

# Authorizing Regional endpoint API operations with IAM

AWS Identity and Access Management (IAM) is an AWS service that helps administrators securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use Amazon S3 resources in directory buckets and S3 Express One Zone operations. You can use IAM for no additional charge. 

By default, users don't have permissions for directory buckets. To grant access permissions for directory buckets, you can use IAM to create users, groups, or roles and attach permissions to those identities. For more information about IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*. 

To provide access, you can add permissions to your users, groups, or roles through the following means:
+ **Users and groups in AWS IAM Identity Center** – Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.
+ **Users managed in IAM through an identity provider** – Create a role for identity federation. Follow the instructions in [Creating a role for a third-party identity provider (federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ **IAM roles and users** – Create a role that your user can assume. Follow the instructions in [Creating a role to delegate permissions to an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.

For more information about IAM for S3 Express One Zone, see the following topics.

**Topics**
+ [Principals](#s3-express-security-iam-principals)
+ [Resources](#s3-express-security-iam-resources)
+ [Actions for directory buckets](#s3-express-security-iam-actions)
+ [IAM identity-based policies for directory buckets](s3-express-security-iam-identity-policies.md)
+ [Example bucket policies for directory buckets](s3-express-security-iam-example-bucket-policies.md)
+ [AWS managed policies for Amazon S3 Express One Zone](s3-express-one-zone-security-iam-awsmanpol.md)

## Principals


When you create a resource-based policy to grant access to your buckets, you must use the `Principal` element to specify the person or application that is allowed to request an action or operation on that resource. For directory bucket policies, you can use the following principals:
+ An AWS account
+ An IAM user
+ An IAM role
+ A federated user

For more information, see [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in the *IAM User Guide*.

## Resources


Amazon Resource Names (ARNs) for directory buckets contain the `s3express` namespace, the AWS Region, the AWS account ID, and the directory bucket name. The bucket name itself includes the AWS Zone ID (an Availability Zone ID or a Local Zone ID) and the `--x-s3` suffix.

To access and perform actions on your directory bucket, you must use the following ARN format:

```
arn:aws:s3express:region:account-id:bucket/base-bucket-name--zone-id--x-s3
```

To access and perform actions on your access point for a directory bucket, you must use the following ARN format (note the single colon between `aws` and `s3express`, the same as in the bucket ARN):

```
arn:aws:s3express:region:account-id:accesspoint/accesspoint-basename--zone-id--xa-s3
```

For more information about ARNs, see [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html) in the *IAM User Guide*. For more information about resources, see [IAM JSON Policy Elements: Resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html) in the *IAM User Guide*.

## Actions for directory buckets


In an IAM identity-based policy or resource-based policy, you define which S3 actions are allowed or denied. Actions correspond to specific API operations. With directory buckets, you must grant permissions by using the S3 Express One Zone namespace, `s3express`, rather than the standard `s3` namespace.

When you allow the `s3express:CreateSession` permission, the `CreateSession` API operation returns temporary session credentials that are used to sign all Zonal endpoint (object-level) API operations. As a result, you don't grant Zonal endpoint API operations individually with IAM policies. Instead, allowing `CreateSession` on a bucket authorizes all object-level operations on that bucket, so treat a `CreateSession` grant as a grant of full object-level access and scope it carefully by `Resource` and, where appropriate, by the `s3express:SessionMode` condition key (`ReadOnly` or `ReadWrite`). For the list of Zonal API operations and permissions, see [Authenticating and authorizing requests](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-authenticating-authorizing.html). 

To learn more about the `CreateSession` API operation, see [https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html) in the *Amazon Simple Storage Service API Reference*.

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation with the same name. However, in some cases, a single action controls access to more than one API operation. Access to bucket-level actions can be granted only in IAM identity-based policies (user or role), not in bucket policies.

For more information about how to configure access point policies, see [Configuring IAM policies for using access points for directory buckets](access-points-directory-buckets-policies.md).

For more information, see [Actions, resources, and condition keys for Amazon S3 Express](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3express.html). 

# IAM identity-based policies for directory buckets

Before you can create directory buckets, you must grant the necessary permissions to your AWS Identity and Access Management (IAM) role or users. This example policy allows access to the `CreateSession` API operation (for use with Zonal endpoint [object level] API operations) and all of the Regional endpoint (bucket-level) API operations. This policy allows the `CreateSession` API operation for use with all directory buckets, but the Regional endpoint API operations are allowed only for use with the specified directory bucket. To use this example policy, replace the `user input placeholders` with your own information.
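The following identity-based policy is an added example illustrating the paragraph above; it is not the page's own policy. It assumes the same placeholder values as the bucket policy examples on this page (account ID `111122223333`, Region `us-west-2`, and the directory bucket `amzn-s3-demo-bucket--usw2-az1--x-s3`), and it selects a representative set of Regional endpoint actions from the `s3express` namespace; trim the action list to what your role actually needs. `ListAllMyDirectoryBuckets` is listed in its own statement because it is an account-level listing that is not tied to a single bucket ARN (an assumption about its resource scoping; confirm it against the Service Authorization Reference linked above).

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRegionalEndpointActionsOnOneDirectoryBucket",
            "Effect": "Allow",
            "Action": [
                "s3express:CreateBucket",
                "s3express:DeleteBucket",
                "s3express:PutBucketPolicy",
                "s3express:GetBucketPolicy",
                "s3express:DeleteBucketPolicy"
            ],
            "Resource": "arn:aws:s3express:us-west-2:111122223333:bucket/amzn-s3-demo-bucket--usw2-az1--x-s3"
        },
        {
            "Sid": "AllowListingDirectoryBucketsInTheAccount",
            "Effect": "Allow",
            "Action": "s3express:ListAllMyDirectoryBuckets",
            "Resource": "*"
        },
        {
            "Sid": "AllowCreateSessionForZonalEndpointActionsOnAllDirectoryBuckets",
            "Effect": "Allow",
            "Action": "s3express:CreateSession",
            "Resource": "*"
        }
    ]
}
```

Because `CreateSession` is the single permission that unlocks every object-level operation, the last statement is the one to tighten first in production: replace `"Resource": "*"` with the ARN of the bucket (or buckets) the role should touch, and add a `"Condition": {"StringEquals": {"s3express:SessionMode": "ReadOnly"}}` block for roles that only read data.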

# Example bucket policies for directory buckets

This section provides example directory bucket policies. To use these policies, replace the `user input placeholders` with your own information.

The following example bucket policy allows AWS account ID `111122223333` to use the `CreateSession` API operation for the specified directory bucket. When no session mode is specified, the session is created with the maximum allowable privilege (attempting `ReadWrite` first, then `ReadOnly` if `ReadWrite` is not permitted). Because this policy does not constrain `s3express:SessionMode`, it grants read-write access to all Zonal endpoint (object-level) API operations on the bucket. 

**Example – Bucket policy to allow `CreateSession` calls**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteAccess",
            "Effect": "Allow",
            "Resource": "arn:aws:s3express:us-west-2:111122223333:bucket/amzn-s3-demo-bucket--usw2-az1--x-s3",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:root"
                ]
            },
            "Action": [
                "s3express:CreateSession"
            ]
        }
    ]
}
```

**Example – Bucket policy to allow `CreateSession` calls with a `ReadOnly` session**  
The following example bucket policy allows AWS account ID `111122223333` to use the `CreateSession` API operation. This policy uses the `s3express:SessionMode` condition key with the `ReadOnly` value, so a session request for `ReadWrite` mode is not matched by this statement and is denied unless another statement allows it; the resulting session can only read objects.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "111122223333"
            },
            "Action": "s3express:CreateSession",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "s3express:SessionMode": "ReadOnly"
                }
            }
        }
    ]
}
```

**Example – Bucket policy to allow cross-account access for `CreateSession` calls**  
The following example bucket policy allows AWS account ID `111122223333` to use the `CreateSession` API operation for the specified directory bucket that's owned by AWS account ID `444455556666`. As with any cross-account grant, the principal in account `111122223333` also needs an identity-based policy in its own account that allows `s3express:CreateSession` on this bucket ARN; the bucket policy alone is not sufficient.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CrossAccount",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "s3express:CreateSession"
            ],
            "Resource": "arn:aws:s3express:us-west-2:444455556666:bucket/amzn-s3-demo-bucket--usw2-az1--x-s3"
        }
    ]
}
```

# AWS managed policies for Amazon S3 Express One Zone

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## AWS managed policy: AmazonS3ExpressFullAccess


You can attach the `AmazonS3ExpressFullAccess` policy to your IAM identities. This policy grants full access to Amazon S3 Express One Zone directory buckets and operations: it allows all actions under the `s3express` service prefix on all resources, which includes `s3express:CreateSession` and therefore unrestricted read-write access to objects in every directory bucket the identity can reach.

This policy is intended for users or roles that need unrestricted access to directory buckets. This policy covers only Amazon S3 Express One Zone operations. For standard Amazon S3 operations, you need additional policies.

To view the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonS3ExpressFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonS3ExpressFullAccess.html) in the AWS Managed Policy Reference.

## AWS managed policy: AmazonS3ExpressReadOnlyAccess


You can attach the `AmazonS3ExpressReadOnlyAccess` policy to your IAM identities. This policy grants permissions that allow `ReadOnly` access to Amazon S3 Express One Zone directory buckets.

**Note**  
The `CreateSession` action supports the `s3express:SessionMode` condition key, which can be set to `ReadOnly` or `ReadWrite`. This policy uses `SessionMode` with the `ReadOnly` value so that sessions created under it can only read objects.

To view the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonS3ExpressReadOnlyAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonS3ExpressReadOnlyAccess.html) in the AWS Managed Policy Reference.

## Amazon S3 Express One Zone updates to AWS managed policies

View details about updates to AWS managed policies for Amazon S3 Express One Zone since this service began tracking these changes.


| Change | Description | Date | 
| --- | --- | --- | 
|  Amazon S3 Express One Zone added `AmazonS3ExpressFullAccess`.  |  Amazon S3 Express One Zone added a new AWS managed policy called `AmazonS3ExpressFullAccess`. This policy grants permissions that allow full access to Amazon S3 Express One Zone directory buckets and operations.  |  April 03, 2026  | 
|  Amazon S3 Express One Zone added `AmazonS3ExpressReadOnlyAccess`.  |  Amazon S3 Express One Zone added a new AWS managed policy called `AmazonS3ExpressReadOnlyAccess`. This policy grants permissions that allow read-only access to Amazon S3 Express One Zone directory buckets.  |  April 03, 2026  | 
|  Amazon S3 Express One Zone started tracking changes.  |  Amazon S3 Express One Zone started tracking changes for its AWS managed policies.  |  April 03, 2026  | 