Posted On: Dec 21, 2020
The s3:ResourceAccount and s3:TLSVersion IAM condition keys help you write simple policies that restrict access to your buckets based on the Amazon Web Services Account ID of the bucket owner, or by the TLS Version used by the client.
Using the new s3:ResourceAccount IAM condition key, you can write simple IAM or Virtual Private Cloud Endpoint (VPCE) policies to restrict user or application access to S3 buckets that are owned by specified Amazon Web Services Accounts. Additionally, since this new condition key filters access by Amazon Web Services Account ID instead of by bucket or resource name, you can be certain that policies will be predictably applied into the future, even as buckets are added and removed over time.
Using the new s3:TLSVersion IAM condition key, you can now write simple IAM or Virtual Private Cloud Endpoint (VPCE) policies to restrict user or application access to S3 buckets based on the TLS Version used by the client. This gives you an easy way to write short, simple policies that ensure that all clients use a minimum customer-defined TLS version.
The s3:ResourceAccount IAM and s3:TLSVersioncondition keys are available at no additional cost in is available today in all Amazon Web Services Regions, including the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD.
To learn more about the IAM condition keys for S3, visit the documentation.