select **Add new Tag** again. You can enter up to 50 tag key-value pairs.
1. After you complete specifying the options for your new access point, choose **Create access point**.
## Using the AWS SDKs
------
#### [ SDK for Java 2.x ]
This example shows you how to create an access point with tags by using the AWS SDK for Java 2.x. To use the command replace the *user input placeholders* with your own information.
```
CreateAccessPointRequest createAccessPointRequest = CreateAccessPointRequest.builder()
.accountId(111122223333)
.name(my-access-point)
.bucket(amzn-s3-demo-bucket--zone-id--x-s3)
.tags(Collections.singletonList(Tag.builder().key("key1").value("value1").build()))
.build();
awss3Control.createAccessPoint(createAccessPointRequest);
```
------
## Using the REST API
For information about the Amazon S3 REST API support for creating a directory bucket with tags, see the following section in the *Amazon Simple Storage Service API Reference*:
+ [CreateBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html)
## Using the AWS CLI
To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.
The following CLI example shows you how to create an access point for directory buckets with tags by using the AWS CLI. To use the command replace the *user input placeholders* with your own information.
When you create an access point for directory buckets you must provide configuration details and use the following naming convention: `my-access-point`
**Request:**
```
aws s3control create-access-point \
--account-id 111122223333 \
--name my-access-point \
--bucket amzn-s3-demo-bucket--zone-id--x-s3 \
--profile personal \
--tags Key=key1,Value=value1 Key=MyKey2,Value=value2 \
--region region
```
# Adding a tag to an access point for directory buckets
You can add tags to Amazon S3 Access Points for directory buckets and modify these tags. For additional information, see [Using tags with S3 Access Points for directory buckets](access-points-db-tagging.md).
## Permissions
To add a tag to an access point for directory buckets, you must have the following permission:
+ `s3express:TagResource`
## Troubleshooting errors
If you encounter an error when attempting to add a tag to an access point for directory buckets, you can do the following:
+ Verify that you have the required [Permissions](#access-points-db-tag-add-permissions) to add a tag to an access point for directory buckets.
+ If you attempted to add a tag key that starts with the AWS reserved prefix `aws:`, change the tag key and try again.
## Steps
You can add tags to access points for directory buckets by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.
## Using the S3 console
To add tags to an access point for directory buckets using the Amazon S3 console:
1. Sign in to Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).
1. In the left navigation pane, choose **Access Points (Directory Buckets)**.
1. Choose the access point name.
1. Choose the **Properties** tab.
1. Scroll to the **Tags** section and choose **Add new Tag**.
1. This opens the **Add Tags** page. You can enter up to 50 tag key value pairs.
1. If you add a new tag with the same key name as an existing tag, the value of the new tag overrides the value of the existing tag.
1. You can also edit the values of existing tags on this page.
1. After you have added the tag(s), choose **Save changes**.
## Using the AWS SDKs
------
#### [ SDK for Java 2.x ]
This example shows you how to add tags to an access point for directory buckets by using the AWS SDK for Java 2.x. To use the command replace the *user input placeholders* with your own information.
```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.Tag;
import software.amazon.awssdk.services.s3control.model.TagResourceRequest;
import software.amazon.awssdk.services.s3control.model.TagResourceResponse;
public class TagResourceExample {
public static void tagResourceExample() {
S3ControlClient s3Control = S3ControlClient.builder().region(Region.US_WEST_2).build();
TagResourceRequest tagResourceRequest = TagResourceRequest.builder()
.resourceArn("arn:aws::s3:region:111122223333:accesspoint/my-access-point/*")
.accountId("111122223333")
.tags(Tag.builder().key("key1").value("value1").build())
.build();
TagResourceResponse response = s3Control.tagResource(tagResourceRequest);
System.out.println("Status code (should be 204):");
System.out.println(response.sdkHttpResponse().statusCode());
}
}
```
------
## Using the REST API
For information about the Amazon S3 REST API support for adding tags to an access point for directory buckets, see the following section in the *Amazon Simple Storage Service API Reference*:
+ [TagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_TagResource.html)
## Using the AWS CLI
To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.
The following CLI example shows you how to add tags to a directory bucket by using the AWS CLI. To use the command replace the *user input placeholders* with your own information.
**Request:**
```
aws s3control tag-resource \
--account-id 111122223333 \
--resource-arn arn:aws::s3express:region:444455556666:bucket/prefix--use1-az4--x-s3 \
--tags "Key=key1,Value=value1"
```
**Response:**
```
{
"ResponseMetadata": {
"RequestId": "EXAMPLE123456789",
"HTTPStatusCode": 200,
"HTTPHeaders": {
"date": "Wed, 19 Jun 2025 10:30:00 GMT",
"content-length": "0"
},
"RetryAttempts": 0
}
}
```
# Viewing the tags of an access point for directory buckets
You can view or list tags applied to Amazon S3 Access Points for directory buckets. For additional information, see [Using tags with S3 directory buckets](directory-buckets-tagging.md).
## Permissions
To view tags applied to an access point, you must have the following permission:
+ `s3express:ListTagsForResource`
## Troubleshooting errors
If you encounter an error when attempting to list or view the tags of an access point for directory buckets, you can do the following:
+ Verify that you have the required [Permissions](#access-points-db-tag-view-permissions) to view or list the tags of the access point for directory buckets.
## Steps
You can view tags applied to access points for directory buckets by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.
