Amazon S3 (s3)

Has Resource: True

Actions:
  - AbortMultipartUpload
  - BypassGovernanceRetention
  - CreateAccessPoint
  - CreateAccessPointForObjectLambda
  - CreateBucket
  - CreateJob
  - DeleteAccessPoint
  - DeleteAccessPointForObjectLambda
  - DeleteAccessPointPolicy
  - DeleteAccessPointPolicyForObjectLambda
  - DeleteBucket
  - DeleteBucketOwnershipControls
  - DeleteBucketPolicy
  - DeleteBucketWebsite
  - DeleteJobTagging
  - DeleteObject
  - DeleteObjectTagging
  - DeleteObjectVersion
  - DeleteObjectVersionTagging
  - DeleteStorageLensConfiguration
  - DeleteStorageLensConfigurationTagging
  - DescribeJob
  - GetAccelerateConfiguration
  - GetAccessPoint
  - GetAccessPointConfigurationForObjectLambda
  - GetAccessPointForObjectLambda
  - GetAccessPointPolicy
  - GetAccessPointPolicyForObjectLambda
  - GetAccessPointPolicyStatus
  - GetAccessPointPolicyStatusForObjectLambda
  - GetAccountPublicAccessBlock
  - GetAnalyticsConfiguration
  - GetBucketAcl
  - GetBucketCORS
  - GetBucketLocation
  - GetBucketLogging
  - GetBucketNotification
  - GetBucketObjectLockConfiguration
  - GetBucketOwnershipControls
  - GetBucketPolicy
  - GetBucketPolicyStatus
  - GetBucketPublicAccessBlock
  - GetBucketRequestPayment
  - GetBucketTagging
  - GetBucketVersioning
  - GetBucketWebsite
  - GetEncryptionConfiguration
  - GetIntelligentTieringConfiguration
  - GetInventoryConfiguration
  - GetJobTagging
  - GetLifecycleConfiguration
  - GetMetricsConfiguration
  - GetObject
  - GetObjectAcl
  - GetObjectLegalHold
  - GetObjectRetention
  - GetObjectTagging
  - GetObjectTorrent
  - GetObjectVersion
  - GetObjectVersionAcl
  - GetObjectVersionForReplication
  - GetObjectVersionTagging
  - GetObjectVersionTorrent
  - GetReplicationConfiguration
  - GetStorageLensConfiguration
  - GetStorageLensConfigurationTagging
  - GetStorageLensDashboard
  - ListAccessPoints
  - ListAccessPointsForObjectLambda
  - ListAllMyBuckets
  - ListBucket
  - ListBucketMultipartUploads
  - ListBucketVersions
  - ListJobs
  - ListMultipartUploadParts
  - ListStorageLensConfigurations
  - ObjectOwnerOverrideToBucketOwner
  - PutAccelerateConfiguration
  - PutAccessPointConfigurationForObjectLambda
  - PutAccessPointPolicy
  - PutAccessPointPolicyForObjectLambda
  - PutAccountPublicAccessBlock
  - PutAnalyticsConfiguration
  - PutBucketAcl
  - PutBucketCORS
  - PutBucketLogging
  - PutBucketNotification
  - PutBucketObjectLockConfiguration
  - PutBucketOwnershipControls
  - PutBucketPolicy
  - PutBucketPublicAccessBlock
  - PutBucketRequestPayment
  - PutBucketTagging
  - PutBucketVersioning
  - PutBucketWebsite
  - PutEncryptionConfiguration
  - PutIntelligentTieringConfiguration
  - PutInventoryConfiguration
  - PutJobTagging
  - PutLifecycleConfiguration
  - PutMetricsConfiguration
  - PutObject
  - PutObjectAcl
  - PutObjectLegalHold
  - PutObjectRetention
  - PutObjectTagging
  - PutObjectVersionAcl
  - PutObjectVersionTagging
  - PutReplicationConfiguration
  - PutStorageLensConfiguration
  - PutStorageLensConfigurationTagging
  - ReplicateDelete
  - ReplicateObject
  - ReplicateTags
  - RestoreObject
  - UpdateJobPriority
  - UpdateJobStatus

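ARN Format: arn:aws:s3:::${BucketName}/${KeyName}
ARN Regex: ^arn:aws:s3:::.+
Note: the format above is the object form; a bucket by itself is arn:aws:s3:::${BucketName}. The regex accepts both, but only in the "aws" partition, and it does not match the region- and account-qualified ARNs used by access points, Batch Operations jobs and Storage Lens configurations, so do not rely on it alone to validate Resource entries for those actions.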

Condition Keys:
  - aws:RequestTag/${TagKey}
  - aws:ResourceTag/${TagKey}
  - aws:TagKeys
  - s3:AccessPointNetworkOrigin
  - s3:DataAccessPointAccount
  - s3:DataAccessPointArn
  - s3:ExistingJobOperation
  - s3:ExistingJobPriority
  - s3:ExistingObjectTag/<key>
  - s3:JobSuspendedCause
  - s3:LocationConstraint
  - s3:RequestJobOperation
  - s3:RequestJobPriority
  - s3:RequestObjectTag/<key>
  - s3:RequestObjectTagKeys
  - s3:ResourceAccount
  - s3:TlsVersion
  - s3:VersionId
  - s3:authType
  - s3:delimiter
  - s3:locationconstraint
  - s3:max-keys
  - s3:object-lock-legal-hold
  - s3:object-lock-mode
  - s3:object-lock-remaining-retention-days
  - s3:object-lock-retain-until-date
  - s3:prefix
  - s3:signatureAge
  - s3:signatureversion
  - s3:versionid
  - s3:x-amz-acl
  - s3:x-amz-content-sha256
  - s3:x-amz-copy-source
  - s3:x-amz-grant-full-control
  - s3:x-amz-grant-read
  - s3:x-amz-grant-read-acp
  - s3:x-amz-grant-write
  - s3:x-amz-grant-write-acp
  - s3:x-amz-metadata-directive
  - s3:x-amz-server-side-encryption
  - s3:x-amz-server-side-encryption-aws-kms-key-id
  - s3:x-amz-storage-class
  - s3:x-amz-website-redirect-location
