Fine-Grained S3 Access Policies for AI

Secure exactly what your agents can see and do

We’re excited to introduce fine-grained access policies for S3 buckets via Storage Connections. This feature gives you precise control over what AI agents can do with your files and folders, ensuring they only interact with the resources they’re supposed to.

Access policies work alongside AWS IAM permissions, providing an additional layer of security without changing your existing IAM roles. It’s important to note that access policies do not override IAM permissions—they act as an additional restriction layer. Always configure access policies carefully to ensure AI agents only access the files and folders they need.

Setting Resource-Based Control with Glob Patterns
You can create Access Policies that target specific files or folders using flexible glob patterns. Based on these patterns, files or folders can be mapped to specific allowed actions: FILE_READ, FILE_WRITE, FILE_CREATE, FILE_DELETE.

| Pattern | Match | Example |
|---|---|---|
| ** | All files and directories recursively | All files in the bucket |
| example.txt | Explicit file at the root | example.txt only |
| foo/* | Direct children of a directory | foo/bar.txt, foo/data.json |
| foo/** | All files under a directory recursively | foo/bar.txt, foo/sub/file.txt |
| **/*.txt | All .txt files recursively | Any .txt file anywhere |
| *.txt | .txt files at root level only | Root-level .txt files |
| reports/**/*.pdf | All PDF files under reports recursively | reports/q1/summary.pdf, reports/2024/annual.pdf |
| data/*/output.json | output.json in direct subdirectories | data/prod/output.json, data/test/output.json |


How Actions Map To IAM Permissions
To use the following actions, the respective IAM permissions must be enabled:
| Action | Description | Required IAM Permission |
|---|---|---|
| FILE_READ | Read and list files and folders | s3:GetObject, s3:ListBucket |
| FILE_WRITE | Overwrite existing files (does not create new) | s3:PutObject |
| FILE_CREATE | Create new files (does not overwrite existing) | s3:PutObject |
| FILE_DELETE | Delete files and folders | s3:DeleteObject |
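As an added illustration (not Vendia's code and not a description of how Storage Connections evaluates policies internally), the following Python models the two tables above: a matcher with the glob semantics listed (`**` may cross directory boundaries, `*` stays within one path segment) and an evaluation that grants an action only when a policy pattern allows it and the role also holds the IAM permission the action requires, so a policy can restrict but never widen IAM. The policy list and IAM permission set are constructed sample inputs.

```python
import re

# Actions from the Storage Connections policy model and the IAM permissions
# the page lists as required for each of them.
REQUIRED_IAM = {
    "FILE_READ": {"s3:GetObject", "s3:ListBucket"},
    "FILE_WRITE": {"s3:PutObject"},
    "FILE_CREATE": {"s3:PutObject"},
    "FILE_DELETE": {"s3:DeleteObject"},
}

def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a policy glob into a regex: '**' may cross '/', '*' may not."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            parts.append("(?:.*/)?")  # zero or more directory levels
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")        # rest of the key, at any depth
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")     # wildcard inside a single segment
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")

def matches(pattern: str, key: str) -> bool:
    return glob_to_regex(pattern).match(key) is not None

def is_allowed(policies, iam_permissions, key: str, action: str) -> bool:
    """Default deny: the action needs BOTH a matching policy grant and the
    IAM permission it maps to; a policy cannot add what IAM does not allow."""
    if not REQUIRED_IAM[action] <= set(iam_permissions):
        return False
    return any(matches(pat, key) and action in acts for pat, acts in policies)

# Constructed sample inputs (hypothetical, not from the page).
SAMPLE_POLICIES = [
    ("reports/**/*.pdf", {"FILE_READ"}),
    ("data/*/output.json", {"FILE_READ", "FILE_WRITE"}),
]
SAMPLE_IAM = {"s3:GetObject", "s3:ListBucket", "s3:PutObject"}  # no DeleteObject
```

Call `is_allowed(SAMPLE_POLICIES, SAMPLE_IAM, key, action)` for an object key and action; with the sample role it returns False for FILE_DELETE on every key, because s3:DeleteObject is missing regardless of what a policy grants.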

For more information visit docs.vendia.com
