This repository has been archived by the owner on Jan 20, 2021. It is now read-only.

There's almost no documentation for new object lock permissions #53

Closed
copumpkin opened this issue Apr 5, 2019 · 8 comments

Comments

@copumpkin

In this page I can see an s3:PutObjectRetention action, as well as an s3:object-lock-remaining-retention-days condition key.

However, the ARC page for S3 doesn't mention either of those nor any of the associated IAM actions or condition keys.

Furthermore, neither does the S3 actions mapping page, nor the condition keys page.

Given the importance of these object locks for compliance, it seems good to get some pretty detailed permissions spelled out for it.

@copumpkin
Author

For example, I guessed that s3:object-lock-mode would work (and take on values of COMPLIANCE or GOVERNANCE) and that seems to be true, but isn't mentioned anywhere in the docs.

@copumpkin
Author

Also, s3:object-lock-legal-hold seems to take on string values of ON and OFF.

@copumpkin
Author

copumpkin commented Apr 6, 2019

@RandyOcheltree @AWSRandall does anyone from AWS check this repository? There are dozens of tickets and PRs with no engagement and I'm wondering if it's worth anyone's time to report anything here.

@kitos9112

@copumpkin is right. Not sure whether we should spend our own time on this repository...

@jschwarzwalder
Contributor

I have shared your message with the S3 writing team.

Thank you for your feedback!

@copumpkin
Author

Thanks @jschwarzwalder!

@RandyOcheltree
Contributor

@copumpkin
Author

copumpkin commented Jun 8, 2019

@RandyOcheltree that's great, and I see it propagated to the autogenerated page as well, thanks! The one thing I'd ask is whether I was wrong about s3:object-lock-legal-hold being ON or OFF rather than the more conventional true or false values. Or does the IAM machinery somehow normalize those? The documentation you linked to doesn't mention anything special there and if it isn't a conventional boolean then it seems worth mentioning to minimize confusion.

@joeholl joeholl closed this as completed Jul 24, 2019
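
An added example, not part of the thread and not AWS code: a small Python lint that flags IAM policy conditions on the object-lock keys discussed above when they use a non-string operator or a value other than the ones the issue author reports (COMPLIANCE/GOVERNANCE, ON/OFF). The numeric treatment of s3:object-lock-remaining-retention-days, the function name and the sample policy are assumptions made for illustration.

```python
# Value sets are the ones the issue author reports observing in this thread.
REPORTED_VALUES = {
    "s3:object-lock-mode": {"COMPLIANCE", "GOVERNANCE"},
    "s3:object-lock-legal-hold": {"ON", "OFF"},
}
# Assumption (not stated in the thread): this key is compared numerically.
NUMERIC_KEYS = {"s3:object-lock-remaining-retention-days"}


def lint_object_lock_conditions(policy):
    """Return (statement index, key, problem) tuples for a policy dict."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    for idx, stmt in enumerate(statements):
        for operator, tests in stmt.get("Condition", {}).items():
            # Drop set qualifiers ("ForAnyValue:") and the "IfExists" suffix.
            base = operator.split(":")[-1]
            if base.endswith("IfExists"):
                base = base[: -len("IfExists")]
            if base == "Null":  # Null only tests whether the key is present
                continue
            for key, values in tests.items():
                values = values if isinstance(values, list) else [values]
                name = key.lower()  # condition key names are case-insensitive
                if name in NUMERIC_KEYS:
                    if not base.startswith("Numeric"):
                        findings.append((idx, key, f"{operator} is not a numeric operator"))
                    continue
                allowed = REPORTED_VALUES.get(name)
                if allowed is None:
                    continue
                if not base.startswith("String"):
                    findings.append((idx, key, f"{operator} is not a string operator"))
                if "Like" in base:  # wildcard patterns are not checked
                    continue
                for value in values:
                    text = str(value).upper() if "IgnoreCase" in base else str(value)
                    if text not in allowed:
                        findings.append((idx, key, f"value {value!r} not in {sorted(allowed)}"))
    return findings


# Constructed sample policy (not from the thread) that the lint reports on.
SUSPECT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "s3:PutObjectRetention", "Resource": "*",
    "Condition": {"Bool": {"s3:object-lock-legal-hold": "true"},
                  "StringEquals": {"s3:object-lock-mode": "Governance"}}}]}
```

Calling `lint_object_lock_conditions(SUSPECT)` returns three findings: the `Bool` operator and the `true` value on the legal-hold key, and the mixed-case `Governance` mode value.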