diff --git a/.github/workflows/end2end.yaml b/.github/workflows/end2end.yaml index d1053a659b..11f6d0dbc4 100644 --- a/.github/workflows/end2end.yaml +++ b/.github/workflows/end2end.yaml @@ -693,7 +693,7 @@ jobs: - name: Debug wait uses: ./.github/actions/debug-wait timeout-minutes: 60 - if: failure() && runner.debug == '1' + if: always() - name: Archive artifact logs and data uses: ./.github/actions/archive-artifacts env: diff --git a/tests/ctst/features/bucket-notifications/notifications.feature b/tests/ctst/features/bucket-notifications/notifications.feature deleted file mode 100644 index 2a8828cf4a..0000000000 --- a/tests/ctst/features/bucket-notifications/notifications.feature +++ /dev/null @@ -1,183 +0,0 @@ -Feature: Bucket notifications - In order to receive notifications - As an Artesca User - I want to activate notifications - And to subscribe to events I want to be notified on - And to receive notifications on buckets/objects activities I have subscribed to - - @2.6.0 - @PreMerge - @BucketNotification - Scenario Outline: Configure bucket notifications for events - Given a "" bucket - And one notification destination - When i subscribe to "" notifications for destination - Then notifications should be enabled for "" event in destination - - Examples: - | versioningConfiguration | notificationType | destination | - | Non versioned | s3:ObjectCreated:* | 0 | - | Non versioned | s3:ObjectCreated:Put | 0 | - | Non versioned | s3:ObjectCreated:Copy | 0 | - | Non versioned | s3:ObjectRemoved:* | 0 | - | Non versioned | s3:ObjectRemoved:Delete | 0 | - | Non versioned | s3:ObjectTagging:* | 0 | - | Non versioned | s3:ObjectTagging:Put | 0 | - | Non versioned | s3:ObjectTagging:Delete | 0 | - | Non versioned | s3:ObjectAcl:Put | 0 | - | Versioned | s3:ObjectCreated:* | 0 | - | Versioned | s3:ObjectCreated:Put | 0 | - | Versioned | s3:ObjectCreated:Copy | 0 | - | Versioned | s3:ObjectRemoved:* | 0 | - | Versioned | s3:ObjectRemoved:Delete | 0 | - | Versioned | s3:ObjectRemoved:DeleteMarkerCreated| 0 | - | Versioned | s3:ObjectTagging:* | 0 | - | Versioned | s3:ObjectTagging:Put | 0 | - | Versioned | s3:ObjectTagging:Delete | 0 | - | Versioned | s3:ObjectAcl:Put | 0 | - | Versioning suspended | s3:ObjectCreated:* | 0 | - | Versioning suspended | s3:ObjectCreated:Put | 0 | - | Versioning suspended | s3:ObjectCreated:Copy | 0 | - | Versioning suspended | s3:ObjectRemoved:* | 0 | - | Versioning suspended | s3:ObjectRemoved:Delete | 0 | - | Versioning suspended | s3:ObjectRemoved:DeleteMarkerCreated| 0 | - | Versioning suspended | s3:ObjectTagging:* | 0 | - | Versioning suspended | s3:ObjectTagging:Put | 0 | - | Versioning suspended | s3:ObjectTagging:Delete | 0 | - | Versioning suspended | s3:ObjectAcl:Put | 0 | - - @2.6.0 - @PreMerge - @Flaky - @BucketNotification - Scenario Outline: Recieve notification for configured events - Given a "" bucket - And one notification destination - When i subscribe to "" notifications for destination - And a "" event is triggered "" "" - Then i should "" a notification for "" event in destination - - Examples: - | versioningConfiguration | subscribedNotificationType | notificationType | enable | filterType | shouldReceive | destination | - | Non versioned | s3:ObjectCreated:* | s3:ObjectCreated:Put | without | filter | receive | 0 | - | Non versioned | s3:ObjectCreated:* | s3:ObjectCreated:Copy | without | filter | receive | 0 | - | Non versioned | s3:ObjectCreated:Put | s3:ObjectCreated:Put | without | filter | receive | 0 | - | Non versioned | s3:ObjectCreated:Copy | s3:ObjectCreated:Copy | without | filter | receive | 0 | - | Non versioned | s3:ObjectRemoved:* | s3:ObjectRemoved:Delete | without | filter | receive | 0 | - | Non versioned | s3:ObjectRemoved:Delete | s3:ObjectRemoved:Delete | without | filter | receive | 0 | - | Non versioned | s3:ObjectTagging:* | s3:ObjectTagging:Put | without | filter | receive | 0 | - | Non versioned | s3:ObjectTagging:* | s3:ObjectTagging:Delete | without | filter | receive | 0 | - | Non versioned | s3:ObjectTagging:Put | s3:ObjectTagging:Put | without | filter | receive | 0 | - | Non versioned | s3:ObjectTagging:Delete | s3:ObjectTagging:Delete | without | filter | receive | 0 | - | Non versioned | s3:ObjectAcl:Put | s3:ObjectAcl:Put | without | filter | receive | 0 | - | Versioned | s3:ObjectCreated:* | s3:ObjectCreated:Copy | without | filter | receive | 0 | - | Versioned | s3:ObjectCreated:Put | s3:ObjectCreated:Put | without | filter | receive | 0 | - | Versioned | s3:ObjectCreated:Copy | s3:ObjectCreated:Copy | without | filter | receive | 0 | - | Versioned | s3:ObjectRemoved:* | s3:ObjectRemoved:Delete | without | filter | receive | 0 | - | Versioned | s3:ObjectRemoved:* | s3:ObjectRemoved:DeleteMarkerCreated | without | filter | receive | 0 | - | Versioned | s3:ObjectRemoved:Delete | s3:ObjectRemoved:Delete | without | filter | receive | 0 | - | Versioned | s3:ObjectRemoved:DeleteMarkerCreated | s3:ObjectRemoved:DeleteMarkerCreated | without | filter | receive | 0 | - | Versioned | s3:ObjectTagging:* | s3:ObjectTagging:Put | without | filter | receive | 0 | - | Versioned | s3:ObjectTagging:* | s3:ObjectTagging:Delete | without | filter | receive | 0 | - | Versioned | s3:ObjectTagging:Put | s3:ObjectTagging:Put | without | filter | receive | 0 | - | Versioned | s3:ObjectTagging:Delete | s3:ObjectTagging:Delete | without | filter | receive | 0 | - | Versioned | s3:ObjectAcl:Put | s3:ObjectAcl:Put | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectCreated:* | s3:ObjectCreated:Put | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectCreated:* | s3:ObjectCreated:Copy | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectCreated:Put | s3:ObjectCreated:Put | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectCreated:Copy | s3:ObjectCreated:Copy | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectRemoved:* | s3:ObjectRemoved:Delete | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectRemoved:Delete | s3:ObjectRemoved:Delete | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectTagging:* | s3:ObjectTagging:Put | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectTagging:* | s3:ObjectTagging:Delete | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectTagging:Put | s3:ObjectTagging:Put | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectTagging:Delete | s3:ObjectTagging:Delete | without | filter | receive | 0 | - | Versioning suspended | s3:ObjectAcl:Put | s3:ObjectAcl:Put | without | filter | receive | 0 | - - @2.6.0 - @PreMerge - @BucketNotification - Scenario Outline: Not recieving notification for non configured events - Given a "" bucket - And one notification destination - When i subscribe to "" notifications for destination - And i unsubscribe from "" notifications for destination - And a "" event is triggered "" "" - Then i should "" a notification for "" event in destination - - Examples: - | versioningConfiguration | subscribedNotificationType | notificationType | enable | filterType | shouldReceive | destination | - | Non versioned | all | s3:ObjectCreated:Put | without | filter | not receive | 0 | - | Non versioned | all | s3:ObjectCreated:Copy | without | filter | not receive | 0 | - | Non versioned | all | s3:ObjectRemoved:Delete | without | filter | not receive | 0 | - | Non versioned | all | s3:ObjectTagging:Put | without | filter | not receive | 0 | - | Non versioned | all | s3:ObjectTagging:Delete | without | filter | not receive | 0 | - | Non versioned | all | s3:ObjectAcl:Put | without | filter | not receive | 0 | - | Versioned | all | s3:ObjectCreated:Put | without | filter | not receive | 0 | - | Versioned | all | s3:ObjectCreated:Copy | without | filter | not receive | 0 | - | Versioned | all | s3:ObjectRemoved:Delete | without | filter | not receive | 0 | - | Versioned | all | s3:ObjectTagging:Put | without | filter | not receive | 0 | - | Versioned | all | s3:ObjectTagging:Delete | without | filter | not receive | 0 | - | Versioned | all | s3:ObjectAcl:Put | without | filter | not receive | 0 | - | Versioning suspended | all | s3:ObjectCreated:Put | without | filter | not receive | 0 | - | Versioning suspended | all | s3:ObjectCreated:Copy | without | filter | not receive | 0 | - | Versioning suspended | all | s3:ObjectRemoved:Delete | without | filter | not receive | 0 | - | Versioning suspended | all | s3:ObjectTagging:Put | without | filter | not receive | 0 | - | Versioning suspended | all | s3:ObjectTagging:Delete | without | filter | not receive | 0 | - | Versioning suspended | all | s3:ObjectAcl:Put | without | filter | not receive | 0 | - - @2.6.0 - @PreMerge - @Flaky - @BucketNotification - Scenario Outline: Recieve notification for configured events with correct filter - Given a "" bucket - And one notification destination - When i subscribe to "" notifications for destination with "" filter - And a "" event is triggered "" "" - Then i should "" a notification for "" event in destination - - Examples: - | versioningConfiguration | notificationType | enable | filterType | shouldReceive | destination | - | Non versioned | s3:ObjectCreated:Put | with | prefix | receive | 0 | - | Non versioned | s3:ObjectCreated:Put | with | suffix | receive | 0 | - | Non versioned | s3:ObjectCreated:Put | without | prefix | not receive | 0 | - | Non versioned | s3:ObjectCreated:Put | without | suffix | not receive | 0 | - | Non versioned | s3:ObjectCreated:Copy | with | prefix | receive | 0 | - | Non versioned | s3:ObjectCreated:Copy | with | suffix | receive | 0 | - | Non versioned | s3:ObjectCreated:Copy | without | prefix | not receive | 0 | - | Non versioned | s3:ObjectCreated:Copy | without | suffix | not receive | 0 | - | Non versioned | s3:ObjectRemoved:Delete | with | prefix | receive | 0 | - | Non versioned | s3:ObjectRemoved:Delete | with | suffix | receive | 0 | - | Non versioned | s3:ObjectRemoved:Delete | without | prefix | not receive | 0 | - | Non versioned | s3:ObjectRemoved:Delete | without | suffix | not receive | 0 | - | Non versioned | s3:ObjectTagging:Put | with | prefix | receive | 0 | - | Non versioned | s3:ObjectTagging:Put | with | suffix | receive | 0 | - | Non versioned | s3:ObjectTagging:Put | without | prefix | not receive | 0 | - | Non versioned | s3:ObjectTagging:Put | without | suffix | not receive | 0 | - | Non versioned | s3:ObjectTagging:Delete | with | prefix | receive | 0 | - | Non versioned | s3:ObjectTagging:Delete | with | suffix | receive | 0 | - | Non versioned | s3:ObjectTagging:Delete | without | prefix | not receive | 0 | - | Non versioned | s3:ObjectTagging:Delete | without | suffix | not receive | 0 | - | Non versioned | s3:ObjectAcl:Put | with | prefix | receive | 0 | - | Non versioned | s3:ObjectAcl:Put | with | suffix | receive | 0 | - | Non versioned | s3:ObjectAcl:Put | without | prefix | not receive | 0 | - | Non versioned | s3:ObjectAcl:Put | without | suffix | not receive | 0 | - - @2.6.0 - @PreMerge - @Flaky - @BucketNotification - Scenario Outline: Recieve notification in multiple destinations - Given a "" bucket - And two notification destinations - When i subscribe to "" notifications for destination - And i subscribe to "" notifications for destination - And a "" event is triggered "" "" - Then i should "" a notification for "" event in destination - And i should "" a notification for "" event in destination - - Examples: - | versioningConfiguration | subscribedNotificationType | subscribedNotificationTypeSec | triggeredNotif | enable | filterType | shouldReceive | shouldReceiveSec | destination | destinationSec | - | Non versioned | s3:ObjectCreated:Put | s3:ObjectCreated:Put | s3:ObjectCreated:Put | without | filter | receive | receive | 0 | 1 | - | Non versioned | s3:ObjectCreated:Put | s3:ObjectCreated:Copy | s3:ObjectCreated:Put | without | filter | receive | not receive | 0 | 1 | diff --git a/tests/ctst/features/cloudserverAuth.feature b/tests/ctst/features/cloudserverAuth.feature deleted file mode 100644 index 959a9cbf0a..0000000000 --- a/tests/ctst/features/cloudserverAuth.feature +++ /dev/null @@ -1,58 +0,0 @@ -Feature: AWS S3 Bucket operations - - @2.6.0 - @PreMerge - @Cloudserver-Auth - Scenario: Check Authentication on bucket object lock actions with Vault - Given a IAM_USER type - And an IAM policy attached to the entity "user" with "Allow" effect to perform "CreateBucket" on "*" - And an IAM policy attached to the entity "user" with "" effect to perform "PutBucketObjectLockConfiguration" on "*" - And an IAM policy attached to the entity "user" with "" effect to perform "PutBucketVersioning" on "*" - When the user tries to perform CreateBucket - Then it "" pass Vault authentication - - Examples: - | allow | should | - | Allow | should | - # TODO: reenable after fix CLOUDSERVER-401 - # | Deny | should not | - - - @2.6.0 - @PreMerge - @Cloudserver-Auth - Scenario: Check Authentication on bucket retention actions with Vault - Given an existing bucket "" "without" versioning, "with" ObjectLock "GOVERNANCE" retention mode - And a IAM_USER type - And an IAM policy attached to the entity "user" with "Allow" effect to perform "PutObject" on "*" - And an IAM policy attached to the entity "user" with "Allow" effect to perform "PutObjectRetention" on "*" - And an IAM policy attached to the entity "user" with "" effect to perform "BypassGovernanceRetention" on "*" - And an object "" that "exists" - When the user tries to perform PutObjectRetention "" bypass - Then it "" pass Vault authentication - - Examples: - | allow | should | withBypass | - | Allow | should | with | - | Allow | should not | without | - | Deny | should not | with | - - - @2.6.0 - @PreMerge - @Cloudserver-Auth - Scenario: Check Authentication on DeleteObjects with Vault - Given an existing bucket "" "without" versioning, "without" ObjectLock "without" retention mode - And a IAM_USER type - And an IAM policy attached to the entity "user" with "Allow" effect to perform "PutObject" on "*" - And an IAM policy attached to the entity "user" with "Allow" effect to perform "DeleteObject" on "" - And an IAM policy attached to the entity "user" with "" effect to perform "DeleteObject" on "" - And an object "" that "exists" - And an object "" that "exists" - When the user tries to perform DeleteObjects - Then it "" pass Vault authentication - - Examples: - | bucketName | objName1 | objName2 | resource1 | resource2 | allow | should | - | ca-do-bucket-1 | obj1 | obj2 | ca-do-bucket-1/obj1 | ca-do-bucket-1/obj2 | Allow | should | - | ca-do-bucket-2 | obj1 | obj2 | ca-do-bucket-2/obj1 | ca-do-bucket-2/obj2 | Deny | should not | diff --git a/tests/ctst/features/iam-policies/AssumeRole.feature b/tests/ctst/features/iam-policies/AssumeRole.feature deleted file mode 100644 index 77d3ad95c9..0000000000 --- a/tests/ctst/features/iam-policies/AssumeRole.feature +++ /dev/null @@ -1,99 +0,0 @@ -Feature: IAM Policies for Assume Role Session Users - This feature allows you to create and attach IAM policies for IAM users. - IAM users should have the permissions to perform the actions that they are granted in their IAM policies. - - - @2.6.0 - @PreMerge - @IamPoliciesAssumeRole - Scenario Outline: Assume Role User is not authorized to perform the actions with no IAM policy attached to the role - Given an existing bucket "" "without" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a "" AssumeRole user - When the user tries to perform "" on the bucket - Then the user should receive "AccessDenied" error - - Examples: - | action | objectExists | ifCrossAccount | - | MetadataSearch | does not exist | | - | MetadataSearch | does not exist | cross account | - | GetObject | exists | | - | GetObject | exists | cross account | - - @2.6.0 - @PreMerge - @IamPoliciesAssumeRole - Scenario Outline: Assume Role User is authorized to perform the actions if the IAM policies that attached to the role have the right permission - Given an existing bucket "" "without" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a "" AssumeRole user - And an IAM policy attached to the entity "role" with "Allow" effect to perform "" on "" - When the user tries to perform "" on the bucket - Then the user should be able to perform successfully the "" action - - Examples: - | action | resource | bucketName | objectExists | objectName | ifCrossAccount | - | MetadataSearch | * | | does not exist | | | - | MetadataSearch | * | | does not exist | | cross account | - | GetObject | * | | exists | | | - | GetObject | * | | exists | | cross account | - | MetadataSearch | ar-md-bucket1 | ar-md-bucket1 | does not exist | | | - | MetadataSearch | ar-md-bucket2 | ar-md-bucket2 | does not exist | | cross account | - | GetObject | ar-go-bucket1/* | ar-go-bucket1 | exists | | | - | GetObject | ar-go-bucket2/* | ar-go-bucket2 | exists | | cross account | - | GetObject | ar-go-bucket3/go-object | ar-go-bucket3 | exists | go-object | | - | GetObject | ar-go-bucket4/go-object | ar-go-bucket4 | exists | go-object | cross account | - - @2.6.0 - @PreMerge - @IamPoliciesAssumeRole - Scenario Outline: Assume Role User is not authorized to perform the actions on the resource when they don't have permissions for or explicitly denied in the IAM policies that attached the role that the User assumed - Given an existing bucket "" "without" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a "" AssumeRole user - And an IAM policy attached to the entity "role" with "" effect to perform "" on "" - When the user tries to perform "" on the bucket - Then the user should receive "AccessDenied" error - - Examples: - | action | effect | resource | bucketName | objectExists | objectName | ifCrossAccount | - | MetadataSearch | Allow | ar-md-bucket3-1 | ar-md-bucket3 | does not exist | | | - | MetadataSearch | Allow | ar-md-bucket4-1 | ar-md-bucket4 | does not exist | | cross account | - | MetadataSearch | Deny | * | | does not exist | | | - | MetadataSearch | Deny | * | | does not exist | | cross account | - | MetadataSearch | Deny | ar-md-bucket5 | ar-md-bucket5 | does not exist | | | - | MetadataSearch | Deny | ar-md-bucket6 | ar-md-bucket6 | does not exist | | cross account | - | GetObject | Allow | ar-go-bucket5-1/* | ar-go-bucket5 | exists | | | - | GetObject | Allow | ar-go-bucket6-1/* | ar-go-bucket6 | exists | | cross account | - | GetObject | Allow | ar-go-bucket7/go-object1 | ar-go-bucket7 | exists | go-object | | - | GetObject | Allow | ar-go-bucket8/go-object1 | ar-go-bucket8 | exists | go-object | cross account | - | GetObject | Deny | * | ar-go-bucket9 | exists | | | - | GetObject | Deny | * | ar-go-bucket10 | exists | | cross account | - | GetObject | Deny | ar-go-bucket11/* | ar-go-bucket11 | exists | | | - | GetObject | Deny | ar-go-bucket12/* | ar-go-bucket12 | exists | | cross account | - | GetObject | Deny | ar-go-bucket13/go-object | ar-go-bucket13 | exists | go-object | | - | GetObject | Deny | ar-go-bucket14/go-object | ar-go-bucket14 | exists | go-object | cross account | - - @2.6.0 - @PreMerge - @IamPoliciesAssumeRole - Scenario Outline: Assume Role User is not authorized to perform the actions on the resource if Allow and Denied are both specified in the IAM policies that attached to the role the User assumed - Given an existing bucket "" "without" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a "" AssumeRole user - And an IAM policy attached to the entity "role" with "Allow" effect to perform "" on "" - And an IAM policy attached to the entity "role" with "Deny" effect to perform "" on "" - When the user tries to perform "" on the bucket - Then the user should receive "AccessDenied" error - Examples: - | action | resource | bucketName | objectExists | objectName | ifCrossAccount | - | MetadataSearch | * | ar-md-bucket7 | does not exist | | | - | MetadataSearch | * | ar-md-bucket8 | does not exist | | cross account | - | MetadataSearch | ar-md-bucket9 | ar-md-bucket9 | does not exist | | | - | MetadataSearch | ar-md-bucket10 | ar-md-bucket10 | does not exist | | cross account | - | GetObject | * | ar-go-bucket15 | exists | | | - | GetObject | * | ar-go-bucket16 | exists | | cross account | - | GetObject | ar-go-bucket17/* | ar-go-bucket17 | exists | | | - | GetObject | ar-go-bucket18/* | ar-go-bucket18 | exists | | cross account | - | GetObject | ar-go-bucket19/go-object | ar-go-bucket19 | exists | go-object | | - | GetObject | ar-go-bucket20/go-object | ar-go-bucket20 | exists | go-object | cross account | diff --git a/tests/ctst/features/iam-policies/AssumeRoleWithWebIdentity.feature b/tests/ctst/features/iam-policies/AssumeRoleWithWebIdentity.feature deleted file mode 100644 index 68d9c035ee..0000000000 --- a/tests/ctst/features/iam-policies/AssumeRoleWithWebIdentity.feature +++ /dev/null @@ -1,190 +0,0 @@ -Feature: Assume Role with Web Identity - In order to interact with restricted APIs - As an Artesca User - I want to use a web identity - And to succeed in accessing the API - - @2.6.0 - @PreMerge - @IAM-Policies-ARWWI - Scenario Outline: Assume Role with Web Identity - Given an existing bucket "" "" versioning, "without" ObjectLock "without" retention mode - And an object "" that "" - And a type - When the user tries to perform "" on the bucket - Then the user should be able to perform successfully the "" action - - Examples: - | action | type | withVersioning | objectExists | - | MetadataSearch | STORAGE_MANAGER | without | does not exist | - | PutObject | STORAGE_MANAGER | without | exists | - | PutObjectAcl | STORAGE_MANAGER | without | exists | - | GetObject | STORAGE_MANAGER | without | exists | - | GetObject | STORAGE_MANAGER | with | exists | - | GetObjectAcl | STORAGE_MANAGER | without | exists | - | DeleteObject | STORAGE_MANAGER | without | exists | - | DeleteObject | STORAGE_MANAGER | with | exists | - | GetBucketVersioning | STORAGE_MANAGER | with | does not exist | - | GetBucketAcl | STORAGE_MANAGER | without | does not exist | - | ListObjectsV2 | STORAGE_MANAGER | without | exists | - | ListObjectVersions | STORAGE_MANAGER | with | exists | - | DeleteObjects | STORAGE_MANAGER | without | exists | - | HeadObject | STORAGE_MANAGER | without | exists | - | CopyObject | STORAGE_MANAGER | without | exists | - | GetObjectTagging | STORAGE_MANAGER | without | exists | - | GetObjectTagging | STORAGE_MANAGER | with | exists | - | PutObjectTagging | STORAGE_MANAGER | without | exists | - | PutBucketLifecycleConfiguration | STORAGE_MANAGER | without | does not exist | - | GetObjectTagging | STORAGE_MANAGER | with | exists | - | DeleteObjectTagging | STORAGE_MANAGER | with | exists | - | DeleteObjectTagging | STORAGE_MANAGER | without | exists | - | PutObjectTagging | STORAGE_MANAGER | without | exists | - | PutObjectTagging | STORAGE_MANAGER | with | exists | - | GetObjectAcl | STORAGE_MANAGER | with | exists | - | GetObjectAcl | STORAGE_MANAGER | without | exists | - | PutObjectAcl | STORAGE_MANAGER | with | exists | - | PutObjectAcl | STORAGE_MANAGER | without | exists | - | PutBucketTagging | STORAGE_MANAGER | without | does not exist | - | DeleteBucketTagging | STORAGE_MANAGER | without | does not exist | - | PutBucketReplication | STORAGE_MANAGER | with | does not exist | - | MetadataSearch | STORAGE_ACCOUNT_OWNER | without | does not exist | - | PutObject | STORAGE_ACCOUNT_OWNER | without | exists | - | PutObjectAcl | STORAGE_ACCOUNT_OWNER | without | exists | - | GetObject | STORAGE_ACCOUNT_OWNER | without | exists | - | GetObject | STORAGE_ACCOUNT_OWNER | with | exists | - | GetObjectAcl | STORAGE_ACCOUNT_OWNER | without | exists | - | DeleteObject | STORAGE_ACCOUNT_OWNER | without | exists | - | DeleteObject | STORAGE_ACCOUNT_OWNER | with | exists | - | GetBucketVersioning | STORAGE_ACCOUNT_OWNER | with | does not exist | - | GetBucketAcl | STORAGE_ACCOUNT_OWNER | without | does not exist | - | ListObjectsV2 | STORAGE_ACCOUNT_OWNER | without | exists | - | ListObjectVersions | STORAGE_ACCOUNT_OWNER | with | exists | - | DeleteObjects | STORAGE_ACCOUNT_OWNER | without | exists | - | HeadObject | STORAGE_ACCOUNT_OWNER | without | exists | - | CopyObject | STORAGE_ACCOUNT_OWNER | without | exists | - | GetObjectTagging | STORAGE_ACCOUNT_OWNER | without | exists | - | GetObjectTagging | STORAGE_ACCOUNT_OWNER | with | exists | - | PutObjectTagging | STORAGE_ACCOUNT_OWNER | without | exists | - | PutBucketLifecycleConfiguration | STORAGE_ACCOUNT_OWNER | without | does not exist | - | GetObject | STORAGE_ACCOUNT_OWNER | with | exists | - | GetObjectTagging | STORAGE_ACCOUNT_OWNER | with | exists | - | DeleteObjectTagging | STORAGE_ACCOUNT_OWNER | with | exists | - | DeleteObjectTagging | STORAGE_ACCOUNT_OWNER | without | exists | - | PutObjectTagging | STORAGE_ACCOUNT_OWNER | without | exists | - | PutObjectTagging | STORAGE_ACCOUNT_OWNER | with | exists | - | GetObjectAcl | STORAGE_ACCOUNT_OWNER | with | exists | - | GetObjectAcl | STORAGE_ACCOUNT_OWNER | without | exists | - | PutObjectAcl | STORAGE_ACCOUNT_OWNER | with | exists | - | PutObjectAcl | STORAGE_ACCOUNT_OWNER | without | exists | - | PutObjectAcl | STORAGE_ACCOUNT_OWNER | with | exists | - | PutBucketTagging | STORAGE_ACCOUNT_OWNER | without | does not exist | - | DeleteBucketTagging | STORAGE_ACCOUNT_OWNER | without | does not exist | - | PutBucketReplication | STORAGE_ACCOUNT_OWNER | with | does not exist | - | MetadataSearch | DATA_CONSUMER | without | does not exist | - | PutObject | DATA_CONSUMER | without | exists | - | PutObjectAcl | DATA_CONSUMER | without | exists | - | GetObject | DATA_CONSUMER | without | exists | - | GetObject | DATA_CONSUMER | with | exists | - | GetObjectAcl | DATA_CONSUMER | without | exists | - | DeleteObject | DATA_CONSUMER | without | exists | - | DeleteObject | DATA_CONSUMER | with | exists | - | GetBucketVersioning | DATA_CONSUMER | with | does not exist | - | GetBucketAcl | DATA_CONSUMER | without | does not exist | - | ListObjectsV2 | DATA_CONSUMER | without | exists | - | ListObjectVersions | DATA_CONSUMER | with | exists | - | DeleteObjects | DATA_CONSUMER | without | exists | - | HeadObject | DATA_CONSUMER | without | exists | - | CopyObject | DATA_CONSUMER | without | exists | - | GetObjectTagging | DATA_CONSUMER | without | exists | - | GetObjectTagging | DATA_CONSUMER | with | exists | - | PutObjectTagging | DATA_CONSUMER | without | exists | - | PutBucketLifecycleConfiguration | DATA_CONSUMER | without | does not exist | - | GetObject | DATA_CONSUMER | with | exists | - | GetObjectTagging | DATA_CONSUMER | with | exists | - | DeleteObjectTagging | DATA_CONSUMER | with | exists | - | DeleteObjectTagging | DATA_CONSUMER | without | exists | - | PutObjectTagging | DATA_CONSUMER | without | exists | - | PutObjectTagging | DATA_CONSUMER | with | exists | - | GetObjectAcl | DATA_CONSUMER | with | exists | - | GetObjectAcl | DATA_CONSUMER | without | exists | - | PutObjectAcl | DATA_CONSUMER | with | exists | - | PutObjectAcl | DATA_CONSUMER | without | exists | - | PutBucketTagging | DATA_CONSUMER | without | does not exist | - | DeleteBucketTagging | DATA_CONSUMER | without | does not exist | - | PutBucketReplication | DATA_CONSUMER | with | does not exist | - - - @2.6.0 - @PreMerge - @IAM-Policies-ARWWI - Scenario Outline: Assume Role with Web Identity bucket setting tests - Given an existing bucket "" "" versioning, "without" ObjectLock "without" retention mode - And an object "" that "" - And a type - When the user tries to perform "" on the bucket - Then the user should receive "" error - - Examples: - | action | type | withVersioning | objectExists | error | - | RestoreObject | STORAGE_MANAGER | with | exists | InvalidObjectState | - | GetBucketCors | STORAGE_MANAGER | without | does not exist | NoSuchCORSConfiguration | - | GetObjectLockConfiguration | STORAGE_MANAGER | without | exists | ObjectLockConfigurationNotFoundError | - | GetObjectRetention | STORAGE_MANAGER | with | exists | Bucket is missing Object Lock Configuration | - | GetObjectLegalHold | STORAGE_MANAGER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectRetention | STORAGE_MANAGER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectLegalHold | STORAGE_MANAGER | with | exists | Bucket is missing Object Lock Configuration | - | GetBucketReplication | STORAGE_MANAGER | without | does not exist | ReplicationConfigurationNotFoundError | - | GetBucketLifecycleConfiguration | STORAGE_MANAGER | without | does not exist | NoSuchLifecycleConfiguration | - | GetObjectRetention | STORAGE_MANAGER | with | exists | Bucket is missing Object Lock Configuration | - | GetObjectLegalHold | STORAGE_MANAGER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectRetention | STORAGE_MANAGER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectLegalHold | STORAGE_MANAGER | with | exists | Bucket is missing Object Lock Configuration | - | GetBucketTagging | STORAGE_MANAGER | without | does not exist | NoSuchTagSet | - | PutObjectLockConfiguration | STORAGE_MANAGER | without | exists | InvalidBucketState | - | RestoreObject | STORAGE_ACCOUNT_OWNER | with | exists | InvalidObjectState | - | GetBucketCors | STORAGE_ACCOUNT_OWNER | without | does not exist | NoSuchCORSConfiguration | - | GetObjectLockConfiguration | STORAGE_ACCOUNT_OWNER | without | exists | ObjectLockConfigurationNotFoundError | - | GetObjectRetention | STORAGE_ACCOUNT_OWNER | with | exists | Bucket is missing Object Lock Configuration | - | GetObjectLegalHold | STORAGE_ACCOUNT_OWNER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectRetention | STORAGE_ACCOUNT_OWNER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectLegalHold | STORAGE_ACCOUNT_OWNER | with | exists | Bucket is missing Object Lock Configuration | - | GetBucketReplication | STORAGE_ACCOUNT_OWNER | without | does not exist | ReplicationConfigurationNotFoundError | - | GetBucketLifecycleConfiguration | STORAGE_ACCOUNT_OWNER | without | does not exist | NoSuchLifecycleConfiguration | - | GetObjectRetention | STORAGE_ACCOUNT_OWNER | with | exists | Bucket is missing Object Lock Configuration | - | GetObjectLegalHold | STORAGE_ACCOUNT_OWNER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectRetention | STORAGE_ACCOUNT_OWNER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectLegalHold | STORAGE_ACCOUNT_OWNER | with | exists | Bucket is missing Object Lock Configuration | - | GetBucketTagging | STORAGE_ACCOUNT_OWNER | without | does not exist | NoSuchTagSet | - | PutObjectLockConfiguration | STORAGE_ACCOUNT_OWNER | without | exists | InvalidBucketState | - | RestoreObject | DATA_CONSUMER | with | exists | InvalidObjectState | - | GetBucketCors | DATA_CONSUMER | without | does not exist | NoSuchCORSConfiguration | - | GetObjectLockConfiguration | DATA_CONSUMER | without | exists | ObjectLockConfigurationNotFoundError | - | GetObjectRetention | DATA_CONSUMER | with | exists | Bucket is missing Object Lock Configuration | - | GetObjectLegalHold | DATA_CONSUMER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectRetention | DATA_CONSUMER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectLegalHold | DATA_CONSUMER | with | exists | Bucket is missing Object Lock Configuration | - | GetBucketReplication | DATA_CONSUMER | without | does not exist | ReplicationConfigurationNotFoundError | - | GetBucketLifecycleConfiguration | DATA_CONSUMER | without | does not exist | NoSuchLifecycleConfiguration | - | GetObjectRetention | DATA_CONSUMER | with | exists | Bucket is missing Object Lock Configuration | - | GetObjectLegalHold | DATA_CONSUMER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectRetention | DATA_CONSUMER | with | exists | Bucket is missing Object Lock Configuration | - | PutObjectLegalHold | DATA_CONSUMER | with | exists | Bucket is missing Object Lock Configuration | - | GetBucketTagging | DATA_CONSUMER | without | does not exist | NoSuchTagSet | - | PutObjectLockConfiguration | DATA_CONSUMER | without | exists | InvalidBucketState | - - - @2.6.0 - @PreMerge - @IAM-Policies-ARWWI - Scenario Outline: Data Consumer with Web Identity cannot perform these bucket actions - Given an existing bucket "" "" versioning, "without" ObjectLock "without" retention mode - And an object "" that "" - And a DATA_CONSUMER type - When the user tries to perform "" on the bucket - Then the user should receive "AccessDenied" error - - Examples: - | action | withVersioning | objectExists | - | CreateBucket | with | does not exist | - | DeleteBucket | with | does not exist | - | PutBucketVersioning | with | does not exist | diff --git a/tests/ctst/features/iam-policies/IAMUser.feature b/tests/ctst/features/iam-policies/IAMUser.feature deleted file mode 100644 index 192566a739..0000000000 --- a/tests/ctst/features/iam-policies/IAMUser.feature +++ /dev/null @@ -1,78 +0,0 @@ -Feature: IAM Policies for IAM Users - This feature allows you to create and attach IAM policies for IAM users. - IAM users should have the permissions to perform the actions that they are granted in their IAM policies. - - @2.6.0 - @PreMerge - @IamPoliciesIamUsers - Scenario Outline: User is not authorized to perform the actions without IAM policy - Given an existing bucket "" "without" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a IAM_USER type - When the user tries to perform "" on the bucket - Then the user should receive "AccessDenied" error - - Examples: - | action | objectExists | - | MetadataSearch | does not exist | - | GetObject | exists | - - @2.6.0 - @PreMerge - @IamPoliciesIamUsers - Scenario Outline: User is authorized to perform the actions that are granted in the IAM policy - Given an existing bucket "" "without" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a IAM_USER type - And an IAM policy attached to the entity "user" with "Allow" effect to perform "" on "" - When the user tries to perform "" on the bucket - Then the user should be able to perform successfully the "" action - - Examples: - | action | resource | bucketName | objectExists | objectName | - | MetadataSearch | * | | does not exist | | - | GetObject | * | | exists | | - | MetadataSearch | iu-md-bucket1 | iu-md-bucket1 | does not exist | | - | GetObject | iu-go-bucket1/* | iu-go-bucket1 | exists | | - | GetObject | iu-go-bucket2/go-object | iu-go-bucket2 | exists | go-object | - - @2.6.0 - @PreMerge - @IamPoliciesIamUsers - Scenario Outline: User is not authorized to perform the actions on the resource that they don't have permissions for or explicitly denied - Given an existing bucket "" "without" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a IAM_USER type - And an IAM policy attached to the entity "user" with "" effect to perform "" on "" - When the user tries to perform "" on the bucket - Then the user should receive "AccessDenied" error - - Examples: - | action | effect | resource | bucketName | objectExists | objectName | - | MetadataSearch | Allow | iu-md-bucket3-1 | iu-md-bucket3 | does not exist | | - | MetadataSearch | Deny | * | | does not exist | | - | MetadataSearch | Deny | iu-md-bucket4 | iu-md-bucket4 | does not exist | | - | GetObject | Allow | iu-go-bucket3-1/* | iu-go-bucket3 | exists | | - | GetObject | Allow | iu-go-bucket4/go-object1 | iu-go-bucket4 | exists | go-object | - | GetObject | Deny | * | iu-go-bucket5 | exists | | - | GetObject | Deny | iu-go-bucket5/* | iu-go-bucket5 | exists | | - | GetObject | Deny | iu-go-bucket6/go-object | iu-go-bucket6 | exists | go-object | - - @2.6.0 - @PreMerge - @IamPoliciesIamUsers - Scenario Outline: User is not authorized to perform the actions on the resource when Allow and Denied are both specified - Given an existing bucket "" "without" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a IAM_USER type - And an IAM policy attached to the entity "user" with "Allow" effect to perform "" on "" - And an IAM policy attached to the entity "user" with "Deny" effect to perform "" on "" - When the user tries to perform "" on the bucket - Then the user should receive "AccessDenied" error - Examples: - | action | resource | bucketName | objectExists | objectName | - | MetadataSearch | * | iu-md-bucket5 | does not exist | | - | MetadataSearch | iu-md-bucket6 | iu-md-bucket6 | does not exist | | - | GetObject | * | iu-go-bucket7 | exists | | - | GetObject | iu-go-bucket8/* | iu-go-bucket8 | exists | | - | GetObject | iu-go-bucket9/go-object | iu-go-bucket9 | exists | go-object | diff --git a/tests/ctst/features/iam-policies/backbeatServiceUser.feature b/tests/ctst/features/iam-policies/backbeatServiceUser.feature deleted file mode 100644 index 351bbc1894..0000000000 --- a/tests/ctst/features/iam-policies/backbeatServiceUser.feature +++ /dev/null @@ -1,62 +0,0 @@ -Feature: IAM Policies for Backbeat Service Users - As a backbeat service user, - I want to have specific permissions to perform S3 actions for data replication and expiration - So that I can effectively manage data within the system. - - - @2.6.0 - @PreMerge - @IamPoliciesBackbeatServiceUser - Scenario Outline: Backbeat Service Users are authorized to perform the actions and get success response - Given an existing bucket "" "" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a service user "" assuming the role "" of a user account - When the user tries to perform "" on the bucket - Then the user should be able to perform successfully the "" action - - Examples: - | action | withVersioning | objectExists | serviceUserName | roleName | - | GetBucketVersioning | with | does not exist | backbeat-lifecycle-bp-1 | backbeat-lifecycle-bp-1 | - | ListObjects | with | exists | backbeat-lifecycle-bp-1 | backbeat-lifecycle-bp-1 | - | ListMultipartUploads | with | exists | backbeat-lifecycle-bp-1 | backbeat-lifecycle-bp-1 | - | GetObjectTagging | without | exists | backbeat-lifecycle-bp-1 | backbeat-lifecycle-bp-1 | - | GetObjectTagging | with | exists | backbeat-lifecycle-bp-1 | backbeat-lifecycle-bp-1 | - | GetObject | without | exists | backbeat-lifecycle-bp-1 | backbeat-lifecycle-bp-1 | - | GetObject | with | exists | backbeat-lifecycle-bp-1 | backbeat-lifecycle-bp-1 | - | GetObject | without | exists | backbeat-lifecycle-op-1 | backbeat-lifecycle-op-1 | - | GetObject | with | exists | backbeat-lifecycle-op-1 | backbeat-lifecycle-op-1 | - | DeleteObject | without | exists | backbeat-lifecycle-op-1 | backbeat-lifecycle-op-1 | - | DeleteObject | with | exists | backbeat-lifecycle-op-1 | backbeat-lifecycle-op-1 | - | AbortMultipartUpload | with | exists | backbeat-lifecycle-op-1 | backbeat-lifecycle-op-1 | - | GetObject | without | exists | sorbet-fwd-2 | cold-storage-archive-role-2 | - | GetObject | with | exists | sorbet-fwd-2 | cold-storage-archive-role-2 | - | GetObject | without | exists | sorbet-fwd-2 | cold-storage-restore-role-2 | - | GetObject | with | exists | sorbet-fwd-2 | cold-storage-restore-role-2 | - - @2.6.0 - @PreMerge - @IamPoliciesBackbeatServiceUser - Scenario Outline: Backbeat Service Users are authorized to perform the actions and get expected error response - Given an existing bucket "" "" versioning, "without" ObjectLock "" retention mode - And an object "" that "" - And a service user "" assuming the role "" of a user account - When the user tries to perform "" on the bucket - Then the user should receive "" error - - Examples: - | action | withVersioning | objectExists | serviceUserName | roleName | expectedError | - | GetBucketLifecycleConfiguration | with | does not exist | backbeat-lifecycle-bp-1 | backbeat-lifecycle-bp-1 | NoSuchLifecycleConfiguration | - | PutObjectVersion | with | exists | sorbet-fwd-2 | cold-storage-restore-role-2 | InvalidObjectState | - - @2.6.0 - @PreMerge - @IamPoliciesBackbeatServiceUser - Scenario Outline: Backbeat Service Users are authorized to perform the actions - Given a service user "" assuming the role "" of an internal service account - When the user tries to perform vault auth "" - Then the user should be able to perform successfully the "" action - - Examples: - | action | serviceUserName | roleName | - | GetAccountInfo | backbeat-qp-1 | backbeat-qp-1 | - | GetAccountInfo | backbeat-lifecycle-conductor-1 | backbeat-lifecycle-conductor-1 | \ No newline at end of file diff --git a/tests/ctst/features/pra.feature b/tests/ctst/features/pra.feature deleted file mode 100644 index f0aede1e32..0000000000 --- a/tests/ctst/features/pra.feature +++ /dev/null @@ -1,91 +0,0 @@ -Feature: PRA operations - - @2.6.0 - @PreMerge - @Dmf - @PRA - @ColdStorage - Scenario Outline: PRA (nominal case) - # Prepare objects in the primary site - Given a "" bucket - And a transition workflow to "e2e-cold" location - And objects "obj" of size bytes on "Primary" site - Then object "obj-1" should be "transitioned" and have the storage class "e2e-cold" - And object "obj-2" should be "transitioned" and have the storage class "e2e-cold" - And dmf volume should contain objects - - # Deploy PRA - Given a DR installed - Then the DR source should be in phase "Running" - And the DR sink should be in phase "Running" - Then the kafka DR volume exists - - # Check that objects are transitioned in the DR site - Given access keys for the replicated account - - Then object "obj-1" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - And object "obj-2" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - - # Test again the transition workflow - Given objects "obj2" of size bytes on "Pimary" site - Then object "obj2-1" should "" be "transitioned" and have the storage class "e2e-cold" on "Primary" site - And object "obj2-2" should "" be "transitioned" and have the storage class "e2e-cold" on "Primary" site - Then object "obj2-1" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - And object "obj2-2" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - When i restore object "obj-1" for 2 days on "Primary" site - Then object "obj-1" should "" be "restored" and have the storage class "e2e-cold" on "Primary" site - And object "obj-1" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - - # Test the readonly - When the "vault-check-seeds" cronjobs completes without error on "Primary" site - And the DATA_ACCESSOR user tries to perform PutObject on "DR" site - Then it "should not" pass Vault authentication - - # Switch to failover - When I request the failover state for the DR - Then the DR sink should be in phase "Failover" - - # Restore on DR site - When i restore object "obj2-1" for 200000 days on "DR" site - Then object "obj2-1" should "" be "restored" and have the storage class "e2e-cold" on "DR" site - And object "obj2-1" should "" be "transitioned" and have the storage class "e2e-cold" on "Primary" site - - # Switch to failback - When I resume operations for the DR - Then the DR sink should be in phase "Running" - And object "obj2-1" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - - # Pause / Resume DR - When I pause the DR - Then the DR source should be in phase "Paused" - - Given objects "obj3" of size bytes on "Pimary" site - Then object "obj3-1" should "" be "transitioned" and have the storage class "e2e-cold" on "Primary" site - And object "obj3-2" should "" be "transitioned" and have the storage class "e2e-cold" on "Primary" site - Then object "obj3-1" should "not" be "transitioned" and have the storage class "e2e-cold" on "DR" site - And object "obj3-2" should "not" be "transitioned" and have the storage class "e2e-cold" on "DR" site - - When I resume the DR - Then the DR source should be in phase "Running" - Then object "obj3-1" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - And object "obj3-2" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - - # Uninstall DR - When I uninstall DR - Then the DR custom resources should be deleted - - # Re-add objects to bucket - Given objects "obj3" of size bytes on "Primary" site - Then object "obj3-1" should "" be "transitioned" and have the storage class "e2e-cold" on "Primary" site - - # Deploy PRA again - Given a DR installed - Then the DR source should be in phase "Running" - And the DR sink should be in phase "Running" - Given access keys for the replicated account - Then object "obj3-1" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - And object "obj3-2" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site - - Examples: - | versioningConfiguration | objectCount | objectSize | - | Versioned | 2 | 100 | \ No newline at end of file diff --git a/tests/ctst/features/quotas/CountItems.feature b/tests/ctst/features/quotas/CountItems.feature deleted file mode 100644 index e009f1766a..0000000000 --- a/tests/ctst/features/quotas/CountItems.feature +++ /dev/null @@ -1,12 +0,0 @@ -Feature: CountItems measures the utilization metrics - The utilization metrics are computed for accounts, buckets and locations - -@2.6.0 -@PreMerge -@CronJob -@CountItems -Scenario Outline: Countitems runs without error and compute utilization metrics - Given an existing bucket "" "without" versioning, "without" ObjectLock "without" retention mode - And an object "" that "exists" - When the "count-items" cronjobs completes without error - Then the operation finished without error diff --git a/tests/ctst/features/quotas/Quotas.feature b/tests/ctst/features/quotas/Quotas.feature deleted file mode 100644 index e9de9ba341..0000000000 --- a/tests/ctst/features/quotas/Quotas.feature +++ /dev/null @@ -1,98 +0,0 @@ -Feature: Quota Management for APIs - This feature ensures that quotas are correctly set and honored - for different APIs. - - @2.6.0 - @PreMerge - @Quotas - @CronJob - @DataWrite - Scenario Outline: Quotas are evaluated during write operations - Given an action "" - And an upload size of B for the object "" - And a STORAGE_MANAGER type - And a bucket quota set to B - And an account quota set to B - And a type - And an environment setup for the API - And an "existing" IAM Policy that "applies" with "ALLOW" effect for the current API - When the user tries to perform the current S3 action on the bucket 20 times with a 400 ms delay - Then the API should "" with "" - - Examples: - | action | uploadSize | bucketQuota | accountQuota | userType | result | expectedError | - | PutObject | 10 | 0 | 0 | ACCOUNT | succeed | | - | PutObject | 10 | 100 | 0 | ACCOUNT | fail | QuotaExceeded | - | PutObject | 10 | 0 | 100 | ACCOUNT | fail | QuotaExceeded | - | PutObject | 10 | 100 | 100 | ACCOUNT | fail | QuotaExceeded | - | PutObject | 10 | 300 | 300 | ACCOUNT | succeed | | - | PutObject | 10 | 0 | 0 | IAM_USER | succeed | | - | PutObject | 10 | 100 | 0 | IAM_USER | fail | QuotaExceeded | - | PutObject | 10 | 0 | 100 | IAM_USER | fail | QuotaExceeded | - | PutObject | 10 | 100 | 100 | IAM_USER | fail | QuotaExceeded | - | PutObject | 10 | 300 | 300 | IAM_USER | succeed | | - | CopyObject | 10 | 0 | 0 | ACCOUNT | succeed | | - | CopyObject | 10 | 100 | 0 | ACCOUNT | fail | QuotaExceeded | - | CopyObject | 10 | 0 | 100 | ACCOUNT | fail | QuotaExceeded | - | CopyObject | 10 | 100 | 100 | ACCOUNT | fail | QuotaExceeded | - | CopyObject | 10 | 300 | 300 | ACCOUNT | succeed | | - | CopyObject | 10 | 0 | 0 | IAM_USER | succeed | | - | CopyObject | 10 | 100 | 0 | IAM_USER | fail | QuotaExceeded | - | CopyObject | 10 | 0 | 100 | IAM_USER | fail | QuotaExceeded | - | CopyObject | 10 | 100 | 100 | IAM_USER | fail | QuotaExceeded | - | CopyObject | 10 | 300 | 300 | IAM_USER | succeed | | - | UploadPart | 10 | 0 | 0 | ACCOUNT | succeed | | - | UploadPart | 10 | 100 | 0 | ACCOUNT | fail | QuotaExceeded | - | UploadPart | 10 | 0 | 100 | ACCOUNT | fail | QuotaExceeded | - | UploadPart | 10 | 100 | 100 | ACCOUNT | fail | QuotaExceeded | - | UploadPart | 10 | 300 | 300 | ACCOUNT | succeed | | - | UploadPart | 10 | 0 | 0 | IAM_USER | succeed | | - | UploadPart | 10 | 100 | 0 | IAM_USER | fail | QuotaExceeded | - | UploadPart | 10 | 0 | 100 | IAM_USER | fail | QuotaExceeded | - | UploadPart | 10 | 100 | 100 | IAM_USER | fail | QuotaExceeded | - | UploadPart | 10 | 300 | 300 | IAM_USER | succeed | | - | UploadPartCopy | 10 | 0 | 0 | ACCOUNT | succeed | | - | UploadPartCopy | 10 | 100 | 0 | ACCOUNT | fail | QuotaExceeded | - | UploadPartCopy | 10 | 0 | 100 | ACCOUNT | fail | QuotaExceeded | - | UploadPartCopy | 10 | 100 | 100 | ACCOUNT | fail | QuotaExceeded | - | UploadPartCopy | 10 | 300 | 300 | ACCOUNT | succeed | | - | UploadPartCopy | 10 | 0 | 0 | IAM_USER | succeed | | - | UploadPartCopy | 10 | 100 | 0 | IAM_USER | fail | QuotaExceeded | - | UploadPartCopy | 10 | 0 | 100 | IAM_USER | fail | QuotaExceeded | - | UploadPartCopy | 10 | 100 | 100 | IAM_USER | fail | QuotaExceeded | - | UploadPartCopy | 10 | 300 | 300 | IAM_USER | succeed | | - - @2.6.0 - @PreMerge - @Quotas - @CronJob - @DataDeletion - @NonVersioned - Scenario Outline: Quotas are affected by deletion operations - Given an action "DeleteObject" - And a permission to perform the "PutObject" action - And a STORAGE_MANAGER type - And a bucket quota set to 10000 B - And an account quota set to 10000 B - And an upload size of 1000 B for the object "obj-1" - And a bucket quota set to B - And an account quota set to B - And a type - And an environment setup for the API - And an "existing" IAM Policy that "applies" with "ALLOW" effect for the current API - When I wait 3 seconds - And I PUT an object with size - Then the API should "fail" with "QuotaExceeded" - When i delete object "obj-1" - And I wait 3 seconds - And I PUT an object with size - Then the API should "succeed" with "" - - Examples: - | uploadSize | bucketQuota | accountQuota | userType | - | 100 | 200 | 0 | ACCOUNT | - | 100 | 0 | 200 | ACCOUNT | - | 100 | 200 | 200 | ACCOUNT | - | 100 | 200 | 0 | IAM_USER | - | 100 | 0 | 200 | IAM_USER | - | 100 | 200 | 200 | IAM_USER | diff --git a/tests/ctst/features/resource-policies/AssumeRole.feature b/tests/ctst/features/resource-policies/AssumeRole.feature deleted file mode 100644 index 38b718f072..0000000000 --- a/tests/ctst/features/resource-policies/AssumeRole.feature +++ /dev/null @@ -1,1283 +0,0 @@ -Feature: S3 Bucket Policies Authorization flow for IAM Assume Roles - This feature allows you to create and attach bucket policies to S3 buckets. - IAM Users should have the permissions to perform the actions that they are granted in their bucket policies - based on the other permissions they also have from their role. - This test suite is not meant to be human-readable, but brings confidence in our Authz flow for all supported - S3 actions. - - @2.6.0 - @PreMerge - @BucketPolicies - @BP-ASSUME_ROLE_USER - Scenario Outline: ASSUME ROLE: IAM Policy and S3 Bucket Policy - Given an action "" - And an existing bucket prepared for the action - And a ASSUME_ROLE_USER type - And an environment setup for the API - And an "" IAM Policy that "" with "" effect for the current API - And an "" S3 Bucket Policy that "" with "" effect for the current API - When the user tries to perform the current S3 action on the bucket - Then the authorization result is correct - Examples: - | action | bucketPolicyExists | bucketPolicyApplies | bucketPolicyEffect | iamPolicyExists | iamPolicyApplies | iamPolicyEffect | - # Everything below is generated - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | applies | ALLOW | non-existing | | | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | applies | DENY | non-existing | | | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | AbortMultipartUpload | non-existing | | | existing | applies | ALLOW | - | AbortMultipartUpload | non-existing | | | existing | applies | DENY | - | AbortMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | AbortMultipartUpload | non-existing | | | non-existing | | | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | applies | ALLOW | non-existing | | | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | applies | DENY | non-existing | | | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | CompleteMultipartUpload | non-existing | | | existing | applies | ALLOW | - | CompleteMultipartUpload | non-existing | | | existing | applies | DENY | - | CompleteMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | CompleteMultipartUpload | non-existing | | | non-existing | | | - | CopyObject | existing | applies | ALLOW | existing | applies | ALLOW | - | CopyObject | existing | applies | ALLOW | existing | applies | DENY | - | CopyObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CopyObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CopyObject | existing | applies | ALLOW | non-existing | | | - | CopyObject | existing | applies | DENY | existing | applies | ALLOW | - | CopyObject | existing | applies | DENY | existing | applies | DENY | - | CopyObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CopyObject | existing | applies | DENY | existing | does not apply | ALLOW | - | CopyObject | existing | applies | DENY | non-existing | | | - | CopyObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CopyObject | existing | does not apply | ALLOW | existing | applies | DENY | - | CopyObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CopyObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CopyObject | existing | does not apply | ALLOW | non-existing | | | - | CopyObject | non-existing | | | existing | applies | ALLOW | - | CopyObject | non-existing | | | existing | applies | DENY | - | CopyObject | non-existing | | | existing | applies | ALLOW+DENY | - | CopyObject | non-existing | | | existing | does not apply | ALLOW | - | CopyObject | non-existing | | | non-existing | | | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | applies | ALLOW | non-existing | | | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | applies | DENY | non-existing | | | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | CreateMultipartUpload | non-existing | | | existing | applies | ALLOW | - | CreateMultipartUpload | non-existing | | | existing | applies | DENY | - | CreateMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | CreateMultipartUpload | non-existing | | | non-existing | | | - | DeleteBucket | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucket | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucket | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucket | existing | applies | ALLOW | non-existing | | | - | DeleteBucket | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucket | existing | applies | DENY | existing | applies | DENY | - | DeleteBucket | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucket | existing | applies | DENY | non-existing | | | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucket | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucket | non-existing | | | existing | applies | ALLOW | - | DeleteBucket | non-existing | | | existing | applies | DENY | - | DeleteBucket | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucket | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucket | non-existing | | | non-existing | | | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | applies | ALLOW | non-existing | | | - | DeleteBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketCors | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | applies | DENY | non-existing | | | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketCors | non-existing | | | existing | applies | ALLOW | - | DeleteBucketCors | non-existing | | | existing | applies | DENY | - | DeleteBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketCors | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketCors | non-existing | | | non-existing | | | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | applies | ALLOW | non-existing | | | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | applies | DENY | non-existing | | | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketEncryption | non-existing | | | existing | applies | ALLOW | - | DeleteBucketEncryption | non-existing | | | existing | applies | DENY | - | DeleteBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketEncryption | non-existing | | | non-existing | | | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | applies | ALLOW | non-existing | | | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | applies | DENY | non-existing | | | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketLifecycle | non-existing | | | existing | applies | ALLOW | - | DeleteBucketLifecycle | non-existing | | | existing | applies | DENY | - | DeleteBucketLifecycle | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | non-existing | | | non-existing | | | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | applies | ALLOW | non-existing | | | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | applies | DENY | non-existing | | | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketPolicy | non-existing | | | existing | applies | ALLOW | - | DeleteBucketPolicy | non-existing | | | existing | applies | DENY | - | DeleteBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketPolicy | non-existing | | | non-existing | | | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | applies | ALLOW | non-existing | | | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | applies | DENY | non-existing | | | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketReplication | non-existing | | | existing | applies | ALLOW | - | DeleteBucketReplication | non-existing | | | existing | applies | DENY | - | DeleteBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketReplication | non-existing | | | non-existing | | | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | applies | ALLOW | non-existing | | | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | applies | DENY | non-existing | | | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketWebsite | non-existing | | | existing | applies | ALLOW | - | DeleteBucketWebsite | non-existing | | | existing | applies | DENY | - | DeleteBucketWebsite | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketWebsite | non-existing | | | non-existing | | | - | DeleteObject | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObject | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObject | existing | applies | ALLOW | non-existing | | | - | DeleteObject | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObject | existing | applies | DENY | existing | applies | DENY | - | DeleteObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObject | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObject | existing | applies | DENY | non-existing | | | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObject | existing | does not apply | ALLOW | non-existing | | | - | DeleteObject | non-existing | | | existing | applies | ALLOW | - | DeleteObject | non-existing | | | existing | applies | DENY | - | DeleteObject | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObject | non-existing | | | existing | does not apply | ALLOW | - | DeleteObject | non-existing | | | non-existing | | | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | applies | ALLOW | non-existing | | | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | applies | DENY | non-existing | | | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketTagging | non-existing | | | existing | applies | ALLOW | - | DeleteBucketTagging | non-existing | | | existing | applies | DENY | - | DeleteBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketTagging | non-existing | | | non-existing | | | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | applies | ALLOW | non-existing | | | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | applies | DENY | non-existing | | | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectTagging | non-existing | | | existing | applies | ALLOW | - | DeleteObjectTagging | non-existing | | | existing | applies | DENY | - | DeleteObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectTagging | non-existing | | | non-existing | | | - | DeleteObjects | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjects | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjects | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjects | existing | applies | ALLOW | non-existing | | | - | DeleteObjects | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjects | existing | applies | DENY | existing | applies | DENY | - | DeleteObjects | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjects | existing | applies | DENY | non-existing | | | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjects | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjects | non-existing | | | existing | applies | ALLOW | - | DeleteObjects | non-existing | | | existing | applies | DENY | - | DeleteObjects | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjects | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjects | non-existing | | | non-existing | | | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketAcl | existing | applies | ALLOW | non-existing | | | - | GetBucketAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketAcl | existing | applies | DENY | existing | applies | DENY | - | GetBucketAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketAcl | existing | applies | DENY | non-existing | | | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketAcl | existing | does not apply | ALLOW | non-existing | | | - | GetBucketAcl | non-existing | | | existing | applies | ALLOW | - | GetBucketAcl | non-existing | | | existing | applies | DENY | - | GetBucketAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketAcl | non-existing | | | existing | does not apply | ALLOW | - | GetBucketAcl | non-existing | | | non-existing | | | - | GetBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketCors | existing | applies | ALLOW | non-existing | | | - | GetBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketCors | existing | applies | DENY | existing | applies | DENY | - | GetBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketCors | existing | applies | DENY | non-existing | | | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketCors | existing | does not apply | ALLOW | non-existing | | | - | GetBucketCors | non-existing | | | existing | applies | ALLOW | - | GetBucketCors | non-existing | | | existing | applies | DENY | - | GetBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketCors | non-existing | | | existing | does not apply | ALLOW | - | GetBucketCors | non-existing | | | non-existing | | | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | applies | ALLOW | non-existing | | | - | GetBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | GetBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | applies | DENY | non-existing | | | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | GetBucketEncryption | non-existing | | | existing | applies | ALLOW | - | GetBucketEncryption | non-existing | | | existing | applies | DENY | - | GetBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | GetBucketEncryption | non-existing | | | non-existing | | | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | non-existing | | | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | DENY | non-existing | | | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | DENY | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | non-existing | | | non-existing | | | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | non-existing | | | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | DENY | non-existing | | | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | DENY | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | non-existing | | | non-existing | | | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | applies | ALLOW | non-existing | | | - | GetBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | GetBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | applies | DENY | non-existing | | | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | GetBucketPolicy | non-existing | | | existing | applies | ALLOW | - | GetBucketPolicy | non-existing | | | existing | applies | DENY | - | GetBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | GetBucketPolicy | non-existing | | | non-existing | | | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketReplication | existing | applies | ALLOW | non-existing | | | - | GetBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketReplication | existing | applies | DENY | existing | applies | DENY | - | GetBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketReplication | existing | applies | DENY | non-existing | | | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | GetBucketReplication | non-existing | | | existing | applies | ALLOW | - | GetBucketReplication | non-existing | | | existing | applies | DENY | - | GetBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | GetBucketReplication | non-existing | | | non-existing | | | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | applies | ALLOW | non-existing | | | - | GetBucketVersioning | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketVersioning | existing | applies | DENY | existing | applies | DENY | - | GetBucketVersioning | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | applies | DENY | non-existing | | | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | does not apply | ALLOW | non-existing | | | - | GetBucketVersioning | non-existing | | | existing | applies | ALLOW | - | GetBucketVersioning | non-existing | | | existing | applies | DENY | - | GetBucketVersioning | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketVersioning | non-existing | | | existing | does not apply | ALLOW | - | GetBucketVersioning | non-existing | | | non-existing | | | - | GetObject | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObject | existing | applies | ALLOW | existing | applies | DENY | - | GetObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObject | existing | applies | ALLOW | non-existing | | | - | GetObject | existing | applies | DENY | existing | applies | ALLOW | - | GetObject | existing | applies | DENY | existing | applies | DENY | - | GetObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObject | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObject | existing | applies | DENY | non-existing | | | - | GetObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObject | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObject | existing | does not apply | ALLOW | non-existing | | | - | GetObject | non-existing | | | existing | applies | ALLOW | - | GetObject | non-existing | | | existing | applies | DENY | - | GetObject | non-existing | | | existing | applies | ALLOW+DENY | - | GetObject | non-existing | | | existing | does not apply | ALLOW | - | GetObject | non-existing | | | non-existing | | | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectAcl | existing | applies | ALLOW | non-existing | | | - | GetObjectAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectAcl | existing | applies | DENY | existing | applies | DENY | - | GetObjectAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectAcl | existing | applies | DENY | non-existing | | | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectAcl | existing | does not apply | ALLOW | non-existing | | | - | GetObjectAcl | non-existing | | | existing | applies | ALLOW | - | GetObjectAcl | non-existing | | | existing | applies | DENY | - | GetObjectAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectAcl | non-existing | | | existing | does not apply | ALLOW | - | GetObjectAcl | non-existing | | | non-existing | | | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | applies | ALLOW | non-existing | | | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | DENY | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | applies | DENY | non-existing | | | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | does not apply | ALLOW | non-existing | | | - | GetObjectLegalHold | non-existing | | | existing | applies | ALLOW | - | GetObjectLegalHold | non-existing | | | existing | applies | DENY | - | GetObjectLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | non-existing | | | existing | does not apply | ALLOW | - | GetObjectLegalHold | non-existing | | | non-existing | | | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | applies | ALLOW | non-existing | | | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | applies | DENY | non-existing | | | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetObjectLockConfiguration | non-existing | | | existing | applies | ALLOW | - | GetObjectLockConfiguration | non-existing | | | existing | applies | DENY | - | GetObjectLockConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | non-existing | | | non-existing | | | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectRetention | existing | applies | ALLOW | non-existing | | | - | GetObjectRetention | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectRetention | existing | applies | DENY | existing | applies | DENY | - | GetObjectRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectRetention | existing | applies | DENY | non-existing | | | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectRetention | existing | does not apply | ALLOW | non-existing | | | - | GetObjectRetention | non-existing | | | existing | applies | ALLOW | - | GetObjectRetention | non-existing | | | existing | applies | DENY | - | GetObjectRetention | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectRetention | non-existing | | | existing | does not apply | ALLOW | - | GetObjectRetention | non-existing | | | non-existing | | | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketTagging | existing | applies | ALLOW | non-existing | | | - | GetBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketTagging | existing | applies | DENY | existing | applies | DENY | - | GetBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketTagging | existing | applies | DENY | non-existing | | | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | GetBucketTagging | non-existing | | | existing | applies | ALLOW | - | GetBucketTagging | non-existing | | | existing | applies | DENY | - | GetBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | GetBucketTagging | non-existing | | | non-existing | | | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectTagging | existing | applies | ALLOW | non-existing | | | - | GetObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectTagging | existing | applies | DENY | existing | applies | DENY | - | GetObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectTagging | existing | applies | DENY | non-existing | | | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | GetObjectTagging | non-existing | | | existing | applies | ALLOW | - | GetObjectTagging | non-existing | | | existing | applies | DENY | - | GetObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | GetObjectTagging | non-existing | | | non-existing | | | - | HeadBucket | existing | applies | ALLOW | existing | applies | ALLOW | - | HeadBucket | existing | applies | ALLOW | existing | applies | DENY | - | HeadBucket | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | HeadBucket | existing | applies | ALLOW | existing | does not apply | ALLOW | - | HeadBucket | existing | applies | ALLOW | non-existing | | | - | HeadBucket | existing | applies | DENY | existing | applies | ALLOW | - | HeadBucket | existing | applies | DENY | existing | applies | DENY | - | HeadBucket | existing | applies | DENY | existing | applies | ALLOW+DENY | - | HeadBucket | existing | applies | DENY | existing | does not apply | ALLOW | - | HeadBucket | existing | applies | DENY | non-existing | | | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | ALLOW | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | DENY | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | HeadBucket | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | HeadBucket | existing | does not apply | ALLOW | non-existing | | | - | HeadBucket | non-existing | | | existing | applies | ALLOW | - | HeadBucket | non-existing | | | existing | applies | DENY | - | HeadBucket | non-existing | | | existing | applies | ALLOW+DENY | - | HeadBucket | non-existing | | | existing | does not apply | ALLOW | - | HeadBucket | non-existing | | | non-existing | | | - | HeadObject | existing | applies | ALLOW | existing | applies | ALLOW | - | HeadObject | existing | applies | ALLOW | existing | applies | DENY | - | HeadObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | HeadObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | HeadObject | existing | applies | ALLOW | non-existing | | | - | HeadObject | existing | applies | DENY | existing | applies | ALLOW | - | HeadObject | existing | applies | DENY | existing | applies | DENY | - | HeadObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | HeadObject | existing | applies | DENY | existing | does not apply | ALLOW | - | HeadObject | existing | applies | DENY | non-existing | | | - | HeadObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | HeadObject | existing | does not apply | ALLOW | existing | applies | DENY | - | HeadObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | HeadObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | HeadObject | existing | does not apply | ALLOW | non-existing | | | - | HeadObject | non-existing | | | existing | applies | ALLOW | - | HeadObject | non-existing | | | existing | applies | DENY | - | HeadObject | non-existing | | | existing | applies | ALLOW+DENY | - | HeadObject | non-existing | | | existing | does not apply | ALLOW | - | HeadObject | non-existing | | | non-existing | | | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | ALLOW | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | DENY | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | applies | ALLOW | non-existing | | | - | ListMultipartUploads | existing | applies | DENY | existing | applies | ALLOW | - | ListMultipartUploads | existing | applies | DENY | existing | applies | DENY | - | ListMultipartUploads | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | applies | DENY | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | applies | DENY | non-existing | | | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | DENY | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | does not apply | ALLOW | non-existing | | | - | ListMultipartUploads | non-existing | | | existing | applies | ALLOW | - | ListMultipartUploads | non-existing | | | existing | applies | DENY | - | ListMultipartUploads | non-existing | | | existing | applies | ALLOW+DENY | - | ListMultipartUploads | non-existing | | | existing | does not apply | ALLOW | - | ListMultipartUploads | non-existing | | | non-existing | | | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | DENY | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjectVersions | existing | applies | ALLOW | non-existing | | | - | ListObjectVersions | existing | applies | DENY | existing | applies | ALLOW | - | ListObjectVersions | existing | applies | DENY | existing | applies | DENY | - | ListObjectVersions | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjectVersions | existing | applies | DENY | non-existing | | | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjectVersions | existing | does not apply | ALLOW | non-existing | | | - | ListObjectVersions | non-existing | | | existing | applies | ALLOW | - | ListObjectVersions | non-existing | | | existing | applies | DENY | - | ListObjectVersions | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjectVersions | non-existing | | | existing | does not apply | ALLOW | - | ListObjectVersions | non-existing | | | non-existing | | | - | ListObjects | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjects | existing | applies | ALLOW | existing | applies | DENY | - | ListObjects | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjects | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjects | existing | applies | ALLOW | non-existing | | | - | ListObjects | existing | applies | DENY | existing | applies | ALLOW | - | ListObjects | existing | applies | DENY | existing | applies | DENY | - | ListObjects | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjects | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjects | existing | applies | DENY | non-existing | | | - | ListObjects | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjects | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjects | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjects | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjects | existing | does not apply | ALLOW | non-existing | | | - | ListObjects | non-existing | | | existing | applies | ALLOW | - | ListObjects | non-existing | | | existing | applies | DENY | - | ListObjects | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjects | non-existing | | | existing | does not apply | ALLOW | - | ListObjects | non-existing | | | non-existing | | | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | DENY | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | applies | ALLOW | non-existing | | | - | ListObjectsV2 | existing | applies | DENY | existing | applies | ALLOW | - | ListObjectsV2 | existing | applies | DENY | existing | applies | DENY | - | ListObjectsV2 | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | applies | DENY | non-existing | | | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | does not apply | ALLOW | non-existing | | | - | ListObjectsV2 | non-existing | | | existing | applies | ALLOW | - | ListObjectsV2 | non-existing | | | existing | applies | DENY | - | ListObjectsV2 | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjectsV2 | non-existing | | | existing | does not apply | ALLOW | - | ListObjectsV2 | non-existing | | | non-existing | | | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketAcl | existing | applies | ALLOW | non-existing | | | - | PutBucketAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketAcl | existing | applies | DENY | existing | applies | DENY | - | PutBucketAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketAcl | existing | applies | DENY | non-existing | | | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketAcl | existing | does not apply | ALLOW | non-existing | | | - | PutBucketAcl | non-existing | | | existing | applies | ALLOW | - | PutBucketAcl | non-existing | | | existing | applies | DENY | - | PutBucketAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketAcl | non-existing | | | existing | does not apply | ALLOW | - | PutBucketAcl | non-existing | | | non-existing | | | - | PutBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketCors | existing | applies | ALLOW | non-existing | | | - | PutBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketCors | existing | applies | DENY | existing | applies | DENY | - | PutBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketCors | existing | applies | DENY | non-existing | | | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketCors | existing | does not apply | ALLOW | non-existing | | | - | PutBucketCors | non-existing | | | existing | applies | ALLOW | - | PutBucketCors | non-existing | | | existing | applies | DENY | - | PutBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketCors | non-existing | | | existing | does not apply | ALLOW | - | PutBucketCors | non-existing | | | non-existing | | | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | applies | ALLOW | non-existing | | | - | PutBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | PutBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | applies | DENY | non-existing | | | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | PutBucketEncryption | non-existing | | | existing | applies | ALLOW | - | PutBucketEncryption | non-existing | | | existing | applies | DENY | - | PutBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | PutBucketEncryption | non-existing | | | non-existing | | | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | non-existing | | | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | DENY | non-existing | | | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | DENY | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | non-existing | | | non-existing | | | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | non-existing | | | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | DENY | non-existing | | | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | DENY | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | non-existing | | | non-existing | | | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | applies | ALLOW | non-existing | | | - | PutBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | PutBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | applies | DENY | non-existing | | | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | PutBucketPolicy | non-existing | | | existing | applies | ALLOW | - | PutBucketPolicy | non-existing | | | existing | applies | DENY | - | PutBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | PutBucketPolicy | non-existing | | | non-existing | | | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketReplication | existing | applies | ALLOW | non-existing | | | - | PutBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketReplication | existing | applies | DENY | existing | applies | DENY | - | PutBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketReplication | existing | applies | DENY | non-existing | | | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | PutBucketReplication | non-existing | | | existing | applies | ALLOW | - | PutBucketReplication | non-existing | | | existing | applies | DENY | - | PutBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | PutBucketReplication | non-existing | | | non-existing | | | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | applies | ALLOW | non-existing | | | - | PutBucketVersioning | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketVersioning | existing | applies | DENY | existing | applies | DENY | - | PutBucketVersioning | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | applies | DENY | non-existing | | | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | does not apply | ALLOW | non-existing | | | - | PutBucketVersioning | non-existing | | | existing | applies | ALLOW | - | PutBucketVersioning | non-existing | | | existing | applies | DENY | - | PutBucketVersioning | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketVersioning | non-existing | | | existing | does not apply | ALLOW | - | PutBucketVersioning | non-existing | | | non-existing | | | - | PutObject | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObject | existing | applies | ALLOW | existing | applies | DENY | - | PutObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObject | existing | applies | ALLOW | non-existing | | | - | PutObject | existing | applies | DENY | existing | applies | ALLOW | - | PutObject | existing | applies | DENY | existing | applies | DENY | - | PutObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObject | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObject | existing | applies | DENY | non-existing | | | - | PutObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObject | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObject | existing | does not apply | ALLOW | non-existing | | | - | PutObject | non-existing | | | existing | applies | ALLOW | - | PutObject | non-existing | | | existing | applies | DENY | - | PutObject | non-existing | | | existing | applies | ALLOW+DENY | - | PutObject | non-existing | | | existing | does not apply | ALLOW | - | PutObject | non-existing | | | non-existing | | | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectAcl | existing | applies | ALLOW | non-existing | | | - | PutObjectAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectAcl | existing | applies | DENY | existing | applies | DENY | - | PutObjectAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectAcl | existing | applies | DENY | non-existing | | | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectAcl | existing | does not apply | ALLOW | non-existing | | | - | PutObjectAcl | non-existing | | | existing | applies | ALLOW | - | PutObjectAcl | non-existing | | | existing | applies | DENY | - | PutObjectAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectAcl | non-existing | | | existing | does not apply | ALLOW | - | PutObjectAcl | non-existing | | | non-existing | | | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | applies | ALLOW | non-existing | | | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | DENY | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | applies | DENY | non-existing | | | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | does not apply | ALLOW | non-existing | | | - | PutObjectLegalHold | non-existing | | | existing | applies | ALLOW | - | PutObjectLegalHold | non-existing | | | existing | applies | DENY | - | PutObjectLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | non-existing | | | existing | does not apply | ALLOW | - | PutObjectLegalHold | non-existing | | | non-existing | | | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | applies | ALLOW | non-existing | | | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | applies | DENY | non-existing | | | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutObjectLockConfiguration | non-existing | | | existing | applies | ALLOW | - | PutObjectLockConfiguration | non-existing | | | existing | applies | DENY | - | PutObjectLockConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | non-existing | | | non-existing | | | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectRetention | existing | applies | ALLOW | non-existing | | | - | PutObjectRetention | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectRetention | existing | applies | DENY | existing | applies | DENY | - | PutObjectRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectRetention | existing | applies | DENY | non-existing | | | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectRetention | existing | does not apply | ALLOW | non-existing | | | - | PutObjectRetention | non-existing | | | existing | applies | ALLOW | - | PutObjectRetention | non-existing | | | existing | applies | DENY | - | PutObjectRetention | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectRetention | non-existing | | | existing | does not apply | ALLOW | - | PutObjectRetention | non-existing | | | non-existing | | | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketTagging | existing | applies | ALLOW | non-existing | | | - | PutBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketTagging | existing | applies | DENY | existing | applies | DENY | - | PutBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketTagging | existing | applies | DENY | non-existing | | | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | PutBucketTagging | non-existing | | | existing | applies | ALLOW | - | PutBucketTagging | non-existing | | | existing | applies | DENY | - | PutBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | PutBucketTagging | non-existing | | | non-existing | | | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectTagging | existing | applies | ALLOW | non-existing | | | - | PutObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectTagging | existing | applies | DENY | existing | applies | DENY | - | PutObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectTagging | existing | applies | DENY | non-existing | | | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | PutObjectTagging | non-existing | | | existing | applies | ALLOW | - | PutObjectTagging | non-existing | | | existing | applies | DENY | - | PutObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | PutObjectTagging | non-existing | | | non-existing | | | - | UploadPart | existing | applies | ALLOW | existing | applies | ALLOW | - | UploadPart | existing | applies | ALLOW | existing | applies | DENY | - | UploadPart | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | UploadPart | existing | applies | ALLOW | existing | does not apply | ALLOW | - | UploadPart | existing | applies | ALLOW | non-existing | | | - | UploadPart | existing | applies | DENY | existing | applies | ALLOW | - | UploadPart | existing | applies | DENY | existing | applies | DENY | - | UploadPart | existing | applies | DENY | existing | applies | ALLOW+DENY | - | UploadPart | existing | applies | DENY | existing | does not apply | ALLOW | - | UploadPart | existing | applies | DENY | non-existing | | | - | UploadPart | existing | does not apply | ALLOW | existing | applies | ALLOW | - | UploadPart | existing | does not apply | ALLOW | existing | applies | DENY | - | UploadPart | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | UploadPart | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | UploadPart | existing | does not apply | ALLOW | non-existing | | | - | UploadPart | non-existing | | | existing | applies | ALLOW | - | UploadPart | non-existing | | | existing | applies | DENY | - | UploadPart | non-existing | | | existing | applies | ALLOW+DENY | - | UploadPart | non-existing | | | existing | does not apply | ALLOW | - | UploadPart | non-existing | | | non-existing | | | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | ALLOW | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | DENY | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | UploadPartCopy | existing | applies | ALLOW | non-existing | | | - | UploadPartCopy | existing | applies | DENY | existing | applies | ALLOW | - | UploadPartCopy | existing | applies | DENY | existing | applies | DENY | - | UploadPartCopy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | applies | DENY | existing | does not apply | ALLOW | - | UploadPartCopy | existing | applies | DENY | non-existing | | | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | DENY | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | UploadPartCopy | existing | does not apply | ALLOW | non-existing | | | - | UploadPartCopy | non-existing | | | existing | applies | ALLOW | - | UploadPartCopy | non-existing | | | existing | applies | DENY | - | UploadPartCopy | non-existing | | | existing | applies | ALLOW+DENY | - | UploadPartCopy | non-existing | | | existing | does not apply | ALLOW | - | UploadPartCopy | non-existing | | | non-existing | | | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | applies | ALLOW | non-existing | | | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | applies | DENY | non-existing | | | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectVersion | non-existing | | | existing | applies | ALLOW | - | DeleteObjectVersion | non-existing | | | existing | applies | DENY | - | DeleteObjectVersion | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectVersion | non-existing | | | non-existing | | | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | applies | DENY | non-existing | | | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | DENY | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | non-existing | | | non-existing | | | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersion | existing | applies | ALLOW | non-existing | | | - | GetObjectVersion | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersion | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersion | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersion | existing | applies | DENY | non-existing | | | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersion | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersion | non-existing | | | existing | applies | ALLOW | - | GetObjectVersion | non-existing | | | existing | applies | DENY | - | GetObjectVersion | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersion | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersion | non-existing | | | non-existing | | | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | applies | ALLOW | non-existing | | | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | applies | DENY | non-existing | | | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersionAcl | non-existing | | | existing | applies | ALLOW | - | GetObjectVersionAcl | non-existing | | | existing | applies | DENY | - | GetObjectVersionAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersionAcl | non-existing | | | non-existing | | | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | applies | DENY | non-existing | | | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | GetObjectVersionTagging | non-existing | | | existing | applies | DENY | - | GetObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersionTagging | non-existing | | | non-existing | | | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | applies | DENY | non-existing | | | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionAcl | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionAcl | non-existing | | | existing | applies | DENY | - | PutObjectVersionAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionAcl | non-existing | | | non-existing | | | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | applies | DENY | non-existing | | | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionTagging | non-existing | | | existing | applies | DENY | - | PutObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionTagging | non-existing | | | non-existing | | | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | applies | DENY | non-existing | | | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionRetention | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionRetention | non-existing | | | existing | applies | DENY | - | PutObjectVersionRetention | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionRetention | non-existing | | | non-existing | | | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | applies | DENY | non-existing | | | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | DENY | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | non-existing | | | non-existing | | | - | MetadataSearch | existing | applies | ALLOW | existing | applies | ALLOW | - | MetadataSearch | existing | applies | ALLOW | existing | applies | DENY | - | MetadataSearch | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | applies | ALLOW | existing | does not apply | ALLOW | - | MetadataSearch | existing | applies | ALLOW | non-existing | | | - | MetadataSearch | existing | applies | DENY | existing | applies | ALLOW | - | MetadataSearch | existing | applies | DENY | existing | applies | DENY | - | MetadataSearch | existing | applies | DENY | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | applies | DENY | existing | does not apply | ALLOW | - | MetadataSearch | existing | applies | DENY | non-existing | | | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | ALLOW | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | DENY | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | MetadataSearch | existing | does not apply | ALLOW | non-existing | | | - | MetadataSearch | non-existing | | | existing | applies | ALLOW | - | MetadataSearch | non-existing | | | existing | applies | DENY | - | MetadataSearch | non-existing | | | existing | applies | ALLOW+DENY | - | MetadataSearch | non-existing | | | existing | does not apply | ALLOW | - | MetadataSearch | non-existing | | | non-existing | | | diff --git a/tests/ctst/features/resource-policies/Conditions.feature b/tests/ctst/features/resource-policies/Conditions.feature deleted file mode 100644 index 90795c8211..0000000000 --- a/tests/ctst/features/resource-policies/Conditions.feature +++ /dev/null @@ -1,52 +0,0 @@ -Feature: S3 Bucket Policies Conditions - Bucket policies conditions controls when a policy is in effect. They are independent - from the API(s) being called. They are used to control the effect of the policy - based on the context of the request. For example, you can use conditions to - control access to a bucket based on the IP address of the requestor. - - @2.6.0 - @PreMerge - @BucketPolicies - @BucketPoliciesConditions - Scenario Outline: Bucket policies with IP address conditions - Given an action "GetObject" - And an existing bucket prepared for the action - And a IAM_USER type - And an environment setup for the API - And an "non-existing" IAM Policy that "" with "" effect for the current API - And a condition for the bucket policy with "" "" "" expecting "" - And an "existing" S3 Bucket Policy that "applies" with "ALLOW" effect for the current API - When the user tries to perform the current S3 action on the bucket - Then the authorization result is correct - Examples: - | conditionVerb | conditionType | conditionValue | expect | - | IpAddress | aws:SourceIp | 0.0.0.0/0 | Allow | - | NotIpAddress | aws:SourceIp | 10.0.1.0 | Allow | - | IpAddress | aws:SourceIp | 192.0.0.1 | Deny | - | IpAddress | aws:SourceIp | 0.0.0.0/0,10.0.2.0 | Allow | - | IpAddress | aws:SourceIp | 192.0.0.1,10.0.2.0 | Deny | - | NotIpAddress | aws:SourceIp | 0.0.0.0/0,10.0.2.0 | Deny | - | NotIpAddress | aws:SourceIp | 192.0.0.1,10.0.2.0 | Allow | - - @2.6.0 - @PreMerge - @BucketPolicies - @BucketPoliciesConditions - Scenario Outline: Bucket policies with retention days conditions - Given an action "PutObjectRetention" - And an existing bucket prepared for the action - And a IAM_USER type - And an environment setup for the API - And an "non-existing" IAM Policy that "" with "" effect for the current API - And a condition for the bucket policy with "" "" "" expecting "" - And an "existing" S3 Bucket Policy that "applies" with "ALLOW" effect for the current API - And a retention date set to "" days - When the user tries to perform the current S3 action on the bucket - Then the authorization result is correct - Examples: - | conditionVerb | conditionType | retentionDate | conditionValue | expect | - | NumericLessThanEquals | s3:object-lock-remaining-retention-days | 80 | 100 | Allow | - | NumericGreaterThan | s3:object-lock-remaining-retention-days | 80 | 100 | Deny | - | NumericEquals | s3:object-lock-remaining-retention-days | 100 | 100 | Allow | - | NumericGreaterThan | s3:object-lock-remaining-retention-days | 200 | 100 | Allow | - | NumericLessThan | s3:object-lock-remaining-retention-days | 200 | 100 | Deny | diff --git a/tests/ctst/features/resource-policies/CrossAccountAssumeRole.feature b/tests/ctst/features/resource-policies/CrossAccountAssumeRole.feature deleted file mode 100644 index 5c9e12fbfd..0000000000 --- a/tests/ctst/features/resource-policies/CrossAccountAssumeRole.feature +++ /dev/null @@ -1,1283 +0,0 @@ -Feature: S3 Bucket Policies Authorization flow for IAM Assume Roles (cross account) - This feature allows you to create and attach bucket policies to S3 buckets. - IAM Users should have the permissions to perform the actions that they are granted in their bucket policies - based on the other permissions they also have from their role. - This test suite is not meant to be human-readable, but brings confidence in our Authz flow for all supported - S3 actions. - - @2.6.0 - @PreMerge - @BucketPolicies - @BP-ASSUME_ROLE_USER_CROSS_ACCOUNT - Scenario Outline: ASSUME ROLE CROSS ACCOUNT: IAM Policy and S3 Bucket Policy - Given an action "" - And an existing bucket prepared for the action - And a ASSUME_ROLE_USER_CROSS_ACCOUNT type - And an environment setup for the API - And an "" IAM Policy that "" with "" effect for the current API - And an "" S3 Bucket Policy that "" with "" effect for the current API - When the user tries to perform the current S3 action on the bucket - Then the authorization result is correct - Examples: - | action | bucketPolicyExists | bucketPolicyApplies | bucketPolicyEffect | iamPolicyExists | iamPolicyApplies | iamPolicyEffect | - # Everything below is generated - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | applies | ALLOW | non-existing | | | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | applies | DENY | non-existing | | | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | AbortMultipartUpload | non-existing | | | existing | applies | ALLOW | - | AbortMultipartUpload | non-existing | | | existing | applies | DENY | - | AbortMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | AbortMultipartUpload | non-existing | | | non-existing | | | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | applies | ALLOW | non-existing | | | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | applies | DENY | non-existing | | | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | CompleteMultipartUpload | non-existing | | | existing | applies | ALLOW | - | CompleteMultipartUpload | non-existing | | | existing | applies | DENY | - | CompleteMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | CompleteMultipartUpload | non-existing | | | non-existing | | | - | CopyObject | existing | applies | ALLOW | existing | applies | ALLOW | - | CopyObject | existing | applies | ALLOW | existing | applies | DENY | - | CopyObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CopyObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CopyObject | existing | applies | ALLOW | non-existing | | | - | CopyObject | existing | applies | DENY | existing | applies | ALLOW | - | CopyObject | existing | applies | DENY | existing | applies | DENY | - | CopyObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CopyObject | existing | applies | DENY | existing | does not apply | ALLOW | - | CopyObject | existing | applies | DENY | non-existing | | | - | CopyObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CopyObject | existing | does not apply | ALLOW | existing | applies | DENY | - | CopyObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CopyObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CopyObject | existing | does not apply | ALLOW | non-existing | | | - | CopyObject | non-existing | | | existing | applies | ALLOW | - | CopyObject | non-existing | | | existing | applies | DENY | - | CopyObject | non-existing | | | existing | applies | ALLOW+DENY | - | CopyObject | non-existing | | | existing | does not apply | ALLOW | - | CopyObject | non-existing | | | non-existing | | | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | applies | ALLOW | non-existing | | | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | applies | DENY | non-existing | | | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | CreateMultipartUpload | non-existing | | | existing | applies | ALLOW | - | CreateMultipartUpload | non-existing | | | existing | applies | DENY | - | CreateMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | CreateMultipartUpload | non-existing | | | non-existing | | | - | DeleteBucket | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucket | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucket | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucket | existing | applies | ALLOW | non-existing | | | - | DeleteBucket | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucket | existing | applies | DENY | existing | applies | DENY | - | DeleteBucket | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucket | existing | applies | DENY | non-existing | | | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucket | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucket | non-existing | | | existing | applies | ALLOW | - | DeleteBucket | non-existing | | | existing | applies | DENY | - | DeleteBucket | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucket | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucket | non-existing | | | non-existing | | | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | applies | ALLOW | non-existing | | | - | DeleteBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketCors | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | applies | DENY | non-existing | | | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketCors | non-existing | | | existing | applies | ALLOW | - | DeleteBucketCors | non-existing | | | existing | applies | DENY | - | DeleteBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketCors | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketCors | non-existing | | | non-existing | | | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | applies | ALLOW | non-existing | | | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | applies | DENY | non-existing | | | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketEncryption | non-existing | | | existing | applies | ALLOW | - | DeleteBucketEncryption | non-existing | | | existing | applies | DENY | - | DeleteBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketEncryption | non-existing | | | non-existing | | | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | applies | ALLOW | non-existing | | | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | applies | DENY | non-existing | | | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketLifecycle | non-existing | | | existing | applies | ALLOW | - | DeleteBucketLifecycle | non-existing | | | existing | applies | DENY | - | DeleteBucketLifecycle | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | non-existing | | | non-existing | | | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | applies | ALLOW | non-existing | | | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | applies | DENY | non-existing | | | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketPolicy | non-existing | | | existing | applies | ALLOW | - | DeleteBucketPolicy | non-existing | | | existing | applies | DENY | - | DeleteBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketPolicy | non-existing | | | non-existing | | | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | applies | ALLOW | non-existing | | | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | applies | DENY | non-existing | | | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketReplication | non-existing | | | existing | applies | ALLOW | - | DeleteBucketReplication | non-existing | | | existing | applies | DENY | - | DeleteBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketReplication | non-existing | | | non-existing | | | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | applies | ALLOW | non-existing | | | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | applies | DENY | non-existing | | | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketWebsite | non-existing | | | existing | applies | ALLOW | - | DeleteBucketWebsite | non-existing | | | existing | applies | DENY | - | DeleteBucketWebsite | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketWebsite | non-existing | | | non-existing | | | - | DeleteObject | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObject | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObject | existing | applies | ALLOW | non-existing | | | - | DeleteObject | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObject | existing | applies | DENY | existing | applies | DENY | - | DeleteObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObject | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObject | existing | applies | DENY | non-existing | | | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObject | existing | does not apply | ALLOW | non-existing | | | - | DeleteObject | non-existing | | | existing | applies | ALLOW | - | DeleteObject | non-existing | | | existing | applies | DENY | - | DeleteObject | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObject | non-existing | | | existing | does not apply | ALLOW | - | DeleteObject | non-existing | | | non-existing | | | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | applies | ALLOW | non-existing | | | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | applies | DENY | non-existing | | | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketTagging | non-existing | | | existing | applies | ALLOW | - | DeleteBucketTagging | non-existing | | | existing | applies | DENY | - | DeleteBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketTagging | non-existing | | | non-existing | | | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | applies | ALLOW | non-existing | | | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | applies | DENY | non-existing | | | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectTagging | non-existing | | | existing | applies | ALLOW | - | DeleteObjectTagging | non-existing | | | existing | applies | DENY | - | DeleteObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectTagging | non-existing | | | non-existing | | | - | DeleteObjects | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjects | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjects | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjects | existing | applies | ALLOW | non-existing | | | - | DeleteObjects | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjects | existing | applies | DENY | existing | applies | DENY | - | DeleteObjects | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjects | existing | applies | DENY | non-existing | | | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjects | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjects | non-existing | | | existing | applies | ALLOW | - | DeleteObjects | non-existing | | | existing | applies | DENY | - | DeleteObjects | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjects | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjects | non-existing | | | non-existing | | | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketAcl | existing | applies | ALLOW | non-existing | | | - | GetBucketAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketAcl | existing | applies | DENY | existing | applies | DENY | - | GetBucketAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketAcl | existing | applies | DENY | non-existing | | | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketAcl | existing | does not apply | ALLOW | non-existing | | | - | GetBucketAcl | non-existing | | | existing | applies | ALLOW | - | GetBucketAcl | non-existing | | | existing | applies | DENY | - | GetBucketAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketAcl | non-existing | | | existing | does not apply | ALLOW | - | GetBucketAcl | non-existing | | | non-existing | | | - | GetBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketCors | existing | applies | ALLOW | non-existing | | | - | GetBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketCors | existing | applies | DENY | existing | applies | DENY | - | GetBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketCors | existing | applies | DENY | non-existing | | | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketCors | existing | does not apply | ALLOW | non-existing | | | - | GetBucketCors | non-existing | | | existing | applies | ALLOW | - | GetBucketCors | non-existing | | | existing | applies | DENY | - | GetBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketCors | non-existing | | | existing | does not apply | ALLOW | - | GetBucketCors | non-existing | | | non-existing | | | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | applies | ALLOW | non-existing | | | - | GetBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | GetBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | applies | DENY | non-existing | | | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | GetBucketEncryption | non-existing | | | existing | applies | ALLOW | - | GetBucketEncryption | non-existing | | | existing | applies | DENY | - | GetBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | GetBucketEncryption | non-existing | | | non-existing | | | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | non-existing | | | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | DENY | non-existing | | | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | DENY | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | non-existing | | | non-existing | | | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | non-existing | | | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | DENY | non-existing | | | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | DENY | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | non-existing | | | non-existing | | | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | applies | ALLOW | non-existing | | | - | GetBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | GetBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | applies | DENY | non-existing | | | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | GetBucketPolicy | non-existing | | | existing | applies | ALLOW | - | GetBucketPolicy | non-existing | | | existing | applies | DENY | - | GetBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | GetBucketPolicy | non-existing | | | non-existing | | | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketReplication | existing | applies | ALLOW | non-existing | | | - | GetBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketReplication | existing | applies | DENY | existing | applies | DENY | - | GetBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketReplication | existing | applies | DENY | non-existing | | | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | GetBucketReplication | non-existing | | | existing | applies | ALLOW | - | GetBucketReplication | non-existing | | | existing | applies | DENY | - | GetBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | GetBucketReplication | non-existing | | | non-existing | | | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | applies | ALLOW | non-existing | | | - | GetBucketVersioning | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketVersioning | existing | applies | DENY | existing | applies | DENY | - | GetBucketVersioning | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | applies | DENY | non-existing | | | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | does not apply | ALLOW | non-existing | | | - | GetBucketVersioning | non-existing | | | existing | applies | ALLOW | - | GetBucketVersioning | non-existing | | | existing | applies | DENY | - | GetBucketVersioning | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketVersioning | non-existing | | | existing | does not apply | ALLOW | - | GetBucketVersioning | non-existing | | | non-existing | | | - | GetObject | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObject | existing | applies | ALLOW | existing | applies | DENY | - | GetObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObject | existing | applies | ALLOW | non-existing | | | - | GetObject | existing | applies | DENY | existing | applies | ALLOW | - | GetObject | existing | applies | DENY | existing | applies | DENY | - | GetObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObject | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObject | existing | applies | DENY | non-existing | | | - | GetObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObject | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObject | existing | does not apply | ALLOW | non-existing | | | - | GetObject | non-existing | | | existing | applies | ALLOW | - | GetObject | non-existing | | | existing | applies | DENY | - | GetObject | non-existing | | | existing | applies | ALLOW+DENY | - | GetObject | non-existing | | | existing | does not apply | ALLOW | - | GetObject | non-existing | | | non-existing | | | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectAcl | existing | applies | ALLOW | non-existing | | | - | GetObjectAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectAcl | existing | applies | DENY | existing | applies | DENY | - | GetObjectAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectAcl | existing | applies | DENY | non-existing | | | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectAcl | existing | does not apply | ALLOW | non-existing | | | - | GetObjectAcl | non-existing | | | existing | applies | ALLOW | - | GetObjectAcl | non-existing | | | existing | applies | DENY | - | GetObjectAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectAcl | non-existing | | | existing | does not apply | ALLOW | - | GetObjectAcl | non-existing | | | non-existing | | | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | applies | ALLOW | non-existing | | | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | DENY | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | applies | DENY | non-existing | | | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | does not apply | ALLOW | non-existing | | | - | GetObjectLegalHold | non-existing | | | existing | applies | ALLOW | - | GetObjectLegalHold | non-existing | | | existing | applies | DENY | - | GetObjectLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | non-existing | | | existing | does not apply | ALLOW | - | GetObjectLegalHold | non-existing | | | non-existing | | | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | applies | ALLOW | non-existing | | | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | applies | DENY | non-existing | | | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetObjectLockConfiguration | non-existing | | | existing | applies | ALLOW | - | GetObjectLockConfiguration | non-existing | | | existing | applies | DENY | - | GetObjectLockConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | non-existing | | | non-existing | | | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectRetention | existing | applies | ALLOW | non-existing | | | - | GetObjectRetention | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectRetention | existing | applies | DENY | existing | applies | DENY | - | GetObjectRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectRetention | existing | applies | DENY | non-existing | | | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectRetention | existing | does not apply | ALLOW | non-existing | | | - | GetObjectRetention | non-existing | | | existing | applies | ALLOW | - | GetObjectRetention | non-existing | | | existing | applies | DENY | - | GetObjectRetention | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectRetention | non-existing | | | existing | does not apply | ALLOW | - | GetObjectRetention | non-existing | | | non-existing | | | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketTagging | existing | applies | ALLOW | non-existing | | | - | GetBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketTagging | existing | applies | DENY | existing | applies | DENY | - | GetBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketTagging | existing | applies | DENY | non-existing | | | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | GetBucketTagging | non-existing | | | existing | applies | ALLOW | - | GetBucketTagging | non-existing | | | existing | applies | DENY | - | GetBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | GetBucketTagging | non-existing | | | non-existing | | | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectTagging | existing | applies | ALLOW | non-existing | | | - | GetObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectTagging | existing | applies | DENY | existing | applies | DENY | - | GetObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectTagging | existing | applies | DENY | non-existing | | | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | GetObjectTagging | non-existing | | | existing | applies | ALLOW | - | GetObjectTagging | non-existing | | | existing | applies | DENY | - | GetObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | GetObjectTagging | non-existing | | | non-existing | | | - | HeadBucket | existing | applies | ALLOW | existing | applies | ALLOW | - | HeadBucket | existing | applies | ALLOW | existing | applies | DENY | - | HeadBucket | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | HeadBucket | existing | applies | ALLOW | existing | does not apply | ALLOW | - | HeadBucket | existing | applies | ALLOW | non-existing | | | - | HeadBucket | existing | applies | DENY | existing | applies | ALLOW | - | HeadBucket | existing | applies | DENY | existing | applies | DENY | - | HeadBucket | existing | applies | DENY | existing | applies | ALLOW+DENY | - | HeadBucket | existing | applies | DENY | existing | does not apply | ALLOW | - | HeadBucket | existing | applies | DENY | non-existing | | | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | ALLOW | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | DENY | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | HeadBucket | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | HeadBucket | existing | does not apply | ALLOW | non-existing | | | - | HeadBucket | non-existing | | | existing | applies | ALLOW | - | HeadBucket | non-existing | | | existing | applies | DENY | - | HeadBucket | non-existing | | | existing | applies | ALLOW+DENY | - | HeadBucket | non-existing | | | existing | does not apply | ALLOW | - | HeadBucket | non-existing | | | non-existing | | | - | HeadObject | existing | applies | ALLOW | existing | applies | ALLOW | - | HeadObject | existing | applies | ALLOW | existing | applies | DENY | - | HeadObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | HeadObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | HeadObject | existing | applies | ALLOW | non-existing | | | - | HeadObject | existing | applies | DENY | existing | applies | ALLOW | - | HeadObject | existing | applies | DENY | existing | applies | DENY | - | HeadObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | HeadObject | existing | applies | DENY | existing | does not apply | ALLOW | - | HeadObject | existing | applies | DENY | non-existing | | | - | HeadObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | HeadObject | existing | does not apply | ALLOW | existing | applies | DENY | - | HeadObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | HeadObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | HeadObject | existing | does not apply | ALLOW | non-existing | | | - | HeadObject | non-existing | | | existing | applies | ALLOW | - | HeadObject | non-existing | | | existing | applies | DENY | - | HeadObject | non-existing | | | existing | applies | ALLOW+DENY | - | HeadObject | non-existing | | | existing | does not apply | ALLOW | - | HeadObject | non-existing | | | non-existing | | | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | ALLOW | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | DENY | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | applies | ALLOW | non-existing | | | - | ListMultipartUploads | existing | applies | DENY | existing | applies | ALLOW | - | ListMultipartUploads | existing | applies | DENY | existing | applies | DENY | - | ListMultipartUploads | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | applies | DENY | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | applies | DENY | non-existing | | | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | DENY | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | does not apply | ALLOW | non-existing | | | - | ListMultipartUploads | non-existing | | | existing | applies | ALLOW | - | ListMultipartUploads | non-existing | | | existing | applies | DENY | - | ListMultipartUploads | non-existing | | | existing | applies | ALLOW+DENY | - | ListMultipartUploads | non-existing | | | existing | does not apply | ALLOW | - | ListMultipartUploads | non-existing | | | non-existing | | | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | DENY | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjectVersions | existing | applies | ALLOW | non-existing | | | - | ListObjectVersions | existing | applies | DENY | existing | applies | ALLOW | - | ListObjectVersions | existing | applies | DENY | existing | applies | DENY | - | ListObjectVersions | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjectVersions | existing | applies | DENY | non-existing | | | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjectVersions | existing | does not apply | ALLOW | non-existing | | | - | ListObjectVersions | non-existing | | | existing | applies | ALLOW | - | ListObjectVersions | non-existing | | | existing | applies | DENY | - | ListObjectVersions | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjectVersions | non-existing | | | existing | does not apply | ALLOW | - | ListObjectVersions | non-existing | | | non-existing | | | - | ListObjects | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjects | existing | applies | ALLOW | existing | applies | DENY | - | ListObjects | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjects | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjects | existing | applies | ALLOW | non-existing | | | - | ListObjects | existing | applies | DENY | existing | applies | ALLOW | - | ListObjects | existing | applies | DENY | existing | applies | DENY | - | ListObjects | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjects | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjects | existing | applies | DENY | non-existing | | | - | ListObjects | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjects | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjects | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjects | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjects | existing | does not apply | ALLOW | non-existing | | | - | ListObjects | non-existing | | | existing | applies | ALLOW | - | ListObjects | non-existing | | | existing | applies | DENY | - | ListObjects | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjects | non-existing | | | existing | does not apply | ALLOW | - | ListObjects | non-existing | | | non-existing | | | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | DENY | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | applies | ALLOW | non-existing | | | - | ListObjectsV2 | existing | applies | DENY | existing | applies | ALLOW | - | ListObjectsV2 | existing | applies | DENY | existing | applies | DENY | - | ListObjectsV2 | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | applies | DENY | non-existing | | | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | does not apply | ALLOW | non-existing | | | - | ListObjectsV2 | non-existing | | | existing | applies | ALLOW | - | ListObjectsV2 | non-existing | | | existing | applies | DENY | - | ListObjectsV2 | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjectsV2 | non-existing | | | existing | does not apply | ALLOW | - | ListObjectsV2 | non-existing | | | non-existing | | | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketAcl | existing | applies | ALLOW | non-existing | | | - | PutBucketAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketAcl | existing | applies | DENY | existing | applies | DENY | - | PutBucketAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketAcl | existing | applies | DENY | non-existing | | | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketAcl | existing | does not apply | ALLOW | non-existing | | | - | PutBucketAcl | non-existing | | | existing | applies | ALLOW | - | PutBucketAcl | non-existing | | | existing | applies | DENY | - | PutBucketAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketAcl | non-existing | | | existing | does not apply | ALLOW | - | PutBucketAcl | non-existing | | | non-existing | | | - | PutBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketCors | existing | applies | ALLOW | non-existing | | | - | PutBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketCors | existing | applies | DENY | existing | applies | DENY | - | PutBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketCors | existing | applies | DENY | non-existing | | | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketCors | existing | does not apply | ALLOW | non-existing | | | - | PutBucketCors | non-existing | | | existing | applies | ALLOW | - | PutBucketCors | non-existing | | | existing | applies | DENY | - | PutBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketCors | non-existing | | | existing | does not apply | ALLOW | - | PutBucketCors | non-existing | | | non-existing | | | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | applies | ALLOW | non-existing | | | - | PutBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | PutBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | applies | DENY | non-existing | | | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | PutBucketEncryption | non-existing | | | existing | applies | ALLOW | - | PutBucketEncryption | non-existing | | | existing | applies | DENY | - | PutBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | PutBucketEncryption | non-existing | | | non-existing | | | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | non-existing | | | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | DENY | non-existing | | | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | DENY | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | non-existing | | | non-existing | | | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | non-existing | | | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | DENY | non-existing | | | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | DENY | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | non-existing | | | non-existing | | | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | applies | ALLOW | non-existing | | | - | PutBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | PutBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | applies | DENY | non-existing | | | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | PutBucketPolicy | non-existing | | | existing | applies | ALLOW | - | PutBucketPolicy | non-existing | | | existing | applies | DENY | - | PutBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | PutBucketPolicy | non-existing | | | non-existing | | | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketReplication | existing | applies | ALLOW | non-existing | | | - | PutBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketReplication | existing | applies | DENY | existing | applies | DENY | - | PutBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketReplication | existing | applies | DENY | non-existing | | | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | PutBucketReplication | non-existing | | | existing | applies | ALLOW | - | PutBucketReplication | non-existing | | | existing | applies | DENY | - | PutBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | PutBucketReplication | non-existing | | | non-existing | | | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | applies | ALLOW | non-existing | | | - | PutBucketVersioning | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketVersioning | existing | applies | DENY | existing | applies | DENY | - | PutBucketVersioning | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | applies | DENY | non-existing | | | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | does not apply | ALLOW | non-existing | | | - | PutBucketVersioning | non-existing | | | existing | applies | ALLOW | - | PutBucketVersioning | non-existing | | | existing | applies | DENY | - | PutBucketVersioning | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketVersioning | non-existing | | | existing | does not apply | ALLOW | - | PutBucketVersioning | non-existing | | | non-existing | | | - | PutObject | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObject | existing | applies | ALLOW | existing | applies | DENY | - | PutObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObject | existing | applies | ALLOW | non-existing | | | - | PutObject | existing | applies | DENY | existing | applies | ALLOW | - | PutObject | existing | applies | DENY | existing | applies | DENY | - | PutObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObject | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObject | existing | applies | DENY | non-existing | | | - | PutObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObject | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObject | existing | does not apply | ALLOW | non-existing | | | - | PutObject | non-existing | | | existing | applies | ALLOW | - | PutObject | non-existing | | | existing | applies | DENY | - | PutObject | non-existing | | | existing | applies | ALLOW+DENY | - | PutObject | non-existing | | | existing | does not apply | ALLOW | - | PutObject | non-existing | | | non-existing | | | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectAcl | existing | applies | ALLOW | non-existing | | | - | PutObjectAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectAcl | existing | applies | DENY | existing | applies | DENY | - | PutObjectAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectAcl | existing | applies | DENY | non-existing | | | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectAcl | existing | does not apply | ALLOW | non-existing | | | - | PutObjectAcl | non-existing | | | existing | applies | ALLOW | - | PutObjectAcl | non-existing | | | existing | applies | DENY | - | PutObjectAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectAcl | non-existing | | | existing | does not apply | ALLOW | - | PutObjectAcl | non-existing | | | non-existing | | | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | applies | ALLOW | non-existing | | | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | DENY | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | applies | DENY | non-existing | | | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | does not apply | ALLOW | non-existing | | | - | PutObjectLegalHold | non-existing | | | existing | applies | ALLOW | - | PutObjectLegalHold | non-existing | | | existing | applies | DENY | - | PutObjectLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | non-existing | | | existing | does not apply | ALLOW | - | PutObjectLegalHold | non-existing | | | non-existing | | | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | applies | ALLOW | non-existing | | | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | applies | DENY | non-existing | | | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutObjectLockConfiguration | non-existing | | | existing | applies | ALLOW | - | PutObjectLockConfiguration | non-existing | | | existing | applies | DENY | - | PutObjectLockConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | non-existing | | | non-existing | | | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectRetention | existing | applies | ALLOW | non-existing | | | - | PutObjectRetention | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectRetention | existing | applies | DENY | existing | applies | DENY | - | PutObjectRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectRetention | existing | applies | DENY | non-existing | | | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectRetention | existing | does not apply | ALLOW | non-existing | | | - | PutObjectRetention | non-existing | | | existing | applies | ALLOW | - | PutObjectRetention | non-existing | | | existing | applies | DENY | - | PutObjectRetention | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectRetention | non-existing | | | existing | does not apply | ALLOW | - | PutObjectRetention | non-existing | | | non-existing | | | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketTagging | existing | applies | ALLOW | non-existing | | | - | PutBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketTagging | existing | applies | DENY | existing | applies | DENY | - | PutBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketTagging | existing | applies | DENY | non-existing | | | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | PutBucketTagging | non-existing | | | existing | applies | ALLOW | - | PutBucketTagging | non-existing | | | existing | applies | DENY | - | PutBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | PutBucketTagging | non-existing | | | non-existing | | | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectTagging | existing | applies | ALLOW | non-existing | | | - | PutObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectTagging | existing | applies | DENY | existing | applies | DENY | - | PutObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectTagging | existing | applies | DENY | non-existing | | | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | PutObjectTagging | non-existing | | | existing | applies | ALLOW | - | PutObjectTagging | non-existing | | | existing | applies | DENY | - | PutObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | PutObjectTagging | non-existing | | | non-existing | | | - | UploadPart | existing | applies | ALLOW | existing | applies | ALLOW | - | UploadPart | existing | applies | ALLOW | existing | applies | DENY | - | UploadPart | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | UploadPart | existing | applies | ALLOW | existing | does not apply | ALLOW | - | UploadPart | existing | applies | ALLOW | non-existing | | | - | UploadPart | existing | applies | DENY | existing | applies | ALLOW | - | UploadPart | existing | applies | DENY | existing | applies | DENY | - | UploadPart | existing | applies | DENY | existing | applies | ALLOW+DENY | - | UploadPart | existing | applies | DENY | existing | does not apply | ALLOW | - | UploadPart | existing | applies | DENY | non-existing | | | - | UploadPart | existing | does not apply | ALLOW | existing | applies | ALLOW | - | UploadPart | existing | does not apply | ALLOW | existing | applies | DENY | - | UploadPart | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | UploadPart | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | UploadPart | existing | does not apply | ALLOW | non-existing | | | - | UploadPart | non-existing | | | existing | applies | ALLOW | - | UploadPart | non-existing | | | existing | applies | DENY | - | UploadPart | non-existing | | | existing | applies | ALLOW+DENY | - | UploadPart | non-existing | | | existing | does not apply | ALLOW | - | UploadPart | non-existing | | | non-existing | | | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | ALLOW | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | DENY | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | UploadPartCopy | existing | applies | ALLOW | non-existing | | | - | UploadPartCopy | existing | applies | DENY | existing | applies | ALLOW | - | UploadPartCopy | existing | applies | DENY | existing | applies | DENY | - | UploadPartCopy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | applies | DENY | existing | does not apply | ALLOW | - | UploadPartCopy | existing | applies | DENY | non-existing | | | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | DENY | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | UploadPartCopy | existing | does not apply | ALLOW | non-existing | | | - | UploadPartCopy | non-existing | | | existing | applies | ALLOW | - | UploadPartCopy | non-existing | | | existing | applies | DENY | - | UploadPartCopy | non-existing | | | existing | applies | ALLOW+DENY | - | UploadPartCopy | non-existing | | | existing | does not apply | ALLOW | - | UploadPartCopy | non-existing | | | non-existing | | | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | applies | ALLOW | non-existing | | | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | applies | DENY | non-existing | | | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectVersion | non-existing | | | existing | applies | ALLOW | - | DeleteObjectVersion | non-existing | | | existing | applies | DENY | - | DeleteObjectVersion | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectVersion | non-existing | | | non-existing | | | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | applies | DENY | non-existing | | | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | DENY | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | non-existing | | | non-existing | | | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersion | existing | applies | ALLOW | non-existing | | | - | GetObjectVersion | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersion | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersion | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersion | existing | applies | DENY | non-existing | | | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersion | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersion | non-existing | | | existing | applies | ALLOW | - | GetObjectVersion | non-existing | | | existing | applies | DENY | - | GetObjectVersion | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersion | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersion | non-existing | | | non-existing | | | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | applies | ALLOW | non-existing | | | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | applies | DENY | non-existing | | | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersionAcl | non-existing | | | existing | applies | ALLOW | - | GetObjectVersionAcl | non-existing | | | existing | applies | DENY | - | GetObjectVersionAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersionAcl | non-existing | | | non-existing | | | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | applies | DENY | non-existing | | | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | GetObjectVersionTagging | non-existing | | | existing | applies | DENY | - | GetObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersionTagging | non-existing | | | non-existing | | | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | applies | DENY | non-existing | | | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionAcl | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionAcl | non-existing | | | existing | applies | DENY | - | PutObjectVersionAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionAcl | non-existing | | | non-existing | | | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | applies | DENY | non-existing | | | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionTagging | non-existing | | | existing | applies | DENY | - | PutObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionTagging | non-existing | | | non-existing | | | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | applies | DENY | non-existing | | | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionRetention | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionRetention | non-existing | | | existing | applies | DENY | - | PutObjectVersionRetention | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionRetention | non-existing | | | non-existing | | | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | applies | DENY | non-existing | | | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | DENY | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | non-existing | | | non-existing | | | - | MetadataSearch | existing | applies | ALLOW | existing | applies | ALLOW | - | MetadataSearch | existing | applies | ALLOW | existing | applies | DENY | - | MetadataSearch | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | applies | ALLOW | existing | does not apply | ALLOW | - | MetadataSearch | existing | applies | ALLOW | non-existing | | | - | MetadataSearch | existing | applies | DENY | existing | applies | ALLOW | - | MetadataSearch | existing | applies | DENY | existing | applies | DENY | - | MetadataSearch | existing | applies | DENY | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | applies | DENY | existing | does not apply | ALLOW | - | MetadataSearch | existing | applies | DENY | non-existing | | | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | ALLOW | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | DENY | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | MetadataSearch | existing | does not apply | ALLOW | non-existing | | | - | MetadataSearch | non-existing | | | existing | applies | ALLOW | - | MetadataSearch | non-existing | | | existing | applies | DENY | - | MetadataSearch | non-existing | | | existing | applies | ALLOW+DENY | - | MetadataSearch | non-existing | | | existing | does not apply | ALLOW | - | MetadataSearch | non-existing | | | non-existing | | | diff --git a/tests/ctst/features/resource-policies/IAMUser.feature b/tests/ctst/features/resource-policies/IAMUser.feature deleted file mode 100644 index 50e0a4c08f..0000000000 --- a/tests/ctst/features/resource-policies/IAMUser.feature +++ /dev/null @@ -1,1283 +0,0 @@ -Feature: S3 Bucket Policies Authorization flow for IAM Users - This feature allows you to create and attach bucket policies to S3 buckets. - IAM Users should have the permissions to perform the actions that they are granted in their bucket policies - based on the other permissions they also have. - This test suite is not meant to be human-readable, but brings confidence in our Authz flow for all supported - S3 actions. - - @2.6.0 - @PreMerge - @BucketPolicies - @BP-IAM_USER - Scenario Outline: IAM USER: IAM Policy and S3 Bucket Policy - Given an action "" - And an existing bucket prepared for the action - And a IAM_USER type - And an environment setup for the API - And an "" IAM Policy that "" with "" effect for the current API - And an "" S3 Bucket Policy that "" with "" effect for the current API - When the user tries to perform the current S3 action on the bucket - Then the authorization result is correct - Examples: - | action | bucketPolicyExists | bucketPolicyApplies | bucketPolicyEffect | iamPolicyExists | iamPolicyApplies | iamPolicyEffect | - # Everything below is generated - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | AbortMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | applies | ALLOW | non-existing | | | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | AbortMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | applies | DENY | non-existing | | | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | AbortMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | AbortMultipartUpload | non-existing | | | existing | applies | ALLOW | - | AbortMultipartUpload | non-existing | | | existing | applies | DENY | - | AbortMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | AbortMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | AbortMultipartUpload | non-existing | | | non-existing | | | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | applies | ALLOW | non-existing | | | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | CompleteMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | applies | DENY | non-existing | | | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CompleteMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | CompleteMultipartUpload | non-existing | | | existing | applies | ALLOW | - | CompleteMultipartUpload | non-existing | | | existing | applies | DENY | - | CompleteMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | CompleteMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | CompleteMultipartUpload | non-existing | | | non-existing | | | - | CopyObject | existing | applies | ALLOW | existing | applies | ALLOW | - | CopyObject | existing | applies | ALLOW | existing | applies | DENY | - | CopyObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CopyObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CopyObject | existing | applies | ALLOW | non-existing | | | - | CopyObject | existing | applies | DENY | existing | applies | ALLOW | - | CopyObject | existing | applies | DENY | existing | applies | DENY | - | CopyObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CopyObject | existing | applies | DENY | existing | does not apply | ALLOW | - | CopyObject | existing | applies | DENY | non-existing | | | - | CopyObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CopyObject | existing | does not apply | ALLOW | existing | applies | DENY | - | CopyObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CopyObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CopyObject | existing | does not apply | ALLOW | non-existing | | | - | CopyObject | non-existing | | | existing | applies | ALLOW | - | CopyObject | non-existing | | | existing | applies | DENY | - | CopyObject | non-existing | | | existing | applies | ALLOW+DENY | - | CopyObject | non-existing | | | existing | does not apply | ALLOW | - | CopyObject | non-existing | | | non-existing | | | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | DENY | - | CreateMultipartUpload | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | applies | ALLOW | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | applies | ALLOW | non-existing | | | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | ALLOW | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | DENY | - | CreateMultipartUpload | existing | applies | DENY | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | applies | DENY | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | applies | DENY | non-existing | | | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | DENY | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | CreateMultipartUpload | existing | does not apply | ALLOW | non-existing | | | - | CreateMultipartUpload | non-existing | | | existing | applies | ALLOW | - | CreateMultipartUpload | non-existing | | | existing | applies | DENY | - | CreateMultipartUpload | non-existing | | | existing | applies | ALLOW+DENY | - | CreateMultipartUpload | non-existing | | | existing | does not apply | ALLOW | - | CreateMultipartUpload | non-existing | | | non-existing | | | - | DeleteBucket | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucket | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucket | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucket | existing | applies | ALLOW | non-existing | | | - | DeleteBucket | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucket | existing | applies | DENY | existing | applies | DENY | - | DeleteBucket | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucket | existing | applies | DENY | non-existing | | | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucket | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucket | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucket | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucket | non-existing | | | existing | applies | ALLOW | - | DeleteBucket | non-existing | | | existing | applies | DENY | - | DeleteBucket | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucket | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucket | non-existing | | | non-existing | | | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | applies | ALLOW | non-existing | | | - | DeleteBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketCors | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | applies | DENY | non-existing | | | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketCors | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketCors | non-existing | | | existing | applies | ALLOW | - | DeleteBucketCors | non-existing | | | existing | applies | DENY | - | DeleteBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketCors | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketCors | non-existing | | | non-existing | | | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | applies | ALLOW | non-existing | | | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | applies | DENY | non-existing | | | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketEncryption | non-existing | | | existing | applies | ALLOW | - | DeleteBucketEncryption | non-existing | | | existing | applies | DENY | - | DeleteBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketEncryption | non-existing | | | non-existing | | | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | applies | ALLOW | non-existing | | | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketLifecycle | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | applies | DENY | non-existing | | | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketLifecycle | non-existing | | | existing | applies | ALLOW | - | DeleteBucketLifecycle | non-existing | | | existing | applies | DENY | - | DeleteBucketLifecycle | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketLifecycle | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketLifecycle | non-existing | | | non-existing | | | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | applies | ALLOW | non-existing | | | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | applies | DENY | non-existing | | | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketPolicy | non-existing | | | existing | applies | ALLOW | - | DeleteBucketPolicy | non-existing | | | existing | applies | DENY | - | DeleteBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketPolicy | non-existing | | | non-existing | | | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | applies | ALLOW | non-existing | | | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | applies | DENY | non-existing | | | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketReplication | non-existing | | | existing | applies | ALLOW | - | DeleteBucketReplication | non-existing | | | existing | applies | DENY | - | DeleteBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketReplication | non-existing | | | non-existing | | | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | applies | ALLOW | non-existing | | | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketWebsite | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | applies | DENY | non-existing | | | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketWebsite | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketWebsite | non-existing | | | existing | applies | ALLOW | - | DeleteBucketWebsite | non-existing | | | existing | applies | DENY | - | DeleteBucketWebsite | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketWebsite | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketWebsite | non-existing | | | non-existing | | | - | DeleteObject | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObject | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObject | existing | applies | ALLOW | non-existing | | | - | DeleteObject | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObject | existing | applies | DENY | existing | applies | DENY | - | DeleteObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObject | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObject | existing | applies | DENY | non-existing | | | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObject | existing | does not apply | ALLOW | non-existing | | | - | DeleteObject | non-existing | | | existing | applies | ALLOW | - | DeleteObject | non-existing | | | existing | applies | DENY | - | DeleteObject | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObject | non-existing | | | existing | does not apply | ALLOW | - | DeleteObject | non-existing | | | non-existing | | | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | applies | ALLOW | non-existing | | | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | applies | DENY | non-existing | | | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteBucketTagging | non-existing | | | existing | applies | ALLOW | - | DeleteBucketTagging | non-existing | | | existing | applies | DENY | - | DeleteBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteBucketTagging | non-existing | | | non-existing | | | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | applies | ALLOW | non-existing | | | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | applies | DENY | non-existing | | | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectTagging | non-existing | | | existing | applies | ALLOW | - | DeleteObjectTagging | non-existing | | | existing | applies | DENY | - | DeleteObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectTagging | non-existing | | | non-existing | | | - | DeleteObjects | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjects | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjects | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjects | existing | applies | ALLOW | non-existing | | | - | DeleteObjects | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjects | existing | applies | DENY | existing | applies | DENY | - | DeleteObjects | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjects | existing | applies | DENY | non-existing | | | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjects | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjects | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjects | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjects | non-existing | | | existing | applies | ALLOW | - | DeleteObjects | non-existing | | | existing | applies | DENY | - | DeleteObjects | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjects | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjects | non-existing | | | non-existing | | | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketAcl | existing | applies | ALLOW | non-existing | | | - | GetBucketAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketAcl | existing | applies | DENY | existing | applies | DENY | - | GetBucketAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketAcl | existing | applies | DENY | non-existing | | | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketAcl | existing | does not apply | ALLOW | non-existing | | | - | GetBucketAcl | non-existing | | | existing | applies | ALLOW | - | GetBucketAcl | non-existing | | | existing | applies | DENY | - | GetBucketAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketAcl | non-existing | | | existing | does not apply | ALLOW | - | GetBucketAcl | non-existing | | | non-existing | | | - | GetBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketCors | existing | applies | ALLOW | non-existing | | | - | GetBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketCors | existing | applies | DENY | existing | applies | DENY | - | GetBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketCors | existing | applies | DENY | non-existing | | | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketCors | existing | does not apply | ALLOW | non-existing | | | - | GetBucketCors | non-existing | | | existing | applies | ALLOW | - | GetBucketCors | non-existing | | | existing | applies | DENY | - | GetBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketCors | non-existing | | | existing | does not apply | ALLOW | - | GetBucketCors | non-existing | | | non-existing | | | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | applies | ALLOW | non-existing | | | - | GetBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | GetBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | applies | DENY | non-existing | | | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | GetBucketEncryption | non-existing | | | existing | applies | ALLOW | - | GetBucketEncryption | non-existing | | | existing | applies | DENY | - | GetBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | GetBucketEncryption | non-existing | | | non-existing | | | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | ALLOW | non-existing | | | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | applies | DENY | non-existing | | | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | DENY | - | GetBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketLifecycleConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetBucketLifecycleConfiguration | non-existing | | | non-existing | | | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | ALLOW | non-existing | | | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | applies | DENY | non-existing | | | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | DENY | - | GetBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketNotificationConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetBucketNotificationConfiguration | non-existing | | | non-existing | | | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | applies | ALLOW | non-existing | | | - | GetBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | GetBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | applies | DENY | non-existing | | | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | GetBucketPolicy | non-existing | | | existing | applies | ALLOW | - | GetBucketPolicy | non-existing | | | existing | applies | DENY | - | GetBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | GetBucketPolicy | non-existing | | | non-existing | | | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketReplication | existing | applies | ALLOW | non-existing | | | - | GetBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketReplication | existing | applies | DENY | existing | applies | DENY | - | GetBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketReplication | existing | applies | DENY | non-existing | | | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | GetBucketReplication | non-existing | | | existing | applies | ALLOW | - | GetBucketReplication | non-existing | | | existing | applies | DENY | - | GetBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | GetBucketReplication | non-existing | | | non-existing | | | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | applies | ALLOW | non-existing | | | - | GetBucketVersioning | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketVersioning | existing | applies | DENY | existing | applies | DENY | - | GetBucketVersioning | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | applies | DENY | non-existing | | | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketVersioning | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketVersioning | existing | does not apply | ALLOW | non-existing | | | - | GetBucketVersioning | non-existing | | | existing | applies | ALLOW | - | GetBucketVersioning | non-existing | | | existing | applies | DENY | - | GetBucketVersioning | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketVersioning | non-existing | | | existing | does not apply | ALLOW | - | GetBucketVersioning | non-existing | | | non-existing | | | - | GetObject | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObject | existing | applies | ALLOW | existing | applies | DENY | - | GetObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObject | existing | applies | ALLOW | non-existing | | | - | GetObject | existing | applies | DENY | existing | applies | ALLOW | - | GetObject | existing | applies | DENY | existing | applies | DENY | - | GetObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObject | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObject | existing | applies | DENY | non-existing | | | - | GetObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObject | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObject | existing | does not apply | ALLOW | non-existing | | | - | GetObject | non-existing | | | existing | applies | ALLOW | - | GetObject | non-existing | | | existing | applies | DENY | - | GetObject | non-existing | | | existing | applies | ALLOW+DENY | - | GetObject | non-existing | | | existing | does not apply | ALLOW | - | GetObject | non-existing | | | non-existing | | | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectAcl | existing | applies | ALLOW | non-existing | | | - | GetObjectAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectAcl | existing | applies | DENY | existing | applies | DENY | - | GetObjectAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectAcl | existing | applies | DENY | non-existing | | | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectAcl | existing | does not apply | ALLOW | non-existing | | | - | GetObjectAcl | non-existing | | | existing | applies | ALLOW | - | GetObjectAcl | non-existing | | | existing | applies | DENY | - | GetObjectAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectAcl | non-existing | | | existing | does not apply | ALLOW | - | GetObjectAcl | non-existing | | | non-existing | | | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | applies | ALLOW | non-existing | | | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | DENY | - | GetObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | applies | DENY | non-existing | | | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectLegalHold | existing | does not apply | ALLOW | non-existing | | | - | GetObjectLegalHold | non-existing | | | existing | applies | ALLOW | - | GetObjectLegalHold | non-existing | | | existing | applies | DENY | - | GetObjectLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectLegalHold | non-existing | | | existing | does not apply | ALLOW | - | GetObjectLegalHold | non-existing | | | non-existing | | | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | applies | ALLOW | non-existing | | | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | DENY | - | GetObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | applies | DENY | non-existing | | | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | existing | does not apply | ALLOW | non-existing | | | - | GetObjectLockConfiguration | non-existing | | | existing | applies | ALLOW | - | GetObjectLockConfiguration | non-existing | | | existing | applies | DENY | - | GetObjectLockConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectLockConfiguration | non-existing | | | existing | does not apply | ALLOW | - | GetObjectLockConfiguration | non-existing | | | non-existing | | | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectRetention | existing | applies | ALLOW | non-existing | | | - | GetObjectRetention | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectRetention | existing | applies | DENY | existing | applies | DENY | - | GetObjectRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectRetention | existing | applies | DENY | non-existing | | | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectRetention | existing | does not apply | ALLOW | non-existing | | | - | GetObjectRetention | non-existing | | | existing | applies | ALLOW | - | GetObjectRetention | non-existing | | | existing | applies | DENY | - | GetObjectRetention | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectRetention | non-existing | | | existing | does not apply | ALLOW | - | GetObjectRetention | non-existing | | | non-existing | | | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetBucketTagging | existing | applies | ALLOW | non-existing | | | - | GetBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetBucketTagging | existing | applies | DENY | existing | applies | DENY | - | GetBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetBucketTagging | existing | applies | DENY | non-existing | | | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | GetBucketTagging | non-existing | | | existing | applies | ALLOW | - | GetBucketTagging | non-existing | | | existing | applies | DENY | - | GetBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | GetBucketTagging | non-existing | | | non-existing | | | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectTagging | existing | applies | ALLOW | non-existing | | | - | GetObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectTagging | existing | applies | DENY | existing | applies | DENY | - | GetObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectTagging | existing | applies | DENY | non-existing | | | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | GetObjectTagging | non-existing | | | existing | applies | ALLOW | - | GetObjectTagging | non-existing | | | existing | applies | DENY | - | GetObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | GetObjectTagging | non-existing | | | non-existing | | | - | HeadBucket | existing | applies | ALLOW | existing | applies | ALLOW | - | HeadBucket | existing | applies | ALLOW | existing | applies | DENY | - | HeadBucket | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | HeadBucket | existing | applies | ALLOW | existing | does not apply | ALLOW | - | HeadBucket | existing | applies | ALLOW | non-existing | | | - | HeadBucket | existing | applies | DENY | existing | applies | ALLOW | - | HeadBucket | existing | applies | DENY | existing | applies | DENY | - | HeadBucket | existing | applies | DENY | existing | applies | ALLOW+DENY | - | HeadBucket | existing | applies | DENY | existing | does not apply | ALLOW | - | HeadBucket | existing | applies | DENY | non-existing | | | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | ALLOW | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | DENY | - | HeadBucket | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | HeadBucket | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | HeadBucket | existing | does not apply | ALLOW | non-existing | | | - | HeadBucket | non-existing | | | existing | applies | ALLOW | - | HeadBucket | non-existing | | | existing | applies | DENY | - | HeadBucket | non-existing | | | existing | applies | ALLOW+DENY | - | HeadBucket | non-existing | | | existing | does not apply | ALLOW | - | HeadBucket | non-existing | | | non-existing | | | - | HeadObject | existing | applies | ALLOW | existing | applies | ALLOW | - | HeadObject | existing | applies | ALLOW | existing | applies | DENY | - | HeadObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | HeadObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | HeadObject | existing | applies | ALLOW | non-existing | | | - | HeadObject | existing | applies | DENY | existing | applies | ALLOW | - | HeadObject | existing | applies | DENY | existing | applies | DENY | - | HeadObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | HeadObject | existing | applies | DENY | existing | does not apply | ALLOW | - | HeadObject | existing | applies | DENY | non-existing | | | - | HeadObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | HeadObject | existing | does not apply | ALLOW | existing | applies | DENY | - | HeadObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | HeadObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | HeadObject | existing | does not apply | ALLOW | non-existing | | | - | HeadObject | non-existing | | | existing | applies | ALLOW | - | HeadObject | non-existing | | | existing | applies | DENY | - | HeadObject | non-existing | | | existing | applies | ALLOW+DENY | - | HeadObject | non-existing | | | existing | does not apply | ALLOW | - | HeadObject | non-existing | | | non-existing | | | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | ALLOW | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | DENY | - | ListMultipartUploads | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | applies | ALLOW | non-existing | | | - | ListMultipartUploads | existing | applies | DENY | existing | applies | ALLOW | - | ListMultipartUploads | existing | applies | DENY | existing | applies | DENY | - | ListMultipartUploads | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | applies | DENY | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | applies | DENY | non-existing | | | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | DENY | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListMultipartUploads | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListMultipartUploads | existing | does not apply | ALLOW | non-existing | | | - | ListMultipartUploads | non-existing | | | existing | applies | ALLOW | - | ListMultipartUploads | non-existing | | | existing | applies | DENY | - | ListMultipartUploads | non-existing | | | existing | applies | ALLOW+DENY | - | ListMultipartUploads | non-existing | | | existing | does not apply | ALLOW | - | ListMultipartUploads | non-existing | | | non-existing | | | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | DENY | - | ListObjectVersions | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjectVersions | existing | applies | ALLOW | non-existing | | | - | ListObjectVersions | existing | applies | DENY | existing | applies | ALLOW | - | ListObjectVersions | existing | applies | DENY | existing | applies | DENY | - | ListObjectVersions | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjectVersions | existing | applies | DENY | non-existing | | | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjectVersions | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectVersions | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjectVersions | existing | does not apply | ALLOW | non-existing | | | - | ListObjectVersions | non-existing | | | existing | applies | ALLOW | - | ListObjectVersions | non-existing | | | existing | applies | DENY | - | ListObjectVersions | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjectVersions | non-existing | | | existing | does not apply | ALLOW | - | ListObjectVersions | non-existing | | | non-existing | | | - | ListObjects | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjects | existing | applies | ALLOW | existing | applies | DENY | - | ListObjects | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjects | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjects | existing | applies | ALLOW | non-existing | | | - | ListObjects | existing | applies | DENY | existing | applies | ALLOW | - | ListObjects | existing | applies | DENY | existing | applies | DENY | - | ListObjects | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjects | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjects | existing | applies | DENY | non-existing | | | - | ListObjects | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjects | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjects | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjects | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjects | existing | does not apply | ALLOW | non-existing | | | - | ListObjects | non-existing | | | existing | applies | ALLOW | - | ListObjects | non-existing | | | existing | applies | DENY | - | ListObjects | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjects | non-existing | | | existing | does not apply | ALLOW | - | ListObjects | non-existing | | | non-existing | | | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | ALLOW | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | DENY | - | ListObjectsV2 | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | applies | ALLOW | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | applies | ALLOW | non-existing | | | - | ListObjectsV2 | existing | applies | DENY | existing | applies | ALLOW | - | ListObjectsV2 | existing | applies | DENY | existing | applies | DENY | - | ListObjectsV2 | existing | applies | DENY | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | applies | DENY | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | applies | DENY | non-existing | | | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | ALLOW | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | DENY | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | ListObjectsV2 | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | ListObjectsV2 | existing | does not apply | ALLOW | non-existing | | | - | ListObjectsV2 | non-existing | | | existing | applies | ALLOW | - | ListObjectsV2 | non-existing | | | existing | applies | DENY | - | ListObjectsV2 | non-existing | | | existing | applies | ALLOW+DENY | - | ListObjectsV2 | non-existing | | | existing | does not apply | ALLOW | - | ListObjectsV2 | non-existing | | | non-existing | | | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketAcl | existing | applies | ALLOW | non-existing | | | - | PutBucketAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketAcl | existing | applies | DENY | existing | applies | DENY | - | PutBucketAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketAcl | existing | applies | DENY | non-existing | | | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketAcl | existing | does not apply | ALLOW | non-existing | | | - | PutBucketAcl | non-existing | | | existing | applies | ALLOW | - | PutBucketAcl | non-existing | | | existing | applies | DENY | - | PutBucketAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketAcl | non-existing | | | existing | does not apply | ALLOW | - | PutBucketAcl | non-existing | | | non-existing | | | - | PutBucketCors | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketCors | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketCors | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketCors | existing | applies | ALLOW | non-existing | | | - | PutBucketCors | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketCors | existing | applies | DENY | existing | applies | DENY | - | PutBucketCors | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketCors | existing | applies | DENY | non-existing | | | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketCors | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketCors | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketCors | existing | does not apply | ALLOW | non-existing | | | - | PutBucketCors | non-existing | | | existing | applies | ALLOW | - | PutBucketCors | non-existing | | | existing | applies | DENY | - | PutBucketCors | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketCors | non-existing | | | existing | does not apply | ALLOW | - | PutBucketCors | non-existing | | | non-existing | | | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketEncryption | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | applies | ALLOW | non-existing | | | - | PutBucketEncryption | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketEncryption | existing | applies | DENY | existing | applies | DENY | - | PutBucketEncryption | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | applies | DENY | non-existing | | | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketEncryption | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketEncryption | existing | does not apply | ALLOW | non-existing | | | - | PutBucketEncryption | non-existing | | | existing | applies | ALLOW | - | PutBucketEncryption | non-existing | | | existing | applies | DENY | - | PutBucketEncryption | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketEncryption | non-existing | | | existing | does not apply | ALLOW | - | PutBucketEncryption | non-existing | | | non-existing | | | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | ALLOW | non-existing | | | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | applies | DENY | non-existing | | | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | DENY | - | PutBucketLifecycleConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketLifecycleConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutBucketLifecycleConfiguration | non-existing | | | non-existing | | | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | ALLOW | non-existing | | | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | applies | DENY | non-existing | | | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | DENY | - | PutBucketNotificationConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketNotificationConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutBucketNotificationConfiguration | non-existing | | | non-existing | | | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketPolicy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | applies | ALLOW | non-existing | | | - | PutBucketPolicy | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketPolicy | existing | applies | DENY | existing | applies | DENY | - | PutBucketPolicy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | applies | DENY | non-existing | | | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketPolicy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketPolicy | existing | does not apply | ALLOW | non-existing | | | - | PutBucketPolicy | non-existing | | | existing | applies | ALLOW | - | PutBucketPolicy | non-existing | | | existing | applies | DENY | - | PutBucketPolicy | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketPolicy | non-existing | | | existing | does not apply | ALLOW | - | PutBucketPolicy | non-existing | | | non-existing | | | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketReplication | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketReplication | existing | applies | ALLOW | non-existing | | | - | PutBucketReplication | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketReplication | existing | applies | DENY | existing | applies | DENY | - | PutBucketReplication | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketReplication | existing | applies | DENY | non-existing | | | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketReplication | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketReplication | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketReplication | existing | does not apply | ALLOW | non-existing | | | - | PutBucketReplication | non-existing | | | existing | applies | ALLOW | - | PutBucketReplication | non-existing | | | existing | applies | DENY | - | PutBucketReplication | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketReplication | non-existing | | | existing | does not apply | ALLOW | - | PutBucketReplication | non-existing | | | non-existing | | | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketVersioning | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | applies | ALLOW | non-existing | | | - | PutBucketVersioning | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketVersioning | existing | applies | DENY | existing | applies | DENY | - | PutBucketVersioning | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | applies | DENY | non-existing | | | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketVersioning | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketVersioning | existing | does not apply | ALLOW | non-existing | | | - | PutBucketVersioning | non-existing | | | existing | applies | ALLOW | - | PutBucketVersioning | non-existing | | | existing | applies | DENY | - | PutBucketVersioning | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketVersioning | non-existing | | | existing | does not apply | ALLOW | - | PutBucketVersioning | non-existing | | | non-existing | | | - | PutObject | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObject | existing | applies | ALLOW | existing | applies | DENY | - | PutObject | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObject | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObject | existing | applies | ALLOW | non-existing | | | - | PutObject | existing | applies | DENY | existing | applies | ALLOW | - | PutObject | existing | applies | DENY | existing | applies | DENY | - | PutObject | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObject | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObject | existing | applies | DENY | non-existing | | | - | PutObject | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObject | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObject | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObject | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObject | existing | does not apply | ALLOW | non-existing | | | - | PutObject | non-existing | | | existing | applies | ALLOW | - | PutObject | non-existing | | | existing | applies | DENY | - | PutObject | non-existing | | | existing | applies | ALLOW+DENY | - | PutObject | non-existing | | | existing | does not apply | ALLOW | - | PutObject | non-existing | | | non-existing | | | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectAcl | existing | applies | ALLOW | non-existing | | | - | PutObjectAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectAcl | existing | applies | DENY | existing | applies | DENY | - | PutObjectAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectAcl | existing | applies | DENY | non-existing | | | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectAcl | existing | does not apply | ALLOW | non-existing | | | - | PutObjectAcl | non-existing | | | existing | applies | ALLOW | - | PutObjectAcl | non-existing | | | existing | applies | DENY | - | PutObjectAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectAcl | non-existing | | | existing | does not apply | ALLOW | - | PutObjectAcl | non-existing | | | non-existing | | | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | applies | ALLOW | non-existing | | | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | DENY | - | PutObjectLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | applies | DENY | non-existing | | | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectLegalHold | existing | does not apply | ALLOW | non-existing | | | - | PutObjectLegalHold | non-existing | | | existing | applies | ALLOW | - | PutObjectLegalHold | non-existing | | | existing | applies | DENY | - | PutObjectLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectLegalHold | non-existing | | | existing | does not apply | ALLOW | - | PutObjectLegalHold | non-existing | | | non-existing | | | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | applies | ALLOW | non-existing | | | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | DENY | - | PutObjectLockConfiguration | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | applies | DENY | non-existing | | | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | existing | does not apply | ALLOW | non-existing | | | - | PutObjectLockConfiguration | non-existing | | | existing | applies | ALLOW | - | PutObjectLockConfiguration | non-existing | | | existing | applies | DENY | - | PutObjectLockConfiguration | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectLockConfiguration | non-existing | | | existing | does not apply | ALLOW | - | PutObjectLockConfiguration | non-existing | | | non-existing | | | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectRetention | existing | applies | ALLOW | non-existing | | | - | PutObjectRetention | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectRetention | existing | applies | DENY | existing | applies | DENY | - | PutObjectRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectRetention | existing | applies | DENY | non-existing | | | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectRetention | existing | does not apply | ALLOW | non-existing | | | - | PutObjectRetention | non-existing | | | existing | applies | ALLOW | - | PutObjectRetention | non-existing | | | existing | applies | DENY | - | PutObjectRetention | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectRetention | non-existing | | | existing | does not apply | ALLOW | - | PutObjectRetention | non-existing | | | non-existing | | | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutBucketTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutBucketTagging | existing | applies | ALLOW | non-existing | | | - | PutBucketTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutBucketTagging | existing | applies | DENY | existing | applies | DENY | - | PutBucketTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutBucketTagging | existing | applies | DENY | non-existing | | | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutBucketTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutBucketTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutBucketTagging | existing | does not apply | ALLOW | non-existing | | | - | PutBucketTagging | non-existing | | | existing | applies | ALLOW | - | PutBucketTagging | non-existing | | | existing | applies | DENY | - | PutBucketTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutBucketTagging | non-existing | | | existing | does not apply | ALLOW | - | PutBucketTagging | non-existing | | | non-existing | | | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectTagging | existing | applies | ALLOW | non-existing | | | - | PutObjectTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectTagging | existing | applies | DENY | existing | applies | DENY | - | PutObjectTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectTagging | existing | applies | DENY | non-existing | | | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectTagging | existing | does not apply | ALLOW | non-existing | | | - | PutObjectTagging | non-existing | | | existing | applies | ALLOW | - | PutObjectTagging | non-existing | | | existing | applies | DENY | - | PutObjectTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectTagging | non-existing | | | existing | does not apply | ALLOW | - | PutObjectTagging | non-existing | | | non-existing | | | - | UploadPart | existing | applies | ALLOW | existing | applies | ALLOW | - | UploadPart | existing | applies | ALLOW | existing | applies | DENY | - | UploadPart | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | UploadPart | existing | applies | ALLOW | existing | does not apply | ALLOW | - | UploadPart | existing | applies | ALLOW | non-existing | | | - | UploadPart | existing | applies | DENY | existing | applies | ALLOW | - | UploadPart | existing | applies | DENY | existing | applies | DENY | - | UploadPart | existing | applies | DENY | existing | applies | ALLOW+DENY | - | UploadPart | existing | applies | DENY | existing | does not apply | ALLOW | - | UploadPart | existing | applies | DENY | non-existing | | | - | UploadPart | existing | does not apply | ALLOW | existing | applies | ALLOW | - | UploadPart | existing | does not apply | ALLOW | existing | applies | DENY | - | UploadPart | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | UploadPart | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | UploadPart | existing | does not apply | ALLOW | non-existing | | | - | UploadPart | non-existing | | | existing | applies | ALLOW | - | UploadPart | non-existing | | | existing | applies | DENY | - | UploadPart | non-existing | | | existing | applies | ALLOW+DENY | - | UploadPart | non-existing | | | existing | does not apply | ALLOW | - | UploadPart | non-existing | | | non-existing | | | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | ALLOW | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | DENY | - | UploadPartCopy | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | applies | ALLOW | existing | does not apply | ALLOW | - | UploadPartCopy | existing | applies | ALLOW | non-existing | | | - | UploadPartCopy | existing | applies | DENY | existing | applies | ALLOW | - | UploadPartCopy | existing | applies | DENY | existing | applies | DENY | - | UploadPartCopy | existing | applies | DENY | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | applies | DENY | existing | does not apply | ALLOW | - | UploadPartCopy | existing | applies | DENY | non-existing | | | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | ALLOW | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | DENY | - | UploadPartCopy | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | UploadPartCopy | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | UploadPartCopy | existing | does not apply | ALLOW | non-existing | | | - | UploadPartCopy | non-existing | | | existing | applies | ALLOW | - | UploadPartCopy | non-existing | | | existing | applies | DENY | - | UploadPartCopy | non-existing | | | existing | applies | ALLOW+DENY | - | UploadPartCopy | non-existing | | | existing | does not apply | ALLOW | - | UploadPartCopy | non-existing | | | non-existing | | | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | applies | ALLOW | non-existing | | | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectVersion | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | applies | DENY | non-existing | | | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersion | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectVersion | non-existing | | | existing | applies | ALLOW | - | DeleteObjectVersion | non-existing | | | existing | applies | DENY | - | DeleteObjectVersion | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectVersion | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectVersion | non-existing | | | non-existing | | | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | applies | DENY | non-existing | | | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | DENY | - | DeleteObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | DeleteObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | DeleteObjectVersionTagging | non-existing | | | non-existing | | | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersion | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersion | existing | applies | ALLOW | non-existing | | | - | GetObjectVersion | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersion | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersion | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersion | existing | applies | DENY | non-existing | | | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersion | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersion | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersion | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersion | non-existing | | | existing | applies | ALLOW | - | GetObjectVersion | non-existing | | | existing | applies | DENY | - | GetObjectVersion | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersion | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersion | non-existing | | | non-existing | | | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | applies | ALLOW | non-existing | | | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | applies | DENY | non-existing | | | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionAcl | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersionAcl | non-existing | | | existing | applies | ALLOW | - | GetObjectVersionAcl | non-existing | | | existing | applies | DENY | - | GetObjectVersionAcl | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersionAcl | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersionAcl | non-existing | | | non-existing | | | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | GetObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | applies | DENY | non-existing | | | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | GetObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | GetObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | GetObjectVersionTagging | non-existing | | | existing | applies | DENY | - | GetObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | GetObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | GetObjectVersionTagging | non-existing | | | non-existing | | | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionAcl | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | applies | DENY | non-existing | | | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionAcl | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionAcl | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionAcl | non-existing | | | existing | applies | DENY | - | PutObjectVersionAcl | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionAcl | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionAcl | non-existing | | | non-existing | | | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionTagging | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | applies | DENY | non-existing | | | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionTagging | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionTagging | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionTagging | non-existing | | | existing | applies | DENY | - | PutObjectVersionTagging | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionTagging | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionTagging | non-existing | | | non-existing | | | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionRetention | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | applies | DENY | non-existing | | | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionRetention | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionRetention | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionRetention | non-existing | | | existing | applies | DENY | - | PutObjectVersionRetention | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionRetention | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionRetention | non-existing | | | non-existing | | | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | applies | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | applies | ALLOW | non-existing | | | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | applies | DENY | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | applies | DENY | non-existing | | | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | DENY | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | existing | does not apply | ALLOW | non-existing | | | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | ALLOW | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | DENY | - | PutObjectVersionLegalHold | non-existing | | | existing | applies | ALLOW+DENY | - | PutObjectVersionLegalHold | non-existing | | | existing | does not apply | ALLOW | - | PutObjectVersionLegalHold | non-existing | | | non-existing | | | - | MetadataSearch | existing | applies | ALLOW | existing | applies | ALLOW | - | MetadataSearch | existing | applies | ALLOW | existing | applies | DENY | - | MetadataSearch | existing | applies | ALLOW | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | applies | ALLOW | existing | does not apply | ALLOW | - | MetadataSearch | existing | applies | ALLOW | non-existing | | | - | MetadataSearch | existing | applies | DENY | existing | applies | ALLOW | - | MetadataSearch | existing | applies | DENY | existing | applies | DENY | - | MetadataSearch | existing | applies | DENY | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | applies | DENY | existing | does not apply | ALLOW | - | MetadataSearch | existing | applies | DENY | non-existing | | | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | ALLOW | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | DENY | - | MetadataSearch | existing | does not apply | ALLOW | existing | applies | ALLOW+DENY | - | MetadataSearch | existing | does not apply | ALLOW | existing | does not apply | ALLOW | - | MetadataSearch | existing | does not apply | ALLOW | non-existing | | | - | MetadataSearch | non-existing | | | existing | applies | ALLOW | - | MetadataSearch | non-existing | | | existing | applies | DENY | - | MetadataSearch | non-existing | | | existing | applies | ALLOW+DENY | - | MetadataSearch | non-existing | | | existing | does not apply | ALLOW | - | MetadataSearch | non-existing | | | non-existing | | | diff --git a/tests/ctst/features/resource-policies/UseCases.feature b/tests/ctst/features/resource-policies/UseCases.feature deleted file mode 100644 index 679512eea1..0000000000 --- a/tests/ctst/features/resource-policies/UseCases.feature +++ /dev/null @@ -1,81 +0,0 @@ -Feature: S3 Bucket Policies Authorization flow use cases - Bucket policies feature should ensure the customer use cases are - supported. - - @2.6.0 - @PreMerge - @BucketPolicies - Scenario Outline: Use case : bucket policy, all access, - Given an action "" - And an existing bucket prepared for the action - And a IAM_USER type - And an environment setup for the API - And an "non-existing" IAM Policy that "" with "" effect for the current API - And a policy granting full access to the objects and read access to the bucket - When the user tries to perform the current S3 action on the bucket - Then the authorization result is correct - Examples: - | action | - | AbortMultipartUpload | - | CompleteMultipartUpload | - | CopyObject | - | CreateMultipartUpload | - | DeleteBucket | - | DeleteBucketCors | - | DeleteBucketEncryption | - | DeleteBucketLifecycle | - | DeleteBucketPolicy | - | DeleteBucketReplication | - | DeleteBucketWebsite | - | DeleteObject | - | DeleteBucketTagging | - | DeleteObjectTagging | - | DeleteObjects | - | GetBucketAcl | - | GetBucketCors | - | GetBucketEncryption | - | GetBucketLifecycleConfiguration | - | GetBucketNotificationConfiguration | - | GetBucketPolicy | - | GetBucketReplication | - | GetBucketVersioning | - | GetObject | - | GetObjectAcl | - | GetObjectLegalHold | - | GetObjectLockConfiguration | - | GetObjectRetention | - | GetBucketTagging | - | GetObjectTagging | - | HeadBucket | - | HeadObject | - | ListMultipartUploads | - | ListObjectVersions | - | ListObjects | - | ListObjectsV2 | - | PutBucketAcl | - | PutBucketCors | - | PutBucketEncryption | - | PutBucketLifecycleConfiguration | - | PutBucketNotificationConfiguration | - | PutBucketPolicy | - | PutBucketReplication | - | PutBucketVersioning | - | PutObject | - | PutObjectAcl | - | PutObjectLegalHold | - | PutObjectLockConfiguration | - | PutObjectRetention | - | PutBucketTagging | - | PutObjectTagging | - | UploadPart | - | UploadPartCopy | - | DeleteObjectVersion | - | DeleteObjectVersionTagging | - | GetObjectVersion | - | GetObjectVersionAcl | - | GetObjectVersionTagging | - | PutObjectVersionAcl | - | PutObjectVersionTagging | - | PutObjectVersionRetention | - | PutObjectVersionLegalHold | - | MetadataSearch | diff --git a/tests/ctst/features/resource-policies/WebIdentity.feature b/tests/ctst/features/resource-policies/WebIdentity.feature deleted file mode 100644 index be2f1fd2d1..0000000000 --- a/tests/ctst/features/resource-policies/WebIdentity.feature +++ /dev/null @@ -1,18 +0,0 @@ -Feature: S3 Bucket Policies Authorization flow for Web Identities - Bucket policies feature should allow the default web identities to - perform more actions, or be denied on actions they are not allowed to - perform by default. - - @2.6.0 - @PreMerge - @BucketPolicies - @BP-DATA_CONSUMER - Scenario Outline: GetObject permission should be denied by the bucket policy for a web identity - Given an action "GetObject" - And an existing bucket prepared for the action - And a DATA_CONSUMER type - And an environment setup for the API - And an "non-existing" IAM Policy that "" with "" effect for the current API - And an "existing" S3 Bucket Policy that "applies" with "DENY" effect for the current API - When the user tries to perform the current S3 action on the bucket - Then the authorization result is correct diff --git a/tests/ctst/features/resource-policies/regen.js b/tests/ctst/features/resource-policies/regen.js deleted file mode 100644 index 0fe424cdfa..0000000000 --- a/tests/ctst/features/resource-policies/regen.js +++ /dev/null @@ -1,184 +0,0 @@ -/** - * BDD testing require that each scenario is explicitly written in the feature file. - * However, testing authz scenarios for each API is too extensive, so this code - * helps maintaining this test suite. - * When editing the feature files, make sure to re-run this script to ensure that - * all the tests scenarios are consistent. You can add a new S3 API to test under - * APIs, and a scenario combination under allCombinations. - * When applying the script, make sure to have the changes in a separate commit. - * Usage: node regen.js - */ -import fs from 'fs'; - -const targetFiles = [ - './AssumeRole.feature', - './CrossAccountAssumeRole.feature', - './IAMUser.feature', -]; - -const APIs = [ - 'AbortMultipartUpload', - 'CompleteMultipartUpload', - 'CopyObject', - // 'CreateBucket', - 'CreateMultipartUpload', - 'DeleteBucket', - 'DeleteBucketCors', - 'DeleteBucketEncryption', - 'DeleteBucketLifecycle', - 'DeleteBucketPolicy', - 'DeleteBucketReplication', - 'DeleteBucketWebsite', - 'DeleteObject', - 'DeleteBucketTagging', - 'DeleteObjectTagging', - 'DeleteObjects', - 'GetBucketAcl', - 'GetBucketCors', - 'GetBucketEncryption', - 'GetBucketLifecycleConfiguration', - 'GetBucketNotificationConfiguration', - 'GetBucketPolicy', - 'GetBucketReplication', - 'GetBucketVersioning', - 'GetObject', - 'GetObjectAcl', - 'GetObjectLegalHold', - 'GetObjectLockConfiguration', - 'GetObjectRetention', - 'GetBucketTagging', - 'GetObjectTagging', - 'HeadBucket', - 'HeadObject', - 'ListMultipartUploads', - 'ListObjectVersions', - 'ListObjects', - 'ListObjectsV2', - 'PutBucketAcl', - 'PutBucketCors', - 'PutBucketEncryption', - 'PutBucketLifecycleConfiguration', - 'PutBucketNotificationConfiguration', - 'PutBucketPolicy', - 'PutBucketReplication', - 'PutBucketVersioning', - 'PutObject', - 'PutObjectAcl', - 'PutObjectLegalHold', - 'PutObjectLockConfiguration', - 'PutObjectRetention', - 'PutBucketTagging', - 'PutObjectTagging', - 'UploadPart', - 'UploadPartCopy', - // Version-related - 'DeleteObjectVersion', - 'DeleteObjectVersionTagging', - 'GetObjectVersion', - 'GetObjectVersionAcl', - 'GetObjectVersionTagging', - 'PutObjectVersionAcl', - 'PutObjectVersionTagging', - 'PutObjectVersionRetention', - 'PutObjectVersionLegalHold', - // Scality-specific - 'MetadataSearch', -]; - -const scenarios = []; - -// In order, sets the current configuration for: -// bucketPolicyExists, bucketPolicyApplies, bucketPolicyEffect, -// iamPolicyExists, iamPolicyApplies, iamPolicyEffect -const allCombinations = [ - ['existing', 'applies', 'ALLOW', 'existing', 'applies', 'ALLOW'], - ['existing', 'applies', 'ALLOW', 'existing', 'applies', 'DENY'], - ['existing', 'applies', 'ALLOW', 'existing', 'applies', 'ALLOW+DENY'], - ['existing', 'applies', 'ALLOW', 'existing', 'does not apply', 'ALLOW'], - ['existing', 'applies', 'ALLOW', 'non-existing', '', ''], - ['existing', 'applies', 'DENY', 'existing', 'applies', 'ALLOW'], - ['existing', 'applies', 'DENY', 'existing', 'applies', 'DENY'], - ['existing', 'applies', 'DENY', 'existing', 'applies', 'ALLOW+DENY'], - ['existing', 'applies', 'DENY', 'existing', 'does not apply', 'ALLOW'], - ['existing', 'applies', 'DENY', 'non-existing', '', ''], - ['existing', 'does not apply', 'ALLOW', 'existing', 'applies', 'ALLOW'], - ['existing', 'does not apply', 'ALLOW', 'existing', 'applies', 'DENY'], - ['existing', 'does not apply', 'ALLOW', 'existing', 'applies', 'ALLOW+DENY'], - ['existing', 'does not apply', 'ALLOW', 'existing', 'does not apply', 'ALLOW'], - ['existing', 'does not apply', 'ALLOW', 'non-existing', '', ''], - ['non-existing', '', '', 'existing', 'applies', 'ALLOW'], - ['non-existing', '', '', 'existing', 'applies', 'DENY'], - ['non-existing', '', '', 'existing', 'applies', 'ALLOW+DENY'], - ['non-existing', '', '', 'existing', 'does not apply', 'ALLOW'], - ['non-existing', '', '', 'non-existing', '', ''], -]; - -const longest = { - action: 'action'.length, - bucketPolicyExists: 'bucketPolicyExists'.length, - bucketPolicyApplies: 'bucketPolicyApplies'.length, - bucketPolicyEffect: 'bucketPolicyEffect'.length, - iamPolicyExists: 'iamPolicyExists'.length, - iamPolicyApplies: 'iamPolicyApplies'.length, - iamPolicyEffect: 'iamPolicyEffect'.length, -}; - -for (const api of APIs) { - for (const combination of allCombinations) { - const scenario = { - action: api, - bucketPolicyExists: combination[0], - bucketPolicyApplies: combination[1], - bucketPolicyEffect: combination[2], - iamPolicyExists: combination[3], - iamPolicyApplies: combination[4], - iamPolicyEffect: combination[5], - }; - scenarios.push(scenario); - for (const key in scenario) { - if (scenario[key].length > longest[key] || !longest[key]) { - longest[key] = scenario[key].length; - } - } - } -} - -const output = scenarios.map(scenario => { - const paddedAction = scenario.action.padEnd(longest.action); - const paddedIamPolicyExists = scenario.iamPolicyExists.padEnd(longest.iamPolicyExists); - const paddedIamPolicyApplies = scenario.iamPolicyApplies.padEnd(longest.iamPolicyApplies); - const paddedIamPolicyEffect = scenario.iamPolicyEffect.padEnd(longest.iamPolicyEffect); - const paddedBucketPolicyExists = scenario.bucketPolicyExists.padEnd(longest.bucketPolicyExists); - const paddedBucketPolicyApplies = scenario.bucketPolicyApplies.padEnd(longest.bucketPolicyApplies); - const paddedBucketPolicyEffect = scenario.bucketPolicyEffect.padEnd(longest.bucketPolicyEffect); - - return ( - ' ', - paddedAction, - paddedBucketPolicyExists, - paddedBucketPolicyApplies, - paddedBucketPolicyEffect, - paddedIamPolicyExists, - paddedIamPolicyApplies, - paddedIamPolicyEffect).join(' | '); -}).join('\n'); - -targetFiles.forEach(file => { - const filePath = `${__dirname}/${file}`; - const fileContent = fs.readFileSync(filePath, 'utf-8'); - const startIndex = fileContent.indexOf('Everything below is generated'); - const startIndexNextLine = fileContent.indexOf('\n', startIndex); - const endIndex = fileContent.length; - - if (startIndex !== -1 && endIndex !== -1) { - const newContent = - `${fileContent.substring(0, startIndexNextLine) }\n${ output }\n${ fileContent.substring(endIndex)}`; - fs.writeFileSync(filePath, newContent, 'utf-8'); - // eslint-disable-next-line no-console - console.log(`Content in ${file} replaced.`); - } else { - // eslint-disable-next-line no-console - console.error( - `Couldn't find the specified markers in ${file}. Make sure the file contains the markers as specified.`); - } -}); diff --git a/tests/ctst/features/sosapi.feature b/tests/ctst/features/sosapi.feature deleted file mode 100644 index f3a6353be4..0000000000 --- a/tests/ctst/features/sosapi.feature +++ /dev/null @@ -1,19 +0,0 @@ -Feature: Veeam SOSAPI - In order to use SOSAPI - As an Artesca User - I want to access the Veeam SOSAPI custom routes when SOSAPI is enabled in the CR - - @2.6.0 - @PreMerge - @SOSAPI - Scenario Outline: PUT routes for SOSAPI configuration files - Given a "" bucket - When I PUT the "" "" XML file - Then the request should be "" - - Examples: - | versioningConfiguration | isValid | sosapiFile | requestAccepted | - | Non versioned | valid | capacity.xml | accepted | - | Non versioned | invalid | capacity.xml | not accepted | - | Non versioned | valid | system.xml | accepted | - | Non versioned | invalid | system.xml | not accepted | diff --git a/tests/ctst/features/zzz.kafkaCleaner.feature b/tests/ctst/features/zzz.kafkaCleaner.feature deleted file mode 100644 index 7e372275d6..0000000000 --- a/tests/ctst/features/zzz.kafkaCleaner.feature +++ /dev/null @@ -1,9 +0,0 @@ -# This file name starts with zzz to ensure it runs last because cucumber runs tests in alphabetical order by default -Feature: Kafka Cleaner - - @2.6.0 - @PreMerge - @AfterAll - @Flaky - Scenario Outline: Verify that consumed messages gets deleted by kafkacleaner - Then kafka consumed messages should not take too much place on disk \ No newline at end of file