## Using the S3 console
To view tags applied to an access point for directory buckets using the Amazon S3 console:
1. Sign in to Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).
1. In the left navigation pane, choose **Access Points (Directory Buckets)**.
1. Choose the access point name.
1. Choose the **Properties** tab.
1. Scroll to the **Tags** section to view all of the tags applied to the access point for directory buckets.
1. The **Tags** section shows the **User-defined tags** by default. You can select the **AWS-generated tags** tab to view tags applied to your access point by AWS services.
## Using the AWS SDKs
This section provides an example of how to view tags applied to an access point for directory buckets by using the AWS SDKs.
------
#### [ SDK for Java 2.x ]
This example shows you how to view tags applied to an access point for directory buckets by using the AWS SDK for Java 2.x.
```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.ListTagsForResourceRequest;
import software.amazon.awssdk.services.s3control.model.ListTagsForResourceResponse;
public class ListTagsForResourceExample {
public static void listTagsForResourceExample() {
S3ControlClient s3Control = S3ControlClient.builder().region(Region.US_WEST_2).build();
ListTagsForResourceRequest listTagsForResourceRequest = ListTagsForResourceRequest.builder()
.resourceArn("arn:aws::s3:us-west-2:111122223333:accesspoint/my-access-point/*")
.accountId("111122223333")
.build();
ListTagsForResourceResponse response = s3Control.listTagsForResource(listTagsForResourceRequest);
System.out.println("Tags on my resource:");
System.out.println(response.toString());
}
}
```
------
## Using the REST API
For information about the Amazon S3 REST API support for viewing the tags applied to a directory bucket, see the following section in the *Amazon Simple Storage Service API Reference*:
+ [ListTagsforResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListTagsForResource.html)
## Using the AWS CLI
To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.
The following CLI example shows you how to view tags applied to an access point for directory buckets. To use the command replace the *user input placeholders* with your own information.
**Request:**
```
aws s3control list-tags-for-resource \
--account-id 111122223333 \
--resource-arn arn:aws::s3express:region:444455556666:bucket/prefix--use1-az4--x-s3 \
```
**Response - tags present:**
```
{
"Tags": [
{
"Key": "MyKey1",
"Value": "MyValue1"
},
{
"Key": "MyKey2",
"Value": "MyValue2"
},
{
"Key": "MyKey3",
"Value": "MyValue3"
}
]
}
```
**Response - no tags present:**
```
{
"Tags": []
}
```
# Deleting a tag from an access point for directory buckets
You can remove tags from Access Points for directory buckets. For additional information, see [Using tags with S3 Access Points for directory buckets](access-points-db-tagging.md).
**Note**
If you delete a tag and later learn that it was being used to track costs or for access control, you can add the tag back to the access point for directory buckets.
## Permissions
To delete a tag from an access point for directory buckets, you must have the following permission:
+ `s3express:UntagResource`
## Troubleshooting errors
If you encounter an error when attempting to delete a tag from an access point for directory buckets, you can do the following:
+ Verify that you have the required [Permissions](#access-points-db-tag-delete-permissions) to delete a tag from an access point for directory buckets.
## Steps
You can delete tags from access points for directory buckets by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.
## Using the S3 console
To delete tags from an access point for directory buckets using the Amazon S3 console:
1. Sign in to Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).
1. In the left navigation pane, choose **Access Points (Directory Buckets)**.
1. Choose the access point name.
1. Choose the **Properties** tab.
1. Scroll to the **Tags** section and select the checkbox next to the tag or tags that you would like to delete.
1. Choose **Delete**.
1. The **Delete user-defined tags** pop-up appears and asks you to confirm the deletion of the tag or tags you selected.
1. Choose **Delete** to confirm.
## Using the AWS SDKs
------
#### [ SDK for Java 2.x ]
This example shows you how to delete tags from a directory bucket by using the AWS SDK for Java 2.x. To use the command replace the *user input placeholders* with your own information.
```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.ListTagsForResourceRequest;
import software.amazon.awssdk.services.s3control.model.ListTagsForResourceResponse;
public class ListTagsForResourceExample {
public static void listTagsForResourceExample() {
S3ControlClient s3Control = S3ControlClient.builder().region(Region.US_WEST_2).build();
UntagResourceRequest untagResourceRequest = UntagResourceRequest.builder()
.resourceArn("arn:aws::s3:region:111122223333:accesspoint/my-access-point/*")
.accountId("111122223333")
.tagKeys("key1")
.build();
UntagResourceResponse response = s3Control.untagResource(untagResourceRequest);
System.out.println("Status code (should be 204):");
System.out.println(response.sdkHttpResponse().statusCode());
}
}
```
------
## Using the REST API
For information about the Amazon S3 REST API support for deleting tags from an access point, see the following section in the *Amazon Simple Storage Service API Reference*:
+ [UnTagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_UntagResource.html)
## Using the AWS CLI
To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.
The following CLI example shows you how to delete tags from an access point by using the AWS CLI. To use the command replace the *user input placeholders* with your own information.
**Request:**
```
aws s3control untag-resource \
--account-id 111122223333 \
--resource-arn arn:aws::s3:region:111122223333:accesspoint/my-access-point/* \
--tag-keys "key1" "key2"
```
**Response:**
```
{
"ResponseMetadata": {
"RequestId": "EXAMPLE123456789",
"HTTPStatusCode": 204,
"HTTPHeaders": {
"date": "Wed, 19 Jun 2025 10:30:00 GMT",
"content-length": "0"
},
"RetryAttempts": 0
}
}
```