Skip to main content
Welcome. This lesson assumes you already have an S3 vector bucket. To allow programmatic access to that bucket, create a customer-managed IAM policy scoped to the vector bucket ARN(s) and attach it to the user or role your application uses. This lets you explicitly grant the exact S3 actions required for vector workflows (list, read, write, permission management, and tagging) while following least-privilege principles. Overview
  • Goal: Create a customer-managed IAM policy that permits programmatic listing, reading, writing, permission management, and tagging for S3 vector buckets, then attach it to a user.
  • Pre-requisite: You have an existing S3 vector bucket (or buckets) and an IAM user or role to attach the policy to.
Step 1 — Create the customer-managed policy
  1. In the AWS Console, search for and open IAM.
  2. On the left menu, click Policies, then click Create policy.
  3. In the policy editor:
    • If your account or organization provides an S3 Vectors policy template, search for vectors and select it.
    • If that template is not available, choose the S3 service and manually select the actions your vector workflows require (examples below).
  4. Fine-tune allowed actions depending on your needs:
    • Permit only listing, only read/write, or full control depending on the principle of least privilege.
    • For this demo, enable actions required for listing, reading, writing, permission management, and tagging so the user can list, read, write, and manage S3 vector buckets and objects.
  5. Choose the resource scope:
    • Selecting All applies the policy to all S3 buckets. For least privilege, scope the policy to specific bucket ARNs such as arn:aws:s3:::my-vector-bucket and arn:aws:s3:::my-vector-bucket/*.
  6. Click Next, give the policy a name (for example S3-vector-bucket-demo), then Create policy.
The image shows an AWS IAM policy creation page where various S3 Vectors actions like List, Read, Write, Permissions management, and Tagging are selected. There is also a notification indicating that some dependent permissions are not selected.
Recommended S3 actions for vector bucket workflows
Action groupExample actionsPurpose
Listings3:ListBucketList objects in a bucket or prefixes (required for enumerating data and shards).
Reads3:GetObject, s3:GetObjectVersionRead object content and versions for embedding or retrieval.
Writes3:PutObject, s3:PutObjectAclUpload new objects, store serialized embeddings or metadata, manage ACLs.
Permission managements3:PutBucketPolicy, s3:PutBucketAclManage bucket-level policies and access controls if your app needs to change permissions.
Tagging & metadatas3:PutObjectTagging, s3:GetObjectTaggingTag objects for lifecycle, labeling, or vector metadata.
Example minimal customer-managed IAM policy (adjust ARNs and actions for your environment)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::your-vector-bucket-name"]
    },
    {
      "Sid": "AllowObjectsReadWriteAndTag",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectTagging",
        "s3:GetObjectTagging"
      ],
      "Resource": ["arn:aws:s3:::your-vector-bucket-name/*"]
    }
  ]
}
Replace your-vector-bucket-name with your actual bucket name, or add multiple ARNs to scope to several buckets. Step 2 — Attach the policy to a user (or role)
  1. In IAM, go to Users and select the target user (for example s3-vector).
  2. Click Add permissionsAttach policies directly.
  3. Choose the Customer managed filter, search for vector, select the policy you created, click Next, then Add permissions.
The image shows an AWS Identity and Access Management (IAM) console displaying details for a user named "s3-vector," including permissions policies and access keys. The user has AWS managed policies like "AmazonBedrockFullAccess" and "AmazonS3FullAccess" attached.
Note about AWS-managed policies Although this user may already have the AWS-managed AmazonS3FullAccess policy attached, creating and attaching a customer-managed policy for S3 vector buckets lets you explicitly grant the precise actions and resource scope required by your vector operations (for example scoping permissions to specific bucket ARNs or enabling tagging and permission-management actions). AWS-managed policies can be broader than necessary for your application.
If you have multiple vector buckets or separate environments (dev/stage/prod), create separate policies per environment and scope ARNs accordingly. This makes auditing and rotation easier.
Dependent permissions and encryption Depending on how your buckets are configured, you may need additional permissions beyond basic S3 actions:
  • If objects are encrypted with a KMS key, include the appropriate KMS key permissions such as kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey for the key used by the bucket or objects.
  • Cross-account bucket access, bucket policies, or object lambda integrations may require extra permissions or trust relationships.
Generate and store programmatic credentials If your application will access the S3 vector buckets from code, create programmatic access keys:
  1. In the user’s Security credentials tab, generate an Access key (access key ID and secret access key).
  2. Store these keys securely — for example:
    • In an AWS Secrets Manager secret.
    • In an encrypted environment variable management solution.
    • In a CI/CD secret store.
Never commit access keys to source control. Store them securely (for example, in a secrets manager or environment variables) and rotate them regularly.
Quick checklist before testing access
  • Policy created and scoped to correct bucket ARNs.
  • Policy attached to the intended user or role.
  • KMS key policy updated if bucket uses SSE-KMS.
  • Access keys generated and stored securely.
  • Application environment configured to use the keys or role.
References and further reading That completes this lesson. Use these credentials to programmatically access the S3 vector bucket, upload and embed data, and query your vector store.

Watch Video