Posted On: Dec 21, 2020

The s3:ResourceAccount and s3:TLSVersion IAM condition keys help you write simple policies that restrict access to your buckets based on the AWS Account ID of the bucket owner, or by the TLS Version used by the client. 

Using the new s3:ResourceAccount IAM condition key, you can write simple IAM or Virtual Private Cloud Endpoint (VPCE) policies to restrict user or application access to S3 buckets that are owned by specified AWS Accounts. Additionally, since this new condition key filters access by AWS Account ID instead of by bucket or resource name, you can be certain that policies will be predictably applied into the future, even as buckets are added and removed over time. 

Using the new s3:TLSVersion IAM condition key, you can now write simple IAM or Virtual Private Cloud Endpoint (VPCE) policies to restrict user or application access to S3 buckets based on the TLS Version used by the client. This gives you an easy way to write short, simple policies that ensure that all clients use a minimum customer-defined TLS version. 

The s3:ResourceAccount IAM and s3:TLSVersioncondition keys are available at no additional cost in is available today in all AWS Regions, including the AWS China (Beijing) Region, operated by Sinnet, and the AWS China (Ningxia) Region, operated by NWCD. 

To learn more about the IAM condition keys for S3, visit the documentation