Amazon S3 now supports attribute-based access control

Posted on: Nov 21, 2025

Amazon S3 supports attribute-based access control (ABAC) for S3 general purpose buckets. In addition to using tags on your S3 buckets for cost allocation, you can now use them for ABAC to automatically manage permissions to your data. This helps eliminate frequent Amazon Identity and Access Management (IAM) or bucket policy updates as your organization grows, simplifying how you govern access at scale.

With ABAC support, Amazon S3 automatically evaluates tag-based conditions in your policies before granting access to your data. For example, create an IAM policy that references tags on your buckets, then grant users and roles access simply by adding or modifying tags on new or existing buckets. To get started, enable ABAC on your bucket using the S3 PutBucketAbac API and manage tags through the S3 TagResource and UntagResource APIs. You can also require that users add specific tags at the time of bucket creation to set consistent tagging standards across your organization.
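An illustrative identity policy for the pattern described above, added here as an example and not taken from the announcement or from AWS documentation. The tag key project is an assumed naming convention, and the policy assumes bucket tags are matched with the aws:ResourceTag condition key, principal tags with aws:PrincipalTag, and creation-time tags with aws:RequestTag.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDataAccessWhenBucketTagMatchesPrincipalTag",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/project": "${aws:PrincipalTag/project}"
        }
      }
    },
    {
      "Sid": "DenyBucketCreationWithoutProjectTag",
      "Effect": "Deny",
      "Action": "s3:CreateBucket",
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/project": "true"
        }
      }
    }
  ]
}
```

Because access follows the tag, permission to change the project tag on a bucket or on a principal is effectively permission to grant access, so restrict who may call TagResource and UntagResource on tagged buckets.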

ABAC support for S3 general purpose buckets is available in all Amazon Web Services Regions, including the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD, at no additional cost. You can use the Amazon Web Services Management Console, S3 REST API, Amazon CLI, SDK, and CloudFormation. To learn more about using tags for access control in S3 general purpose buckets, visit the S3 User Guide.